Australian Access Federation Support Desk

Migrating your SP to highly available Metadata

by Bradley Beddoes

Recently the AAF has completed building our highly available Metadata distribution service across a number of servers situated throughout Australia.

This article will guide you through the modifications necessary to make your SP utilise this service instead of the older manager[.test].aaf.edu.au URL.

This is a change we recommend you make during a maintenance window. Please contact AAF support if you need any further details.

To get started, locate your Shibboleth SP configuration directory, generally /etc/shibboleth.

Updates for Metadata

  1. Edit the file shibboleth2.xml
  2. Find the following within the MetadataProvider tag:
    uri="http://manager[.test].aaf.edu.au/metadata/metadata.aaf.signed.xml"

    (You might also have metadata.aaf.signed.minimal.xml or metadata.aaf.signed.xml in your URL. These are all roughly equivalent, and all need to use the same new URL below.)
  3. Change this to be:
    uri="https://ds[.test].aaf.edu.au/distribution/metadata/metadata.aaf.signed.minimal.xml"

    For example:
    uri="http://manager.test.aaf.edu.au/metadata/metadata.aaf.signed.xml"

    becomes:
    uri="https://ds.test.aaf.edu.au/distribution/metadata/metadata.aaf.signed.minimal.xml"

    and
    uri="https://manager.aaf.edu.au/metadata/metadata.aaf.signed.complete.xml"

    becomes:
    uri="https://ds.aaf.edu.au/distribution/metadata/metadata.aaf.signed.minimal.xml"
  4. Save the file and exit
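
The same edit can be applied and checked with a short script. This is an added example, not AAF tooling: the function names, the backup suffix and the sample MetadataProvider element are assumptions made here, and the sample is constructed.

```bash
#!/bin/sh
# Added example: apply the manager -> ds metadata URL change to shibboleth2.xml.
# Function names and the backup suffix are choices made for this example.

# Constructed sample MetadataProvider element (not a real SP configuration).
sample_config() {
cat <<'EOF'
<MetadataProvider type="XML"
    uri="http://manager.test.aaf.edu.au/metadata/metadata.aaf.signed.xml"
    backingFilePath="metadata.aaf.xml" reloadInterval="7200"/>
EOF
}

# Any of the old file names on manager[.test], over http or https.
OLD_RE='https?://manager(\.test)?\.aaf\.edu\.au/metadata/metadata\.aaf\.signed(\.minimal|\.complete)?\.xml'
NEW_PATH='aaf.edu.au/distribution/metadata/metadata.aaf.signed.minimal.xml'

# Returns 0 on success, 1 if the result does not look right, 2 on I/O errors.
migrate_aaf_metadata() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }

    # Back up first so the change can be rolled back in the maintenance window.
    cp -p "$conf" "$conf.pre-ds-migration" || return 2

    # \1 carries the optional ".test", so test and production stay separate.
    # Writing into the existing file keeps its owner and permissions.
    sed -E "s#${OLD_RE}#https://ds\\1.${NEW_PATH}#g" \
        "$conf.pre-ds-migration" > "$conf" || return 2

    # No reference to the old host may survive the rewrite.
    if grep -Eq 'manager(\.test)?\.aaf\.edu\.au' "$conf"; then
        echo "old manager URL still present in $conf" >&2
        return 1
    fi
    # The new https URL must be present, otherwise nothing was migrated.
    if ! grep -Eq "https://ds(\.test)?\.${NEW_PATH}" "$conf"; then
        echo "no ds metadata URL found in $conf" >&2
        return 1
    fi
    return 0
}

# With a path argument, migrate that file; with none, only define the functions.
[ "$#" -eq 0 ] || migrate_aaf_metadata "$1"
```

A return code of 1 means the file should be inspected by hand before shibd is restarted.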

 

Finishing Up

You should now restart your shibd daemon. When it comes back online it will use the highly available sources for AAF metadata configured above, reducing to almost nil the chance of an outage during maintenance windows or unscheduled outages of core AAF services such as Federation Registry.

NOTE

If you restart shibd and your metadata is not updating, and you are seeing SSL-related errors in shibd's logs, you may need to import the SSL certificate for the Certificate Authority used to sign the certificate on the AAF Distribution Service. On most recent operating system releases, such as Red Hat Enterprise Linux 6, this should not be necessary, but it may be necessary on older operating systems. The process is different for each operating system, so if you encounter such an issue, you should log a support call with AAF support (support@aaf.edu.au) to help you resolve the issue.
