
Security Notices and Maintenance

Shibboleth Service Provider Security Advisory (04-May-2016)

The Shibboleth Project has announced a critical security issue that allows an unauthenticated remote attacker to access protected resources. It affects only the subset of deployers who use the feature described below.

Shibboleth SP software feature implemented incorrectly

The Shibboleth SP software contains a feature to specify protection rules and other settings based on evaluating a regular expression against a portion of the requested URL path. It is enabled by placing a regular-expression path element inside the request-mapping construct in the shibboleth2.xml configuration file. The element's ignoreCase attribute was implemented inverted: the software applies the opposite of the case sensitivity that is configured (or defaulted), so a rule intended to match a path regardless of case can be evaded simply by changing the case of the requested path.

Note: Deployers that do not make use of the feature are not impacted.

Check your shibboleth2.xml configuration file for this element. If it is used, check each occurrence for the ignoreCase attribute:

• If found, reverse the value (true to false, false to true).
• If not found, add ignoreCase="false" to the element.

The reversed value compensates for the defective implementation. Once an SP release that corrects the attribute handling is installed, set the attribute back to its intended value, otherwise the inversion will work against you.

Restarting the web server is not required for the change to take effect.
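As an added example (not part of the AAF notice or the Shibboleth Project's code), the script below audits a shibboleth2.xml for the affected rules, applies the advisory's reversal, and shows why it matters by probing a case-changed path against the rules as the defective software would evaluate them. It assumes the element is `<PathRegex>` within `<RequestMapper>`/`<RequestMap>`, that ignoreCase is an XML boolean whose documented default is true, and that the file uses the Shibboleth SP default namespace; none of those names appear on this page, and the sample configuration is constructed for the demonstration.

```python
"""Audit shibboleth2.xml for <PathRegex> rules affected by the ignoreCase
inversion and apply the advisory's workaround (added example, not AAF or
Shibboleth code).  Assumed: element <PathRegex> under <RequestMap>, XML boolean
ignoreCase with documented default "true", SP default namespace."""
import re
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"
ET.register_namespace("", SP_NS)  # keep the default namespace unprefixed when serialising

# Constructed sample: one rule without ignoreCase, one with it set explicitly.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host name="sp.example.edu">
        <PathRegex regex="^/secure(/.*)?$" authType="shibboleth" requireSession="true"/>
        <PathRegex regex="^/admin(/.*)?$" ignoreCase="true" authType="shibboleth" requireSession="true"/>
        <Path name="public"/>
      </Host>
    </RequestMap>
  </RequestMapper>
</SPConfig>
"""


def _local(tag):
    """Strip ElementTree's '{namespace}' prefix so matching is namespace-agnostic."""
    return tag.rsplit("}", 1)[-1]


def path_regex_rules(root):
    return [el for el in root.iter() if _local(el.tag) == "PathRegex"]


def as_bool(value, default=True):
    """XML boolean: true/1 are true, false/0 are false; absent means the documented default."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "1")


def effective_ignore_case(attr_value, buggy):
    """What the SP actually does: the affected versions invert the configured value."""
    configured = as_bool(attr_value)
    return (not configured) if buggy else configured


def rule_protects(regex, path, ignore_case):
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(regex, path, flags) is not None


def workaround_value(attr_value):
    """Advisory: attribute present -> reverse it; absent -> add ignoreCase="false"."""
    if attr_value is None:
        return "false"
    return "false" if as_bool(attr_value) else "true"


def audit(xml_text):
    """Report each PathRegex rule with its current ignoreCase and the value to set."""
    root = ET.fromstring(xml_text)
    return [
        {"regex": el.get("regex"), "ignoreCase": el.get("ignoreCase"),
         "set_to": workaround_value(el.get("ignoreCase"))}
        for el in path_regex_rules(root)
    ]


def apply_workaround(xml_text):
    """Return (rewritten XML, number of rules changed)."""
    root = ET.fromstring(xml_text)
    rules = path_regex_rules(root)
    for el in rules:
        el.set("ignoreCase", workaround_value(el.get("ignoreCase")))
    return ET.tostring(root, encoding="unicode"), len(rules)


def case_bypass_possible(xml_text, probe_path, buggy=True):
    """True if no PathRegex rule catches probe_path, i.e. a case-changed request
    for a protected resource (served identically by a case-insensitive web
    server) would reach it without a session."""
    root = ET.fromstring(xml_text)
    return not any(
        rule_protects(el.get("regex"), probe_path,
                      effective_ignore_case(el.get("ignoreCase"), buggy))
        for el in path_regex_rules(root)
    )


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    fixed, changed = apply_workaround(SAMPLE_CONFIG)
    print(f"{changed} rule(s) changed; bypass of /SECURE/grades before: "
          f"{case_bypass_possible(SAMPLE_CONFIG, '/SECURE/grades')}, after: "
          f"{case_bypass_possible(fixed, '/SECURE/grades')}")
```

Running `case_bypass_possible(fixed, path, buggy=False)` models an SP release with the corrected attribute handling: the reversed values then make the rules case-sensitive again, which is why the workaround must be undone after upgrading.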

Shibboleth information for this Security Advisory can be found here

More information about this feature can be found on the Shibboleth wiki

Java Version 1.7.0_85 and AAF Metadata loading errors

7 August 2015

The recent Java 1.7.0_85 release affects Identity Providers, causing them to fail to download and refresh the AAF metadata and their attribute filter over HTTPS. After upgrading Java to 1.7.0_85 you may see errors in your idp-process.log file similar to the one shown below.

Error Message:

https://ds.test.aaf.edu.au/distribution/metadata/metadata.aaf.signed.complete.xml javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name:

If this is the case, your IdP is no longer loading the AAF metadata or its attribute filter, and a minor change to the Java options used at start-up is required.

What you need to do:

The solution is to restore the previous behaviour of the TLS hostname verification your IdP performs when loading files from the AAF distribution service. Java 1.7.0_85 stopped trusting the name service (reverse DNS lookups) during hostname validation by default, which is what causes the failure above; the jdk.tls.trustNameService system property turns that trust back on. Be aware that this re-enables the pre-upgrade, weaker verification rather than fixing the underlying cause, so treat it as a workaround. Set it in the Tomcat start-up environment (catalina.sh, or preferably a setenv.sh alongside it so the change survives Tomcat upgrades) by adding the following line:

JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.trustNameService=true"

Once this is done, restart your IdP. Both the AAF metadata and the attribute filter will then load again.

For more information about this issue, go to Shibboleth announcements.