Changes between Version 14 and Version 15 of IdpKeyRollOver


Timestamp:
09/28/11 09:55:14 (13 years ago)
Author:
jpmitchell@…
Comment:

--

  • IdpKeyRollOver

    v14 v15  
    3131}}} 
    3232 
    33 2. Copy the key/certificate into the credentials directory of the IdP installation. You will need to do this on all Shibboleth [[https://iam.alaska.edu/projects/wiki/IamProjectHosts|servers]] as the credential directory is not managed in subversion. 
     332. Copy the key/certificate into the credentials directory of the IdP installation. You will need to do this on all Shibboleth servers as the credential directory is not managed in subversion. See [ [#IamProjectHosts IAM Project Hosts] ]. 
    3434{{{ 
    3535-bash-3.2$ cp idp.new.crt /opt/shibboleth-idp/credentials/ 
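Review bot: the rewritten step 2 replaces the inline "[[url|label]]" link with "See [ [#IamProjectHosts IAM Project Hosts] ]"; the bracket form with a space between "[ [" is not the link syntax used elsewhere on the page, so confirm it actually renders as an anchor link to the reference added at the bottom. The command shown, "cp idp.new.crt /opt/shibboleth-idp/credentials/", copies only the certificate although the sentence says "key/certificate"; either show the key copy alongside it or state that the key is handled separately, and since the credentials directory is explicitly not under version control it is worth stating that the private key must land with owner-only permissions on every host.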
     
    1701705. Submit the new certificate to !InCommon for inclusion in the next federation metadata publication. This occurs daily and is done from an administrative web interface. See David Bantz for more details as he currently is the only individual with access to this. 
    171171 
    172 6. Test config changes according to [[https://iam.alaska.edu/shib/wiki/TestIdPConfig|Test IdP Config Change]] procedure. 
    173  
    174 7. Notify non-federation SPs of metadata change and instruct them to update. SPs in the !InCommon federation should be polling the !InCommon metadata [[http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml|distribution]] point daily. Wait for SPs to get metadata. 
     1726. Test config changes according to procedure. See [ [#TestIdPConfig Test IdP Config Change] ]. 
     173 
     1747. Notify non-federation SPs of metadata change and instruct them to update. SPs in the !InCommon federation should be polling the !InCommon metadata distribution point daily. Wait for SPs to get metadata. See [ [#InCommonMetadata InCommon Metadata] ]. 
    175175 
    1761768. Move to the new key/certificate and delete the old key/certificate "security:Credential" stanza in the relying party configuration. After this step there should be //only// one "security:Credential" stanza that points to the key/cert. **Note**: The id //must// be "IdPCredential".  
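Review bot: step 7 ends with "Wait for SPs to get metadata" but gives no concrete wait or check before step 8 deletes the old "security:Credential" stanza; since the same sentence states that InCommon SPs poll the distribution point daily, suggest requiring at least one full polling cycle and a quick confirmation (for example, that the published federation metadata now carries the new certificate) before the old credential is removed, because dropping it early breaks signature validation for any SP still holding only the old certificate. Steps 6 and 7 use the same "[ [#TestIdPConfig ...] ]" / "[ [#InCommonMetadata ...] ]" bracket form as step 2; check that it renders as a link.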
     
    201201-bash-3.2$ openssl pkcs8 -topk8 -nocrypt -in idp.new.key -out idp.new.key.der -outform der 
    202202-bash-3.2$ openssl x509 -in idp.new.crt -out idp.new.crt.der -outform der 
     203-bash-3.2$ openssl x509 -in incommon.crt -out incommon.crt.der -outform der 
     204-bash-3.2$ openssl x509 -in addtrust.crt -out addtrust.crt.der -outform der 
     205-bash-3.2$ cat incommon.crt.der addtrust.crt.der >> idp.new.crt.der 
    203206-bash-3.2$ java ImportKey idp.new.key.der idp.new.crt.der  
    204207Using keystore-file : /opt/tomcat/temp/keystore.ImportKey 
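Review bot: the new line "cat incommon.crt.der addtrust.crt.der >> idp.new.crt.der" appends the chain in place, so re-running the step (or running it after the preceding openssl x509 command has already been executed once) leaves duplicate or stale certificates in the file handed to ImportKey; prefer writing a separate chain file with ">" (for example "cat idp.new.crt.der incommon.crt.der addtrust.crt.der > idp.new.chain.der") and passing that file to "java ImportKey idp.new.key.der idp.new.chain.der". The order produced here (end-entity certificate, InCommon Server CA, AddTrust root) is the correct leaf-to-root order. Suggest adding a verification step after the import, such as "keytool -list -v" on /opt/tomcat/temp/keystore.ImportKey, to confirm the chain length and that the entry holds the new certificate before the keystore is moved into place.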
     
    232235}}} 
    233236 
    234 12. Test config changes according to [[https://iam.alaska.edu/shib/wiki/TestIdPConfig|Test IdP Config Change]] procedure.  
     23712. Test config changes according to procedure. See [ [#TestIdPConfig Test IdP Config Change] ] 
    235238 
    236239References: 
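Review bot: the replacement step 12 lost the trailing period and uses the same "[ [#TestIdPConfig Test IdP Config Change] ]" bracket form as steps 2, 6 and 7; confirm it renders as an anchor link. Because this is the test run after the old credential has been removed in step 8, it would help to say what the test must confirm at this point, namely that SPs still validate assertions signed only with the new key.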
     
    238241* [=#InCommonCert][[https://www.incommon.org/cert/repository/AddTrustExternalCARoot.txt|AddTrust External CA Root]] 
    239242* [=#AddTrustCert][[https://www.incommon.org/cert/repository/InCommonServerCA.txt|InCommon Server CA]] 
     243* [=#IamProjectHosts][[https://iam.alaska.edu/projects/wiki/IamProjectHosts|IAM Project Hosts]] 
     244* [=#TestIdPConfig][[https://iam.alaska.edu/shib/wiki/TestIdPConfig|Test IdP Config Change]] 
     245* [=#InCommonMetadata][[http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml|InCommon Metadata Distribution Point]]
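Review bot: the anchor names on the two existing certificate references are swapped relative to their targets: [=#InCommonCert] is attached to the "AddTrust External CA Root" link and [=#AddTrustCert] to the "InCommon Server CA" link. Anyone following #InCommonCert to obtain the file used as incommon.crt in the DER conversion step lands on the AddTrust root instead; swap the two anchors so each matches its link text. The three new anchors (IamProjectHosts, TestIdPConfig, InCommonMetadata) do match the "See [ [#...] ]" references added in steps 2, 6, 7 and 12.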