Introduction

...

Log format

The F-TICKS format implemented by this log appender is a generalization of the eduroam F-TICKS format:

...

Name   Description
TS     the login timestamp
RP     the relying party entityID
AP     the asserting party entityID (typically the IdP)
PN     a SHA-256 hash of the local principal name and a unique key
AM     the authentication method URN

The unique key is stored in the key file and is generated automatically if that file is missing. If the key is lost or reset, every local principal name will appear to analysis tools as a brand-new user, so protect and back up this file.

...

These instructions are known to work for Shibboleth Identity Provider version 3.1 or later.

...

Configuration

Configuration is done either in logging.xml (the appender definition below) or in idp.properties (the options listed at the end of this page):

Appender

Add an appender definition to logging.xml close to where the other appenders are (before the loggers).

Code Block: Linux
<appender name="IDP_FTICKS" class="net.nordu.logback.FTicksAppender">
   <syslogHost>syslog.swamid.se</syslogHost>
   <federationIdentifier>SWAMID</federationIdentifier>
   <version>2.0</version>
   <keyFile>/opt/shibboleth-idp/conf/fticks-key.txt</keyFile>
   <blacklist>^monitor$$</blacklist> <!-- no logging for user monitor -->
</appender>
Code Block: Windows
<appender name="IDP_FTICKS" class="net.nordu.logback.FTicksAppender">
   <syslogHost>syslog.swamid.se</syslogHost>
   <federationIdentifier>SWAMID</federationIdentifier>
   <version>2.0</version>
   <keyFile>C:/Program Files (x86)/Internet2/Shib2IdP/conf/fticks-key.txt</keyFile>
   <blacklist>^monitor$$</blacklist> <!-- no logging for user monitor -->
</appender>

Change keyFile to point to where you want to store the random key that protects local principal names. The file should be readable only by the account the IdP runs as, since anyone holding it can re-hash candidate usernames against the PN values in the logs.

Salt

Use the following command to generate a salt

Code Block
openssl rand -base64 36 2>/dev/null
Warning

Do not lose this salt once you have started to generate logs. If it is lost or reset, every local principal name will appear to analysis tools as a new user, so keep a backup of the salt value (and of the appender's key file) alongside your other IdP secrets.

The other options should be self-explanatory.
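To make the format table, the blacklist option and the salt warning concrete, here is an added example in Python. It is not code from the ndn-shib-fticks appender or from the Shibboleth IdP. It assumes the eduroam-style layout F-TICKS/<federation>/<version>#KEY=VALUE#...# with the fields in the order of the table, and it assumes PN is the hex-encoded SHA-256 over the principal name concatenated with the salt; neither detail is fixed by this page, so the hashing is illustrative and not guaranteed to match what the real appender emits. The entityIDs, timestamps and salt strings are constructed sample data.

```python
# Added example (not part of ndn-shib-fticks or the Shibboleth IdP): builds,
# filters and parses F-TICKS lines shaped like the ones described on this page,
# and shows why losing the salt breaks user counting downstream.
#
# Assumptions (the page does not pin these down):
#  * line layout follows the eduroam convention:
#    F-TICKS/<federation>/<version>#TS=..#RP=..#AP=..#PN=..#AM=..#
#  * PN = hex(<algorithm>(principal || salt)); the appender's exact
#    concatenation and encoding are not documented here
import hashlib
import re
import time

FEDERATION = "SWAMID"                  # idp.fticks.federation
VERSION = "2.0"                        # <version> in the appender config
ALGORITHM = "SHA-256"                  # idp.fticks.algorithm
BLACKLIST = re.compile(r"^monitor$")   # <blacklist> from the appender config


def pseudonym(principal, salt, algorithm=ALGORITHM):
    """Assumed PN construction: hash over principal then salt, hex encoded."""
    h = hashlib.new(algorithm.replace("-", "").lower())   # "SHA-256" -> "sha256"
    h.update(principal.encode("utf-8"))
    h.update(salt.encode("utf-8"))
    return h.hexdigest()


def fticks_line(principal, rp, ap, am, salt, ts=None):
    """Return the F-TICKS line for one login, or None if the user is blacklisted."""
    if BLACKLIST.search(principal):
        return None                      # e.g. the 'monitor' probe account
    if ts is None:
        ts = int(time.time())
    fields = [("TS", str(ts)), ("RP", rp), ("AP", ap),
              ("PN", pseudonym(principal, salt)), ("AM", am)]
    for _, value in fields:
        if "#" in value:                 # '#' is the field terminator
            raise ValueError("field value may not contain '#': %r" % value)
    return "F-TICKS/%s/%s#" % (FEDERATION, VERSION) + \
        "".join("%s=%s#" % (k, v) for k, v in fields)


LINE_RE = re.compile(r"^F-TICKS/(?P<fed>[^/#]+)/(?P<ver>[^#]+)#(?P<body>.*)$")


def parse_fticks(line):
    """Parse one line back into a dict; unknown keys are kept as-is."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an F-TICKS line: %r" % line)
    rec = {"federation": m.group("fed"), "version": m.group("ver")}
    for field in m.group("body").split("#"):
        if field:
            key, sep, value = field.partition("=")
            if not sep:
                raise ValueError("malformed field %r in %r" % (field, line))
            rec[key] = value
    return rec


def distinct_users(lines):
    """Number of distinct PN values, which is what analysis tools count."""
    return len({parse_fticks(l)["PN"] for l in lines})


if __name__ == "__main__":
    RP = "https://sp.example.org/shibboleth"            # constructed sample data
    AP = "https://idp.example.org/idp/shibboleth"
    AM = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    salt = "constructed-salt-not-for-production"
    monday = fticks_line("alice", RP, AP, AM, salt, ts=1392100000)
    tuesday = fticks_line("alice", RP, AP, AM, salt, ts=1392186400)
    print(monday)
    print("same salt, distinct users:", distinct_users([monday, tuesday]))
    reset = fticks_line("alice", RP, AP, AM, "new-salt-after-key-loss", ts=1392186400)
    print("salt reset, distinct users:", distinct_users([monday, reset]))
    print("monitor logged?", fticks_line("monitor", RP, AP, AM, salt))
```

Run as a script it prints one sample line and then the two counts: with the same salt, alice's two logins count as one user; after the salt is replaced, the same person counts as two, which is exactly the damage the warning above describes. The monitor account produces no line at all because the blacklist regex matches it.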

Enable the logging

Add the appender to the Shibboleth-Audit logger by changing

Code Block
<logger name="Shibboleth-Audit" level="ALL">
   <appender-ref ref="IDP_AUDIT" />
</logger>

to

Code Block
<logger name="Shibboleth-Audit" level="ALL">
   <appender-ref ref="IDP_AUDIT" />
   <appender-ref ref="IDP_FTICKS" />
</logger>

This assumes that you haven't changed logging.xml from the default.

Build software

To build the fticks appender you need git, Maven and a Java JDK. Note that GitHub no longer serves the git:// protocol used in the commands below; if the clone fails, use https://github.com/leifj/ndn-shib-fticks.git instead.

Code Block: Linux
# git clone git://github.com/leifj/ndn-shib-fticks.git
# cd ndn-shib-fticks
# mvn
... build finishes ...
Code Block: Windows (Git Bash)
$ cd Desktop
$ git clone git://github.com/leifj/ndn-shib-fticks.git
$ cd ndn-shib-fticks
$ export JAVA_HOME="/c/Program Files (x86)/Java/jdk1.7.0_25"
$ /c/apache-maven-3.1.0/bin/mvn
... build finishes ...

The target directory should contain a jar-file. This is what you need for the next step.

Install software

Copy the jar-file into the lib directory of the IdP installer distribution and then re-run the installer (install.sh or install.bat) so that the jar is packaged into the deployed IdP war:

Code Block: Linux
shibboleth-identity-provider-2.2.x/lib
Code Block: Windows
C:/Program Files (x86)/Internet2/Shib2IdPInstall/lib

Add the following options to idp.properties:

Code Block
# Federation identifier and hash algorithm used for the PN field
idp.fticks.federation=SWAMID
idp.fticks.algorithm=SHA-256
# The salt generated with the openssl command in the Salt section; keep it secret and backed up
idp.fticks.salt=<salt>
# Syslog host that receives the F-TICKS lines
idp.fticks.loghost=syslog.swamid.se