shibboleth-dev - Re: shib design call, TODAY monday (6/23), 3:00 pm edt, noon pdt
Subject: Shibboleth Developers
- From: "RL 'Bob' Morgan" <>
- To:
- Cc: Shibboleth Design Team <>, Nate Klingenstein <>
- Subject: Re: shib design call, TODAY monday (6/23), 3:00 pm edt, noon pdt
- Date: Mon, 23 Jun 2003 20:28:32 -0700 (PDT)
> f) Origin -- documenting how to use PKI authn

As noted on the call this is actually how to get the AA to ask for client
authn from the SHAR that is trying to get attrs from it ...

> [5:37] ScottC: Then your Apache needs to have the mod_ssl config for
> the AA's URL so that it will pass along my cert
> [5:37] ryan_: ok, I'll turn on mod_ssl for that location
> [5:38] ScottC: <Location /shibboleth/AA>
> [5:38] ScottC: SSLVerifyClient optional
> [5:38] ScottC: SSLOptions +StdEnvVars +ExportCertData
> [5:38] ScottC: </Location>

For the record, when I did this I also had to, on my origin:

* update conf/ssl.crt/ca-bundle.crt with the HEPKI CAs (for my and other
  targets that use certs from this CA)
* in httpd.conf, uncomment:

    SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt

  and

    SSLVerifyDepth 10

  since I guess it defaults to a chain length of 1.

Works OK now, as far as I can tell (and I feel much safer ... 8^).
- RL "Bob"
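
Added example, not part of the original message or of Shibboleth: a small Python check that reads an Apache configuration and reports which of the settings discussed above are missing for the AA location. The function names, the simplified parser and the sample configuration text are constructed for illustration.

```python
import re

# Constructed sample: the <Location> block from the chat, with the two
# server-level directives still commented out (the message says "uncomment").
SAMPLE_BEFORE = """\
<Location /shibboleth/AA>
SSLVerifyClient optional
SSLOptions +StdEnvVars +ExportCertData
</Location>
#SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
#SSLVerifyDepth 10
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("#SSL", "SSL")  # after uncommenting


def parse(conf):
    """Return (server directives, {location path: directives}); skips comments."""
    server, locations, current = {}, {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+)>$", line, re.I)
        if opened:
            current = locations.setdefault(opened.group(1), {})
        elif re.match(r"</Location>$", line, re.I):
            current = None
        else:
            name, value = (line.split(None, 1) + [""])[:2]
            (server if current is None else current)[name.lower()] = value.strip()
    return server, locations


def check_client_auth(conf, path="/shibboleth/AA"):
    """List reasons client-certificate authentication to `path` may fail."""
    server, locations = parse(conf)
    loc = locations.get(path, {})
    get = lambda name: loc.get(name, server.get(name))  # Location overrides server
    problems = []
    if get("sslverifyclient") in (None, "none"):
        problems.append("SSLVerifyClient is not enabled for " + path)
    if not (get("sslcacertificatefile") or get("sslcacertificatepath")):
        problems.append("no SSLCACertificateFile/Path: no CAs to verify against")
    if get("sslverifydepth") is None:
        problems.append("SSLVerifyDepth unset: mod_ssl defaults to 1")
    if "+ExportCertData" not in (get("ssloptions") or "").split():
        problems.append("SSLOptions lacks +ExportCertData: cert not exported")
    return problems
```

Run against the first sample it reports the missing CA file and the unset verify depth; against the second it reports nothing.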