How to Migrate from Level 1 to Level 2 of the Testbed Federation

Digital Certificates

You will need both a frontend commercial SSL certificate, and a backend SSL certificate (in some cases these will be the same). The following steps are for a typical migration for an Australian education domain.

If you have no commercial cert

If you don't have commercial certificate but wish to get a free one (free for Higher Education), then IPSCA is offering such free certificate, follow the steps below. If you already have commercial certificate, then you can just simply use your certificate and skip to "Securing IdP-SP back-channel communication" section

• Acquire a frontend SSL certificate
  • Generate a new CSR (and possibly a new key in the process)

cd /etc/certs
openssl req  -new -key `hostname`-key.pem -out `hostname`-csr.pem
##  Make sure the CN field matches the FQDN of the host
cat `hostname`-csr.pem

• • Goto http://certs.ipsca.com/srvc/Buy.asp
  • Fill in the form, selecting a free "Education (2 years $0)"
  • The rest of the steps are:

1) The first step in the enrollment process will be to generate a CSR (Certificate Signing Request) file. This task must be performed by the administrator of the server, it could be you or the ISP where your server is located.

2) Fill the form with your information, the technical contact information and the Certificate options.

3) An email message will be sent to you to confirm your request.

4) Upon your email confirmation, an email message will be sent to the Administrative Contact, Technical Contact, Billing Contact for the domain you are requesting the certificate for.

5) One of the Contacts of the domain must reply to the email message to authorize the request

6) After we receive the authorization email, a new message will be sent to you, payment information must be introduced at this stage. Company information validation will be done after payment (if the certificate requires payment).

7) Finally a new message will be sent to you. with the signed certificate

• Installing the frontend certificate
  • Once issued, download the CA files http://certs.ipsca.com/companyIPSipsCA/IPS-IPSCABUNDLE.CRT to the CA bundle file
  • You'll need to make reference to the CA bundle file in your Apache config

cd /etc/certs
wget "http://certs.ipsca.com/companyIPSipsCA/IPS-IPSCABUNDLE.CRT"
vi /etc/apache2/sites-enabled/003-ssl-vhost.conf
##  Add this line to the SSL config section:
SSLCACertificateFile /etc/certs/IPS-IPSCABUNDLE.crt

• • Save the issued certificate to /etc/certs and make sure the following are set correctly in your apache ssl config (003-ssl-vhost.conf):

    SSLCertificateFile /etc/certs/mycert.pem
    SSLCertificateKeyFile /etc/certs/mykey.pem

Securing IdP-SP back-channel communication

You can use your front-end certificate for SOAP SSL communication (back-channel) if your certificate supports "client ssl" purpose (read this FAQ to see how to check this), otherwise you will need to get a different back-channel certificate as issued by AusCert^? as shown in steps below. You only need to do this part of configuration if you are configuring SP. IdP can use their commercial certificate for the back-channel (though feel free to get an AusCert^? certificate for it, if you like to maintain separate certificate).

Note that if you have commercial certificates, then they typically issue supported certificate purposes, hence you can use them for the back-channel. The only exception is that IPSCA does not issue client-ssl purpose, hence if you are getting your front-end cert from IPSCA, you must get back-channel cert from AusCert^?.

• Acquire a backend SSL certificate
  • Visit the eSecurity website and follow the instructions: http://www.esecurity.edu.au/how-to-obtain-a-certificate-under-the-aaf
  • Specifically, download the configuration file from that site, edit it as appropriate (for SP or IdP)
  • Generate a new CSR (or you can use the same CSR and key from your front-end cert)

cd /etc/certs
wget "http://esecurity.edu.au/docs/openssl_shiblvl3ca_certs.cnf"
vi openssl_shiblvl3ca_certs.cnf
openssl req -new -config openssl_shiblvl3ca_certs.cnf -out `hostname`_esecurity.csr
cat `hostname`_esecurity.csr

• • Attach CSR to an email to pilot-level3-shibca@auscert.org.au?Subject=Shibboleth Security Request (cut and paste the following)

Email:
Hostname:
IP Address:
DNS Name:

User Data:
Name:
Email:
Department:
Telephone:

• • Don't forget to attach the CSR to the email

• Installing the backend certificate
  • Once the certificate is issued, put it in /etc/certs
  • Refer to this certificate in /usr/local/shibboleth-idp/etc/idp.xml and /usr/local/shibboleth-sp/etc/shibboleth/shibboleth.xml and make sure you include the CA of your certificate for completeness purpose, i.e. see below

    <FileResolver Id="testfed_level_2_cred">
         <Key>
             <Path>file:/etc/certs/mykey.pem</Path>
         </Key>
         <Certificate>
             <Path>file:/etc/certs/mycert.pem</Path>
             <CAPath>file:/etc/certs/ca-bundle.pem</CAPath>
         </Certificate>
    </FileResolver>

Configuration Files

• Change any "level-1" references to "level-2" in /usr/local/shibboleth-idp/etc/idp.xml and /usr/local/shibboleth-sp/etc/shibboleth/shibboleth.xml.

Federation Manager

• Login to the Federation Manager
• Edit your IdP or SP and request an upgrade from level 1 to level 2
• Await approval

Testing

• Ensure you have the latest metadata file
• Restart services
• Test services. SP test servers: https://demo.federation.org.au/level-2. If you are an SP and not having any IdP to test against, let us know and we'll test your SP.

to top