Shibboleth Developers

[Tom Scavo <>]

On 9/6/05, Von Welch 
<>
 wrote:
> 
> We also include test applications for verifying the configuration of
> the Shibboleth and GT installations.

This is Tim Freeman's AA tester that I mentioned the other day.  It
not only tests a GridShib deployment but an arbitrary Shib AA as well.
 See the section "Testing" in the GridShib installation notes for some
illustrative examples:

http://viewcvs.globus.org/viewcvs.cgi/playground/java/gridshib/idp/doc/INSTALL.txt?rev=1.4

More documentation is needed of course.  In the meantime, you can get
a feel for the various options by typing 'shib-aa-test -h' at the
command line (sample output attached).

Cheers,
Tom
> %IDP_HOME%\bin\shib-aa-test -h
Invoke application: java org.globus.gridshib.idptest.ShibTestClient

Set client cert:
    Either PEM:      [-p <path> -q <path>]
    Or JKS:          [-j <path> -k <pass> -l <pass>]

Set trusted server cert(s):
    Either PEM:      [-r <path>]
    Or JKS:          [-t <path>]
    Or metadata:     [-m <path>]

Set query subject:   [-f name]

________

Options:
 -a,--aaurl <URL>               URL of the AA to query (Default
                                
'https://idp.example.org:8443/shibboleth-idp/AA'
)
 -d,--debug                     Enables debug mode
 -f,--principal <principal>     principal name (Default 'bogus')
 -h,--help                      Displays help
 -i,--idp_providerid <URI>      The IdP providerId -- NameQualifier of the
                                SAML NameIdentifier in the SAML subject of 
the a
ttribute query.  This is
                                used to qualify the subject of the attribute 
que
ry, presumably to ensure
                                uniqueness. (Default 
'https://idp.example.org/sh
ibboleth')
 -j,--jks <path>                Path to an existing Java keystore (JKS)
                                with the SSL client certificate to use
 -k,--jks_pass <password>       Password for an existing JKS with the SSL
                                client certificate to use
 -l,--jks_key_pass <password>   Password for the key in an existing JKS
    --lh                        Displays a long help message
 -m,--metadata <path>           If this option is selected, the
                                'truststore' and 'pem_truststore' settings 
are i
gnored.  This metadata
                                file will be consulted for the AA SSL 
certificat
es to trust, adding all
                                <X509Certificate> in the 
<AttributeAuthorityDesc
riptor> element of the
                                given IdP providerId
 -p,--pem <path>                Path to a PEM certificate to use for
                                client authentication
 -q,--pk <path>                 Path to the key for the PEM certificate
 -r,--pem_truststore <path>     Path to a PEM file of the server's SSL
                                certificate if is self-signed or if not, the 
cer
tificate of the CA that
                                signed it
 -s,--sp_providerid <URI>       The SP providerId -- The Resource
                                attribute of the AttributeQuery element has 
this
 value. Along with the SSL
                                credential used to establish the connection 
to t
he AA, this identifies the
                                entity making the attribute query. (Default
                                'https://sp.example.org/shibboleth')
 -t,--truststore <path>         Path to an existing Java keystore (JKS)
                                containing the server's SSL certificate if is 
se
lf-signed or if not, the
                                certificate of the CA that signed it
 -u,--keep_keystore             If this option is present, the normally
                                ephemeral client JKS file is not deleted 
after t
he query
 -v,--keep_truststore           If this option is present, the normally
                                ephemeral server JKS truststore is not 
deleted a
fter the query
 -w,--new_jks <path>            Overrides default path to the ephemeral
                                JKS created to use for SSL client certificate 
(D
efault 'shib_client.jks')
 -x,--new_truststore <path>     Overrides default path to the ephemeral
                                JKS created to use for SSL server certificate 
ve
rification process. Note:
                                for password/alias, this uses the same 
settings
as client cert store
                                (alias override is irrelevant when using 
metadat
a option for the server
                                trust information) (Default 'shib_server.jks')
 -y,--new_jks_pass <password>   Overrides default password for both of the
                                ephemeral JKS created to use for SSL 
certificate
s (Default 'globus')
 -z,--new_jks_alias <string>    Overrides default alias for the key in
                                both of the ephemeral JKS created to use for 
SSL
 certificates (Default
                                'globus')

Note: options u,v,w,x,y,z are usually not needed