...
- This guide assumes that the administrator is familiar with Linux, editing text-based configuration files and running shell commands.
- The guide assumes that the administrator has access to a Linux system where Python 2.7 or Python >=3.9 is installed.
- It is assumed that the installation directory will be '/opt/pyff'. Root access might be needed to install this software.
- It is assumed that the output metadata directory will be '/opt/pyff/output'. Root access might be needed to create this directory.
- In order to run cron jobs more securely, it is recommended to create and use an unprivileged user pyff-user.
...
In the following, we assume that the latest version of the pyFF Federation Feeder is 02.91.45. Please perform a search-and-replace on this document in case a newer version is available. Please inform the author if you find inconsistencies in newer versions.
- Follow the instructions provided by the pyFF Documentation to install the pyFF software.
- Create the needed directories:
  cd /opt/pyff ; mkdir output ; mkdir certs ; mkdir scripts
- Create the certificate and the key needed to sign the output metadata:
  - Generate the Metadata Signer Key:
    openssl genrsa -out /opt/pyff/certs/sign.key 2048
  - Generate the Metadata Signer Certificate:
    openssl req -key /opt/pyff/certs/sign.key -new -x509 -days 3650 -out /opt/pyff/certs/sign.crt
- Download and check the eduGAIN Signer certificate (see https://technical.edugain.org/metadata):
  wget https://technical.edugain.org/mds-v2.cer -O /opt/pyff/certs/eduGAIN-signer-ca.pem
- Check the fingerprint of the eduGAIN signer certificate:
  openssl x509 -noout -fingerprint -in /opt/pyff/certs/eduGAIN-signer-ca.pem
  (openssl x509 -fingerprint prints the SHA-1 fingerprint by default; add -sha256 to print the SHA-256 fingerprint instead.)
  The SHA1/SHA256 fingerprint should be 5A:D7:3F:8ABD:21:40:48:9A:9B:D7:40:44:DD:68:05:34:F7:78:88:A9:C1:0C3B:740A:56C1:417C:774F:453A:4503:EB6E:920F:76EC:1F6D:3D89:0D99:E6:7C95
- Create the interfederation configuration file (/opt/pyff/interfederation.fd) by adapting this content to your needs:
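The fingerprint check above is the step that decides whether the downloaded signer certificate is trusted, so it is worth scripting rather than eyeballing. The following is an added example, not part of the eduGAIN/pyFF documentation: it computes the certificate fingerprint the same way openssl x509 -fingerprint does (hash of the DER bytes inside the PEM block), compares it in constant time against a pinned expected value, and fails closed on a mismatch. The file path, script name and the sample PEM (which wraps the bytes "abc" instead of a real certificate) are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample: a PEM wrapper around the bytes b"abc" standing in for a
# DER-encoded certificate. It is NOT the eduGAIN signer certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    body = []
    inside = False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
            continue
        if line == "-----END CERTIFICATE-----":
            break
        if inside and line:
            body.append(line)
    if not inside or not body:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(body), validate=True)


def fingerprint(pem_text: str, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case fingerprint, as 'openssl x509 -fingerprint' prints it."""
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept fingerprints with or without colons/spaces, in any case."""
    return fp.replace(":", "").replace(" ", "").upper()


def matches_expected(pem_text: str, expected_fp: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison of the computed fingerprint with the pinned one."""
    actual = normalize(fingerprint(pem_text, algorithm))
    return hmac.compare_digest(actual, normalize(expected_fp))


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name):
    #   python check_signer_fp.py /opt/pyff/certs/eduGAIN-signer-ca.pem <expected SHA-256 fp>
    path, expected = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        pem = fh.read()
    if not matches_expected(pem, expected, "sha256"):
        print("fingerprint mismatch for %s: refusing to use this signer certificate" % path)
        sys.exit(1)
    print("fingerprint OK:", fingerprint(pem, "sha256"))
```

Run it right after the wget step, with the expected fingerprint taken from the eduGAIN technical site, and make the rest of the installation depend on its exit status; the fingerprint is pinned in the script so a silently replaced certificate is caught before it is ever used to validate metadata.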
...
Install a cron job that moves the eduGAIN metadata from the 'output' directory to a web server from which the eduGAIN-enabled entities of your federation can download it. Because the metadata is signed, it can also be served over plain HTTP.
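The cron job that copies the aggregate to the web server is a good place for a sanity check, so that a failed or partial pyFF run never replaces a good published file with an empty or unsigned one. The following is an added example, not code from pyFF or the eduGAIN documentation: it checks that the file is well-formed XML, that its root is an md:EntitiesDescriptor carrying an enveloped ds:Signature, and that validUntil has not already passed, and only then swaps it into place atomically with os.replace. It does not verify the XML signature cryptographically (consumers do that with the signer certificate); it only refuses to publish output that is structurally unusable. The sample aggregate, directory names and function names are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def build_sample(signed: bool, valid_until: str) -> str:
    """Constructed sample aggregate (structure only; the signature is a placeholder)."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo/>'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>' % DS_NS
           if signed else "")
    return ('<?xml version="1.0"?>'
            '<md:EntitiesDescriptor xmlns:md="%s" Name="urn:example:interfederation" '
            'validUntil="%s">%s'
            '<md:EntityDescriptor entityID="https://idp.example.org/idp"/>'
            '</md:EntitiesDescriptor>' % (MD_NS, valid_until, sig))


def check_metadata(xml_text: str, now: datetime = None):
    """Return (ok, reason); ok only if the aggregate parses, is signed and is not expired."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, "not well-formed XML: %s" % exc
    if root.tag != "{%s}EntitiesDescriptor" % MD_NS:
        return False, "root element is %s, expected md:EntitiesDescriptor" % root.tag
    if root.find("{%s}Signature" % DS_NS) is None:
        return False, "no enveloped ds:Signature on the root element"
    valid_until = root.get("validUntil")
    if not valid_until:
        return False, "missing validUntil attribute"
    try:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "unparseable validUntil: %s" % valid_until
    if expiry <= now:
        return False, "aggregate already expired at %s" % valid_until
    return True, "ok"


def publish(src_path: str, dest_path: str, now: datetime = None) -> bool:
    """Copy src to dest atomically, but only if it passes check_metadata()."""
    with open(src_path, "rb") as fh:
        data = fh.read()
    ok, reason = check_metadata(data.decode("utf-8"), now)
    if not ok:
        print("refusing to publish %s: %s" % (src_path, reason))
        return False
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    # Write to a temp file in the same directory, then rename: readers see either
    # the old file or the complete new one, never a half-written aggregate.
    fd, tmp = tempfile.mkstemp(prefix=".metadata-", dir=dest_dir)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    os.chmod(tmp, 0o644)
    os.replace(tmp, dest_path)
    return True


def demo_roundtrip(signed: bool = True) -> bool:
    """Simulate output/ -> htdocs/ publishing inside a temporary directory."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "output", "eduGAIN.xml")
        dest = os.path.join(work, "htdocs", "eduGAIN.xml")
        os.makedirs(os.path.dirname(src))
        os.makedirs(os.path.dirname(dest))
        with open(src, "w") as fh:
            fh.write(build_sample(signed, "2999-01-01T00:00:00Z"))
        return publish(src, dest) and os.path.exists(dest)


if __name__ == "__main__":
    # Hypothetical cron invocation (paths assumed, not from the pyFF docs):
    #   */5 * * * * pyff-user /opt/pyff/scripts/publish.py
    ok = publish("/opt/pyff/output/eduGAIN.xml", "/var/www/html/eduGAIN.xml")
    raise SystemExit(0 if ok else 1)
```

Run it as the unprivileged pyff-user with write access only to the destination directory; a non-zero exit from the cron job is then the signal that the last pyFF run produced nothing publishable.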
Useful notes
Version 0.9.4 of pyFF signs the output metadata with the SHA-1 algorithm by default.
If you want to sign the metadata with another algorithm supported by the software, you must replace the values of 'ALGORITHM_SIGNATURE_RSA_SHA1' and 'ALGORITHM_DIGEST_SHA1' inside the '/opt/pyff/lib/python2.7/site-packages/xmlsec/__init__.py' file with one of these values:
...