use net-tools repository for the CentOS stream.

see: http://unix.stackexchange.com/questions/146190/commands-not-found-netstat-nmap-on-centos-7

and
https://dougvitale.wordpress.com/2011/12/21/deprecated-linux-networking-commands-and-their-replacements/#netstat

Support CentOS7 as a deployment platform for the IdP Installer

The reference jdk for Shibboleth operation is the Oracle Jdk. The IdP Installer should be current and in alignment with the reference implementation to ensure best operation and support profile

When selecting regular LDAP usage, use uid instead of sAMAccountname via the gui.

It would be nice to be able to have the installer to automate the VLAN assignment for local users to be different than eduroam roamers.

Enabling ECP facilitates non web Federated Single Sign On use cases. Verify that it is appropriately configured as a default configuration

New JVM options of -Xmx1024 and more vebose garbage collection are applied in in /etc/defaults/jetty

It would be nice to have a pre-flight verification of server reachability beyond just ping, but that of verifying the necessary ports are open to prevent installation failures downstream.

Specifically the Active Directory servers and fetching of certificates

An error in status.log appears:

Starting mysqld: [ OK ]

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Buildfile: src/installer/resources/build.xml

and what is happening is that the mysql driver does not get fetched properly.
Please fix

BC's Telus CDMA cellular carrier has discontinued CDMA and the servers were removed from service.
These discontinued servers should be replaced with the national time servers from NRC:
tic.nrc.ca
tac.nrc.ca

Installation problem statement:
Post installation, managing the java keystore is sometimes challenging especially when dealing with multiple domain controllers which have their own certificates.
It may be useful to have the ability to 'load' the JKS with a given servers certificate as well as the removal of one so that the challenge of fetching, loading, and maintaining them are diminished.

This same Interface, if possible, would also be useful to load a commercial certificate for the servlet container.

A new version of Shibboleth has come out and recommend supporting it as the preferred 3.0.0-CAF build.
One key notable difference is that jetty-base has been changed and is now located for the 3.2.0 release in the embedded directory.
Support in future versions of the Idp will see the jetty-base disappear from the release.

Support Ubuntu 14.04LTS as a deployment platform for the IdP

Reference additional log locations for key components

SWAMID has a slight tweak for the GUI for multiple LDAP configuration support (space separated items)

The feature for FTICKS is now native:
https://issues.shibboleth.net/jira/browse/IDP-501

but is not configured upon installation and needs to be per federation operator install.

See: https://wiki.shibboleth.net/confluence/display/IDP30/AdvancedLogging

and use the logback configuration.

Sometimes LDAP certificates expire and require the javakeystore to refresh in order to preserve secure communication of the IdP to the Directory Store.

The request is to have some form of health monitor for the IdP to check the certificate validity and whether or not it is up and coming for expiration.

This check may be part of other overall IdP Health checks to permit automated operation or enhanced standalone continuous operation.

eduPersonTargetedID should be derived from the database

update attribute-resolver.xml around line 246 to sourceAttributeID="persistentId" and line 247 as Dependancy ref="StoredId"

This setting should be in place regardless of new install or migrated installation such that the salt is preserved.

grep: /etc/sysconfig/iptables: No such file or directory
/idp-installer-CAF/files/script.functions.sh: line 1177: /etc/sysconfig/iptables: No such file or directory
iptables: unre

This happens during installation or sometimes when aacli.sh from /opt/shibboleth-idp/bin is attempted to be executed

UseConsent may not be the desired installation default behaviour of the IdP and should have an option in the installer to recognize it's status as enabled or disabled.

Update metadata aggregates to appropriately use the certificate validation and metadata refresh policies for the CAF production aggregates and the necessary test aggregates

Function enableJettyOnRestart only runs if $dist != "ubuntu"

Adding the following in the function would fix:
else
update-rc.d jetty defaults

Branch: develop

See: https://wiki.shibboleth.net/confluence/display/IDP30/SecretKeyManagement for details of required cronjob

The initial non production installation does not have trust to the self-signed certificate and needds to be loaded into the keystore

Several functions has only support for ubuntu and centos version 7 and no support for either centos version 6 or redhat.

