>Will I just fail to be able to access anything and be sat
>scratching my head as to what could be wrong?
If our experience is anything to go by you will end up with things not
working, and once you turn logging up to debug you will get hard-to-understand
errors reported in log files. After spending 2 days trying to
figure out the cause you might have an epiphany (or in our case SDSS had
one for us) and you work out the cause.
In our case the error was 3 mistakes which combined:
1) Make sure you get the "TLS SureServe" certs from UKERNA, not the
generic SSL ones.
2) Get the CSR generation right. TLS certs don't need an email address,
so either enter a . when asked or make yourself an openssl.cnf file that
doesn't ask for one; see the SSL section of
http://www.ncl.ac.uk/iss/web/infrastructure/weblogin/shib-httpd.php and
the example file
http://www.ncl.ac.uk/iss/web/infrastructure/weblogin/openssl.cnf.txt
3) Old-style SP registrations from years ago have the full certificate
subject in the <ds:KeyName> (e.g. CN=chcc.essex.ac.uk, OU=UK Data Archive, etc.),
so when you get a certificate which has stuff about email addresses at
the front Shibboleth gets confused and assumes it is being lied to. New
registrations with <ds:KeyName>thing.ncl.ac.uk</ds:KeyName> style just
seem to pattern match for the CN section containing the right string, so
they are more robust.
The SSL validation part of Shibboleth is what has caused us the most
grief over the years, and I can't stress enough how much you will benefit
from getting all your SSL procedures right and set in stone at the
start.
>Any advice please?
>Thanks
>Heather
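An added example, not from the thread above: a minimal openssl.cnf whose DN section omits emailAddress (so `openssl req` never asks for one), and a pre-flight check that a CSR's subject carries no emailAddress and has a CN matching the value used in the SP's <ds:KeyName>. The hostname, organisation and file paths are placeholders.

```shell
#!/bin/sh
# Added example; placeholder values, substitute your own.
SP_HOST="sp.example.ac.uk"   # assumed hostname, also the <ds:KeyName> value

# openssl.cnf whose DN section lists no emailAddress field, so
# "openssl req" never prompts for one (it still prompts for the rest).
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = GB
organizationName            = Organization Name
organizationName_default    = Example University
organizationalUnitName      = Organizational Unit Name
commonName                  = Common Name (SP hostname)
EOF
}

# Check a subject line as printed by "openssl req/x509 -noout -subject":
# reject if emailAddress appears anywhere, or if the CN is not the KeyName.
check_subject() {
  subj="$1"; keyname="$2"
  case "$subj" in
    *emailAddress*) echo "rejected: emailAddress present in subject"; return 1 ;;
  esac
  case "$subj" in                     # both "CN = x" and "/CN=x" output styles
    *"CN = $keyname"|*"CN = $keyname,"*|*"CN=$keyname"|*"CN=$keyname/"*)
      echo "ok: CN matches KeyName $keyname"; return 0 ;;
  esac
  echo "rejected: CN does not match KeyName $keyname"; return 1
}

# Generate key + CSR non-interactively with the config above, then check it.
make_and_check_csr() {
  dir=$(mktemp -d)
  write_openssl_cnf "$dir/openssl.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/C=GB/O=Example University/OU=ISS/CN=$SP_HOST" \
    -keyout "$dir/sp-key.pem" -out "$dir/sp.csr" 2>/dev/null
  subj=$(openssl req -noout -subject -in "$dir/sp.csr")
  check_subject "$subj" "$SP_HOST"
}

if command -v openssl >/dev/null 2>&1; then make_and_check_csr; fi
```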