
SITEREFRESH

NAME

siterefresh - maintains metadata files referenced by shibboleth.xml.

SYNOPSIS

siterefresh --url <URL> --out <pathname> [--noverify] [--cert <pathname>] [--schema <pathname>] [--rootns <XML namespace>] [--rootname <XML element name>]

DESCRIPTION

siterefresh is a simple tool used to maintain the metadata files referenced by shibboleth.xml. It returns 0 only on success, returns a negative number on failure, and logs errors to stderr. If the newly fetched metadata is unusable, fails schema validation, or carries an invalid signature, the existing copy is kept and not overwritten. The SP stats each metadata file every time the data is used, so an updated file is detected and picked up during normal operation without a restart.

OPTIONS

siterefresh takes the following command-line options.

--url URL

Specifies the URL of the remote metadata file with which to update the local file. https:// is not supported at this time; because the file is fetched over plain HTTP, the signature check enabled by --cert is what protects the local copy against a tampered download.

--out pathname

Specifies the local file to which to write the new metadata.

--noverify

Explicitly disables the requirement for the file to be signed and allows the --cert parameter to be omitted. If the file is signed, the signature is still verified using whatever key is supplied inside the file, and an invalid signature still results in an error; if the file is unsigned, or its signature verifies against that embedded key, only a warning is logged and the result is success. Because the embedded key is not tied to anything the operator trusts, this mode gives no assurance about who produced the metadata.

--cert pathname

Specifies the location of a certificate, stored in PEM format, used to validate the signature of the metadata file. Since much of Shibboleth's security flows from the metadata files, this option should be used whenever possible, and the certificate should be verified independently, out of band, before it is trusted (for example by comparing its fingerprint with one the federation publishes through a separate channel).

--schema pathname

Optionally defines a base path for the schemas used to validate the file. Defaults to a location based on the installation path on Unix, or \opt\shibboleth\etc\shibboleth on Windows.

--rootns XML namespace

Optionally defines the XML namespace of the root element expected in the new file. Normally unused; provided to support alternative metadata formats that may be backported to older releases.

--rootname XML element name

Optionally defines the name of the root element expected in the new file. Normally unused; provided to support alternative metadata formats that may be backported to older releases.

EXAMPLES

A complete command issued to siterefresh might take the form:

 /opt/shibboleth/bin/siterefresh --out IQ-sites.xml --cert inqueue.pem \
   --url http://wayf.internet2.edu/InQueue/IQ-sites.xml

It is recommended that a similar command be run from cron to keep the metadata files refreshed. Frequent updates improve the security of an installation because a change published by the federation, such as the removal of a member whose keys have been compromised, takes effect at the SP promptly.
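A wrapper for running siterefresh from cron, as an added example that is not part of the Shibboleth distribution or of this manual page. It assumes the default Unix install path named above; the output paths, the staleness threshold and the certificate fingerprint are placeholders, and the fingerprint check (using openssl) is one suggested way of doing the out-of-band verification the --cert option calls for. It also reports a metadata file that has not changed for too long, since siterefresh keeps the old copy on failure and a refresh that has been failing quietly would otherwise go unnoticed:

```shell
#!/bin/sh
# refresh-metadata.sh: a cron wrapper around siterefresh.
# Added example for this page; it is not part of the Shibboleth distribution.
# Assumptions: SITEREFRESH defaults to the Unix install path named on this page,
# MAX_AGE_MIN is an arbitrary staleness threshold, and the URLs, output paths,
# certificate files and fingerprints are whatever your federation publishes.

SITEREFRESH="${SITEREFRESH:-/opt/shibboleth/bin/siterefresh}"
MAX_AGE_MIN="${MAX_AGE_MIN:-1440}"   # complain if a file has not changed in a day

# cert_fingerprint_matches PEMFILE EXPECTED_SHA256
# Compares the certificate's SHA-256 fingerprint with a value obtained out of
# band, so that a swapped --cert file is caught before it is trusted. Colons
# and letter case in EXPECTED_SHA256 are ignored. Requires openssl.
cert_fingerprint_matches() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
             sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | sed 's/://g' | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# refresh_one URL OUT CERT [EXPECTED_SHA256]
# Runs siterefresh with signature verification. Returns 0 on success and is
# silent, so that cron only sends mail when something went wrong. On failure
# siterefresh has left the previous copy of OUT in place.
refresh_one() {
    url=$1; out=$2; cert=$3; pin=${4:-}
    if [ -n "$pin" ] && ! cert_fingerprint_matches "$cert" "$pin"; then
        echo "REFUSING $out: $cert does not match the pinned fingerprint" >&2
        return 1
    fi
    if "$SITEREFRESH" --url "$url" --out "$out" --cert "$cert" 2>"$out.err"; then
        rm -f "$out.err"
    else
        status=$?
        echo "FAILED (exit $status) $out from $url; old copy kept; stderr in $out.err" >&2
        return 1
    fi
}

# metadata_is_fresh FILE MAX_MINUTES
# 0 if FILE exists and was modified within MAX_MINUTES, 1 otherwise.
metadata_is_fresh() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -mmin +"$2" 2>/dev/null)" ]
}

# refresh_all URL OUT CERT SHA256 [URL OUT CERT SHA256 ...]
# Use "-" as SHA256 to skip the pin check. Returns the number of problems found
# (failed refreshes plus stale files), so a non-zero exit flags the cron run.
refresh_all() {
    problems=0
    while [ $# -ge 4 ]; do
        pin=$4; [ "$pin" = "-" ] && pin=""
        refresh_one "$1" "$2" "$3" "$pin" || problems=$((problems + 1))
        metadata_is_fresh "$2" "$MAX_AGE_MIN" || {
            echo "STALE: $2 not updated in $MAX_AGE_MIN minutes" >&2
            problems=$((problems + 1))
        }
        shift 4
    done
    return "$problems"
}

# Hourly crontab entry (paths and fingerprint are assumed placeholders):
# 0 * * * * /usr/local/sbin/refresh-metadata.sh http://wayf.internet2.edu/InQueue/IQ-sites.xml /opt/shibboleth/etc/shibboleth/IQ-sites.xml /opt/shibboleth/etc/shibboleth/inqueue.pem <sha256 fingerprint obtained out of band>
if [ $# -gt 0 ]; then
    refresh_all "$@"
fi
```

The fingerprint pin is deliberately separate from the PEM file: if the certificate on disk is replaced, the refresh refuses to run rather than silently trusting the new key, which is the failure the --cert option's out-of-band verification is meant to prevent.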

AUTHORS

siterefresh is part of the Internet2 Shibboleth project, written by Scott Cantor <cantor DOT 2 AT osu DOT edu>.

COPYRIGHT AND LICENSE

Copyright 2005, 2006 Internet2/MACE

This program is free software; you may redistribute it and/or modify it under the terms of the Apache 2.0 License <http://www.apache.org/licenses>.
