Signing the metadata for the SDSS federation is normally performed by IanYoung using a custom environment running inside Eclipse. In extreme cases, for example when IanYoung is not available, new metadata file versions can be signed by holders of a "Signing Kit". Each signing kit is contained on a 256MB USB flash drive; there are two copies, one held by FionaCulloch and the other by Sandy Shaw.

Signing Kit Contents

The signing kit flash drives contain:

  • A folder called SDSS-Fed containing a copy of the Eclipse project mentioned above.
  • A folder called apache-ant-1.6.5 containing the Apache Ant tool modified by the addition of a module allowing use of the scp Ant task.
  • A folder called jre1.5.0_06 containing a Java runtime.
  • A Windows command file called go.bat.

Preparing For Use

  • Locate a machine running Windows 2000 or Windows XP.
  • Insert your signing kit into a USB port on the machine. Note that the flash drives we have claim to require 500mA, which is unusually high for a flash drive. This means that they probably won't work in unpowered hubs, such as those found in many keyboards. Instead, locate a port on a powered hub or a port directly on the machine's system unit.
  • Wait for the drive to be recognised by Windows, and note the drive letter assigned, usually D: or E:.
  • Open what we old timers like to refer to as a "DOS box". For example, press Windows+R, type "cmd" in the field, and hit Enter.
  • In the command window, select the drive by typing E: (Enter). Replace E: with the appropriate drive letter if required.
  • In the command window, type go (Enter).
  • On most machines, you should find that the command prompt has changed to include SDSS-Fed.
  • Your signing kit is now ready for commands.

Where Are The Files?

Under the SDSS-Fed directory, there is a directory called xml which you will see already contains a set of 16 metadata files: the master file sdss-metadata-unsigned.xml and the 15 files that will be derived from it in each signing operation. The files already on your signing kit are just a snapshot of whatever the kit was previously used for.

Signing Kit Operations

There are three operations available to the holder of a signing kit: pull, process and push.

  • Invoke the "pull" operation by typing: ant pull. You will be prompted for the remote password, and the result will be that the local copy of the metadata master file will be overwritten with a fresh copy of the current unsigned master file.
  • Invoke the "process" operation by typing: ant process. You will be prompted for the keystore password, and the result will be that the local copy of the metadata master file will be used to generate the full set of signed and unsigned metadata files for the SDSS federation. This includes versions for Shibboleth 1.1, 1.2 and 1.3, as well as files using previous naming conventions.
  • Invoke the "push" operation by typing: ant push. You will be prompted for the remote password, and the result will be that the local copies of the full set of metadata files for the SDSS federation will be pushed out to the remote site, where they become available for download by federation participants.

For reasons of space, the Java runtime included in the signing kit does not include the Java compiler. This means that you may see messages warning you that the tools.jar file cannot be located. Ignore these helpful messages, as you do not require the compiler to be available for what you are doing.

Signing Kit Scenarios

Scenario 1: Edit and Sign

  • Use the pull operation to acquire an up-to-date unsigned master file.
  • Edit the unsigned master file.
  • Use the process operation to generate the full set of files.
  • Use the push operation to publish the modified metadata.
  • Tell IanYoung that the metadata has been modified so that he can take copies into his CVS archive.

Scenario 2: Sign Edited Metadata

  • Use the pull operation to acquire an up-to-date unsigned master file.
  • Receive a candidate unsigned master file from the editor.
  • Carefully compare the new unsigned master with the old one, to make sure that the changes achieve the desired effect.
  • Manually overwrite the copy of the master file in the xml sub-directory with the copy you have been sent by the editor.
  • Use the process operation to generate the full set of files.
  • Use the push operation to publish the modified metadata.
  • Tell IanYoung that the metadata has been modified so that he can take copies into his CVS archive.
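
The comparison step in Scenario 2 can be supported by a per-entity report of what signing the candidate file would change. The following Python is an added example, not part of the signing kit or the SDSS project's tooling. It assumes the master file is SAML 2.0 metadata (EntityDescriptor elements carrying an entityID attribute); the function names and the sample data are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"   # assumed metadata namespace
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def entities(xml_text):
    """Map entityID -> (subtree fingerprint, certificate set); text whitespace is ignored."""
    if "<!DOCTYPE" in xml_text:                  # metadata needs no DTD; refuse it outright
        raise ValueError("DOCTYPE not allowed in metadata")
    out = {}
    for ent in ET.fromstring(xml_text).iter(MD + "EntityDescriptor"):
        eid = ent.get("entityID")
        if eid is None or eid in out:
            raise ValueError("missing or duplicate entityID: %r" % eid)
        parts = [(e.tag, sorted(e.attrib.items()), "".join((e.text or "").split()))
                 for e in ent.iter()]
        certs = {"".join((c.text or "").split()) for c in ent.iter(DS + "X509Certificate")}
        out[eid] = (hashlib.sha256(repr(parts).encode()).hexdigest(), certs)
    return out

def review(old_xml, new_xml):
    """Summarise what signing new_xml would change relative to old_xml."""
    old, new = entities(old_xml), entities(new_xml)
    both = sorted(set(old) & set(new))
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": [e for e in both if old[e][0] != new[e][0]],
        "key_changed": [e for e in both if old[e][1] != new[e][1]],
    }

def sample(entries):
    """Build constructed sample metadata from (entityID, cert, endpoint) tuples."""
    tmpl = ('<EntityDescriptor entityID="%s"><SPSSODescriptor><KeyDescriptor><ds:KeyInfo>'
            '<ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>'
            '</ds:KeyInfo></KeyDescriptor><AssertionConsumerService Location="%s"/>'
            '</SPSSODescriptor></EntityDescriptor>')
    return ('<EntitiesDescriptor xmlns="%s" xmlns:ds="%s">%s</EntitiesDescriptor>'
            % (MD[1:-1], DS[1:-1], "".join(tmpl % e for e in entries)))

OLD = sample([("https://a.example.org/sp", "MIIA", "https://a.example.org/acs"),
              ("https://b.example.org/sp", "MIIB", "https://b.example.org/acs"),
              ("https://c.example.org/sp", "MIIC", "https://c.example.org/acs")])
NEW = sample([("https://a.example.org/sp", "MIIA", "https://a.example.org/acs2"),
              ("https://b.example.org/sp", "MIIX", "https://b.example.org/acs"),
              ("https://d.example.org/sp", "MIID", "https://d.example.org/acs")])

if __name__ == "__main__":
    print(review(OLD, NEW))
```

Any entry under key_changed means a participant's certificate differs between the two files, which deserves confirmation with the editor before running the process operation.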