Per-Entity Metadata Working Group

[Tom Scavo <>]

Thanks Rhys. Can you give a pointer to the new signing certificate?
I'm curious to know the size of the key (among other things).

Tom

On Thu, Nov 24, 2016 at 12:15 PM, Rhys Smith 
<>
 wrote:
> FYI, for those interested.
>
> Finally found the time to switch the signing key used for the UKf MDQ to a 
> new one.
>
> So the UKf aggregates are at http://metadata.ukfederation.org.uk/foo and 
> signed by our old key, imported into and held on the HSM; MDQ is at 
> http://mdq.ukfederation.org.uk/foo and signed by our new key, generated on, 
> and held on, the HSM.
>
> So the UKf’s MDQ service is now essentially production ready and live, and 
> we’ll start to get customers to start using it in anger soon.
>
> Still interested in ways we can work together to share things and make 
> things more resilient, though, as I suspect you all know :-).
>
> Rhys.
>
>
>> On 28 Oct 2016, at 15:08, Nicholas Roy 
>> <>
>>  wrote:
>>
>> Thanks Rhys, makes sense.
>>
>> Nick
>>
>> On 10/28/16 6:12 AM, Rhys Smith wrote:
>>> This is a temporary work around until Azure adds native v6 support. When 
>>> it does, we can get rid of it.
>>>
>>> The v6 proxies are a redundant pair of VMs, so yes, they are introducing 
>>> an extra point of failure, but it’s been designed so it’s a fairly low 
>>> risk of failing. The two VMs are geographically resilient, and all they 
>>> are is apache servers proxying requests to the v4 servers, so there’s not 
>>> much to go wrong at the application level.
>>>
>>> For us, not supporting v6 was not an option - we’ve had v6 support on our 
>>> MD dist servers for many years now, and didn’t want to make refreshing 
>>> the infrastructure introduce retrograde steps.
>>>
>>> Rhys.
>>> --
>>> Dr Rhys Smith
>>> Chief Technical Architect, Trust & Identity
>>> Jisc
>>>
>>> T: +44 (0) 1235 822145
>>> M: +44 (0) 7968 087821
>>> Skype: rhys-smith
>>> GPG: 0x4638C985
>>> Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
>>>
>>> jisc.ac.uk
>>>
>>> Jisc is a registered charity (number 1149740) and a company limited by 
>>> guarantee which is registered in England under Company No. 5747339, VAT 
>>> No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower 
>>> Hill, Bristol, BS2 0JA. T 0203 697 5800.
>>>
>>>> On 27 Oct 2016, at 22:37, Nicholas Roy 
>>>> <>
>>>>  wrote:
>>>>
>>>> Is the addition of in-house infrastructure that proxies v6 introducing 
>>>> an additional point of failure?  Do you think the risk is worth 
>>>> supporting v6 right now?
>>>>
>>>> Thanks,
>>>>
>>>> Nick
>>>>
>>>> On 10/27/16 12:55 PM, Tom Scavo wrote:
>>>>> On Thu, Oct 27, 2016 at 12:22 PM, Rhys Smith 
>>>>> <>
>>>>>  wrote:
>>>>>> What’s weird is that the first two worked at all… Unless your client 
>>>>>> decided to do v4 for those queries for some reason. If it did work 
>>>>>> over v6, I have *no* idea how!
>>>>> After you made the patch, I can confirm that all three use IPv6.
>>>>> However, I don't have verbose output that pre-dates your patch, sorry.
>>>>>
>>>>> Tom
>>>>>
>>>>>>> On 27 Oct 2016, at 13:37, Tom Scavo 
>>>>>>> <>
>>>>>>>  wrote:
>>>>>>>
>>>>>>> On Thu, Oct 27, 2016 at 8:25 AM, Rhys Smith 
>>>>>>> <>
>>>>>>>  wrote:
>>>>>>>> Should be fixed…
>>>>>>> Yup, works great.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Tom
>>>>>>>
>>>>>>>>> On 27 Oct 2016, at 13:04, Rhys Smith 
>>>>>>>>> <>
>>>>>>>>>  wrote:
>>>>>>>>>
>>>>>>>>> Oh bo*****s. Yes, sorry, that’s v6 at play. The UKf infrastructure 
>>>>>>>>> is v4 only hosted in azure, with a set of v6 proxies hosted on our 
>>>>>>>>> own infrastructure that proxies to the v4 for the MD dist and CDS. 
