BanditIdP Installation Notes

The instructions for installing the BanditIdP web application are at http://code.bandit-project.org/trac/wiki/Bandit%20IdP%20Deploy%20Configure. There are a few important steps that may not be obvious.

Simple BanditIdP Installation Walk-through

Here is a simple walk-through of a BanditIdP installation. I took every default I could, doing as little configuration as possible just to get the IdP up and running. You would certainly want to go back and reconfigure or reinstall once everything was working before using it for real.

  1. Make sure that Tomcat is up and running on its own. Try accessing the default welcome page for Tomcat via both HTTP and HTTPS. There is no sense troubleshooting the BanditIdP installation if you can't be sure that Tomcat itself isn't the culprit.
  2. Deploy the BanditIdP-1.0.1762.war file as BanditIdP. For a default Tomcat installation, you should be able to rename the BanditIdP-1.0.1762.war file to BanditIdP.war and copy it into the Tomcat webapps directory. Tomcat will expand it automatically.
  3. Access the web app at whatever URL is appropriate for your Tomcat installation. Use HTTPS, which means using the fully-qualified domain name (FQDN). Otherwise, the browser will complain about the SSL certificate name not matching the computer name. For example, even though I have the web app installed on my laptop, I use the URL https://laptop225.corp.cmdinfo.com/BanditIdP/.
  4. Since the web app is freshly installed, you will be redirected to the configuration pages.

    There are 3 fields that must be filled in, which I've marked with the hand.
    Enter a password twice and a directory in which to store the BanditIdP configuration. I found it convenient to make a sub-directory under the Tomcat conf directory. If you plan on reinstalling later, it will help to have it outside the exploded web app itself.
  5. In another window, create that directory.
  6. Continue in the web app by clicking on Next.
  7. For the Claims configuration, just accept the defaults and press Next.

  8. For the Card Template configuration, enter a directory to pull card images from. There is an images directory in the web app that can be used. Once you fill in the directory name and click or tab off the field, the page will refresh, and you can choose an image from the drop down at the bottom of the page.

    Click on Next to continue.
  9. Configure the keystore to be the same keystore that Tomcat is using. Private key alias and certificate alias will be the same, for example tomcat, and the keystore password and private key password are likely the same, for example changeit.

    Click on Next to continue.
  10. An LDAP Context Provider is more difficult to configure than a file context. Press Delete Context to get rid of the default LDAP configuration, and then click on Add Context to add a file context.
  11. Configure the file context with an ID, a name, and then the provider class name, which will be org.bandit.idp.cphandlers.FileContextProviderHandler.

    Click on Add Context to continue.
  12. Finish the context configuration by choosing a file name for the XML context file.

    Click on Next to continue.
  13. Configuration options are completed, but the web app still has to write the configuration to disk.

    Click on Finish Install to continue.
  14. You should see that the installation was completed.

  15. Restart Tomcat (or just the BanditIdP web app through the manager) and access it again. You should be redirected to the login page this time.

  16. Installation is complete. You can get back to the configuration screens via the admin.jsp page. For example, https://laptop225.corp.cmdinfo.com/BanditIdP/admin.jsp.
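
The command-line parts of the walk-through (steps 1, 2, 5 and 9) can be scripted as below. This is an added example, not part of the original notes or the Bandit project. The ports 8080/8443, the CATALINA_BASE layout, the banditidp directory name, the CACERT variable and the 700 directory mode are assumptions.

```bash
#!/usr/bin/env bash
# Added example: shell side of steps 1, 2, 5 and 9. Assumes the default Tomcat
# layout ($CATALINA_BASE/webapps, $CATALINA_BASE/conf) and ports 8080/8443.

# Step 1: Tomcat answers on its own over HTTP and HTTPS. No -k, so a certificate
# name mismatch fails here; for a self-signed certificate, export it and set CACERT.
check_tomcat() {   # usage: check_tomcat <fqdn> [http_port] [https_port]
  local fqdn=$1 http=${2:-8080} https=${3:-8443}
  curl -fsS -o /dev/null "http://$fqdn:$http/" || { echo "HTTP check failed" >&2; return 1; }
  curl -fsS ${CACERT:+--cacert "$CACERT"} -o /dev/null "https://$fqdn:$https/" ||
    { echo "HTTPS check failed" >&2; return 1; }
}

# Step 2: copy the WAR into webapps. Tomcat derives the context path from the
# file name, so the case must match the /BanditIdP/ URL used in step 3.
deploy_war() {     # usage: deploy_war <war> <catalina_base>
  [ -f "$1" ] || { echo "no such WAR: $1" >&2; return 1; }
  [ -d "$2/webapps" ] || { echo "no webapps directory under $2" >&2; return 1; }
  cp "$1" "$2/webapps/BanditIdP.war"
}

# Step 5: create the configuration directory outside the exploded web app so a
# redeploy cannot wipe it. Mode 700 is an added precaution, not from the notes.
make_conf_dir() {  # usage: make_conf_dir <catalina_base> <dir>; prints resolved path
  local base parent dir
  base=$(cd "$1" && pwd -P) || return 1
  parent=$(cd "$(dirname "$2")" && pwd -P) || return 1
  dir="$parent/$(basename "$2")"
  case "$dir/" in
    "$base"/webapps/*) echo "refusing: $dir is inside webapps" >&2; return 1 ;;
  esac
  mkdir -p "$dir" && chmod 700 "$dir" && printf '%s\n' "$dir"
}

# Step 9: confirm the alias exists in Tomcat's keystore before typing it into the
# form. keytool prompts for the password, keeping it out of the process list.
check_alias() {    # usage: check_alias <keystore> <alias>
  keytool -list -keystore "$1" -alias "$2" >/dev/null
}

# Run as: CATALINA_BASE=/path/to/tomcat ./preflight.sh preflight <fqdn> <war> <keystore>
if [ "${1:-}" = "preflight" ]; then
  base=${CATALINA_BASE:?set CATALINA_BASE}
  check_tomcat "$2" && deploy_war "$3" "$base" &&
    make_conf_dir "$base" "$base/conf/banditidp" && check_alias "$4" tomcat
fi
```

The path printed by make_conf_dir is the value to enter in the configuration directory field in step 4.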