per-entity - Re: [Per-Entity] UKf MDQ server

Subject: Per-Entity Metadata Working Group

Re: [Per-Entity] UKf MDQ server
  • From: Rhys Smith <>
  • To: Tom Scavo <>
  • Subject: Re: [Per-Entity] UKf MDQ server
  • Date: Thu, 24 Nov 2016 19:11:58 +0000
  • Accept-language: en-GB, en-US

Linked to on the front page of http://mdq.ukfederation.org.uk.

Highlights - sha256 sig alg 4096 bit RSA, expires end 2037.

Rhys.
--
Dr Rhys Smith
Chief Technical Architect, Trust & Identity
Jisc

T: +44 (0) 1235 822145
M: +44 (0) 7968 087821
Skype: rhys-smith
GPG: 0x4638C985
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.

> On 24 Nov 2016, at 18:23, Tom Scavo
> <>
> wrote:
>
> Thanks Rhys. Can you give a pointer to the new signing certificate?
> I'm curious to know the size of the key (among other things).
>
> Tom
>
> On Thu, Nov 24, 2016 at 12:15 PM, Rhys Smith
> <>
> wrote:
>> FYI, for those interested.
>>
>> Finally found the time to switch the signing key used for the UKf MDQ to a
>> new one.
>>
>> So the UKf aggregates are at http://metadata.ukfederation.org.uk/foo and
>> signed by our old key, imported into and held on the HSM; MDQ is at
>> http://mdq.ukfederation.org.uk/foo and signed by our new key, generated
>> on, and held on, the HSM.
>>
>> So the UKf’s MDQ service is now essentially production ready and live, and
>> we’ll start to get customers to start using it in anger soon.
>>
>> Still interested in ways we can work together to share things and make
>> things more resilient, though, as I suspect you all know :-).
>>
>> Rhys.
>>
>>
>>> On 28 Oct 2016, at 15:08, Nicholas Roy
>>> <>
>>> wrote:
>>>
>>> Thanks Rhys, makes sense.
>>>
>>> Nick
>>>
>>> On 10/28/16 6:12 AM, Rhys Smith wrote:
>>>> This is a temporary workaround until Azure adds native v6 support. When
>>>> it does, we can get rid of it.
>>>>
>>>> The v6 proxies are a redundant pair of VMs, so yes, they are introducing
>>>> an extra point of failure, but it’s been designed so it’s a fairly low
>>>> risk of failing. The two VMs are geographically resilient, and all they
>>>> are is apache servers proxying requests to the v4 servers, so there’s
>>>> not much to go wrong at the application level.
>>>>
>>>> For us, not supporting v6 was not an option - we’ve had v6 support on
>>>> our MD dist servers for many years now, and didn’t want to make
>>>> refreshing the infrastructure introduce retrograde steps.
>>>>
>>>> Rhys.
>>>>
>>>>> On 27 Oct 2016, at 22:37, Nicholas Roy
>>>>> <>
>>>>> wrote:
>>>>>
>>>>> Is the addition of in-house infrastructure that proxies v6 introducing
>>>>> an additional point of failure? Do you think the risk is worth
>>>>> supporting v6 right now?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Nick
>>>>>
>>>>> On 10/27/16 12:55 PM, Tom Scavo wrote:
>>>>>> On Thu, Oct 27, 2016 at 12:22 PM, Rhys Smith
>>>>>> <>
>>>>>> wrote:
>>>>>>> What’s weird is that the first two worked at all… Unless your client
>>>>>>> decided to do v4 for those queries for some reason. If it did work
>>>>>>> over v6, I have *no* idea how!
>>>>>> After you made the patch, I can confirm that all three use IPv6.
>>>>>> However, I don't have verbose output that pre-dates your patch, sorry.
>>>>>>
>>>>>> Tom
>>>>>>
>>>>>>>> On 27 Oct 2016, at 13:37, Tom Scavo
>>>>>>>> <>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> On Thu, Oct 27, 2016 at 8:25 AM, Rhys Smith
>>>>>>>> <>
>>>>>>>> wrote:
>>>>>>>>> Should be fixed…
>>>>>>>> Yup, works great.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Tom
>>>>>>>>
>>>>>>>>>> On 27 Oct 2016, at 13:04, Rhys Smith
>>>>>>>>>> <>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Oh bo*****s. Yes, sorry, that’s v6 at play. The UKf infrastructure
>>>>>>>>>> is v4 only hosted in azure, with a set of v6 proxies hosted on our
>>>>>>>>>> own infrastructure that proxies to the v4 for the MD dist and CDS.
>>>>>>>>>> I set up the MDQ stuff on the servers themselves, and forgot to
>>>>>>>>>> update the v6 proxy config accordingly.
>>>>>>>>>>
>>>>>>>>>> Thanks for pointing this out :-). I’ll fix that later so v6 works
>>>>>>>>>> as well.
>>>>>>>>>>
>>>>>>>>>> Rhys.
>>>>>>>>>>
>>>>>>>>>>> On 27 Oct 2016, at 12:47, Tom Scavo
>>>>>>>>>>> <>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Oct 27, 2016 at 2:09 AM, Rhys Smith
>>>>>>>>>>> <>
>>>>>>>>>>> wrote:
>>>>>>>>>>>>> On 27 Oct 2016, at 01:28, Tom Scavo
>>>>>>>>>>>>> <>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Oct 26, 2016 at 5:11 PM, Rhys Smith
>>>>>>>>>>>>> <>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>> On 26 Oct 2016, at 22:04, Rhys Smith
>>>>>>>>>>>>>>> <>
>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> UKf Test IdP: curl --compress
>>>>>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>>>>>>> UKf Test IdP (SHA1 query): curl --compress
>>>>>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D9bbc0354ea6f33ee008fcbe3c7680c0460e9cd1b
>>>>>>>>>>>>>> Sorry, that second one should be: curl --compress
>>>>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/%7Bsha1%7D52e2065fc0d53744e8d4ee2c2f30696ebfc5def9
>>>>>>>>>>>>> The latter two URLs work fine, the first one does not.
>>>>>>>>>>>> Does not in what way? Seems to work for me.
>>>>>>>>>>> That's weird, I get 404 not found:
>>>>>>>>>>>
>>>>>>>>>>> $ curl --version
>>>>>>>>>>> curl 7.43.0 (x86_64-apple-darwin15.0) libcurl/7.43.0
>>>>>>>>>>> SecureTransport zlib/1.2.5
>>>>>>>>>>> Protocols: dict file ftp ftps gopher http https imap imaps ldap
>>>>>>>>>>> ldaps
>>>>>>>>>>> pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
>>>>>>>>>>> Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
>>>>>>>>>>> NTLM_WB SSL libz UnixSockets
>>>>>>>>>>>
>>>>>>>>>>> $ curl --verbose --compress
>>>>>>>>>>> http://mdq.ukfederation.org.uk/entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>>> * Trying 2001:630:1:174::83...
>>>>>>>>>>> * Trying 52.169.160.61...
>>>>>>>>>>> * Connected to mdq.ukfederation.org.uk (2001:630:1:174::83) port
>>>>>>>>>>> 80 (#0)
>>>>>>>>>>>> GET
>>>>>>>>>>>> /entities/https%3A%2F%2Ftest-idp.ukfederation.org.uk%2Fidp%2Fshibboleth
>>>>>>>>>>>> HTTP/1.1
>>>>>>>>>>>> Host: mdq.ukfederation.org.uk
>>>>>>>>>>>> User-Agent: curl/7.43.0
>>>>>>>>>>>> Accept: */*
>>>>>>>>>>>> Accept-Encoding: deflate, gzip
>>>>>>>>>>>>
>>>>>>>>>>> < HTTP/1.1 404 Not Found
>>>>>>>>>>> < Date: Thu, 27 Oct 2016 11:43:49 GMT
>>>>>>>>>>> < Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
>>>>>>>>>>> < Content-Length: 258
>>>>>>>>>>> < Content-Type: text/html; charset=iso-8859-1
>>>>>>>>>>> <
>>>>>>>>>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>>>>>>>>> <html><head>
>>>>>>>>>>> <title>404 Not Found</title>
>>>>>>>>>>> </head><body>
>>>>>>>>>>> <h1>Not Found</h1>
>>>>>>>>>>> <p>The requested URL
>>>>>>>>>>> /entities/https://test-idp.ukfederation.org.uk/idp/shibboleth was
>>>>>>>>>>> not
>>>>>>>>>>> found on this server.</p>
>>>>>>>>>>> </body></html>
>>>>>>>>>>> * Connection #0 to host mdq.ukfederation.org.uk left intact
>>>
>>
>
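The thread above exercises the two MDQ lookup forms for the same entity: the entityID itself, percent-encoded into a single path segment, and the `{sha1}` transformed identifier. The following is an added example, not code from the thread or from the UK federation; it assumes the `http://mdq.ukfederation.org.uk` base URL quoted in the thread and the MDQ draft's identifier transform (SHA-1 over the UTF-8 entityID, lowercase hex, prefixed with `{sha1}`), and uses only the Python standard library. It builds both URL forms and checks that a given `/entities/<id>` path really refers to an expected entityID.

```python
import hashlib
from urllib.parse import quote, unquote

# Assumption: base URL of the MDQ service, as quoted in the thread.
MDQ_BASE = "http://mdq.ukfederation.org.uk"


def sha1_identifier(entity_id: str) -> str:
    """Return the MDQ '{sha1}<hex>' transformed identifier for an entityID.

    The MDQ draft defines the transform as SHA-1 over the UTF-8 bytes of the
    entityID, rendered as lowercase hex. SHA-1 is used here purely as a
    stable identifier transform, not as a security control.
    """
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return "{sha1}" + digest


def mdq_url(identifier: str, base: str = MDQ_BASE) -> str:
    """Build the /entities/<id> lookup URL for a plain or {sha1} identifier.

    safe='' forces every reserved character, including ':' and '/', to be
    percent-encoded, so the entityID travels as one path segment and the
    curly braces of the {sha1} form become %7B and %7D, as in the thread.
    """
    return f"{base}/entities/{quote(identifier, safe='')}"


def identifier_matches(path_or_url: str, entity_id: str) -> bool:
    """Check that an /entities/<id> path (or full URL) refers to entity_id.

    Accepts either the plain percent-encoded entityID or its {sha1} form.
    Useful when reviewing proxy or server logs: it answers "was this request
    for the entity I expected?" regardless of which form the client used.
    """
    segment = path_or_url.rsplit("/entities/", 1)[-1]
    ident = unquote(segment)
    return ident == entity_id or ident.lower() == sha1_identifier(entity_id)


if __name__ == "__main__":
    # Constructed sample: the test IdP entityID discussed in the thread.
    eid = "https://test-idp.ukfederation.org.uk/idp/shibboleth"
    plain = mdq_url(eid)
    hashed = mdq_url(sha1_identifier(eid))
    print("plain :", plain)
    print("sha1  :", hashed)
    print("both refer to the same entity:",
          identifier_matches(plain, eid) and identifier_matches(hashed, eid))
```

The URLs this produces are only the lookup; the trust decision for the returned `EntityDescriptor` comes from verifying its XML signature against the federation's published signing certificate (the new 4096-bit RSA key with SHA-256 signatures mentioned at the top of the thread), which this snippet does not do. When a request returns 404 as in the quoted curl session, `identifier_matches` on the path from the error body is a quick way to rule out an encoding mistake on the client side before looking at the proxy or origin configuration.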

Attachment: smime.p7s
Description: S/MIME cryptographic signature