How to Migrate from Level 1 to Level 2 of the Testbed Federation

For members of the Level-1 Federation, it is advisable if you have connected your IdP to your institutional LDAP to move to Level-2 of the Testbed Federation for greater security. Similarly, if you have shibbolized some applications that are for production, eg. the mini-grant applicants, you should also move your SP to Level 2.

The prerequisites for moving to Level-2 are:

• A commerical certificate for your host from one of the supported Certificate Authorities
• Verifiable post, phone and email addresses for the admin.
• A production DNS name for your host (applies to the certificate as well)
  • Good examples
    • idp.institution.edu.au
    • sso.organisation.org.au
    • twiki.uni.edu.au
  • Bad examples
    • test.uni.edu.au - test is ok for level-1, but not level-2
    • mams-sp.school.edu.au - having mams in the hostname is not recommended

To see the actual certificates, you can download the Federation Level 2 metadata from http://www.federation.org.au/level-2/level-2-metadata.xml and see the CA certificates there. Naturally these CAs are also trusted by Level-1 of the Testbed Federation.

Note that if you have a certificate from another commercial CA that you wish to include, please send an email to support@federation.org.au and we might include that CA in the list above.

If you satisfy the above, then to move to Level 2 of the Federation, you need to do the following:

1. Login to the Federation Manager (http://www.federation.org.au/FedManager/jsp/login.jsp), edit your IdP or SP and request to change it to Level-2.
2. Download the latest metadata for Level-2 from http://www.federation.org.au/level-2/level-2-metadata.xml and make sure your idp.xml or shibboleth.xml uses the new level-2 metadata (look for element). If you are running an SP, you need to change your WAYF url (wayfURL) in shibboleth.xml to point to the URL for the Level-2 WAYF: "https://www.federation.org.au/level-2-wayf/WAYF"
3. Set up a regular task (eg. cron job for unix) to regularly download the above metadata for your IdP or SP. Please follow this guide UpdateMetadata to ensure you have up-to-date metadata for your IdP and SP.
4. If you setup an IdP for Level 2, you can test it by going to this URL (https://www.mams.org.au/level-2), login at your IdP and you should see a "reflector" page showing that you have sucessfully logged in and any attributes that you are releasing to the Federation.

How to Migrate from Level 1 to Level 2 of the Testbed Federation

Digital Certificates

You will need both a frontend commercial SSL certificate, and a backend SSL certificate (in some cases these will be the same). The following steps are for a typical migration for an Australian education domain.

If you have no commercial cert

If you don't have commercial certificate but wish to get a free one (free for Higher Education), then IPSCA is offering such free certificate, follow the steps below. If you already have commercial certificate, then you can just simply use your certificate and skip to "Securing IdP-SP back-channel communication" section

• Acquire a frontend SSL certificate
  • Generate a new CSR (and possibly a new key in the process)

cd /etc/certs
openssl req  -new -key `hostname`-key.pem -out `hostname`-csr.pem
##  Make sure the CN field matches the FQDN of the host
cat `hostname`-csr.pem

• • Goto http://certs.ipsca.com/srvc/Buy.asp
  • Fill in the form, selecting a free "Education (2 years $0)"
  • The rest of the steps are:

1) The first step in the enrollment process will be to generate a CSR (Certificate Signing Request) file. This task must be performed by the administrator of the server, it could be you or the ISP where your server is located.

2) Fill the form with your information, the technical contact information and the Certificate options.

3) An email message will be sent to you to confirm your request.

4) Upon your email confirmation, an email message will be sent to the Administrative Contact, Technical Contact, Billing Contact for the domain you are requesting the certificate for.

5) One of the Contacts of the domain must reply to the email message to authorize the request

6) After we receive the authorization email, a new message will be sent to you, payment information must be introduced at this stage. Company information validation will be done after payment (if the certificate requires payment).

