From: ndk
Date: Tue, 20 Apr 2004 18:00:29 +0000 (+0000)
Subject: Compliance & typo fixes.
X-Git-Tag: v2.1.3~1633
X-Git-Url: https://repo.niif.hu/gitweb/gitweb.cgi?p=java-idp.git;a=commitdiff_plain;h=77af6cd4940d3537c15e4367c95b2b4ada023f1d

Compliance & typo fixes.

git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1003 ab3bd59b-922f-494d-bb5f-6f0a3c29deca
---
diff --git a/doc/DEPLOY-GUIDE-ORIGIN.html b/doc/DEPLOY-GUIDE-ORIGIN.html
index 2653409..96b802d 100644
--- a/doc/DEPLOY-GUIDE-ORIGIN.html
+++ b/doc/DEPLOY-GUIDE-ORIGIN.html
@@ -1032,12 +1032,12 @@ configuration

4.e. metadatatool

The Shibboleth origin leverages metadata distributed by relying parties and federations to validate the identity of requesters and the resource providers on whose behalf the request is being made. This metadata is cached locally in the form of sites.xml files. Shibboleth includes a simple utility called metadatatool which can be used to refresh a sites.xml file. These files are then pointed to by FederationProvider elements in shibboleth.xml.

-

The following command is appropriate for most deployments and is run from the $SHIB_HOME directory. This should be frequently run by adding it to a crontab/span> to ensure that the data is fresh.

+

The following command is appropriate for most deployments and is run from the $SHIB_HOME directory. This should be frequently run by adding it to a crontab to ensure that the data is fresh.

bin/metadatatool -i https://wayf.internet2.edu/InQueue/sites.xml -k conf/internet2.jks -p shib123 -a sitesigner -o /your_path_here/sites.xml

This is a list of all the command-line parameters that may be specified:

-
when signing: -i -s -k -a -p [-o -]
-when updating: -i [-k -a OR -N ] [-o ]
+
when signing: -i <uri> -s -k <keystore> -a <alias> -p <pass> [-o +<outfile>]
+when updating: -i <uri> [-k <keystore> -a <alias> OR -N ] [-o <outfile>]
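Review bot: the two usage synopses on the `+` lines are inconsistent with each other and with the parameter list that follows: in signing mode `-s` is the only option shown without a placeholder (compare `-k <keystore> -a <alias> -p <pass>`), and `-N`, offered in updating mode as the alternative to `-k <keystore> -a <alias>`, is never described. The example command relies on that keystore/alias pair (`-k conf/internet2.jks -a sitesigner`), so a one-line entry for `-N` stating what the tool does differently when it is given instead of a keystore and alias would let a deployer see what they give up by using it. The `-` lines had lost their `<uri>` and `<keystore>` placeholders (most likely unescaped angle brackets swallowed by the browser), so restoring them as the `+` lines do is the right fix, as is dropping the stray `/span>` after `crontab`.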
@@ -1171,7 +1171,7 @@ when updating: -i [-k -a OR -N ] [-o ]
class="mandatory">mandatory by a purple background.

-
<ArpRepository implementation ="edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository">
+
<ArpRepository implementation ="edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository">

This element specifies an individual implementation of a release policy engine, with the given value specifying Shibboleth's file-based ARP repository implementation, which is currently the only @@ -1192,7 +1192,7 @@ when updating: -i [-k -a OR -N ] [-o ]
group entries would have ARP attributes, and all those ARP's would be applicable.

-
<CAPath>pathname</CAPath>
+
<CAPath>pathname</CAPath>
Paired with a Path element and contained by a FileResolver @@ -1202,14 +1202,14 @@ when updating: -i [-k -a OR -N ] [-o ]
may be specified. The expectations of the target and the federation may determine the necessity for the use of this field.
-
<CertAlias>string</CertAlias>
+
<CertAlias>string</CertAlias>
Specifies the alias for the certificate corresponding to the private key used by the HS. If no alias is specified, defaults to the private key's alias. Contained by the KeyStoreResolver element.
-
<Certificate format="type">
+
<Certificate format="type">
This specifies the certificate corresponding to this set of credentials. The certificate itself must be referred to using a Path element @@ -1223,7 +1223,7 @@ when updating: -i [-k -a OR -N ] [-o ]
and must be paired with the corresponding private key using the Key element.
-
<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
+
<Credentials xmlns="urn:mace:shibboleth:credentials:1.0">
This element is the container for credentials used by the credential mechanism specified by the [-k -a OR -N ] [-o ]
class="fixed">KeyStoreResolver
element for compound keystores.
-
<ErrorLog level="level" location="URL">
+
<ErrorLog level="level" location="URL">
Paired with a TransactionLog element, this will log any errors encountered by the origin above a certain logging threshold to a @@ -1248,7 +1248,7 @@ when updating: -i [-k -a OR -N ] [-o ]
Must be contained by a Logging element.
-
<FederationProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadataLoadWrapper" uri="pathname"/>
+
<FederationProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadataLoadWrapper" uri="pathname"/>
Individual sets of targets in the form of a sites.xml file that this origin will trust to make requests may be specified by adding [-k -a OR -N ] [-o ]
federations. This file should be regularly refreshed using metadatatool.
-
<FileResolver Id="string">
+
<FileResolver Id="string">
This element defines a pair of files used to store a private key and certificate associated with a given identifier and is contained by the [-k -a OR -N ] [-o ]
contain one
Certificate element.
-
<HSNameFormat nameMapping="id"/>
+
<HSNameFormat nameMapping="id"/>
Individual RelyingParty elements may contain this element to specify the [-k -a OR -N ] [-o ]
relying party. If this element is not present, default Shibboleth handles will be used.
-
<Key format="type">
+
<Key format="type">
This specifies the file containing a private key to be used by a set of credentials. Valid encodings are PEM and DER. Keys are @@ -1293,43 +1293,43 @@ when updating: -i [-k -a OR -N ] [-o ]
class="fixed">Certificate element, and contain a Path element.
-
<KeyAlias>string</KeyAlias>
+
<KeyAlias>string</KeyAlias>
Specifies the alias used for accessing the private key. Contained by the KeyStoreResolver element.
-
<KeyPassword>string</KeyPassword>
+
<KeyPassword>string</KeyPassword>
Specifies the password used to retrieve the private key. Contained by the KeyStoreResolver element.
-
<KeyStoreKeyAlias>string</KeyStoreKeyAlias>
+
<KeyStoreKeyAlias>string</KeyStoreKeyAlias>
Specifies the alias used for accessing the private key. Contained by the NameMapping element when a CryptoHandleGenerator type is specified.
-
<KeyStoreKeyPassword>string</KeyStoreKeyPassword>
+
<KeyStoreKeyPassword>string</KeyStoreKeyPassword>
Specifies the password used to retrieve the private key. Contained by the NameMapping element when a CryptoHandleGenerator type is specified.
-
<KeyStorePassword>string</KeyStorePassword>
+
<KeyStorePassword>string</KeyStorePassword>
Specifies the password to access the keystore containing the private key to be used for symmetric encryption. Contained by the NameMapping element when a CryptoHandleGenerator type is specified.
-
<KeyStorePath>string</KeyStorePath>
+
<KeyStorePath>string</KeyStorePath>
Specifies the location of the keystore containing the private key to be used for symmetric encryption to pass handles between the HS and AA. Contained by the NameMapping element when a CryptoHandleGenerator type is specified.
-
<KeyStoreResolver Id="string" storeType="type">
+
<KeyStoreResolver Id="string" storeType="type">
This element is contained by the Credentials element and to specify a keystore that contains both the certificate and @@ -1348,7 +1348,7 @@ when updating: -i [-k -a OR -N ] [-o ]
href="#confCertAlias">CertAlias element.
-
<Log4JConfig location="pathname"/>
+
<Log4JConfig location="pathname"/>
This element informs Shibboleth to utilize Log4J as a logging system and points to the relevant configuration file using the location attribute. A basic configuration is @@ -1362,7 +1362,7 @@ when updating: -i [-k -a OR -N ] [-o ]
class="fixed">TransactionLog or ErrorLog element.
-
<Logging>
+
<Logging>
This container element identifies a logging method for both the HS and AA to use and may not occur more than once. Three different logging methods may be specified depending on what is placed @@ -1379,7 +1379,7 @@ when updating: -i [-k -a OR -N ] [-o ]
format="URN"
handleTTL="seconds"
id="string"
-type="type"/>
+type="type"/>
This element defines a name mapping system to create SAML assertion subject names for users; in standard Shibboleth, this will be the creation of a handle to be given to the SHAR and shared with @@ -1415,19 +1415,19 @@ shared in-memory repository.
-
<Path>pathname</Path>
+
<Path>pathname</Path>
This mandatory element specifies the path to a file or directory utilized by other elements of the configuration. It may be contained by various elements to point to different types of files required by the origin.
-
<ReleasePolicyEngine>
+
<ReleasePolicyEngine>
The ReleasePolicyEngine element is used to specify a class of release policy processing. This should contain one ArpRepository element.
-
<RelyingParty name="URN"
+
<RelyingParty name="URN"
AAsigningCredential="string"
AAUrl="URL"
defaultAuthMethod="URN"
@@ -1437,7 +1437,7 @@ signAttrAssertions="true/false"
signAttrResponses="true/false"
signAuthAssertions="true/false"
signAuthResponses="true/false"
-signingCredential="string">
+signingCredential="string">

The RelyingParty element is used to specify one or more relying parties that this origin must recognize. This includes any federations the origin is a member of, any @@ -1483,7 +1483,7 @@ signingCredential="string">

provider is a member of.
  • AAsigningCredential: This attribute must equal the identifier of one of the FileResolver + href="#confFileResolver">FileResolver Id's. A separate set of credentials may be specified for the AA's signing of assertions/SSL session identification using this attribute, as opposed to the HS' signing of assertions. If this is not specified @@ -1539,7 +1539,7 @@ signingCredential="string"> one or more assertions. Defaults to true.
  • signingCredential: This attribute must - equal the identifier of one of the FileResolver Id's. This allows the origin to use different signing keys and certificates for exchanges with different federations or targets. Ensure that the appropriate signing @@ -1561,7 +1561,7 @@ authHeaderName="string"
    defaultAuthMethod="URN"
    maxHSThreads="integer"
    passThruErrors="true/false"
    -resolverConfig="pathname"> +resolverConfig="pathname">

    This is the primary element that defines an origin.xml file and is the container for every other element and must appear once and only once. For most deployments, all the xmlns attributes, which specify the handlers for different aspects of origin operation, should remain unchanged. The mandatory attributes must be changed before operating the origin.

    • defaultRelyingParty: This specifies the relying party to use for a request when no RelyingParty element's name attribute matches the policy URN of an incoming request. Typically, this will be populated with the URN of a federation.
    • @@ -1597,10 +1597,10 @@ resolverConfig="pathname">
    -
    <StorePassword>string</StorePassword>
    +
    <StorePassword>string</StorePassword>
    Specifies the password for the keystore. Contained by the KeyStoreResolver element.
    -
    <TransactionLog location="URL">
    +
    <TransactionLog location="URL">
    Paired with an ErrorLog element, this will log all transactions that the origin is involved in. The information in this file is sensitive and may be useful for auditing and security purposes. Must be contained by a Logging element.
  • -i,--ininput file or url
    -k,--keystorepathname of Java keystore file
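Review bot: the `ArpRepository` hunk carries a stray space before the equals sign on both the `-` and `+` sides (`<ArpRepository implementation ="edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository">`); readers copy these element lines into origin.xml, and since the commit is billed as typo fixes it should become `implementation="..."`. The commit message also says nothing about which markup the many visually identical `-`/`+` element lines actually change, so a future reader of the log cannot tell what "compliance" refers to; a clause naming the attribute or tag that was rewritten would fix that.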
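Review bot: the `KeyStoreResolver` hunk leaves an ungrammatical context line, "This element is contained by the Credentials element and to specify a keystore that contains both the certificate and", which should read "and is used to specify". In the same region the alias and password entries are word-for-word duplicates that differ only in their containing element: `KeyAlias`/`KeyStoreKeyAlias` both say "Specifies the alias used for accessing the private key" and `KeyPassword`/`KeyStoreKeyPassword` both say "Specifies the password used to retrieve the private key". Say which keystore each refers to, the credentials keystore under `KeyStoreResolver` versus the handle-encryption keystore under `NameMapping` that `KeyStorePath` describes, so a deployer does not set the wrong one.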
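Review bot: the `TransactionLog` hunk states that the file's contents are sensitive but gives no guidance beyond "may be useful for auditing and security purposes"; since `location` is a URL the deployer chooses, add a sentence that the log should be written to a path readable only by the account running the origin, and the same applies to the paired `ErrorLog`. The password-bearing elements documented earlier in this patch (`KeyPassword`, `KeyStoreKeyPassword`, `KeyStorePassword`, `StorePassword`) hold plaintext values in origin.xml, so the same file-permission advice belongs with them.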