From 0c6d37da7fd91bacac14137acc45ae430acea673 Mon Sep 17 00:00:00 2001 From: ndk Date: Tue, 20 Apr 2004 17:46:58 +0000 Subject: [PATCH] Documents metadatatool and includes a couple other minor changes. git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1002 ab3bd59b-922f-494d-bb5f-6f0a3c29deca --- doc/DEPLOY-GUIDE-ORIGIN.html | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/doc/DEPLOY-GUIDE-ORIGIN.html b/doc/DEPLOY-GUIDE-ORIGIN.html index c26a784..2653409 100644 --- a/doc/DEPLOY-GUIDE-ORIGIN.html +++ b/doc/DEPLOY-GUIDE-ORIGIN.html @@ -223,6 +223,7 @@ that arises. Please ensure that you have the
  • Establishing default ARP's for the origin community
    • +
  • metadatatool
  • @@ -1028,6 +1029,30 @@ configuration information regarding how ARP's are processed or syntactically formed, please refer to section 5.b.i.

    +

    4.e. metadatatool

    +
    +

    The Shibboleth origin leverages metadata distributed by relying parties and federations to validate the identity of requesters and the resource providers on whose behalf the request is being made. This metadata is cached locally in the form of sites.xml files. Shibboleth includes a simple utility called metadatatool which can be used to refresh a sites.xml file. These files are then pointed to by FederationProvider elements in shibboleth.xml.

    +

    The following command is appropriate for most deployments and is run from the $SHIB_HOME directory. This should be frequently run by adding it to a crontab/span> to ensure that the data is fresh.

    +
    bin/metadatatool -i https://wayf.internet2.edu/InQueue/sites.xml -k conf/internet2.jks -p shib123 -a sitesigner -o /your_path_here/sites.xml
    +

    This is a list of all the command-line parameters that may be specified:

    +
    when signing: -i -s -k -a -p [-o +]
    +when updating: -i [-k -a OR -N ] [-o ]
    + + + + + + + + + + + +
    -i,--ininput file or url
    -k,--keystorepathname of Java keystore file
    -a,--aliasalias of signing or verification key
    -p,--passwordkeystore/key password
    -o,--outfilewrite signed copy to this file instead of stdout
    -s,--signsign the input file and write out a signed version
    -N,--noverifyallows update of file without signature check
    -h,--helpprint a list of configuration options
    -x,--nsXML namespace of root element
    -n,--namename of root element
    +
    +

    Shibboleth 1.2 still utilizes mod_ssl for verification of certificates presented by SHAR's when processing attribute requests. This requires an updated ca-bundle.crt to ensure that all appropriate certificate authorities used by relying parties are recognized.

    +


    @@ -1223,7 +1248,7 @@ configuration Must be contained by a Logging element. -
    <confFederationProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadataLoadWrapper" uri="pathname"/>
    +
    <FederationProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadataLoadWrapper" uri="pathname"/>
    Individual sets of targets in the form of a sites.xml file that this origin will trust to make requests may be specified by adding class="fixed">ShibbolethOriginConfig element for each. The URI points to a sites.xml file, which is generally distributed by - federations.
    + federations. This file should be regularly refreshed using + metadatatool.
    <FileResolver Id="string">
    This element defines a pair of files used to store a -- 1.7.10.4