AAF logo AUSTRALIAN ACCESS FEDERATION

Removal of port 8443 for IdPs - Actions for AAF IdP administrators

The AAF wishes to advise our subscribers of a deprecation in the recommended configuration for Identity Providers operating within the AAF and/or within eduGAIN. This change will assist in ensuring the longer term security of your Identity Provider.

Actions for AAF IdP administrators

If you have an Identity provider in the AAF Test environment we recommend applying the following changes to this IdP and then repeating the changes on your production IdP, once you are satisfied that there has been no impact to your Test IdP.


The following steps are a guide to safely removing the back-channel endpoints from your IdP. If issues occur at the end of any step, reversing the change should resolve the issue and allow you to investigate why the issue occurred. At any point you can contact Support@aaf.edu.au for advice and assistance.


Step 1 - Remove endpoints from your IdPs Metadata

  • Using the AAF Federation Registry, disable all pre-existing endpoints that utilize port 8443.

These will generally be the Artefact Resolution Services and the Attribute Services.

Note: It will take up to 24 hours for the change to propagate around the federation and up to 48 hours to propagate around eduGAIN connected services.

  • Remove SAML v1 endpoints.

Search through all your active endpoints looking for endpoints that include "shibboleth:1.0" or "SAML:1.0" and disable these.

  • Take a copy of your IdPs metadata from the AAF Federation Registry and use this copy to update the local version on your IdP.

The local version of your metadata is, on occasion, retrieved by bi-lateral service providers through the URL that is your entityID. See updating local metadata for more details.

  • Provide your new metadata to locally attached bi-lateral service providers.

Many locally attached bi-lateral service providers will not be using the endpoints that utilize port 8443. This step is just attempting to catch those that do.


Step 2 - Block access to port 8443

We recommend performing this step after at least 2 weeks without any incidents being reported for your IdP in relation to the changes in Step 1.


  • Remove any firewall rules that allow access to port 8443 on your IdP.

This may include the local firewall that is running on your IdP, your corporate, dmz and border firewalls that may have rules referencing the port.

  • Using the AAF Federation Registry, delete the disabled endpoints that utilize port 8443.


Step 3 - Remove configuration for port 8443 from your IdP

This step removes the configuration from your IdP that enables the back-channel endpoints that listen on port 8443. Depending on how you have configured your IdP, you may or may not need to make changes to the following software components configuration.


Note: For AAF IdP administrators that utilize the AAF IdP Installer, the next version that will upgrade your IdP to version 3.4.3 that is now available, provides an option to remove the config automatically. On new installs port 8443 has been turned off as default.


Note: This step will require a restart of your IdP


To disable port 8443, you need to add the enable_backchannel variable and set its value to ‘false’ on your existing IdP's configurations.

  • add enable_backchannel: "false" to the end of the file /opt/shibboleth-idp-installer/repository/host_vars/[YOUR-SERVER-NAME]
  • run update_sh script.

This will stop the IdP using 8443.


After running the update script, check the port status by running

netstat -tunlp


If you are not using the AAF installer, follow the steps below to remove the configurations.

Manual configurations

Apache

If your IdP uses Apache to perform the client verification (Service provider verification) and then proxy to the IdP (Generally IdPv2 config)

  • Find the VirtualHost that listens on port 8443 and remove the entire VirtualHost config
  • Remove the ‘Listen 8443’ configuration line.
  • Restart Apache


Jetty

For IdPs using Jetty as the Java Server-Let container there may be a number of files you will need to remove the following file and restart jetty.

  • start.d/backchannel.ini - remove if it exists
  • etc/jetty-backchannel.ini - remove if it exists
  • modules/backchannel.mod - remove if it exists
  • Restart Jetty


Step 4 - Final clean up

We are almost done. There is some final cleaning up required. These activities will occur in the Federation Registry and may require the updating of your local metadata, see updating local metadata for more details.


  • Delete the back-channel certificate from your IdPs metadata.

Caution is required here, as it may not be clear which certificate is the back-channel certificate particularly if one certificate is performing multiple roles which was typical in IdP2.

The back-channel will have a Key Type of signing and will match the back-channel certificate on your IdP. If you are uncertain DO NOT delete anything and contact support@aaf.edu.au for advice before attempting this step.



Your IdP is now running without a back-channel.

Login or Signup to post a comment

Newsletter Sign-up

To receive regular updates from AAF:
Add Me to the General List or Add Me to the Technical List or Add Me to the ORCID mailing list