sorting iq trustxml

Tue, Mar 8, 2005

IQ-trust.xml holds cerificate information on IdPs.

To generate a private/public keypair for your IdP in your keystore:

keytool -keystore idp.jks -genkey -alias idp -keypass idppass

Enter keystore password: keystorepass What is your first and last name?

What is the name of your organizational unit? Unknown:
What is the name of your organization? Unknown:
What is the name of your City or Locality? Unknown:
What is the name of your State or Province? Unknown:
What is the two-letter country code for this unit? Unknown:
Is, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?

Note that everything is empty except for the “first and last name”. Shibboleth uses the subject of the X509 certificate to find your IdP’s certificate in IQ-trust.xml. To get your certificate into the SP:

keytool -keystore idp.jks -alias idp -file idpcert.pem -rfc -export

This exports your IdP’s public key in an X509 certificate. Then, to import it into your shibboleth SP: openssl x509 -in idpcert.pem -subject -nameopt RFC2253,sep_comma_plus_space

you should see output to the screeen such as (note, I’ve removed a chunk for security reasons!):


The final step is to copy the text output you see on the screen and bung it into a <KeyAuthority> element in IQ-trust.xml:

<KeyAuthority>   <ds:KeyName></ds:KeyName>   <ds:KeyInfo>     <ds:X509Data>       <ds:X509Certificate>MIIC9zCCArUCBEGrFBYwCwYHKoZIzjgEAwUAMGExCzAJBgNVBAYTAkdCMRIwEAYD VQQIEwlIaWdobGFuZHMxDTALBgNVBAcTBFNreWUxDDAKBgNVBAoTA1VISTEMMAoG A1UECxMDV1dXMRMwEQYDVQQDEwpHdWFueGkgU1NPMB4XDTA0MTEyOTEyMjAzOFoX DTA1MDIyNzEyMjAzOFowYTELMAkGA1UEBhMCR0IxEjAQBgNVBAgTCUhpZ2hsYW5k </ds:X509Certificate>     </ds:X509Data>   </ds:KeyInfo> </KeyAuthority>

<ds:KeyName> should be set to your X509 certificate’s subject (CN).

note also the insertion of your IdP’s X509 certificate in <ds:X509Certificate> - you should paste at the end of the element and put the closing </ds:X509Certificate> on the start of a new line.

One thing to note. If the URL of your AA doesn’t match your certificate’s CN then you’ll get the Shibboleth error:

SSL: certificate subject name ‘SOME_SUBJECT_NAME’ does not match target host name ‘’

You’ll get this error if you have your Attribute Authority on: but you’re using a Guanxi auto generated keystore to protect 443 as well as sign assertions.

comments powered by Disqus