Log format
The F-TICKS format implemented by this log appender is a generalization of the eduroam F-TICKS format:
{code}
'F-TICKS/' federationIdentifier '/' version *('#' attribute '=' value ) '#'
{code}
In eduroam federationIdentifier is 'eduroam'. In SWAMID federationIdentifier is 'SWAMID' and version is '1.0'.
The attributes exposed are:
Name | Description
---|---
TS | the login time stamp
RP | the relying party entityID
AP | the asserting party entityID (typically the IdP)
PN | a SHA-256 hash of the local principal name combined with a secret salt (the unique key), so the user is pseudonymous but the same across all RPs
AM | the authentication method URN
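To make the grammar above concrete, here is an added example (not from the SWAMID page, Shibboleth IdP or the ndn-shib-fticks appender) of a parser for F-TICKS lines, together with the kind of per-RP distinct-user count a federation's analysis tools derive from the PN attribute. The sample log lines, their syslog prefix and the attribute names in the eduroam sample are all constructed for the example.

```python
"""Parser for F-TICKS lines and a per-RP user count.

Added example; not part of the SWAMID page, Shibboleth IdP or the
ndn-shib-fticks appender. The log lines in SAMPLE_LINES are constructed,
including their syslog prefix ("Mar  3 10:00:01 idp1 ...").
"""
import re
from collections import defaultdict

# Grammar from the page:
#   'F-TICKS/' federationIdentifier '/' version *('#' attribute '=' value ) '#'
_LINE_RE = re.compile(
    r"^F-TICKS/(?P<federation>[^/#]+)/(?P<version>[^#]+)"
    r"(?P<attrs>(?:#[^#=]+=[^#]*)*)#$"
)


def strip_syslog_prefix(raw):
    """Drop the timestamp/host/program prefix added by syslog; keep from 'F-TICKS/'."""
    idx = raw.find("F-TICKS/")
    if idx < 0:
        raise ValueError("no F-TICKS marker in %r" % raw)
    return raw[idx:].rstrip()


def parse_fticks(line):
    """Return (federationIdentifier, version, {attribute: value}).

    Raises ValueError for lines that do not match the grammar, e.g. a
    missing terminating '#' or an attribute without '='."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not an F-TICKS line: %r" % line)
    attrs = {}
    for pair in m.group("attrs").split("#"):
        if pair:                      # the leading '#' yields one empty piece
            name, value = pair.split("=", 1)
            attrs[name] = value
    return m.group("federation"), m.group("version"), attrs


def is_valid_fticks(raw):
    """True if the raw syslog line carries a well-formed F-TICKS record."""
    try:
        parse_fticks(strip_syslog_prefix(raw))
        return True
    except ValueError:
        return False


def users_per_rp(raw_lines, federation="SWAMID"):
    """Distinct pseudonymous users (PN) per relying party (RP).

    Lines from other federations, unparsable lines and lines lacking RP or
    PN are skipped; one bad line must not abort a whole day's analysis."""
    seen = defaultdict(set)
    for raw in raw_lines:
        try:
            fed, _version, attrs = parse_fticks(strip_syslog_prefix(raw))
        except ValueError:
            continue
        if fed != federation or "RP" not in attrs or "PN" not in attrs:
            continue
        seen[attrs["RP"]].add(attrs["PN"])
    return {rp: len(pns) for rp, pns in seen.items()}


SP1 = "https://sp.example.org/shibboleth"
SP2 = "https://sp2.example.org/shibboleth"
IDP = "https://idp.example.org/idp/shibboleth"
AM_PW = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
_PFX = "Mar  3 10:00:01 idp1 "

# Constructed sample: user "a" at SP1 twice and at SP2 once, user "b" at
# SP1, an eduroam line (different attribute set; names illustrative only),
# a SWAMID line missing its terminating '#', and unrelated syslog noise.
SAMPLE_LINES = [
    _PFX + "F-TICKS/SWAMID/1.0#TS=1425376801#RP=%s#AP=%s#PN=%s#AM=%s#" % (SP1, IDP, "a" * 64, AM_PW),
    _PFX + "F-TICKS/SWAMID/1.0#TS=1425376830#RP=%s#AP=%s#PN=%s#AM=%s#" % (SP2, IDP, "a" * 64, AM_PW),
    _PFX + "F-TICKS/SWAMID/1.0#TS=1425376890#RP=%s#AP=%s#PN=%s#AM=%s#" % (SP1, IDP, "b" * 64, AM_PW),
    _PFX + "F-TICKS/SWAMID/1.0#TS=1425376950#RP=%s#AP=%s#PN=%s#AM=%s#" % (SP1, IDP, "a" * 64, AM_PW),
    _PFX + "F-TICKS/eduroam/1.0#REALM=example.org#VISCOUNTRY=SE#RESULT=OK#",
    _PFX + "F-TICKS/SWAMID/1.0#TS=1425377000#RP=%s#PN=%s" % (SP1, "c" * 64),
    _PFX + "shibd: started",
]

if __name__ == "__main__":
    for rp, n in sorted(users_per_rp(SAMPLE_LINES).items()):
        print("%-40s %d distinct users" % (rp, n))
```

The federation filter matters in practice: an IdP that also logs eduroam-style lines to the same syslog host would otherwise have them counted, and a line without its terminating '#' is rejected rather than silently truncated.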
These instructions are known to work with Shibboleth Identity Provider version 3.1 or later.
Configuration
Configuration is done in idp.properties:
Salt
Use the following command to generate a salt
{code}
openssl rand -base64 36 2>/dev/null
{code}
Warning: do not lose this salt once you have started to generate logs. If the salt is lost or reset, every PN value changes and all local principal names will appear to analysis tools as new users, so avoid this. Keep the salt secret as well: PN is only a salted hash of the principal name, so anyone who holds the salt can map a PN back to a username by hashing candidate names.
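As an added example (not code from the SWAMID page or from Shibboleth IdP), the following Python demonstrates the two properties behind this warning. How the IdP actually combines salt and principal name is an assumption here (SHA-256 over the salt followed by the principal name, hex encoded), so the digests do not reproduce real PN values; the properties hold for any salted hash: a salt reset makes every user look new to analysis tools, and anyone holding the salt can invert a PN for a known username.

```python
"""Properties of the F-TICKS PN pseudonym that motivate the salt warning.

Added example, not code from the SWAMID page or from Shibboleth IdP. How
the IdP combines salt and principal name is an ASSUMPTION here (SHA-256
over salt followed by the principal name, hex encoded); the digests below
therefore do not reproduce real PN values, only the properties.
"""
import base64
import hashlib
import hmac
import secrets


def generate_salt(nbytes=36):
    """Equivalent of `openssl rand -base64 36` from the page."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def salt_entropy_bytes(salt):
    """Number of random bytes behind a base64 salt string."""
    return len(base64.b64decode(salt))


def pseudonym(principal, salt, algorithm="SHA-256"):
    """Assumed PN construction: hex(hash(salt || principal)).

    The algorithm name mirrors idp.fticks.algorithm ("SHA-256")."""
    h = hashlib.new(algorithm.replace("-", "").lower())
    h.update(salt.encode("utf-8"))
    h.update(principal.encode("utf-8"))
    return h.hexdigest()


def same_user(pn_a, pn_b):
    """Constant-time comparison of two PN values."""
    return hmac.compare_digest(pn_a, pn_b)


def survives_salt_reset(principal, old_salt, new_salt):
    """True only if the user's PN is unchanged after replacing the salt.

    It never is: this is why a lost or reset salt makes every user look
    new and breaks all continuity in the federation's statistics."""
    return same_user(pseudonym(principal, old_salt),
                     pseudonym(principal, new_salt))


def recover_principal(pn, salt, candidate_principals):
    """Dictionary attack: whoever holds the salt (or can guess a weak one)
    maps a PN back to a username by hashing candidate names.

    Returns the matching principal or None. This is why the salt is a
    secret to protect, not just a value to back up."""
    for cand in candidate_principals:
        if same_user(pseudonym(cand, salt), pn):
            return cand
    return None


# Constructed values for the demonstration; never reuse a salt from a page.
OLD_SALT = "constructed-salt-do-not-use"
NEW_SALT = "constructed-salt-after-reset"
ALICE = "alice@example.org"
CANDIDATES = ["bob@example.org", ALICE, "carol@example.org"]

if __name__ == "__main__":
    pn = pseudonym(ALICE, OLD_SALT)
    print("PN(alice)               :", pn)
    print("PN survives salt reset  :", survives_salt_reset(ALICE, OLD_SALT, NEW_SALT))
    print("recovered with salt     :", recover_principal(pn, OLD_SALT, CANDIDATES))
    print("recovered with wrong salt:", recover_principal(pn, NEW_SALT, CANDIDATES))
    print("fresh salt entropy bytes:", salt_entropy_bytes(generate_salt()))
```

The last two calls show the trade-off directly: the same salt that gives analysis tools a stable per-user identifier across all RPs is also the only thing standing between a PN and the username, so it needs both a backup and the same access controls as the IdP's other secrets.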
Enable the logging
Add the following options to idp.properties
{code}
idp.fticks.federation=SWAMID
idp.fticks.algorithm=SHA-256
idp.fticks.salt=<salt>
idp.fticks.loghost=syslog.swamid.se
{code}
Replace <salt> with the value generated above.

Shibboleth Identity Provider 2.2.x (ndn-shib-fticks appender)
The following older instructions apply to Shibboleth Identity Provider 2.2.x, where F-TICKS logging is provided by the separate ndn-shib-fticks logback appender rather than by idp.properties. The appender allows federationIdentifier and version to be defined; the eduroam pattern SHOULD NOT be reused, instead use something that identifies the federation. The attributes exposed are the same as listed above (TS, RP, AP, PN, AM). The unique key used to hash local principal names into PN is stored in a key file and is generated automatically if it is missing. If this key is lost or reset, all local principal names will appear to have changed to analysis tools, so avoid this.

Configuration
Configuration is done in logging.xml:

Appender
Add an appender definition to logging.xml close to where the other appenders are.
{code}
<appender name="IDP_FTICKS" class="net.nordu.logback.FTicksAppender">
  <syslogHost>syslog.example.org</syslogHost>
  <federationIdentifier>swamid</federationIdentifier>
  <version>1.0</version>
  <keyFile>/opt/shibboleth-idp/conf/fticks-key.txt</keyFile>
</appender>
{code}
Change keyFile to point to where you want to store the random key that protects local principal names. Warning: do not lose this file once you have started to generate logs. The other options should be self-explanatory.

Enable the appender
Add the appender to the Shibboleth-Audit logger by changing
{code}
<logger name="Shibboleth-Audit" level="ALL">
  <appender-ref ref="IDP_AUDIT" />
</logger>
{code}
to
{code}
<logger name="Shibboleth-Audit" level="ALL">
  <appender-ref ref="IDP_AUDIT" />
  <appender-ref ref="IDP_FTICKS" />
</logger>
{code}
This assumes that you have not changed logging.xml from the default.

Build software
{code}
# git clone git://github.com/leifj/ndn-shib-fticks.git
# cd ndn-shib-fticks
# mvn
... build finishes ...
{code}
The target directory should contain a jar file. This is what you need for the next step.

Install software
Copy the jar file to shibboleth-identity-provider-2.2.x/lib and re-run the install.sh script to build and deploy the Shibboleth war file. You may need to restart your entire application container (Tomcat) for this to take effect. If everything works you should start seeing F-TICKS lines on your syslog server.