...
- The
metadataURLXML attribute on the<MetadataProvider>element should point to the HTTP location of the new production metadata aggregate. - Securely download and install a copy of the new metadata signing certificate.
Actually, the The second step above is optional (since the new signing certificate contains the same key as the old signing certificate) but it is a recommended practice nonetheless. See the Metadata Consumption wiki page for instructions how to securely obtain a copy of the new metadata signing certificate.
...
If you're running the Shibboleth SP software on a non-Windows platform, the software depends on the whatever version of OpenSSL is built into the underlying operating system. If Shibboleth is installed on top of an unsupported OS platform, it is likely you are running an old version of OpenSSL that doesn’t support SHA-2. For instance, RHEL 4 was built with OpenSSL version 0.9.7, which is known to be incompatible with SHA-2. In this case, you have no choice but to upgrade to a supported OS platform.
...
- The
urlXML attribute on the<MetadataProvider>element should point to the HTTP location of the new metadata aggregate. - Securely download and install a copy of the new metadata signing certificate.
Actually, the The second step above is optional (since the new signing certificate contains the same key as the old signing certificate) but it is a recommended practice nonetheless. See the Metadata Consumption wiki page for instructions how to securely obtain a copy of the new metadata signing certificate.
| Note | ||
|---|---|---|
| ||
If your Shibboleth SP deployment is not compatible with SHA-2, and you migrate to the new fallback metadata aggregate, start planning now to upgrade your system and migrate to the new production metadata aggregate ASAP (but no later than June 30, 2014). |
How does this implementation plan affect simpleSAMLphp deployments?
...