Note that the SDSS Federation no longer accepts new applications to join. Applications should instead be made to join the UK Federation. The information on this page is of historical interest only.
Metadata is signed using a Java program supplied with the origin distribution called metadatatool.
You can find the scripts that run metadatatool in the origin source distribution in bin/metadatatool and bin/metadatatool.bat.
These scripts need a JVM, which they locate through the JAVA_HOME environment variable; that is how they work out what the java command is.
In addition, they use the SHIB_HOME environment variable (defaulting to the current directory if not set) to find two things:
$SHIB_HOME/endorsed is where they expect to find the endorsed Java libraries, i.e. the ones installed as endorsed libraries for use by Tomcat.
$SHIB_HOME/lib is where they expect to find the utility.jar file.
You need to go into the origin source tree and type ant build-util to build the utility .jar file. Once that is done, running bin/metadatatool from that location will work even with SHIB_HOME not set.
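The following preflight script is an added example, not part of the origin distribution: it checks the same things the bin/metadatatool wrapper scripts depend on (JAVA_HOME pointing at a JVM, and an endorsed directory and lib/utility.jar under SHIB_HOME, defaulting to the current directory) and says which one is missing before you try to sign anything. The function name and messages are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Shibboleth origin distribution): report on the
# environment the bin/metadatatool wrapper scripts rely on.
# Usage: sh preflight.sh --check      (or source the file and call shib_preflight)

shib_preflight() {
  java_home="${JAVA_HOME:-}"
  # The wrapper scripts fall back to the current directory when SHIB_HOME is unset.
  shib_home="${SHIB_HOME:-$PWD}"
  status=0

  if [ -z "$java_home" ]; then
    echo "preflight: JAVA_HOME is not set; the scripts use it to locate the java command" >&2
    status=1
  elif [ ! -x "$java_home/bin/java" ]; then
    echo "preflight: JAVA_HOME=$java_home has no executable bin/java" >&2
    status=1
  fi

  if [ ! -d "$shib_home/endorsed" ]; then
    echo "preflight: $shib_home/endorsed not found (endorsed Java libraries for Tomcat)" >&2
    status=1
  fi

  if [ ! -f "$shib_home/lib/utility.jar" ]; then
    echo "preflight: $shib_home/lib/utility.jar not found; run 'ant build-util' in the origin source tree" >&2
    status=1
  fi

  [ "$status" -eq 0 ] && echo "preflight: OK (java=$java_home/bin/java, SHIB_HOME=$shib_home)"
  return "$status"
}

# Only run the check when asked to, so the file can also be sourced for the function.
[ "${1:-}" = "--check" ] && shib_preflight
```

Run it from the directory you intend to start bin/metadatatool in, since an unset SHIB_HOME is resolved against the current directory exactly as the wrapper scripts do.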
Keystore Work
Make an empty keystore (keytool cannot create one directly, so generate a throwaway key pair and then delete it):
keytool -keystore sdss.jks -genkey -dname "cn=temp" -alias temp \
    -storepass xxxxxxxx
keytool -keystore sdss.jks -delete -alias temp -storepass xxxxxxxx
Build a JKS file for the sdss.ac.uk certificate, in order to use it as a test signer:
openssl pkcs8 -in sdss.ac.uk.key -topk8 -nocrypt \
    -outform DER -out sdss.ac.uk.key.pk8
cat sdss.pem globalsign/*.crt >bundle.pem
bin/extkeytool -importkey -keystore sdss.jks -alias sdss \
    -storepass xxxxxxxx -keyfile sdss.ac.uk.key.pk8 \
    -certfile bundle.pem \
    -provider org.bouncycastle.jce.provider.BouncyCastleProvider
The order of the certificates in the bundle is not significant in the extkeytool step. You may get some errors about Bouncy Castle DataLengthExceptions, but it seems that they can be ignored.
Verification requires that you supply only the raw end-entity certificate: the file may contain nothing else, neither a textual form of the certificate nor any other certificates.
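Because the verification step rejects anything beyond the bare certificate, it is worth checking the file before handing it to metadatatool. The script below is an added example, not part of the origin distribution or the SDSS pages: it accepts a file only if it consists of exactly one PEM BEGIN/END CERTIFICATE block with nothing before, between or after the markers except base64 body lines, and reports what it found otherwise. The function name is this example's own, and the sample body it uses for its self-demonstration is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the origin distribution or the SDSS pages): check that a
# file holds exactly one bare PEM certificate, the only form the metadatatool
# verification step accepts. Returns 0 if acceptable, 1 otherwise.
# Usage: sh check_raw_cert.sh signer.pem   (no argument runs a self-demonstration)

check_raw_cert() {
  f="$1"
  [ -f "$f" ] || { echo "check_raw_cert: no such file: $f" >&2; return 1; }
  awk '
    function fail(msg) {
      print "check_raw_cert: " msg | "cat 1>&2"
      failed = 1
      exit 1
    }
    BEGIN { begins = 0; ends = 0; body = 0; endline = 0 }
    # Exactly one BEGIN marker, and it must be the first line of the file.
    /^-----BEGIN CERTIFICATE-----$/ {
      begins++
      if (NR != 1) fail("BEGIN marker on line " NR " (leading text or a second certificate)")
      next
    }
    /^-----END CERTIFICATE-----$/ { ends++; endline = NR; next }
    # Base64 body lines are only allowed between the two markers.
    $0 ~ "^[A-Za-z0-9+/=]+$" && begins == 1 && ends == 0 { body++; next }
    # Anything else (a textual dump, a blank line, trailing data) is rejected.
    { fail("unexpected text on line " NR ": " substr($0, 1, 40)) }
    END {
      if (failed) exit 1
      if (begins != 1 || ends != 1)
        fail("expected exactly one certificate, found " begins " BEGIN / " ends " END markers")
      if (endline != NR) fail("text after the END marker")
      if (body == 0) fail("certificate body is empty")
    }
  ' "$f"
}

if [ "$#" -gt 0 ]; then
  check_raw_cert "$1"
else
  # Self-demonstration on a constructed sample; the body is not a real certificate.
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'MIIBszCCAVygAwIBAgIJAMRUbmQeConstructedSampleBody==' \
    '-----END CERTIFICATE-----' > "$d/one.pem"
  cat "$d/one.pem" "$d/one.pem" > "$d/bundle.pem"
  check_raw_cert "$d/one.pem" && echo "one.pem: accepted"
  check_raw_cert "$d/bundle.pem" || echo "bundle.pem: rejected, as a bundle should be"
  rm -r "$d"
fi
```

The check is deliberately strict about line endings: a file with CRLF terminators fails on the first marker line, which is also how a file that has been through a Windows editor would fail later in metadatatool. Note that the bundle.pem built in the keystore step above is exactly what this check rejects; the verification file must be the single end-entity certificate on its own.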