7) Finally a new message will be sent to you. with the signed certificate

• Installing the frontend certificate
  • Once issued, download the CA files http://certs.ipsca.com/companyIPSipsCA/IPS-IPSCABUNDLE.CRT to the CA bundle file
  • You'll need to make reference to the CA bundle file in your Apache config

cd /etc/certs
wget "http://certs.ipsca.com/companyIPSipsCA/IPS-IPSCABUNDLE.CRT"
vi /etc/apache2/sites-enabled/003-ssl-vhost.conf
##  Add this line to the SSL config section:
SSLCACertificateFile /etc/certs/IPS-IPSCABUNDLE.crt

• • Save the issued certificate to /etc/certs and make sure the following are set correctly in your apache ssl config (003-ssl-vhost.conf):

    SSLCertificateFile /etc/certs/mycert.pem
    SSLCertificateKeyFile /etc/certs/mykey.pem

Securing IdP-SP back-channel communication

You can use your front-end certificate for SOAP SSL communication (back-channel) if your certificate supports "client ssl" purpose (read this FAQ to see how to check this), otherwise you will need to get a different back-channel certificate as issued by AusCert^? as shown in steps below. You only need to do this part of configuration if you are configuring SP. IdP can use their commercial certificate for the back-channel (though feel free to get an AusCert^? certificate for it, if you like to maintain separate certificate).

Note that if you have commercial certificates, then they typically issue supported certificate purposes, hence you can use them for the back-channel. The only exception is that IPSCA does not issue client-ssl purpose, hence if you are getting your front-end cert from IPSCA, you must get back-channel cert from AusCert^?.

• Acquire a backend SSL certificate
  • Visit the eSecurity website and follow the instructions: http://www.esecurity.edu.au/how-to-obtain-a-certificate-under-the-aaf
  • Specifically, download the configuration file from that site, edit it as appropriate (for SP or IdP)
  • Generate a new CSR (or you can use the same CSR and key from your front-end cert)

cd /etc/certs
wget "http://esecurity.edu.au/docs/openssl_shiblvl3ca_certs.cnf"
vi openssl_shiblvl3ca_certs.cnf
openssl req -new -config openssl_shiblvl3ca_certs.cnf -out `hostname`_esecurity.csr
cat `hostname`_esecurity.csr

• • Attach CSR to an email to pilot-level3-shibca@auscert.org.au?Subject=Shibboleth Security Request (cut and paste the following)

Email:
Hostname:
IP Address:
DNS Name:

User Data:
Name:
Email:
Department:
Telephone:

• • Don't forget to attach the CSR to the email

• Installing the backend certificate
  • Once the certificate is issued, put it in /etc/certs
  • Refer to this certificate in /usr/local/shibboleth-idp/etc/idp.xml and /usr/local/shibboleth-sp/etc/shibboleth/shibboleth.xml and make sure you include the CA of your certificate for completeness purpose, i.e. see below

    <FileResolver Id="testfed_level_2_cred">
         <Key>
             <Path>file:/etc/certs/mykey.pem</Path>
         </Key>
         <Certificate>
             <Path>file:/etc/certs/mycert.pem</Path>
             <CAPath>file:/etc/certs/ca-bundle.pem</CAPath>
         </Certificate>
    </FileResolver>

Configuration Files

• Change any "level-1" references to "level-2" in /usr/local/shibboleth-idp/etc/idp.xml and /usr/local/shibboleth-sp/etc/shibboleth/shibboleth.xml.

Federation Manager

• Login to the Federation Manager
• Edit your IdP or SP and request an upgrade from level 1 to level 2
• Await approval

Testing

• Ensure you have the latest metadata file
• Restart services
• Test services. SP test servers: https://demo.federation.org.au/level-2. If you are an SP and not having any IdP to test against, let us know and we'll test your SP.

Certificate Authorities supported in the Federation

The following Certificate Authorities (CAs) are supported:

• AddTrustUTNServerCA
• Comodo InstantSSL CA
• Entrust Secure Server CA
• Equifax
• GlobalSign Root CA
• GTE Global CyberRoot
• InCommon
• IPS Seguridad
• IPS SERVIDORES
• Pilot AusCERT Root CA
• Thawte Premium Server CA
• Thawte Server CA
• Thawte SGC CA
• Verisign Class 3 Public Primary CA
• Verisign Intermediate CA
• Verisign Intermediate PRO CA
• Verisign/RSA Commercial CA
• Verisign/RSA Secure Server CA

to top