Per-Entity Metadata Working Group list archive

Re: [Per-Entity] UKf MDQ server


  • From: Rhys Smith <>
  • Subject: Re: [Per-Entity] UKf MDQ server
  • Date: Thu, 24 Nov 2016 17:15:43 +0000

FYI, for those interested.

Finally found the time to switch the signing key used for the UKf MDQ to a
new one.

So the UKf aggregates are at http://metadata.ukfederation.org.uk/foo and
signed by our old key, imported into and held on the HSM; MDQ is at
http://mdq.ukfederation.org.uk/foo and signed by our new key, generated on,
and held on, the HSM.

So the UKf’s MDQ service is now essentially production ready and live, and
we’ll start to get customers to start using it in anger soon.

Still interested in ways we can work together to share things and make things
more resilient, though, as I suspect you all know :-).

Rhys.


> On 28 Oct 2016, at 15:08, Nicholas Roy wrote:
>
> Thanks Rhys, makes sense.
>
> Nick
>
> On 10/28/16 6:12 AM, Rhys Smith wrote:
>> This is a temporary work around until Azure adds native v6 support. When
>> it does, we can get rid of it.
>>
>> The v6 proxies are a redundant pair of VMs, so yes, they are introducing
>> an extra point of failure, but it’s been designed so it’s a fairly low
>> risk of failing. The two VMs are geographically resilient, and all they
>> are is apache servers proxying requests to the v4 servers, so there’s not
>> much to go wrong at the application level.
>>
>> For us, not supporting v6 was not an option - we’ve had v6 support on our
>> MD dist servers for many years now, and didn’t want to make refreshing the
>> infrastructure introduce retrograde steps.
>>
>> Rhys.
>> --
>> Dr Rhys Smith
>> Chief Technical Architect, Trust & Identity
>> Jisc
>>
>> T: +44 (0) 1235 822145
>> M: +44 (0) 7968 087821
>> Skype: rhys-smith
>> GPG: 0x4638C985
>> Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
>>
>> jisc.ac.uk
>>
>> Jisc is a registered charity (number 1149740) and a company limited by
>> guarantee which is registered in England under Company No. 5747339, VAT
>> No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower
>> Hill, Bristol, BS2 0JA. T 0203 697 5800.
>>
>>> On 27 Oct 2016, at 22:37, Nicholas Roy wrote:
>>>
>>> Is the addition of in-house infrastructure that proxies v6 introducing an
>>> additional point of failure? Do you think the risk is worth supporting
>>> v6 right now?
>>>
>>> Thanks,
>>>
>>> Nick
>>>
>>> On 10/27/16 12:55 PM, Tom Scavo wrote:
>>>> On Thu, Oct 27, 2016 at 12:22 PM, Rhys Smith wrote:
>>>>> What’s weird is that the first two worked at all… Unless your client
>>>>> decided to do v4 for those queries for some reason. If it did work over
>>>>> v6, I have *no* idea how!
>>>> After you made the patch, I can confirm that all three use IPv6.
>>>> However, I don't have verbose output that pre-dates your patch, sorry.
>>>>
>>>> Tom
>>>>
>>>>>> On 27 Oct 2016, at 13:37, Tom Scavo wrote:
>>>>>>
>>>>>> On Thu, Oct 27, 2016 at 8:25 AM, Rhys Smith wrote:
>>>>>>> Should be fixed…
>>>>>> Yup, works great.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Tom
>>>>>>
>>>>>>>> On 27 Oct 2016, at 13:04, Rhys Smith wrote:
>>>>>>>>
>>>>>>>> Oh bo*****s. Yes, sorry, that’s v6 at play. The UKf infrastructure
>>>>>>>> is v4 only hosted in azure, with a set of v6 proxies hosted on our
>>>>>>>> own infrastructure that proxies to the v4 for the MD dist and CDS. I
>>>>>>>> set up the MDQ stuff on the servers themselves, and forgot to update
>>>>>>>> the v6 proxy config accordingly.
>>>>>>>>
>>>>>>>> Thanks for pointing this out :-). I’ll fix that later so v6 works as
>>>>>>>> well.
>>>>>>>>
>>>>>>>> Rhys.
>>>>>>>>
>>>>>>>>> On 27 Oct 2016, at 12:47, Tom Scavo wrote:
>>>>>>>>>
>>>>>>>>> On Thu, Oct 27, 2016 at 2:09 AM, Rhys Smith wrote:
>>>>>>>>>>> On 27 Oct 2016, at 01:28, Tom Scavo wrote:
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Oct 26, 2016 at 5:11 PM, Rhys Smith wrote:
>>>>>>>>>>>>> On 26 Oct 2016, at 22:04, Rhys Smith wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> UKf Test IdP: curl --compress http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>>>>> UKf Test IdP (SHA1 query): curl --compress http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D9bbc0354ea6f33ee008fcbe3c7680c0460e9cd1b
>>>>>>>>>>>> Sorry, that second one should be: curl --compress http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D52e2065fc0d53744e8d4ee2c2f30696ebfc5def9
>>>>>>>>>>> The latter two URLs work fine, the first one does not.
>>>>>>>>>> Does not in what way? Seems to work for me.
>>>>>>>>> That's weird, I get 404 not found:
>>>>>>>>>
>>>>>>>>> $ curl --version
>>>>>>>>> curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
>>>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>>>> Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets
>>>>>>>>>
>>>>>>>>> $ curl --verbose --compress http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>> * Trying 2001:630:1:174::83...
>>>>>>>>> * Trying 52.169.160.61...
>>>>>>>>> * Connected to mdq.ukfederation.org.uk (2001:630:1:174::83) port 80 (#0)
>>>>>>>>>> GET /entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth HTTP/1.1
>>>>>>>>>> Host: mdq.ukfederation.org.uk
>>>>>>>>>> User-Agent: curl/7.43.0
>>>>>>>>>> Accept: */*
>>>>>>>>>> Accept-Encoding: deflate, gzip
>>>>>>>>>>
>>>>>>>>> < HTTP/1.1 404 Not Found
>>>>>>>>> < Date: Thu, 27 Oct 2016 11:43:49 GMT
>>>>>>>>> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
>>>>>>>>> < Content-Length: 258
>>>>>>>>> < Content-Type: text/html; charset=iso-8859-1
>>>>>>>>> <
>>>>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>>>>>> <html><head>
>>>>>>>>> <title>404 Not Found</title>
>>>>>>>>> </head><body>
>>>>>>>>> <h1>Not Found</h1>
>>>>>>>>> <p>The requested URL /entities/https://test-idp.ukfederation.org.uk/idp/shibboleth was not found on this server.</p>
>>>>>>>>> </body></html>
>>>>>>>>> * Connection #0 to host mdq.ukfederation.org.uk left intact

Attachment: smime.p7s
Description: S/MIME cryptographic signature
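As an added example (not code from the thread, from Jisc or from the UK federation), the Python below builds the two query forms used in the curl commands quoted above, the percent-encoded entityID and the `{sha1}` transformed identifier, and sanity-checks an MDQ response body before a client trusts it. The base URL is the one from the thread and may have changed since; the sample EntityDescriptor is constructed, its signature element is a placeholder, and the checks confirm only that a signature is present and that the returned entityID is the one that was asked for. They do not verify the signature, which would need the MDQ signing key that, as the thread notes, is now different from the key used for the aggregates.

```python
"""MDQ (per-entity metadata) request construction and response sanity checks.

Added example, not code from the UK federation or from this thread.
"""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Assumed base URL, taken from the thread; the live service may differ today.
MDQ_BASE = "http://mdq.ukfederation.org.uk"


def sha1_identifier(entity_id: str) -> str:
    """Transformed identifier: '{sha1}' followed by lowercase hex SHA-1 of the entityID."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def entity_url(base: str, identifier: str) -> str:
    """Percent-encode the identifier as a single path segment.

    Every reserved character must be encoded, including ':' and '/' in an
    entityID and '{' / '}' in a transformed identifier, hence safe=''.
    """
    return f"{base.rstrip('/')}/entities/{quote(identifier, safe='')}"


def mdq_urls(base: str, entity_id: str) -> dict:
    """Both query forms for one entity, as in the thread's two curl commands."""
    return {
        "by_entity_id": entity_url(base, entity_id),
        "by_sha1": entity_url(base, sha1_identifier(entity_id)),
    }


def check_response(requested_entity_id: str, body: bytes) -> dict:
    """Sanity-check an MDQ response body.

    Returns findings rather than raising so a caller can log all of them.
    This does not verify the XML signature; it only confirms one is present.
    """
    findings = {"ok": True, "problems": []}
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return {"ok": False, "problems": [f"not well-formed XML: {exc}"]}

    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        findings["problems"].append(f"unexpected root element {root.tag}")
    returned = root.get("entityID")
    if returned != requested_entity_id:
        findings["problems"].append(
            f"entityID mismatch: asked for {requested_entity_id!r}, got {returned!r}")
    if root.find(f"{{{DS_NS}}}Signature") is None:
        findings["problems"].append("no ds:Signature on the EntityDescriptor")
    findings["ok"] = not findings["problems"]
    return findings


# Constructed sample (not a real UKf document): the shape an MDQ server
# returns for one entity, with a placeholder Signature element.
SAMPLE_GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://test-idp.ukfederation.org.uk/idp/shibboleth">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://test-idp.ukfederation.org.uk/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed: the kind of body a misconfigured proxy hands back instead of metadata.
SAMPLE_HTML_404 = b"<html><head><title>404 Not Found</title></head><body></body></html>"


if __name__ == "__main__":
    eid = "https://test-idp.ukfederation.org.uk/idp/shibboleth"
    for name, url in mdq_urls(MDQ_BASE, eid).items():
        print(f"{name}: {url}")
    print(check_response(eid, SAMPLE_GOOD))
    print(check_response(eid, SAMPLE_HTML_404))
```

Because the 404 in the thread appeared only on the IPv6 path, a client-side smoke test of an MDQ endpoint is best run once per address family (`curl -4` and `curl -6` against each URL) and the results compared; a proxy that answers differently per family passes one and fails the other, which a single dual-stack fetch can hide.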



