
shibboleth-dev - SHIB design call -- (8/9), 3:00 pm edt, noon pdt

Subject: Shibboleth Developers

  • From:
  • To:
  • Subject: SHIB design call -- (8/9), 3:00 pm edt, noon pdt
  • Date: Mon, 9 Aug 2004 12:41:10 -0400

Phone #: (800) 541-1710
Pin #: 0142203

Agenda:

1) Quick status review -- java target (if Howard is on the call)

2) Get consensus on the "doc" plan...... ingredients include:

- the new protocol spec (available from the web page)
- the "white paper" (to be published first in Educause Quarterly)
- the restructured Deploy Guides (hyper-text'ed, web ready)
- the "2nd level tech description" ( sections 1 and 2 from the deploy guides)
- the install-fest checklists
- an FAQ (thank you George! -- look here... http://stc.cis.brown.edu/~stc/Projects/Shibboleth/Version-3/faq01.html)

how do all of these "fit together" and support one another?

3) Origin Install Fest Checklist -- (see attached) are there ways to insert additional "self-test" steps? are there PKI-related errors that occur frequently, that we should test for? Or just tell people to start by using bossie, and then move on to using self-signed certs?

Are there other steps we want to take with the checklist? Some notes from fest debrief:

At 12:08 PM -0400 7/8/04, wrote:
provide our tomcat package for people, so we know startup scripts + endorsed + config file + whatever...; also provide jk2 config file for download

links to complete sample config files

new process -- have people register; then a 2nd deadline they have to have their apache + jk + tomcat operational; they give us a url and we validate;


Notes from last Monday's call (topic - how to insert additional tests into the checklist)

1) Walter -- during the first install fest, there were really only three problems that festers encountered:

a) Apache/Tomcat/JK2
b) Client re-negotiation bug (apache 2 bug)
c) Endorsement Issues

Recommendation: after they've installed the platform, tell folks to retrieve https://origin/shibboleth/ This should list the directory. People could use either a browser or use curl. Note: lack of trailing slash causes unpredictable results. This will test that apache, the connector, and tomcat are all configured, and working together (to some extent).

2) Provide a command line tool that checks origin.xml syntax. Simpler than running Tomcat, and doing something to trigger loading the HS servlet.

3) If using apache 2, then check for the infamous apache 2 error -- walter - use openssl s_client to connect to web server (trigger the problem); or perhaps java based tool

4) Provide a built in servlet (similar to the one in twiki -- http://cooke.services.brown.edu/twiki/bin/testenv ) that checks a variety of things and provides a report in the browser window -- it doesn't run Shib; rather it just tests a bunch of things and reports the results. Maybe it only works if the hostname in the url is localhost?

problem with tomcat endorsement..... walter -- use a ps command.... or a simple builtin servlet check and say whether it can find right version

verify that origin announcing right providerId.... this problem didn't occur during fest

5) are there origin side PKI problems? or are they solved by having everyone use bossie....?

Attachment: Checklist-04b.doc
Description: MS-Word document



