
shibboleth-dev - Re: GridShib software available

Subject: Shibboleth Developers


Re: GridShib software available


  • From: Tom Scavo <>
  • To: Shibboleth Development <>
  • Subject: Re: GridShib software available
  • Date: Tue, 6 Sep 2005 21:47:35 -0400

On 9/6/05, Von Welch <> wrote:
>
> We also include test applications for verifying the configuration of
> the Shibboleth and GT installations.

This is Tim Freeman's AA tester that I mentioned the other day. It
not only tests a GridShib deployment but an arbitrary Shib AA as well.
See the section "Testing" in the GridShib installation notes for some
illustrative examples:

http://viewcvs.globus.org/viewcvs.cgi/playground/java/gridshib/idp/doc/INSTALL.txt?rev=1.4

More documentation is needed of course. In the meantime, you can get
a feel for the various options by typing 'shib-aa-test -h' at the
command line (sample output attached).

Cheers,
Tom
> %IDP_HOME%\bin\shib-aa-test -h
Invoke application: java org.globus.gridshib.idptest.ShibTestClient

Set client cert:
  Either PEM: [-p <path> -q <path>]
  Or JKS:     [-j <path> -k <pass> -l <pass>]

Set trusted server cert(s):
  Either PEM:  [-r <path>]
  Or JKS:      [-t <path>]
  Or metadata: [-m <path>]

Set query subject: [-f name]

________

Options:
-a,--aaurl <URL>              URL of the AA to query (Default
                              'https://idp.example.org:8443/shibboleth-idp/AA')
-d,--debug                    Enables debug mode
-f,--principal <principal>    principal name (Default 'bogus')
-h,--help                     Displays help
-i,--idp_providerid <URI>     The IdP providerId -- NameQualifier of the
                              SAML NameIdentifier in the SAML subject of
                              the attribute query. This is used to qualify
                              the subject of the attribute query,
                              presumably to ensure uniqueness. (Default
                              'https://idp.example.org/shibboleth')
-j,--jks <path>               Path to an existing Java keystore (JKS)
                              with the SSL client certificate to use
-k,--jks_pass <password>      Password for an existing JKS with the SSL
                              client certificate to use
-l,--jks_key_pass <password>  Password for the key in an existing JKS
--lh                          Displays a long help message
-m,--metadata <path>          If this option is selected, the
                              'truststore' and 'pem_truststore' settings
                              are ignored. This metadata file will be
                              consulted for the AA SSL certificates to
                              trust, adding all <X509Certificate> in the
                              <AttributeAuthorityDescriptor> element of the
                              given IdP providerId
-p,--pem <path>               Path to a PEM certificate to use for
                              client authentication
-q,--pk <path>                Path to the key for the PEM certificate
-r,--pem_truststore <path>    Path to a PEM file of the server's SSL
                              certificate if is self-signed or if not, the
                              certificate of the CA that signed it
-s,--sp_providerid <URI>      The SP providerId -- The Resource
                              attribute of the AttributeQuery element has
                              this value. Along with the SSL credential
                              used to establish the connection to the AA,
                              this identifies the entity making the
                              attribute query. (Default
                              'https://sp.example.org/shibboleth')
-t,--truststore <path>        Path to an existing Java keystore (JKS)
                              containing the server's SSL certificate if is
                              self-signed or if not, the certificate of the
                              CA that signed it
-u,--keep_keystore            If this option is present, the normally
                              ephemeral client JKS file is not deleted
                              after the query
-v,--keep_truststore          If this option is present, the normally
                              ephemeral server JKS truststore is not
                              deleted after the query
-w,--new_jks <path>           Overrides default path to the ephemeral
                              JKS created to use for SSL client certificate
                              (Default 'shib_client.jks')
-x,--new_truststore <path>    Overrides default path to the ephemeral
                              JKS created to use for SSL server certificate
                              verification process. Note: for
                              password/alias, this uses the same settings
                              as client cert store (alias override is
                              irrelevant when using metadata option for the
                              server trust information) (Default
                              'shib_server.jks')
-y,--new_jks_pass <password>  Overrides default password for both of the
                              ephemeral JKS created to use for SSL
                              certificates (Default 'globus')
-z,--new_jks_alias <string>   Overrides default alias for the key in
                              both of the ephemeral JKS created to use for
                              SSL certificates (Default 'globus')

Note: options u,v,w,x,y,z are usually not needed
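
The following is an added example, not part of the original message or of GridShib's code. It sketches the lookup that the -m help text describes: collecting only the <X509Certificate> values inside the <AttributeAuthorityDescriptor> of the entity matching the given IdP providerId. It assumes the metadata uses the SAML 2.0 metadata namespace with an entityID attribute; the function names are hypothetical and the sample metadata is constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"  # assumed metadata namespace
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample; certificate bodies are placeholder bytes, not real X.509.
SAMPLE = f"""<EntitiesDescriptor xmlns="{MD}" xmlns:ds="{DS}">
 <EntityDescriptor entityID="https://idp.example.org/shibboleth">
  <IDPSSODescriptor><KeyDescriptor><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>U1NPLWNlcnQ=</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor></IDPSSODescriptor>
  <AttributeAuthorityDescriptor><KeyDescriptor><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>
    QUEtY2Vy
    dA==
   </ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor></AttributeAuthorityDescriptor>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://other.example.org/shibboleth">
  <AttributeAuthorityDescriptor><KeyDescriptor><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>b3RoZXItY2VydA==</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor></AttributeAuthorityDescriptor>
 </EntityDescriptor>
</EntitiesDescriptor>"""


def aa_trust_anchors(metadata_xml, provider_id):
    """DER bytes of each <X509Certificate> inside the
    <AttributeAuthorityDescriptor> of the entity named provider_id."""
    root = ET.fromstring(metadata_xml)  # assumed to be a vetted local file
    certs = []
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        if entity.get("entityID") != provider_id:
            continue  # exact match only: other entities' keys are never trusted
        for aa in entity.findall(f"{{{MD}}}AttributeAuthorityDescriptor"):
            for node in aa.iter(f"{{{DS}}}X509Certificate"):
                b64 = "".join((node.text or "").split())  # undo line wrapping
                if b64:
                    certs.append(base64.b64decode(b64, validate=True))
    if not certs:  # fail closed rather than connect with an empty truststore
        raise LookupError(f"no AA certificate for {provider_id!r}")
    return certs


def fingerprints(certs):
    """SHA-256 fingerprints, for comparison against out-of-band values."""
    return [hashlib.sha256(der).hexdigest() for der in certs]
```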



