Changes between Version 1 and Version 2 of IdpKeyRollOver

Timestamp:

07/07/11 17:17:19 (13 years ago)

Author:

jpmitchell@…

Comment:

--

IdpKeyRollOver

@@ -37 +37 @@
 }}}
 
-3. Add the new key/certificate to the relying party configuration:
+3. Add the new key/certificate to the relying party configuration. After this step there should be two "security:Credential" stanzas. One with the "IdPCredential" id and one with the "IdPCredentialNew" id.
 {{{
 -bash-3.2$ svn co svn+ssh://sxjpm@iron.alaska.edu/usr/local/iam/shib-svn/idp/trunk/conf
@@ -51 +51 @@
 }}}
 
-4. Add the new key/certificate to the IdP metadata:
+4. Add the new key/certificate to the IdP metadata. There should be two "<!KeyDescriptor>" stanzas after this step in the metadata for the "<IDPSSODescriptor>" stanza and the "<!AttributeAuthorityDescriptor>" stanza.
 {{{
 -bash-3.2$ cat idp.new.crt 
@@ -167 +167 @@
 -bash-3.2$ svn ci metadata/idp-metadata.xml -m "Added new IdP cert."
 }}}
+
 5. Submit the new certificate to !InCommon for inclusion in the next federation metadata publication. This occurs daily and is done from an administrative web interface. See David Bantz for more details as he currently is the only individual with access to this.
 
-6. Restart the IdP or wait for the reload interval of 15 minutes:
-{{{
--bash-3.2$ /opt/tomcat/bin/shutdown.sh
--bash-3.2$ ps -ef | grep tomcat
-tomcat    9097     1  0 Jun06 ?        00:26:23 /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Xmx1024m -XX:MaxPermSize=128m -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/opt/tomcat/endorsed -classpath /opt/tomcat/bin/bootstrap.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start
-root      9821  2633  0 15:22 pts/1    00:00:00 su - tomcat
-tomcat    9823  9821  0 15:22 pts/1    00:00:00 -bash
-tomcat   12913  9823  0 15:46 pts/1    00:00:00 ps -ef
-tomcat   12914  9823  0 15:46 pts/1    00:00:00 grep tomcat
--bash-3.2$ /opt/tomcat/bin/startup.sh
-}}}
-
-7. Test config changes according to [[https://iam.alaska.edu/shib/wiki/TestIdPConfig|Test IdP Config Change]] procedure.
-
-8. 
+6. Test config changes according to [[https://iam.alaska.edu/shib/wiki/TestIdPConfig|Test IdP Config Change]] procedure.
+
+7. Wait for SPs to get metadata. SPs in the !InCommon federation should be polling the !InCommon metadata [[http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml|distribution]] point daily.
+
+8. Move to the new key/certificate and delete the old key/certificate "security:Credential" stanza in the relying party configuration. After this step there should be //only// one "security:Credential" stanza that points to the key/cert.
+{{{
+-bash-3.2$ svn co svn+ssh://sxjpm@iron.alaska.edu/usr/local/iam/shib-svn/idp/trunk/conf
+-bash-3.2$ vi conf/relying-party.xml
+...
+    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
+        <security:PrivateKey>/opt/shibboleth-idp/credentials/idp.new.key</security:PrivateKey>
+        <security:Certificate>/opt/shibboleth-idp/credentials/idp.new.crt</security:Certificate>
+    </security:Credential>
+...
+:wq!
+-bash-3.2$ svn ci conf/relying-party.xml -m "Moved to new IdP key/cert and deleted old IdP key/cert."
+}}}
+
+9. Move to the new key/certificate in the IdP metadata. There should be one "<!KeyDescriptor>" stanzas after this step in the metadata for the new cert in the "<IDPSSODescriptor>" stanza and the "<!AttributeAuthorityDescriptor>" stanza.
+{{{
+-bash-3.2$ svn co svn+ssh://sxjpm@iron.alaska.edu/usr/local/iam/shib-svn/idp/trunk/metadata
+-bash-3.2$ vi metadata/idp-metadata.xml
+...
+:wq!
+-bash-3.2$ svn ci metadata/idp-metadata.xml -m "Moved to new IdP cert and deleted old cert."
+
+10. Create a new Java Key Store for Tomcat containing the new key/cert for securing the back channel.
+{{{
+
+}}}