List: Per-Entity Metadata Working Group

Re: [Per-Entity] UKf MDQ server

  • From: Tom Scavo
  • To: Rhys Smith
  • Subject: Re: [Per-Entity] UKf MDQ server
  • Date: Thu, 24 Nov 2016 13:23:37 -0500

Thanks Rhys. Can you give a pointer to the new signing certificate?
I'm curious to know the size of the key (among other things).

Tom

On Thu, Nov 24, 2016 at 12:15 PM, Rhys Smith wrote:
> FYI, for those interested.
>
> Finally found the time to switch the signing key used for the UKf MDQ to a
> new one.
>
> So the UKf aggregates are at http://metadata.ukfederation.org.uk/foo and
> signed by our old key, imported into and held on the HSM; MDQ is at
> http://mdq.ukfederation.org.uk/foo and signed by our new key, generated on,
> and held on, the HSM.
>
> So the UKf’s MDQ service is now essentially production ready and live, and
> we’ll start to get customers to start using it in anger soon.
>
> Still interested in ways we can work together to share things and make
> things more resilient, though, as I suspect you all know :-).
>
> Rhys.
>
>
>> On 28 Oct 2016, at 15:08, Nicholas Roy wrote:
>>
>> Thanks Rhys, makes sense.
>>
>> Nick
>>
>> On 10/28/16 6:12 AM, Rhys Smith wrote:
>>> This is a temporary workaround until Azure adds native v6 support. When
>>> it does, we can get rid of it.
>>>
>>> The v6 proxies are a redundant pair of VMs, so yes, they are introducing
>>> an extra point of failure, but it’s been designed so it’s a fairly low
>>> risk of failing. The two VMs are geographically resilient, and all they
>>> are is Apache servers proxying requests to the v4 servers, so there’s not
>>> much to go wrong at the application level.
>>>
>>> For us, not supporting v6 was not an option - we’ve had v6 support on our
>>> MD dist servers for many years now, and didn’t want to make refreshing
>>> the infrastructure introduce retrograde steps.
>>>
>>> Rhys.
>>> --
>>> Dr Rhys Smith
>>> Chief Technical Architect, Trust & Identity
>>> Jisc
>>>
>>> T: +44 (0) 1235 822145
>>> M: +44 (0) 7968 087821
>>> Skype: rhys-smith
>>> GPG: 0x4638C985
>>> Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
>>>
>>> jisc.ac.uk
>>>
>>> Jisc is a registered charity (number 1149740) and a company limited by
>>> guarantee which is registered in England under Company No. 5747339, VAT
>>> No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower
>>> Hill, Bristol, BS2 0JA. T 0203 697 5800.
>>>
>>>> On 27 Oct 2016, at 22:37, Nicholas Roy wrote:
>>>>
>>>> Is the addition of in-house infrastructure that proxies v6 introducing
>>>> an additional point of failure? Do you think the risk is worth
>>>> supporting v6 right now?
>>>>
>>>> Thanks,
>>>>
>>>> Nick
>>>>
>>>> On 10/27/16 12:55 PM, Tom Scavo wrote:
>>>>> On Thu, Oct 27, 2016 at 12:22 PM, Rhys Smith wrote:
>>>>>> What’s weird is that the first two worked at all… Unless your client
>>>>>> decided to do v4 for those queries for some reason. If it did work
>>>>>> over v6, I have *no* idea how!
>>>>> After you made the patch, I can confirm that all three use IPv6.
>>>>> However, I don't have verbose output that pre-dates your patch, sorry.
>>>>>
>>>>> Tom
>>>>>
>>>>>>> On 27 Oct 2016, at 13:37, Tom Scavo wrote:
>>>>>>>
>>>>>>> On Thu, Oct 27, 2016 at 8:25 AM, Rhys Smith wrote:
>>>>>>>> Should be fixed…
>>>>>>> Yup, works great.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Tom
>>>>>>>
>>>>>>>>> On 27 Oct 2016, at 13:04, Rhys Smith wrote:
>>>>>>>>>
>>>>>>>>> Oh bo*****s. Yes, sorry, that’s v6 at play. The UKf infrastructure
>>>>>>>>> is v4 only hosted in azure, with a set of v6 proxies hosted on our
>>>>>>>>> own infrastructure that proxies to the v4 for the MD dist and CDS.
>>>>>>>>> I set up the MDQ stuff on the servers themselves, and forgot to
>>>>>>>>> update the v6 proxy config accordingly.
>>>>>>>>>
>>>>>>>>> Thanks for pointing this out :-). I’ll fix that later so v6 works
>>>>>>>>> as well.
>>>>>>>>>
>>>>>>>>> Rhys.
>>>>>>>>> --
>>>>>>>>> Dr Rhys Smith
>>>>>>>>> Chief Technical Architect, Trust & Identity
>>>>>>>>> Jisc
>>>>>>>>>
>>>>>>>>> T: +44 (0) 1235 822145
>>>>>>>>> M: +44 (0) 7968 087821
>>>>>>>>> Skype: rhys-smith
>>>>>>>>> GPG: 0x4638C985
>>>>>>>>> Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
>>>>>>>>>
>>>>>>>>> jisc.ac.uk
>>>>>>>>>
>>>>>>>>> Jisc is a registered charity (number 1149740) and a company limited
>>>>>>>>> by guarantee which is registered in England under Company No.
>>>>>>>>> 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One
>>>>>>>>> Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>>>>>>>>>
>>>>>>>>>> On 27 Oct 2016, at 12:47, Tom Scavo wrote:
>>>>>>>>>>
>>>>>>>>>> On Thu, Oct 27, 2016 at 2:09 AM, Rhys Smith wrote:
>>>>>>>>>>>> On 27 Oct 2016, at 01:28, Tom Scavo wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Oct 26, 2016 at 5:11 PM, Rhys Smith wrote:
>>>>>>>>>>>>>> On 26 Oct 2016, at 22:04, Rhys Smith wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> UKf Test IdP: curl --compress http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>>>>>> UKf Test IdP (SHA1 query): curl --compress http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D9bbc0354ea6f33ee008fcbe3c7680c0460e9cd1b
>>>>>>>>>>>>> Sorry, that second one should be: curl --compress http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D52e2065fc0d53744e8d4ee2c2f30696ebfc5def9
>>>>>>>>>>>> The latter two URLs work fine, the first one does not.
>>>>>>>>>>> Does not in what way? Seems to work for me.
>>>>>>>>>> That's weird, I get 404 not found:
>>>>>>>>>>
>>>>>>>>>> $ curl --version
>>>>>>>>>> curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
>>>>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>>>>> Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets
>>>>>>>>>>
>>>>>>>>>> $ curl --verbose --compress http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>> * Trying 2001:630:1:174::83...
>>>>>>>>>> * Trying 52.169.160.61...
>>>>>>>>>> * Connected to mdq.ukfederation.org.uk (2001:630:1:174::83) port 80 (#0)
>>>>>>>>>>> GET /entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth HTTP/1.1
>>>>>>>>>>> Host: mdq.ukfederation.org.uk
>>>>>>>>>>> User-Agent: curl/7.43.0
>>>>>>>>>>> Accept: */*
>>>>>>>>>>> Accept-Encoding: deflate, gzip
>>>>>>>>>>>
>>>>>>>>>> < HTTP/1.1 404 Not Found
>>>>>>>>>> < Date: Thu, 27 Oct 2016 11:43:49 GMT
>>>>>>>>>> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
>>>>>>>>>> < Content-Length: 258
>>>>>>>>>> < Content-Type: text/html; charset=iso-8859-1
>>>>>>>>>> <
>>>>>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>>>>>>> <html><head>
>>>>>>>>>> <title>404 Not Found</title>
>>>>>>>>>> </head><body>
>>>>>>>>>> <h1>Not Found</h1>
>>>>>>>>>> <p>The requested URL /entities/https://test-idp.ukfederation.org.uk/idp/shibboleth was not found on this server.</p>
>>>>>>>>>> </body></html>
>>>>>>>>>> * Connection #0 to host mdq.ukfederation.org.uk left intact
>>
>
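The thread turns on two things a reader may want to reproduce: how an MDQ request URL is formed for a plain entityID versus a `{sha1}` transformed identifier, and how to tell from `curl --verbose` output whether a request actually went over IPv6 or IPv4 (the distinction that explained the 404 from the un-updated v6 proxies). The following is an added example, not code from the UK federation, Jisc, or the working group. It assumes the MDQ identifier conventions (the entityID percent-encoded as a single path segment; the transformed identifier being `{sha1}` followed by the lowercase hex SHA-1 of the entityID's UTF-8 bytes); the helper names are the author's own, and the sample transcript is reconstructed from the one quoted above. It does not assert that either SHA-1 value quoted in the thread is the digest of the test IdP's entityID.

```python
"""Helpers for forming and checking MDQ requests of the kind discussed above.

Added example, not the UK federation's or the working group's own code.
Assumed MDQ rules: the identifier is percent-encoded into one path segment
under /entities/, and the transformed identifier is "{sha1}" + lowercase
hex SHA-1 of the entityID's UTF-8 bytes.
"""
import hashlib
import ipaddress
import re
from urllib.parse import quote

MDQ_BASE = "http://mdq.ukfederation.org.uk"  # base URL as given in the thread


def sha1_transform(entity_id: str) -> str:
    """Return the MDQ {sha1} transformed identifier for an entityID."""
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return "{sha1}" + digest


def mdq_url(identifier: str, base: str = MDQ_BASE) -> str:
    """Build the /entities/<identifier> URL.

    safe='' makes quote() encode ':' and '/' too, so the whole entityID
    (or the '{sha1}' prefix) stays inside a single path segment."""
    return f"{base}/entities/{quote(identifier, safe='')}"


# "* Connected to <host> (<address>) port <n> (#0)" as printed by curl --verbose
_CONNECTED = re.compile(r"^\* Connected to (\S+) \(([^)]+)\) port (\d+)")
# "< HTTP/1.1 404 Not Found": the response status line
_STATUS = re.compile(r"^< HTTP/\d\.\d (\d{3})")


def summarize_curl_verbose(transcript: str) -> dict:
    """Parse curl --verbose output and report which address was actually
    used, whether that was IPv4 or IPv6, and the HTTP status returned.

    A 404 over a v6 address but success over v4 (or vice versa) points at
    the proxy layer rather than the origin server."""
    result = {"host": None, "address": None, "ip_version": None, "status": None}
    for line in transcript.splitlines():
        m = _CONNECTED.match(line)
        if m:
            result["host"], result["address"] = m.group(1), m.group(2)
            result["ip_version"] = ipaddress.ip_address(m.group(2)).version
            continue
        m = _STATUS.match(line)
        if m and result["status"] is None:
            result["status"] = int(m.group(1))
    return result


# Constructed sample: the verbose transcript quoted in the thread, re-joined
# onto single lines (the body of the 404 page is omitted).
SAMPLE_TRANSCRIPT = """\
*   Trying 2001:630:1:174::83...
*   Trying 52.169.160.61...
* Connected to mdq.ukfederation.org.uk (2001:630:1:174::83) port 80 (#0)
> GET /entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth HTTP/1.1
> Host: mdq.ukfederation.org.uk
> User-Agent: curl/7.43.0
> Accept: */*
> Accept-Encoding: deflate, gzip
>
< HTTP/1.1 404 Not Found
< Date: Thu, 27 Oct 2016 11:43:49 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
< Content-Length: 258
< Content-Type: text/html; charset=iso-8859-1
<
"""

if __name__ == "__main__":
    eid = "https://test-idp.ukfederation.org.uk/idp/shibboleth"
    print(mdq_url(eid))
    print(mdq_url(sha1_transform(eid)))
    print(summarize_curl_verbose(SAMPLE_TRANSCRIPT))
```

Running the module prints the two request URLs (the first matching the one used in the thread) and a summary of the sample transcript showing that the connection went to the IPv6 address and received a 404. Feeding it the output of the same request made with `curl -4` lets you compare the two paths directly, which is what the "does not in what way?" exchange above was missing.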