>>>>>>>>> I set up the MDQ stuff on the servers themselves, and forgot to 
>>>>>>>>> update the v6 proxy config accordingly.
>>>>>>>>>
>>>>>>>>> Thanks for pointing this out :-). I’ll fix that later so v6 works 
>>>>>>>>> as well.
>>>>>>>>>
>>>>>>>>> Rhys.
>>>>>>>>> --
>>>>>>>>> Dr Rhys Smith
>>>>>>>>> Chief Technical Architect, Trust & Identity
>>>>>>>>> Jisc
>>>>>>>>>
>>>>>>>>> T: +44 (0) 1235 822145
>>>>>>>>> M: +44 (0) 7968 087821
>>>>>>>>> Skype: rhys-smith
>>>>>>>>> GPG: 0x4638C985
>>>>>>>>> Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
>>>>>>>>>
>>>>>>>>> jisc.ac.uk
>>>>>>>>>
>>>>>>>>> Jisc is a registered charity (number 1149740) and a company limited 
>>>>>>>>> by guarantee which is registered in England under Company No. 
>>>>>>>>> 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One 
>>>>>>>>> Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>>>>>>>>>
>>>>>>>>>> On 27 Oct 2016, at 12:47, Tom Scavo 
>>>>>>>>>> <>
>>>>>>>>>>  wrote:
>>>>>>>>>>
>>>>>>>>>> On Thu, Oct 27, 2016 at 2:09 AM, Rhys Smith 
>>>>>>>>>> <>
>>>>>>>>>>  wrote:
>>>>>>>>>>>> On 27 Oct 2016, at 01:28, Tom Scavo 
>>>>>>>>>>>> <>
>>>>>>>>>>>>  wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Oct 26, 2016 at 5:11 PM, Rhys Smith 
>>>>>>>>>>>> <>
>>>>>>>>>>>>  wrote:
>>>>>>>>>>>>>> On 26 Oct 2016, at 22:04, Rhys Smith 
>>>>>>>>>>>>>> <>
>>>>>>>>>>>>>>  wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> UKf Test IdP: curl --compress 
>>>>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>>>>>> UKf Test IdP (SHA1 query): curl --compress 
>>>>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D9bbc0354ea6f33ee008fcbe3c7680c0460e9cd1b
>>>>>>>>>>>>> Sorry, that second one should be:  curl --compress 
>>>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D52e2065fc0d53744e8d4ee2c2f30696ebfc5def9
>>>>>>>>>>>> The latter two URLs work fine, the first one does not.
>>>>>>>>>>> Does not in what way? Seems to work for me.
>>>>>>>>>> That's weird, I get 404 not found:
>>>>>>>>>>
>>>>>>>>>> $ curl --version
>>>>>>>>>> curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0 
>>>>>>>>>> SecureTransport zlib/1.2.5
>>>>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap 
>>>>>>>>>> ldaps
>>>>>>>>>> pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>>>>> Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
>>>>>>>>>> NTLM_WB SSL libz UnixSockets
>>>>>>>>>>
>>>>>>>>>> $ curl --verbose --compress
>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>> *   Trying 2001:630:1:174::83...
>>>>>>>>>> *   Trying 52.169.160.61...
>>>>>>>>>> * Connected to mdq.ukfederation.org.uk (2001:630:1:174::83) port 
>>>>>>>>>> 80 (#0)
>>>>>>>>>>> GET 
>>>>>>>>>>> /entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>>>  HTTP/1.1
>>>>>>>>>>> Host: mdq.ukfederation.org.uk
>>>>>>>>>>> User-Agent: curl/7.43.0
>>>>>>>>>>> Accept: */*
>>>>>>>>>>> Accept-Encoding: deflate, gzip
>>>>>>>>>>>
>>>>>>>>>> < HTTP/1.1 404 Not Found
>>>>>>>>>> < Date: Thu, 27 Oct 2016 11:43:49 GMT
>>>>>>>>>> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
>>>>>>>>>> < Content-Length: 258
>>>>>>>>>> < Content-Type: text/html; charset=iso-8859-1
>>>>>>>>>> <
>>>>>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>>>>>>> <html><head>
>>>>>>>>>> <title>404 Not Found</title>
>>>>>>>>>> </head><body>
>>>>>>>>>> <h1>Not Found</h1>
>>>>>>>>>> <p>The requested URL
>>>>>>>>>> /entities/https://test-idp.ukfederation.org.uk/idp/shibboleth was 
>>>>>>>>>> not
>>>>>>>>>> found on this server.</p>
>>>>>>>>>> </body></html>
>>>>>>>>>> * Connection #0 to host mdq.ukfederation.org.uk left intact
>>
>