When choosing the non-interactive installation item in the GUI, the deploy_idp.sh still requires interactivity in the following spots:

1. The preflight check 'hit enter to continue'
2. the ok dialog to proceed with eduroam install
3. the dialog with 'successful eduroam install, now join the domain'

To be fully non-interactive the following needs to happen:
mitigation item:
1 - do not require entire, but fail to proceed if error state happens
2. - dialog to proceed can be skipped
3. - dialog can be skipped, but alert to end user and status.log that the user must join the machine to the domain should be there. Documentation should also be updated for headless/non-interactive/unattended installation.

The experience of visiting the IdP post configuration should be improved from the 404 error page that it shows.
Recommendation is if at all possible to provide a blank default war to present at the root that then the site admin could customize as needed without disrupting the idp installation process.

the function ldapwhoami which is used in the preflight check for directory reachability fails mysteriously against Active Directory 2003.
This is substantiated with this bugzilla report from RedHat:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=916195

The work around is to use ldapsearch:
files/script.bootstrap.functions.sh:

`#${Echo} "ldapwhoami -vvv -H ldaps://${ldapserver} -D "${ldapbinddn}" -x -w """ >> ${statusFile}

ldapwhoami -vvv -H ldaps://${ldapserver} -D "${ldapbinddn}" -x -w "${ldappass}" &>> ${statusFile}

${Echo} "ldapsearch -LLL -x -w "" -H ldaps://${ldapserver} -D "${ldapbinddn}" -b "${ldapbinddn}"" '(objectclass=*)' >> ${statusFile}

ldapsearch -LLL -x -w "${ldappass}" -H ldaps://${ldapserver} -D "${ldapbinddn}" -b "${ldapbinddn}" '(objectclass=*)' &>> ${statusFile} `

The MySQL connect string needs to be improved to allow for:

• singular binding to ipv4 127.0.0.1 (remove localhost)
• reduced timeout settings of 1800 ms and Timeout of 2s
• tune autoReconnect=true and autoReconnectForPools=true

Resulting string should be
jdbcURL="jdbc:mysql://127.0.0.1:3306/shibboleth?autoReconnect=true&localSocketAddress=127.0.0.1&connectTimeout=1800&initialTimeout=2&logSlowQueries=true&autoReconnectForPools=true"

in attribute-resolver.xml

In the standard JRE distribution, the cryptography is regionally limited but the Service Providers in the metadata may require higher standards of cryptography.
This is called out on the idp install page here:
https://wiki.shibboleth.net/confluence/display/IDP30/Installation

The IdP-installer when it downloads the JRE should also download the extra cryptography settings and install the appropriate jars per instructions from download here:

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

If you don't do the JCE tweak for Unlimited Strength Jurisdiction Policy File step, the IdP will operate normally until an SP requiring this tweak is used (such as wiki.shibboleth.net) with the following warning/error fingerprint in your logs

2015-06-05 00:00:00,605 WARN [org.opensaml.saml.saml2.profile.impl.EncryptAssertions:140] - Profile Action EncryptAssertions: Error encrypting assertion

org.opensaml.xmlsec.encryption.support.EncryptionException: Error encrypting XMLObject

at org.opensaml.xmlsec.encryption.support.Encrypter.encryptElement(Encrypter.java:543)

Caused by: org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size

at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1186)

Caused by: java.security.InvalidKeyException: Illegal key size

at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1034)

2015-06-05 00:00:00,689 - ERROR [org.opensaml.profile.action.impl.DecodeMessage:73] - Profile Action DecodeMessage: Unable to decode incoming request

Reference material on this problem: http://shibboleth.net/pipermail/users/2014-June/016098.html

The default behaviour for ldap.properties should have LDAPS with startTLS set the following:

Connection properties

idp.authn.LDAP.ldapURL= ldaps://AD-FQDN
idp.authn.LDAP.useStartTLS= false
idp.authn.LDAP.useSSL= true

current configuration has useStartTLS=true which fails to negotiate

It would be of more utility for not only authenticating users but also doing authorization with LDAP groups and have this feature enabled or described how to extend freeRADIUS specific to the installation by the installer.

Investigate if there is a way to have a default way to monitor the installation for version and health status.

Right now it is limited to localhost connections. The enhancement would be to:

• add a IdP admin consent option for
  'enable CAF to remotely observe the IdP application health? Yes/no

(Note that the Federation Operator needs to take into consideration that different software platforms (ADFS, simpleSAMLPHP Ping Federate, etc) do not have this function.

Now that Shibboleth 3.2.0 supports F-TICKS, the 'overlay' done by the IdP-installer results in double logging the anonymized identifier when it should be a singular entry.

