Marco Malavolti
2014-08-11 13:28:01 UTC
Hi to all, I hope you are fine. :)
Today I have a problem with the MetadataProvider (type:
metadata:FileBackedHTTPMetadataProvider) of my IDP.
I work with a VM that has:
- Ubuntu 12.04.4 LTS
- Tomcat 7.0.26-1ubuntu
- Shibboleth IdP 2.4.0 installed
- I have updated my openSAML jar to the version 2.6.1 because I have
followed the advice found on this thread:
https://issues.shibboleth.net/jira/browse/JOST-220
This is my MetadataProvider configuration:
<!-- Metadata Refresh Period
minRefreshDelay == every 1 minute
maxRefreshDelay == every 3 minutes -->
<metadata:MetadataProvider id="URLMD-Federation"
xsi:type="metadata:FileBackedHTTPMetadataProvider"
minRefreshDelay="PT1M"
maxRefreshDelay="PT3M"
metadataURL="http://www.example.it/metadata-sha256.xml"
backingFile="/opt/shibboleth-idp/metadata/metadata-sha256.xml">
<metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
<metadata:MetadataFilter
xsi:type="metadata:RequiredValidUntil" maxValidityInterval="P5D" />
<metadata:MetadataFilter
xsi:type="metadata:SignatureValidation"
trustEngineRef="shibboleth.MetadataTrustEngine"
requireSignedMetadata="true" />
</metadata:MetadataFilter>
</metadata:MetadataProvider>
In my environment the Federation's metadata is signed every day and,
at the same time, the EntitiesDescriptor acquires a new validUntil value
valid for the next 5 days.
Is it possible that with this configuration my IdP doesn't retrieve the
new metadata but says to me only:
Beginning refresh of metadata from
'http://www.example.it/metadata-sha256.xml'
12:51:59.446 - DEBUG
[org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:249] -
Attempting to fetch metadata document from
'http://www.example.it/metadata-sha256.xml'
12:51:59.452 - DEBUG
[org.opensaml.saml2.metadata.provider.HTTPMetadataProvider:254] -
Metadata document from 'http://www.example.it/metadata-sha256.xml' has
not changed since last retrieval
12:51:59.452 - DEBUG
[org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:257]
- Metadata from 'http://www.example.it/metadata-sha256.xml' has not
changed since last refresh
12:51:59.452 - DEBUG
[org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:327]
- Computing new expiration time for cached metadata from
'http://www.example.it/metadata-sha256.xml
12:51:59.453 - INFO
[org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:276]
- Next refresh cycle for metadata provider
'http://www.example.it/metadata-sha256.xml' will occur on
'2014-08-11T10:54:14.447Z' ('2014-08-11T12:54:14.447+02:00' local time)
when the backingFile metadata file is different or does not exist?
I have switched off my firewall so that no ports are blocked.
I have tried to understand something from the "idp-process.log" in DEBUG
mode without success, because no ERROR appears in it.
I have tried to understand something from Tomcat7 "catalina.out" (without
success, because I haven't found any useful information to resolve this
problem).
I have tried to force the download of the remote source metadata by
changing something in the backingFile file. Nothing worked.
I have found that the only way I have to correctly retrieve the
remote metadata source file into its backingFile is to restart the
Tomcat7 container.
I have understood that the "metadata:FileBackedHTTPMetadataProvider"
works like its brother "metadata:HTTPMetadataProvider", but I have not
understood why the local/backingFile metadata isn't updated when
it is different from the remote one.
Help me, please!
Best Regards,
Marco Malavolti
P.S.: Forgive me for my bad English. If you don't understand me I can
try to explain again in a better way, I hope.
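An added check (not code from the Shibboleth project or from the original post) for diagnosing this from outside the IdP: it compares the backing file with the remote document by digest and validUntil, applies the same P5D window the RequiredValidUntil filter enforces, and issues the kind of conditional GET the HTTP provider sends, since the "has not changed since last retrieval" line is what the provider logs when the server answers 304. The sample documents are constructed, and conditional_get assumes the federation server honours If-None-Match/If-Modified-Since.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.error import HTTPError
from urllib.request import Request, urlopen

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample documents (not real federation metadata): the cached copy and a re-signed one.
LOCAL_MD = (b'<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            b'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2014-08-15T00:00:00Z">'
            b'<ds:Signature/></md:EntitiesDescriptor>')
REMOTE_MD = LOCAL_MD.replace(b"2014-08-15", b"2014-08-16")

def parse_valid_until(value):
    """Parse a SAML validUntil in its UTC 'Z' form, ignoring fractional seconds."""
    if value is None:
        return None
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def inspect(xml_bytes):
    """Summarise an EntitiesDescriptor: validUntil, presence of a top-level ds:Signature, digest."""
    root = ET.fromstring(xml_bytes)
    return {"valid_until": parse_valid_until(root.get("validUntil")),
            "signed": root.find(f"{{{DS_NS}}}Signature") is not None,
            "sha256": hashlib.sha256(xml_bytes).hexdigest()}

def backing_file_is_stale(local_bytes, remote_bytes):
    """True when the remote document differs and carries a later validUntil than the cached one."""
    local, remote = inspect(local_bytes), inspect(remote_bytes)
    if local["sha256"] == remote["sha256"]:
        return False  # byte-identical: the provider is right to keep its cache
    if local["valid_until"] is None or remote["valid_until"] is None:
        return True  # windows not comparable: treat any changed document as new
    return remote["valid_until"] > local["valid_until"]

def passes_required_valid_until(xml_bytes, now, max_validity=timedelta(days=5)):
    """Mirror of RequiredValidUntil with maxValidityInterval=P5D: present and at most 5 days out."""
    vu = inspect(xml_bytes)["valid_until"]
    return vu is not None and vu <= now + max_validity

def conditional_get(url, etag=None, last_modified=None):
    """Conditional GET as the HTTP provider sends it; 304 is the server saying 'not changed'."""
    headers = {k: v for k, v in (("If-None-Match", etag), ("If-Modified-Since", last_modified)) if v}
    try:
        with urlopen(Request(url, headers=headers), timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        if err.code != 304:
            raise
        return 304, None
```

If conditional_get returns 304 while backing_file_is_stale reports True for the same URL fetched unconditionally, the server-side ETag/Last-Modified handling, not the IdP, is what to look at.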