Shibboleth IdP V5より、JPA StorageServiceが廃止されてJDBC StorageServiceに置き換わることがアナウンスされています。[1]

本ページでは、JPA StorageServiceからJDBC StorageServiceへのマイグレーション方法について説明します。各StorageServiceの詳細についてはShibboleth Projectのページをご参照ください。

• https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631707/StorageConfiguration
• https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/2989096970/JDBCStorageService

1. JPA StorageService利用の確認

下記コマンドを実行して、Shibboleth IdPでJPA StorageServiceを利用しているか確認します。
grepコマンドの出力がない場合はJPA StorageServiceを利用していませんので、JDBC StorageServiceへのマイグレーションは必要ありません。

$ grep '^[^#].*JPAStorageService' /opt/shibboleth-idp/conf/idp.properties
idp.consent.StorageService = shibboleth.JPAStorageService

2. JDBC StorageServiceプラグインのURLの確認

JDBC StorageServiceプラグインの最新バージョンのURLを確認します。

1. https://shibboleth.atlassian.net/wiki/spaces/IDPPLUGINS/pages/2989096970/JDBCStorageServiceにアクセスして、Plugin Installationにあるdownloadをクリックします。
2. 最新のバージョンのディレクトリ x.y.zにアクセスします。(2022年9月末現在 1.0.4)
3. java-plugin-jdbc-storage-x.y.z.tar.gzのURLを確認します。

3. JDBC StorageServiceプラグインのインストール

上記 2.で確認したURLを引数として、JDBC StorageServiceプラグインをインストールします。

# /opt/shibboleth-idp/bin/plugin.sh -i http://shibboleth.net/downloads/identity-provider/plugins/jdbc/x.y.z/java-plugin-jdbc-storage-x.y.z.tar.gz
INFO  - Including auto-located properties in bin/../conf/admin/admin.properties
INFO  - Including auto-located properties in bin/../conf/authn/authn.properties
INFO  - Including auto-located properties in bin/../conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in bin/../conf/ldap.properties
INFO  - Including auto-located properties in bin/../conf/services.properties
INFO  - Including auto-located properties in bin/../conf/saml-nameid.properties
Downloading from HTTPResource [http://shibboleth.net/downloads/identity-provider/plugins/jdbc/x.y.z/java-plugin-jdbc-storage-x.y.z.tar.gz]
Downloading from HTTPResource [http://shibboleth.net/downloads/identity-provider/plugins/jdbc/x.y.z/java-plugin-jdbc-storage-x.y.z.tar.gz.asc]
Plugin net.shibboleth.plugin.storage.jdbc: Trust store folder does not exist, creating
Plugin net.shibboleth.plugin.storage.jdbc: Trust store does not exist, creating
TrustStore does not contain signature 0x1483F262A4B3FF0
Accept this key:
Signature:      0x1483F262A4B3FF0
FingerPrint:    4AF4D83EEDDF43DA3C06CB3101483F262A4B3FF0
Username:       Rod Widdowson <rdw@steadingsoftware.com>
 [yN] y
Installing Plugin net.shibboleth.plugin.storage.jdbc version x.y.z
Rebuilding /opt/shibboleth-idp/war/idp.war, Version 4.2.1
Initial populate from /opt/shibboleth-idp/dist/webapp to /opt/shibboleth-idp/webpapp.tmp
Overlay from /opt/shibboleth-idp/dist/plugin-webapp to /opt/shibboleth-idp/webpapp.tmp
Overlay from /opt/shibboleth-idp/edit-webapp to /opt/shibboleth-idp/webpapp.tmp
Creating war file /opt/shibboleth-idp/war/idp.war

# /opt/shibboleth-idp/bin/plugin.sh -l
INFO  - Including auto-located properties in bin/../conf/admin/admin.properties
INFO  - Including auto-located properties in bin/../conf/authn/authn.properties
INFO  - Including auto-located properties in bin/../conf/c14n/subject-c14n.properties
INFO  - Including auto-located properties in bin/../conf/ldap.properties
INFO  - Including auto-located properties in bin/../conf/services.properties
INFO  - Including auto-located properties in bin/../conf/saml-nameid.properties
Plugin: net.shibboleth.plugin.storage.jdbc      Current Version: x.y.z

4. Shibboleth IdPの設定変更

JPA StorageServiceからJDBC StorageServiceにShibboleth IdPの設定を変更します。

• /opt/shibboleth-idp/conf/global.xml

  @@ -14,24 +14,10 @@ <!-- Use this file to define any custom beans needed globally. --> - <bean id="shibboleth.JPAStorageService" - class="org.opensaml.storage.impl.JPAStorageService" + <bean id="JDBCStorageService" parent="shibboleth.JDBCStorageService" p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}" + p:dataSource-ref="MyDataSource" + p:transactionIsolation="4" + p:retryableErrors="40001" + /> - c:factory-ref="shibboleth.JPAStorageService.EntityManagerFactory" /> - - <bean id="shibboleth.JPAStorageService.EntityManagerFactory" - class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean"> - <property name="persistenceUnitName" value="storageservice" /> - <property name="packagesToScan" value="org.opensaml.storage.impl" /> - <property name="dataSource" ref="MyDataSource" /> - <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter" /> - <property name="jpaDialect"> - <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" /> - </property> - </bean> - - <bean id="shibboleth.JPAStorageService.JPAVendorAdapter" - class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter"> - <property name="database" value="MYSQL" /> - </bean> <!-- A DataSource bean suitable for use in the idp.persistentId.dataSource property. -->

• /opt/shibboleth-idp/conf/idp.properties

  上記 1.のgrepコマンドで出力された変数の値を shibboleth.JPAStorageService から JDBCStorageService に変更します。

  @@ -142,5 +142,5 @@ idp.session.secondaryServiceIndex=true # Set to "shibboleth.StorageService" or custom bean for alternate storage of consent -idp.consent.StorageService = shibboleth.JPAStorageService +idp.consent.StorageService = JDBCStorageService # Default consent auditing formats

5. Jettyの再起動

Jettyを再起動します。

# systemctl restart jetty