Remediation is expected to be -- augment the overlay to be aware of Shib v3.2.0 implementation of F-TICKS and provide a relevant version of the template and re-verify the logging experience.

Connecting to localhost is problematic and requires an extra iptables definition to be applied

If there was a way to do the installation only consuming the config file looking for the variable:

installer_interactive=y

for interactive to use whiptail interfaces as expected
and if
installer_interactive=n

this would have this behaviour:

1. suppress main menu and just proceed with installs of 'all selected features' as specificied in 'installer_section0_buildComponentList' variable in the config file
2. suppress password asks for FedSSO Mysql, the keystore for shibboleth, and the https jks keystore
3. A form of communication in the log about the passwords that were chosen should be logged.

Assumptions for successful headless install

• Preflight check MUST pass and bail only on ERROR
• all variables are provided are accurate and ok. (the key here is that if there's error validation on values, it should happen in the GUI first.

There are materially different settings needed for Jetty 9.3 support than Jetty 9.2 requires in order to pass the CI unit tests.

The attribute-filter for the dev V3 branch has arbitrary attribute release policy configurations. Update the attribute filters to provide the best operating practices for the CAF IdP installations.

The colour indicators may not always change depending on usage approach.

Replace tomcat for Jetty as the java container to align with Shibboleth's usage of Jetty as the reference implementation.

These attributes are not needed in the current build for v3 but remain present in the GUI but commented out.

Jetty installations MAY encounter a browser dialog asking the end user for a client certificate when it shouldn't anytime a TLS connection is established with the server, such as logging in or processing a SAML redirection.

The origin of the issue has been identified as a setting not being properly observed in all installations.
The 'fix' is to ensure there is a setting to avoid that in case something tries to override it.

The scope of the bug is not fully known as it was reported on an older version of the software (IdP-Installer 2.2.x on CentOS6.5). Performing this alteration will help ensure the problem does not re-occur

Details on how to check and reproduce and mitigate were provided by Alvin Yeung from Ryerson.ca:

This jar: jetty9-dta-ssl-1.0.0.jar may set the getWantClientAuth() method to true.
To mitigate this, update the jetty.xml.caf template to force it to false

Quick example of how this may reveal itself:
compile this and use the full classpath that jetty9 and shibboleth use:

import net.shibboleth.utilities.jetty9.DelegateToApplicationSslContextFactory;
public class JettyDTASSLTest {
    public static void main(String[] args) {
        DelegateToApplicationSslContextFactory factory = new DelegateToApplicationSslContextFactory();
        System.out.println("getNeedClientAuth=" + factory.getNeedClientAuth());
        System.out.println("getWantClientAuth=" + factory.getWantClientAuth());
    }
}

Result

getNeedClientAuth:false
getWantClientAuth:true

So this class actually override jetty's default for WantClientAuth. "false" was the default.

On my jetty I have to change "wantClientAuth" back to false for the shibContextFactory2 section.
/opt/jetty/base/etc/jetty-shibboleth.xml

<New id="shibContextFactory2" class="net.shibboleth.utilities.jetty9.DelegateToApplicationSslContextFactory">
    <Set name="KeyStoreType">pkcs12</Set>
    <Set name="KeyStorePath">/opt/shibboleth-idp/credentials/https.p12</Set>
    <Set name="KeyStorePassword">...</Set>
    <Set name="wantClientAuth">false</Set>
    <Set name="EndpointIdentificationAlgorithm"></Set>
    <Set name="excludeProtocols">
      <Array type="String">
         <Item>SSLv3</Item>
      </Array>
    </Set>
  </New>

this part of the code came from the installer:
idp-installer-CAF-2.2.1-CAF/xml/CAF/server.xml.jetty Line 21-31

Feedback has been left that it is unclear precisely what was installed by the installer. Additional text or indicators of what was installed would be beneficial to be added.

When importing an existing config servlet container can be changed.
appserv='blargh' in config import will cause an failure.

There is a desire to have the configuration to be applied to the windows environment.

Warnings appear in the startup of the v3 IdP startup sequence and should use a different provider for the crypto work

see: https://issues.shibboleth.net/jira/browse/IDP-623 for more details.

Anywhere X509Filesystem appears, X509ResourceBacked should be used.

The file /etc/sysconfig/iptables does not exist on Ubuntu.
Branch: develop