Removal of port 8443 for IdPs - Actions for AAF IdP administrators
The AAF wishes to advise our subscribers of a deprecation in the recommended configuration for Identity Providers operating within the AAF and/or within eduGAIN. This change will assist in ensuring the longer term security of your Identity Provider.
If you have an Identity Provider in the AAF Test environment, we recommend applying the following changes to that IdP first and then repeating them on your production IdP once you are satisfied that there has been no impact on your Test IdP.
The following steps are a guide to safely removing the back-channel endpoints from your IdP. If issues occur at the end of any step, reversing the change should resolve the issue and allow you to investigate why the issue occurred. At any point you can contact Support@aaf.edu.au for advice and assistance.
Step 1 - Remove endpoints from your IdP's metadata
These will generally be the Artefact Resolution Services and the Attribute Services.
Note: It will take up to 24 hours for the change to propagate around the federation and up to 48 hours to propagate around eduGAIN connected services.
Search through all your active endpoints looking for endpoints that include "shibboleth:1.0" or "SAML:1.0" and disable these.
The local version of your metadata is, on occasion, retrieved by bi-lateral service providers through the URL that is your entityID. See updating local metadata for more details.
Many locally attached bi-lateral service providers will not be using the endpoints that utilize port 8443. This step is just attempting to catch those that do.
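As an added check for Step 1 (this is example code, not AAF's own tooling), the following Python script scans an IdP EntityDescriptor for the back-channel endpoints to remove: anything with a "shibboleth:1.0" or "SAML:1.0" binding, plus any endpoint whose Location uses port 8443. It can also strip those endpoints from a local copy of the metadata. The sample metadata and the entityID in it are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample IdP metadata: two SAML 1.0 back-channel endpoints on
# port 8443, one SAML 2.0 artifact endpoint on 8443, one front-channel SSO.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService index="1"
      Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
      Location="https://idp.example.edu:8443/idp/profile/SAML1/SOAP/ArtifactResolution"/>
    <ArtifactResolutionService index="2"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="https://idp.example.edu:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
      Location="https://idp.example.edu:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>"""

BACKCHANNEL_PORT = 8443
LEGACY_MARKERS = ("shibboleth:1.0", "SAML:1.0")

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]

def is_backchannel(elem):
    """True for legacy (SAML 1.0 / Shibboleth 1.0) bindings or any Location on port 8443."""
    binding = elem.get("Binding", "")
    port = urlsplit(elem.get("Location", "")).port
    return any(m in binding for m in LEGACY_MARKERS) or port == BACKCHANNEL_PORT

def find_backchannel_endpoints(metadata_xml):
    """Return (element name, Binding, Location) for each endpoint that should be removed."""
    root = ET.fromstring(metadata_xml)
    return [(local_name(e.tag), e.get("Binding"), e.get("Location"))
            for e in root.iter() if "Location" in e.attrib and is_backchannel(e)]

def strip_backchannel_endpoints(metadata_xml):
    """Return the metadata with the back-channel endpoints removed (for a local copy)."""
    root = ET.fromstring(metadata_xml)
    for parent in list(root.iter()):  # snapshot first: we mutate children below
        for child in [c for c in list(parent) if "Location" in c.attrib and is_backchannel(c)]:
            parent.remove(child)
    return ET.tostring(root, encoding="unicode")
```

Run find_backchannel_endpoints on your own metadata before and after the Federation Registry change; an empty result afterwards confirms nothing on 8443 or on a SAML 1.0 binding is still advertised.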
Step 2 - Block access to port 8443
We recommend performing this step after at least 2 weeks without any incidents being reported for your IdP in relation to the changes in Step 1.
This may include the local firewall running on your IdP, as well as your corporate, DMZ and border firewalls, any of which may have rules referencing the port.
Step 3 - Remove configuration for port 8443 from your IdP
This step removes the configuration from your IdP that enables the back-channel endpoints listening on port 8443. Depending on how you have configured your IdP, you may or may not need to make changes to the following software components' configuration.
Note: For AAF IdP administrators who use the AAF IdP Installer, the next version of the installer, which is now available and upgrades your IdP to version 3.4.3, provides an option to remove the config automatically. On new installs port 8443 is turned off by default.
Note: This step will require a restart of your IdP.
To disable port 8443, add the enable_backchannel variable to your existing IdP's configuration and set its value to 'false'.
This will stop the IdP using 8443.
After running the update script, check the port status by running
If you are not using the AAF installer, follow the steps below to remove the configurations.
If your IdP uses Apache to perform the client verification (service provider verification) and then proxies to the IdP (generally an IdPv2 config)
For IdPs using Jetty as the Java servlet container, there may be a number of files involved; you will need to remove the following file and restart Jetty.
Step 4 - Final clean up
We are almost done. There is some final cleaning up required. These activities will occur in the Federation Registry and may require the updating of your local metadata, see updating local metadata for more details.
Caution is required here, as it may not be clear which certificate is the back-channel certificate, particularly if one certificate is performing multiple roles, which was typical in IdPv2.
The back-channel certificate will have a Key Type of signing and will match the back-channel certificate on your IdP. If you are uncertain, DO NOT delete anything; contact Support@aaf.edu.au for advice before attempting this step.
Your IdP is now running without a back-channel.