Shibboleth – some deployment considerations
This is an update to the advice given at the ITSYSMAN meeting in October.
A few considerations if you're deploying a Shibboleth entity (Identity or Service Provider) within the next few months.
Forget about Shibboleth 1.3
It goes end of life in June 2010, so concentrate your efforts on Shibboleth 2.0. If you have an existing Shib 1.3 install, you need to start looking at upgrading it now.
SSL Certificates for Shibboleth
Important Update – as a result of an announcement from JANET (see this comment), you can apply for a JANET SCS cert between now and 11th December 2009 and it will still be valid for its full term. However, the following advice is still valid should you ever need to change your certificate, and the advice regarding self-signed certificates still stands.
Due to the changes in the JANET SCS, it could be worth holding back on going live with your Shibboleth install until you can get the new certificates (probably from January 2010).
You could go live with an existing JANET SCS cert, but you will need to change it before 6th April 2010 (when all the existing JANET SCS certificates expire). The complexity of the change depends on whether you only use the certificate for the webserver (Tomcat, Apache or IIS), which should be fairly simple, or also use the certificate with Shibboleth itself. In the latter case the change could cause some unavailability of your Shibboleth IdP: first while the federation metadata is updated, and then while the service providers obtain that update.
That leads me on to the next piece of advice, which was recommended to those of us on the JANET Shibboleth courses in Llandrindod Wells by the trainer Rhys Smith from Cardiff University. For your Shibboleth configuration you should use self-signed certificates, signed for an extended period (e.g. 10 years), so that you are not forced into a metadata change every time a commercial certificate expires.
My advice on self-signed certificates is, firstly, to make some very careful notes of the process (and the passphrase), and secondly, to ensure that the certificates are fully backed up, including backing up the private key file BEFORE signing the certificate request.
You should continue to use the JANET SCS or similar certificates on the webservers concerned (unless you want your users to get some error messages!).
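As an added example (not from the original post or from the Shibboleth project), here is a small POSIX shell script that does what the advice above describes: it generates a long-lived self-signed certificate for the Shibboleth entity itself, backs up the private key straight away, and checks the certificate's remaining lifetime and key match before you hand it to the federation. It assumes the openssl command-line tool is installed; the hostname idp.example.ac.uk and the file prefix are placeholders.

```shell
#!/bin/sh
# Added example: long-lived self-signed certificate for a Shibboleth IdP/SP.
# Assumes the openssl CLI; hostnames and paths below are placeholders.
set -eu

# Create <prefix>.key and <prefix>.crt, a self-signed certificate for $host
# valid for $days days (3650 is roughly the 10 years recommended above).
# The key is written unencrypted (-nodes) because the Shibboleth daemon
# needs to read it at start-up, so file permissions are the protection.
make_shib_selfsigned() {
    prefix=$1; host=$2; days=$3
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$prefix.key" -out "$prefix.crt" \
        -days "$days" -subj "/CN=$host" 2>/dev/null
    chmod 600 "$prefix.key"
    # Back up the private key immediately: losing it forces a metadata
    # change and the IdP outage the post describes.
    cp -p "$prefix.key" "$prefix.key.bak"
}

# Succeed (exit 0) only if the certificate stays valid for at least $2 days.
# Uses openssl's own -checkend so no locale-dependent date parsing is needed.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeed only if the RSA modulus in the certificate matches the key file,
# i.e. the backed-up key really belongs to the certificate in the metadata.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ "$c" = "$k" ]
}

# Usage: sh shib-selfsigned.sh /etc/shibboleth/idp idp.example.ac.uk
if [ $# -eq 2 ]; then
    make_shib_selfsigned "$1" "$2" 3650
    cert_valid_for_days "$1.crt" 3600 && echo "certificate valid for 10 years"
    key_matches_cert "$1.crt" "$1.key" && echo "key and certificate match"
fi
```

Keep the .key.bak copy somewhere other than the IdP host, and record the exact commands used alongside it, as the post recommends.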
Tags: certificates, self-signed, Shibboleth, UK FAM

November 12th, 2009 at 6:38 pm
Announcement from JANET:
“We are pleased to be able to announce that all GlobalSign certificates, issued as part of the original JANET Server Certificate Service, will now continue to be valid for their stated lifespan. This means that organisations in possession of certificates, issued as part of this service, will not need to replace these certificates by April 2010. Certificate requests for the old service will not be accepted after 11th December 2009.”
http://www.ja.net/services/scs/index.html