LIS-OPENATHENSLA Archives, February 2013

Subject: Re: local SP and metadata
From: Steve Glover <[log in to unmask]>
Reply-To: OpenAthens LA Users discussion group <[log in to unmask]>
Date: Wed, 27 Feb 2013 16:51:50 +0000
Content-Type: text/plain


Hi Graham,

One way round this might be to register the SP in the UK federation and 
both entities would then be able to pick up the other's metadata from 
the signed federation metadata file.

Cheers,

Steve


On 27/02/13 15:30, Seaman, Graham wrote:
> Hi Alex
>
> That got us part way there: the OALA Admin console accepted the (now
> signed) metadata, popped up an alert box to ask if we wanted to trust
> it, and then saved the certificate under 'Trusted certificates'
> automatically. Hooray!
>
> So thinking 'problem solved' we applied the change and published to the
> IdP server. The new configuration file, including the new certificate,
> is on the IdP server, and looks OK. Unfortunately, it kills the IdP.
> Apache no longer starts, giving us an error message:
>
> [27/Feb/2013 14:06:35.154 +0000] [20117] ERROR curl  : Couldn't fetch
> data from URI 'https://primo-xxx.hosted.exlibrisgroup.com/Shibboleth.sso/Metadata':
> Peer certificate cannot be authenticated with given CA certificates: SSL
> certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> The certificate is from Go Daddy. As far as we can tell, the CA files in
> use are specified in /etc/openathens/atacama/idp-atacam-config.xml as
> being in /usr/share/atacama-platform/trust (this is the 'trustFile'
> parameter for the apache curl_module), and the bundle we have in there
> includes Thawte and Verisign but not Go Daddy. I've tried going to the
> Go Daddy website and adding their 'certificate bundle for cPanel,
> ..Apache1.x and Apache2.x' to the bundle we already had, but it made no
> difference. Any other ideas?
>
> Thanks
>
> Graham
>
> ------------------------------------------------------------------------
>
> *From:*OpenAthens LA Users discussion group
> [mailto:[log in to unmask]] *On Behalf Of *Collins, Alex
> *Sent:* 26 February 2013 16:12
> *To:* [log in to unmask]
> *Subject:* Re: local SP and metadata
>
> Hi
>
> On your SP you need to tell it to Sign the Metadata
>
> In the Shibboleth2.xml you need a line something like:
>
> <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
> <Handler type="MetadataGenerator" Location="/Metadata" signing="true"/>
>
> I would expect that this would be close to the Top of the file.
>
> --
>
> Alex Collins. Library Systems and Support Officer.
>
> Rivermead Library.              Tel: 0845 196 3722
>
> [log in to unmask]     http://libweb.anglia.ac.uk
>
> This product is printed with 100% recycled electrons !
>
> *From:*OpenAthens LA Users discussion group
> [mailto:[log in to unmask]] *On Behalf Of *Seaman, Graham
> *Sent:* 26 February 2013 16:08
> *To:* [log in to unmask]
> *Subject:* local SP and metadata
>
> Hi
>
> Having got our Ezproxy running OK as an SP with our OpenAthensLA IdP,
> we've moved on to trying to configure the IdP to work with a more
> conventional SP, protecting Primo. ExLibris have set the Primo SP up for
> us (I believe this is just a standard Shibboleth SP), and we can access
> the SP metadata OK. However, the IdP Admin panel rejects the metadata
> with the error message 'This metadata is not signed. Please ensure it is
> from a trusted source'. The way I read this is: 'This metadata is not
> signed. If you are going to use unsigned metadata, then the IdP needs to
> know you trust the source. The way to do that is by installing a
> certificate to match the metadata'.
>
> Anyone know if that is the right way to read this, and if so, which
> certificate to use? We asked ExLibris for a pem file, and they sent us a
> file identical to the X509 certificate embedded in the metadata. We
> installed this, but still had the same error message.
>
> Any advice welcome... (I also have a ticket in with Eduserv; if we get
> a solution from them I'll post it here for future reference!)
>
> Thanks
>
> Graham
>


-- 
Steve Glover: SDSS, EDINA, Causewayside House, 160 Causewayside EH9 1PR
e:[log in to unmask] t:0131 650 2908 f:0131 650 3308 m:07961 446 902

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
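Two checks behind the thread above, as an added example that is not code from the list, Eduserv or ExLibris: first, whether an SP's TLS certificate chains to anything in the trust file curl is given (the condition behind the "certificate verify failed" error Graham quotes), and second, whether the certificate embedded in the SP metadata is the same one the SP operator sent as a .pem, which Graham judged by eye. The script builds a throwaway issuing CA and SP certificate locally so it runs offline; it assumes only `openssl` on PATH, and every name, path and the metadata skeleton is constructed for the demo rather than taken from OpenAthens LA or Primo.

```shell
#!/bin/sh
# Added example, not code from the thread.  Reproduces "certificate verify
# failed" with a trust file that lacks the issuing CA, shows that appending
# that CA (and only that CA) fixes it, and compares the certificate embedded
# in SP metadata with a separately supplied PEM by SHA-256 fingerprint.
# Assumes `openssl` on PATH; all names and files below are constructed.
set -e
WORK="$(mktemp -d)"

# Throwaway issuing CA (standing in for the SP's real CA), an SP certificate
# signed by it, and a trust file that knows an unrelated root only.
build_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Issuing CA" \
    -keyout "$WORK/issuer.key" -out "$WORK/issuer.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sp.example.org" \
    -keyout "$WORK/sp.key" -out "$WORK/sp.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/sp.csr" -CA "$WORK/issuer.pem" \
    -CAkey "$WORK/issuer.key" -CAcreateserial -out "$WORK/sp.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Root" \
    -keyout "$WORK/other.key" -out "$WORK/trust.pem" >/dev/null 2>&1
}

# verify_chain TRUSTFILE CERT: succeeds only if CERT chains to a CA in TRUSTFILE.
# This is the same decision curl makes against its trust file.
verify_chain() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Who issued the certificate?  Compare this with the subjects in the trust
# file before appending vendor bundles at random.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# SHA-256 fingerprint of a PEM certificate: lowercase hex, no colons.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Constructed SP metadata embedding the certificate, in the shape a Shibboleth
# SP's MetadataGenerator produces (signature omitted for the demo).
write_metadata() {
  b64="$(sed '/-----/d' "$1")"
  cat > "$2" <<EOF
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
$b64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
EOF
}

# Extract the first embedded certificate from metadata as PEM.
embedded_cert() {
  echo "-----BEGIN CERTIFICATE-----"
  sed -n '/<ds:X509Certificate>/,/<\/ds:X509Certificate>/p' "$1" \
    | sed 's/<[^>]*>//g' | tr -d ' \t' | sed '/^$/d'
  echo "-----END CERTIFICATE-----"
}

main() {
  build_pki
  echo "SP certificate issued by: $(issuer_of "$WORK/sp.pem")"
  if verify_chain "$WORK/trust.pem" "$WORK/sp.pem"; then
    echo "chain OK against the existing trust file"
  else
    echo "certificate verify failed: the issuer is not in the trust file"
    cat "$WORK/trust.pem" "$WORK/issuer.pem" > "$WORK/trust.fixed.pem"
    verify_chain "$WORK/trust.fixed.pem" "$WORK/sp.pem" \
      && echo "chain OK after appending the issuing CA to the trust file"
  fi
  write_metadata "$WORK/sp.pem" "$WORK/sp-metadata.xml"
  embedded_cert "$WORK/sp-metadata.xml" > "$WORK/embedded.pem"
  echo "cert in metadata:   $(fingerprint "$WORK/embedded.pem")"
  echo "cert from operator: $(fingerprint "$WORK/sp.pem")"
}
main
```

On a real IdP host the same functions apply to the live files: fetch the SP's presented chain with `openssl s_client -connect <sp-host>:443 -showcerts`, run `issuer_of` on the leaf to learn which CA must be present, and `verify_chain` against the file named by the trust file setting before and after adding that CA. Appending a whole vendor bundle, as Graham tried, only helps if the bundle actually contains the issuing CA (and any intermediate the server fails to send), which the issuer check tells you in advance.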
