To prevent any service interruptions while moving a Shibboleth service provider protected website to a new server, it is recommended to follow these steps:

1. Ensure that the new server meets the system requirements for the Shibboleth service provider software.
2. Install the Shibboleth service provider software on the new server.

3. Log on to your old server. Go to the Shibboleth installation directory (/etc/shibboleth on Linux, c:\opt\shibboleth-sp on Windows). Verify the expiration date of the encryption certificate (the signing certificate usually has the same expiration date as the encryption certificate, so you only need to verify the encryption certificate).

    Open sp-encrypt-cert.pem in a text editor, copy the content and paste it into the online certificate decoder: https://www.sslshopper.com/certificate-decoder.html. It will tell you the expiration date.

4. Log on to your new server. Go to the Shibboleth installation directory. Copy the Shibboleth configuration files (shibboleth2.xml and attribute-map.xml) from the old server to the new server.

5. If the encryption certificate on your old server is still valid for a long time, copy the certificate files to the new server.

    Certificate files: sp-encrypt-cert.pem, sp-encrypt-key.pem, sp-signing-cert.pem, sp-signing-key.pem

    Skip step 6.

6. If the encryption certificate on your old server is close to expiring:

  • Do NOT copy the certificate files to the new server. Use the newly generated certificates on the new server instead (the encryption certificate and signing certificate are generated automatically during Shibboleth SP installation. If they are not generated, follow the Shibboleth installation guide to generate them).
  • Open shibboleth2.xml and change the entityID to a different value.
  • Get your SP's new metadata, then submit it at https://shibrequest.cit.cornell.edu

7. For testing, update the hosts file on your own laptop to map your website's hostname to the new server's IP address. After you change the hosts file, your browser should send requests to the new server when you access the site.

    Example: 56.94.3.42 mysite.cit.cornell.edu

8. Test the new server to ensure that the Shibboleth service provider is functioning correctly.

By following these steps, you can avoid any potential disruptions to your Shibboleth service provider protected website when moving it to a new server.
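
A local alternative for the expiry check behind steps 3, 5 and 6, as an added example that is not part of the original page: it reads the certificates with `openssl` on the server itself, so nothing has to be pasted into a website, and it checks the signing certificate as well as the encryption certificate. The 365-day threshold (`MIN_DAYS`) and the script name are assumptions; the page only says "a long time".

```shell
#!/bin/sh
# Added example: decide between step 5 (copy) and step 6 (regenerate) locally.
# MIN_DAYS is an assumed threshold; the page only says "a long time".
MIN_DAYS="${MIN_DAYS:-365}"

# cert_valid_for CERT DAYS: succeeds if CERT is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_action CERT: prints "copy", "regenerate", or "unreadable" (returns 2).
cert_action() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 2
    fi
    if cert_valid_for "$1" "$MIN_DAYS"; then
        echo "copy"
    else
        echo "regenerate"
    fi
}

# migration_decision DIR: checks both SP certificates in DIR. Per-file details
# go to stderr; the overall decision goes to stdout. One certificate close to
# expiry is enough to choose step 6, since that step replaces both of them.
# A missing or unparseable file yields "unreadable" instead of a decision.
migration_decision() {
    dir="$1"
    decision="copy"
    for name in sp-encrypt-cert.pem sp-signing-cert.pem; do
        action=$(cert_action "$dir/$name") || true
        end=$(openssl x509 -in "$dir/$name" -noout -enddate 2>/dev/null) || end="notAfter=?"
        echo "$name: $end -> $action" >&2
        case "$action" in
            copy) ;;
            regenerate) [ "$decision" = "unreadable" ] || decision="regenerate" ;;
            *) decision="unreadable" ;;
        esac
    done
    echo "$decision"
}

# Run as: sh check-sp-certs.sh /etc/shibboleth   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    migration_decision "$1"
fi
```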