xmldap.org is down


Axel Nennker

Apr 6, 2009, 4:51:30 PM
to User-Centric Identity Interop
Hi,

I am sorry to tell you that xmldap.org RP and STS are currently down.
Nulli Secundus was so kind to host our service (Big thank you) as long
as Pamela was their employee but now that Pam has started her own
company the server was reused before Chuck and I could find an
alternative.
Pam gave me some up-front information before she published her step.
Thanks for that too.

Sorry. I hope to find a solution soon.

Axel

John Bradley

Apr 6, 2009, 5:22:40 PM
to user-centric-i...@googlegroups.com
What do you need? I have a virtual server running IIS at test-id.org.

Perhaps we could put it there; I suspect a Linux box would work better for you, though.

John B.
Axel.N...@telekom.de

Apr 6, 2009, 5:28:46 PM
to user-centric-i...@googlegroups.com
xmldap.org is java based and needs a servlet container like tomcat, jboss, or...
I am quite sure that IIS does not understand JSPs.
I would like to avoid IIS.
 
Linux with java and tomcat is much easier and probably better.
 
Thanks for the offer.
-Axel

From: user-centric-i...@googlegroups.com [mailto:user-centric-i...@googlegroups.com] On behalf of John Bradley
Sent: Monday, April 6, 2009 23:23
To: user-centric-i...@googlegroups.com
Subject: [Interop] Re: xmldap.org is down

Chuck Mortimore

Apr 6, 2009, 5:42:58 PM
to user-centric-i...@googlegroups.com
I just bit the bullet and purchased some hosting. We should be back up soon.

- cmort

John Bradley

Apr 6, 2009, 5:45:15 PM
to user-centric-i...@googlegroups.com
That's what I suspected. Sorry I can't be of more help.

John B.

Ashish Jain

Apr 6, 2009, 5:59:48 PM
to user-centric-i...@googlegroups.com
I was gonna suggest to give http://www.stax.net/ a try. From what I know, it's free and allows to host Java apps.
Or wait for a few weeks - http://www.techcrunch.com/2009/03/26/get-ready-for-java-on-appengine/
- Ashish

Chuck Mortimore

Apr 6, 2009, 6:02:58 PM
to user-centric-i...@googlegroups.com
I purchased month to month, so we can always switch. Java App Engine will be nice....doubt it will work for our app....but nice....

- cmort

Axel.N...@telekom.de

Apr 9, 2009, 7:22:29 AM
to user-centric-i...@googlegroups.com
can I help to install, configure, ... the server?
-Axel


From: user-centric-i...@googlegroups.com [mailto:user-centric-i...@googlegroups.com] On behalf of Chuck Mortimore
Sent: Monday, April 6, 2009 23:43
To: user-centric-i...@googlegroups.com
Subject: [Interop] Re: xmldap.org is down

Chuck Mortimore

Apr 9, 2009, 11:45:14 AM
to user-centric-i...@googlegroups.com
Still getting the host provisioned....should have tomcat manager up and running in a day or two.

- cmort

Mike Jones

Apr 16, 2009, 2:35:34 AM
to Chuck Mortimore, Axel.N...@telekom.de, user-centric-i...@googlegroups.com

I see that xmldap.org is back up but there’s no http://www.xmldap.org/relyingparty page.  There’s a few OSIS and IMI-related tests that xmldap was the ideal site to perform with.  Given that the OSIS in-person interop is on Sunday, any chance of getting it back up by then?

 

Hopefully,
-- Mike

Gmail

Apr 16, 2009, 12:49:27 PM
to Mike Jones, Axel.N...@telekom.de, user-centric-i...@googlegroups.com
Yes - just finalizing provisioning with the new host.  

- cmort

Chuck Mortimore

Apr 16, 2009, 12:54:34 PM
to Mike Jones, Axel.N...@telekom.de, user-centric-i...@googlegroups.com
Actually - that brings up a question - it's been so long since I've done the provisioning on this, I forget...does the keypair used for SSL on my endpoint have to match the keypair used to sign my infocards? In other words, do I have to use the same private key for SSL as I do for card issuance, or can they differ?

Sorry - it's been a couple years since I've had to worry about that, and in too much a hurry today to go look it up.

thanks

- cmort

Mike Jones

Apr 16, 2009, 12:55:29 PM
to user-centric-i...@googlegroups.com, Axel.N...@telekom.de

They must match.

Axel.N...@telekom.de

Apr 16, 2009, 1:25:48 PM
to Michae...@microsoft.com, user-centric-i...@googlegroups.com
Yes, it seems that they must match. This is one point I really don't like about the CardSpace implementation.
 
Informationcard-Signing-Cert == SSL-token-issuer-cert
 
I wish we would change this in ISIP. Actually I don't know where this is written, but CardSpace insists on it.
 
-Axel


From: Mike Jones [mailto:Michae...@microsoft.com]
Sent: Thursday, April 16, 2009 18:55
To: user-centric-i...@googlegroups.com
Cc: Nennker, Axel
Subject: RE: [Interop] Re: xmldap.org is down

Mike Jones

Apr 16, 2009, 1:50:05 PM
to user-centric-i...@googlegroups.com, Axel.N...@telekom.de

More precisely, they must match for managed cards backed by self-issued cards. The reason is that the IssuerID is computed from the cert in the .crd file and is then used to match the correct self-issued card, for which a security token is created to send to the IdP endpoint in the RST. If the OLSC values and EV status of the issuer and STS certs don’t match, the selector won’t be able to locate the correct self-issued card to use to generate the token to send to the STS in the RST.

 

For other managed card types, the issuer cert and STS cert could be different.

 

-- Mike

John Bradley

Apr 16, 2009, 2:03:00 PM
to user-centric-i...@googlegroups.com, Axel.N...@telekom.de
Thanks Mike, that is what I thought.

So the issue is the generation of the "Client Pseudonym" for the card.

So if it is an EV or Class 2 cert, the appropriate fields from the DN need to match between the certs, not the public key itself.

Again, changing those fields in the STS cert after the card is issued will have interesting consequences depending on the selector.
I am guessing that is why CardSpace is caching the "Client Pseudonym", though the PPID for the p-card when it is sent will be wrong if the p-card is based on the new cert anyway.

I have some tests in mind on this but they have to wait until I am done with the openID stuff for this interop.

John B.
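
Added example, not part of any post in this thread: a pre-deployment check an STS operator could run to compare the O, L, S, C values and EV status of the card-signing cert and the SSL cert, the fields the last two messages say must agree for managed cards backed by self-issued cards. The function names, the exact-string comparison and the sample subject DNs are assumptions made for illustration; the thread does not describe how CardSpace normalizes these values.

```python
import re

# "S" and "ST" both name stateOrProvinceName; map them to one key.
OLSC_KEYS = {"O": "O", "L": "L", "S": "S", "ST": "S", "C": "C"}

# Constructed sample subjects (not real certificates).
CARD = ("CN=sts.example.org,O=Example\\, Inc.,L=Springfield,ST=Oregon,C=US", False)
STS_OK = ("CN=www.example.org, O=Example\\, Inc., L=Springfield, S=Oregon, C=US", False)
STS_BAD = ("CN=www.example.org,O=Example Hosting,L=Springfield,ST=Oregon,C=US", False)


def split_rdns(dn):
    """Split a DN string on unescaped ',' or '+' separators."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep an escape pair such as '\,' intact
            i += 2
            continue
        if dn[i] in ",+":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def olsc(dn):
    """Return the O, L, S and C values found in a subject DN."""
    found = {}
    for rdn in split_rdns(dn):
        key, _, value = rdn.partition("=")
        key = OLSC_KEYS.get(key.strip().upper())
        if key:
            found[key] = re.sub(r"\\(.)", r"\1", value.strip())  # undo '\,' etc.
    return found


def compare_identity(card_cert, sts_cert):
    """Each argument is (subject_dn, is_ev). Returns (match, mismatched_fields)."""
    (card_dn, card_ev), (sts_dn, sts_ev) = card_cert, sts_cert
    mismatches = ["EV"] if card_ev != sts_ev else []
    a, b = olsc(card_dn), olsc(sts_dn)
    mismatches += [k for k in "OLSC" if a.get(k) != b.get(k)]  # exact compare (assumption)
    return (not mismatches, mismatches)
```

The CN differs between `CARD` and `STS_OK` yet they still compare equal, while `STS_BAD` is flagged on `O` only.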