diff --git a/build.xml b/build.xml index 4a657181..275baf53 100644 --- a/build.xml +++ b/build.xml @@ -609,7 +609,7 @@ @@ -702,7 +702,7 @@ - + @@ -1261,28 +1261,6 @@ - - - Extracting key authorities - - - - - - Checking authority certificates - - - - - diff --git a/build/check_embedded.pl b/build/check_embedded.pl index 8268a246..f356636c 100755 --- a/build/check_embedded.pl +++ b/build/check_embedded.pl @@ -41,12 +41,10 @@ # my %issuerMark; -# From the UK federation trust roots document. -$issuerMark{'AddTrust External CA Root'} = 'R'; -$issuerMark{'UTN-USERFirst-Hardware'} = 'i'; -$issuerMark{'TERENA SSL CA'} = 'i'; - # ex-roots +$issuerMark{'AddTrust External CA Root'} = 'X'; +$issuerMark{'UTN-USERFirst-Hardware'} = 'x'; +$issuerMark{'TERENA SSL CA'} = 'x'; $issuerMark{'GlobalSign Root CA'} = 'X'; $issuerMark{'GlobalSign Organization Validation CA'} = 'x'; $issuerMark{'GlobalSign Primary Secure Server CA'} = 'x'; @@ -143,18 +141,23 @@ sub comment { @args = split; $entity = $args[1]; $keyname = $args[3]; + + # + # Tidy entity ID if it includes a UK ID as well. + # + if ($entity =~ /^\[(.+)\](.+)$/) { + $entity = $2 . ' (' . $1 . ')'; + } # # Output header line. # - $oline = "Entity $entity "; + $oline = "Entity $entity"; $hasKeyName = !($keyname eq '(none)'); + push(@olines, $oline); if ($hasKeyName) { - $oline .= "has KeyName $keyname"; - } else { - $oline .= "has no KeyName"; + error("descriptor has unexpected KeyName $keyname"); } - push(@olines, $oline); # # Start building a new blob. @@ -280,7 +283,6 @@ sub comment { # if ($notAfter =~ /(\d\d\d\d)/) { my $year = $1; - $expiryYear = $year; if ($year > $maxYear) { $maxYear = $year; } 
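Review bot: The tidy-up pattern `/^\[(.+)\](.+)$/` added in the hunk at -143,18 of build/check_embedded.pl is greedy, so an entity ID that itself contains `]` (an IPv6-literal host, for instance) would have part of the entity ID folded into the bracketed UK ID on the report line; `/^\[([^\]]+)\](.+)$/` stops at the first closing bracket. In the same hunk `$keyname` is taken straight from `$args[3]`, so a header line with fewer than four fields would presumably be reported as `unexpected KeyName` with an empty name; a separate `defined $keyname` check with its own message would make that case distinguishable. A one-line comment above the new `error(...)` call saying why any KeyName is now treated as an error would help the next reader. The enclosing loop starts and ends outside the hunk.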
@@ -362,101 +364,6 @@ sub comment { } - # - # Check KeyName if one has been supplied. - # - if ($hasKeyName && !defined($names{lc $keyname})) { - my $nameList = join ", ", sort keys %names; - error("KeyName mismatch: $keyname not in {$nameList}"); - } - - # - # Use openssl to ask whether this matches our trust fabric or not. - # - my $error = ''; - $serverOK = 1; - $cmd = "openssl verify -CAfile ../mdx/uk/authorities.pem -purpose sslserver $filename |"; - open(SSL, $cmd) || die "could not open openssl subcommand 2"; - while () { - chomp; - if (/error/) { - $error = $_; - $serverOK = 0; - } - } - close SSL; - $clientOK = 1; - $cmd = "openssl verify -CAfile ../mdx/uk/authorities.pem -purpose sslclient $filename |"; - open(SSL, $cmd) || die "could not open openssl subcommand 3"; - while () { - chomp; - if (/error/) { - $error = $_; - $clientOK = 0; - } - } - close SSL; - - # - # Irrespective of what went wrong, client and server results should match. - # - if ($clientOK != $serverOK) { - error("client/server purpose result mismatch: $clientOK != $serverOK"); - } - - # - # Reduce error if possible. - # - if ($error =~ m/^error \d+ at \d+ depth lookup:\s*(.*)$/) { - $error = $1; - } - - # - # Now, adjust for our expectations. - # - if (!$hasKeyName) { - # - # Pretty much any certificate is fine if we don't have a KeyName. - # - if ($error eq 'self signed certificate') { - $error = ''; - comment("self signed certificate"); - } elsif ($error eq 'unable to get local issuer certificate') { - $error = ''; - comment("unknown issuer: $issuerCN"); - } elsif ($clientOK) { - # $error = "certificate matches trust fabric; add KeyName?"; - } - } else { - # - # If a KeyName is present, we must match the trust fabric. 
- # - if ($error eq 'self signed certificate') { - $error = 'self signed certificate: remove KeyName?'; - } elsif ($error eq 'unable to get local issuer certificate') { - $error = "non trust fabric issuer: $issuerCN: remove KeyName?"; - } - - # - # KeyName with an expired certificate indicates some kind of misconfiguration. - # Either the KeyDescriptor isn't working, or the expired certificate is still - # in use (in which case the KeyName is superfluous) or a different certificate - # is in use via PKIX (which means we have the wrong one). - # - if ($days < 0) { - error("expired certificate has KeyName; acquire/ensure correct certificate and remove KeyName"); - } - } - - if ($error eq 'certificate has expired' && $days < 0) { - # an equivalent message has already been issued - $error = ''; - } - - if ($error ne '') { - error($error); - } - # # Handle public key size. # @@ -478,13 +385,6 @@ sub comment { warning("issuer '$issuerCN' suspect; verify"); } } - if ($hasKeyName && ($issuerCN =~ /(Global|Veri)Sign/)) { - warning("issuer \"$issuerCN\" to be retired; certificate expires $notAfter; remove KeyName?"); - $issuerMark{$issuerCN} = '*'; - } - if ($hasKeyName && ($expiryYear > 2014)) { - warning("expires $notAfter, which is later than 2014"); - } # # Count issuers. @@ -497,9 +397,6 @@ sub comment { } else { $issuers{$issuerCN}++; } - if ($hasKeyName) { - $knIssuers{$issuerCN}++; - } } # @@ -544,14 +441,6 @@ sub comment { } print "\n"; - print "KeyName certificate issuers:\n"; - foreach $issuer (sort keys %knIssuers) { - my $count = $knIssuers{$issuer}; - my $mark = $issuerMark{$issuer} ? $issuerMark{$issuer}: ' '; - print " $mark $issuer: $count\n"; - } - print "\n"; - my $first = 1; foreach $fingerprint (sort keys %expiry_whitelist) { if ($expiry_whitelist{$fingerprint} eq 'unused') { diff --git a/build/normalise_fragment b/build/normalise_fragment index 5b9bd582..06f58582 100755 --- a/build/normalise_fragment +++ b/build/normalise_fragment 
@@ -11,7 +11,7 @@ file: * arranges for all appropriate namespaces to appear on the EntityDescriptor - * arranges for an appropriate collection on schemaLocation values + * arranges for an appropriate collection of schemaLocation values * puts any ID and entityID attributes in the right place @@ -66,6 +66,7 @@ ED_TEMPLATE = Template(''' urn:oasis:names:tc:SAML:2.0:assertion ../xml/saml-schema-assertion-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../xml/shibboleth-metadata-1.0.xsd http://ukfederation.org.uk/2006/11/label ../xml/uk-fed-label.xsd + http://sdss.ac.uk/2006/06/WAYF ../xml/uk-wayf.xsd http://www.w3.org/2001/04/xmlenc# ../xml/xenc-schema.xsd http://www.w3.org/2009/xmlenc11# ../xml/xenc-schema-11.xsd http://www.w3.org/2000/09/xmldsig# ../xml/xmldsig-core-schema.xsd" diff --git a/build/query-entities.pl b/build/query-entities.pl index 917d4b35..1c31b422 100755 --- a/build/query-entities.pl +++ b/build/query-entities.pl @@ -14,7 +14,7 @@ sub help { print<<'EOF'; -usage: query-entities.pl [--help] [--head] [--idonly] [--idp] [--sp] [--reg ] [--notreg ] +usage: query-entities.pl [--help] [--head] [--idonly] [--idp] [--sp] [--reg ] [--notreg ] [--org ] Outputs the entityID, display name(s) and other information about entities in the given SAML metadata aggregate file. @@ -32,6 +32,8 @@ sub help { --notreg - outputs those entities NOT registered by registrationAuthority (By default the script outputs all entities; can only have one of --reg or --notreg) +--org - outputs entities with this OrganizationName (xml:lang="en" only in this version)) + Example 1: To output all SPs in the UK federation metadata which have been imported (i.e. are not registered by the UKAMF registrationAuthority http://ukfederation.org.uk), and to include a header on the CSV file: 
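Review bot: The `--org` help line added in build/query-entities.pl (hunk at -32,6) ends with a doubled closing parenthesis, `only in this version))`; it should end `(xml:lang="en" only in this version)`. The same line would be a good place to say that the match is an exact, case-sensitive string comparison, since that is what the `ne` test added later in this commit implements.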
@@ -42,6 +44,11 @@ sub help { query-entities.pl --head --idp -reg http://ukfederation.org.uk ukfederation-export.xml +Example 3: +To output all entities with OrganizationName 'University of Edinburgh' + +query-entities.pl --org 'University of Edinburgh' ukfederation-metadata.xml + EOF } @@ -52,6 +59,7 @@ sub help { my $help; my $head; my $idonly; +my $org; my $result = GetOptions( "idp" => \$idp, @@ -60,7 +68,8 @@ sub help { "notreg=s" => \$notreg, "help" => \$help, "head" => \$head, - "idonly" => \$idonly + "idonly" => \$idonly, + "org=s" => \$org ); if ($help) { @@ -111,6 +120,7 @@ sub help { if ($sp) { print "sp: $sp\n"; } if ($reg) { print "reg: $reg\n"; } if ($notreg) { print "notreg: $notreg\n"; } + if ($org) { print "org: $org\n"; } } # @@ -129,7 +139,7 @@ sub help { # # print header # -if ($head) { print "# type, entityID, registrationAuthority, OrganizationDisplayName, OrganizationURL\n"; } +if ($head) { print "# type, entityID, registrationAuthority, OrganizationName, OrganizationDisplayName, OrganizationURL\n"; } # # Workhorse @@ -145,11 +155,12 @@ sub help { sub is_entity () { my ($t, $section)= @_; - my ($entityID, $ODN, $URL, $registrationAuthority, $type, $temp); + my ($entityID, $OrganizationName, $ODN, $URL, $registrationAuthority, $type, $temp); $entityID = "No entityID found"; $entityID = $section->{'att'}->{'entityID'}; + $OrganizationName = "No OrganizationName found"; $ODN = "No OrganizationDisplayName found"; $URL = "No URL found"; # Turns out the Organization element is optional 
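Review bot: The new header line in build/query-entities.pl (hunk at -129,7) inserts `OrganizationName` as the fourth column, ahead of `OrganizationDisplayName` and `OrganizationURL`, so any consumer that reads this CSV by position will silently pick up the wrong field after the change. Appending the new column at the end keeps existing positions stable, e.g. `# type, entityID, registrationAuthority, OrganizationDisplayName, OrganizationURL, OrganizationName`, with the data line in `is_entity` changed to match. If the new order is intended, the help text should state the column layout so that downstream scripts can be updated deliberately.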
@@ -159,12 +170,18 @@ () $ODN = $temp; } } + if ( $section->first_child('Organization')->first_child('OrganizationName[@xml:lang="en"]') ) { + if ( $temp = $section->first_child('Organization')->first_child('OrganizationName[@xml:lang="en"]')->text) { + $OrganizationName = $temp; + } + } if ( $section->first_child('Organization')->first_child('OrganizationURL') ) { if ( $temp = $section->first_child('Organization')->first_child('OrganizationURL')->text) { $URL = $temp; } } } + if ( $org && $org ne $OrganizationName ) { return; } $registrationAuthority = "No registrationAuthority found"; # Even though eduGAIN Metadata profile says entities MUST have MDRPI, turns out the eduGAIN aggregate does not enforce this rule. However, the eduGAIN site allows people to validate federations' incoming aggregates. See http://www.edugain.org/technical/status.php and go to countries' entry 'validate this metadata set' @@ -176,8 +193,7 @@ () } } } - } - + } if ( $notreg && $notreg eq $registrationAuthority ) { return; } if ( $reg && $reg ne $registrationAuthority ) { return; } @@ -189,7 +205,7 @@ () if ($idonly) { print "$entityID\n"; } else { - print "$type, $entityID, $registrationAuthority, \"$ODN\", $URL\n" + print "$type, $entityID, $registrationAuthority, \"$OrganizationName\", \"$ODN\", $URL\n" } } } diff --git a/mdx/_rules/check_mdui.xsl b/mdx/_rules/check_mdui.xsl index 5615990b..796c1d3f 100644 --- a/mdx/_rules/check_mdui.xsl +++ b/mdx/_rules/check_mdui.xsl 
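Review bot: The data line added in the hunk at -189,7 of build/query-entities.pl interpolates `$OrganizationName` and `$ODN` between literal double quotes without escaping them, and these values are read from aggregate metadata that, per the script's own help text, can include entities imported from other registrars. A name containing `"` would terminate the quoted field early and shift the remaining columns. Doubling embedded quotes before printing, e.g. `(my $name = $OrganizationName) =~ s/"/""/g;`, and quoting `$entityID`, `$registrationAuthority` and `$URL` the same way would keep each record well-formed. The enclosing sub starts outside the hunk.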
@@ -28,42 +28,6 @@ --> - - - - mdui:DisplayName must not be empty - - - - - mdui:Description must not be empty - - - - - mdui:Keywords must not be empty - - - - - mdui:IPHint must not be empty - - - - - mdui:DomainHint must not be empty - - - - - mdui:GeolocationHint must not be empty - - - + + + + mdui:Logo contains line break + + + - - - - - mdui: - - ' - - ' is not a valid URL: - - - - + + + + + + mdui: + + ' + + ' is not a valid URL: + + + + + - + + + + SAML 2.0 IDPSSODescriptor does not support HTTP-Redirect SSO binding + + + + + + + + + + + + + + + insecure algorithm in SigningMethod: ' + + ' + + + + + + + + + + + + + + unknown algorithm in SigningMethod: ' + + ' + + + + + + + + + + + insecure algorithm in DigestMethod: ' + + ' + + + + + + + + + + + + + + unknown algorithm in DigestMethod: ' + + ' + + + + + + + + + + + insecure algorithm in EncryptionMethod: ' + + ' + + + + + + + + + + + + + + unknown algorithm in EncryptionMethod: ' + + ' + + + + + diff --git a/mdx/_rules/check_uk_wayf.xsl b/mdx/_rules/check_uk_wayf.xsl new file mode 100644 index 00000000..c2e443cd --- /dev/null +++ b/mdx/_rules/check_uk_wayf.xsl @@ -0,0 +1,46 @@ + + + + + + + + + + + + unknown element name wayf: + + + + + + + + + misplaced wayf:HideFromWAYF element + + + + diff --git a/mdx/at_aconet/beans.xml b/mdx/at_aconet/beans.xml index 4fcf3c37..57c1d42d 100644 --- a/mdx/at_aconet/beans.xml +++ b/mdx/at_aconet/beans.xml @@ -73,15 +73,6 @@ - - - - - + + + + https://zididp.uni-graz.at/idp/shibboleth + + + diff --git a/mdx/cl_cofre/beans.xml b/mdx/cl_cofre/beans.xml index 42b9628d..d7381766 100644 --- a/mdx/cl_cofre/beans.xml +++ b/mdx/cl_cofre/beans.xml @@ -52,15 +52,6 @@ - - - - - + + diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml index 37e99e1f..4e13a575 100644 --- a/mdx/common-beans.xml +++ b/mdx/common-beans.xml @@ -261,6 +261,12 @@ + + + + @@ -272,6 +278,9 @@ + + 
@@ -285,6 +294,9 @@ + + - - + + + + + + + + + + + + + + + + + - + - + + - + - - + + + + - + - + + - - - + + + + + + @@ -607,9 +641,17 @@ + + + + + + + + - - - @@ -283,23 +297,6 @@ - - - - - - - - - - - - - - - @@ -361,8 +356,19 @@ *************************************** --> - - + + + @@ -479,7 +485,7 @@ Entities in the CDSALL aggregate are restricted to those entities registered by the UK federation plus all identity providers from whatever source. --> - + @@ -569,11 +575,9 @@ - - @@ -634,6 +638,7 @@ + @@ -674,8 +679,8 @@ - - + + @@ -692,6 +697,83 @@ p:id="uk_exportPipeline"> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + https://idp.glowscotland.org.uk/shibboleth + + + + + + + + + + + + @@ -700,7 +782,6 @@ - @@ -731,7 +812,7 @@ *********************************************************** --> - + @@ -740,6 +821,84 @@ p:id="uk_exportPreviewPipeline"> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + https://idp.glowscotland.org.uk/shibboleth + + + + + + + + + + + + @@ -748,7 +907,6 @@ - @@ -1047,7 +1205,7 @@ - + diff --git a/mdx/uk/import.xsl b/mdx/uk/import.xsl index 0acc045d..7e6bd0b5 100644 --- a/mdx/uk/import.xsl +++ b/mdx/uk/import.xsl @@ -73,6 +73,7 @@ urn:oasis:names:tc:SAML:2.0:assertion ../xml/saml-schema-assertion-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../xml/shibboleth-metadata-1.0.xsd http://ukfederation.org.uk/2006/11/label ../xml/uk-fed-label.xsd + http://sdss.ac.uk/2006/06/WAYF ../xml/uk-wayf.xsd http://www.w3.org/2001/04/xmlenc# ../xml/xenc-schema.xsd http://www.w3.org/2009/xmlenc11# ../xml/xenc-schema-11.xsd http://www.w3.org/2000/09/xmldsig# ../xml/xmldsig-core-schema.xsd"> diff --git a/mdx/uk/ns_norm_test.xsl b/mdx/uk/ns_norm_test.xsl index 536de548..23b6bdac 100644 --- a/mdx/uk/ns_norm_test.xsl +++ b/mdx/uk/ns_norm_test.xsl 
@@ -39,7 +39,7 @@ xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" - exclude-result-prefixes="alg md mdattr saml xenc" + exclude-result-prefixes="alg md wayf xenc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> diff --git a/mdx/uk/statistics.xsl b/mdx/uk/statistics.xsl index 195941e2..ee396fa7 100644 --- a/mdx/uk/statistics.xsl +++ b/mdx/uk/statistics.xsl @@ -15,17 +15,18 @@ xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" + xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" + xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:members="http://ukfederation.org.uk/2007/01/members" - xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF" xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label" xmlns:math="http://exslt.org/math" xmlns:date="http://exslt.org/dates-and-times" xmlns:dyn="http://exslt.org/dynamic" xmlns:set="http://exslt.org/sets" xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" - exclude-result-prefixes="xsl alg ds init md mdui xsi members wayf ukfedlabel math date dyn set idpdisc" + exclude-result-prefixes="xsl alg ds init md mdattr mdui saml xsi members ukfedlabel math date dyn set idpdisc" version="1.0"> @@ -42,20 +43,12 @@ - - - - - - - @@ -80,9 +73,6 @@ - - @@ -137,8 +127,8 @@
  • Members by Primary Scope

  • Members Lacking Deployment

  • Shibboleth 1.3 Remnants

  • -
  • Entities with mdui:UIInfo support

  • -
  • Entities in Export Aggregate

  • +
  • Export Aggregate: Entities Opted Out

  • +
  • Export Aggregate: Entities Explicitly Opted In

  • Entities Without SAML 2.0 Support

  • @@ -404,28 +394,6 @@ -

    Additional Non-member Entity Owners

    -

    - In addition, the UK federation operator maintains agreements with certain - other organisations so that metadata for entities belonging to those - organisations can be published within the UK federation metadata for the - benefit of UK federation members. -

    -

    Number of non-member relationships:

    - - - - - - - - - - - - -
    Non-member agreementEntitiesIdPsSPsOSrcScope
    - -

    Entities with mdui:UIInfo support

    - - - +

    Export Aggregate: Entities Opted Out

    + + +
      - +
    • : @@ -1099,6 +1082,14 @@ [SP] + + + [RqA] + + + [!RqA] + + @@ -1110,21 +1101,28 @@ ) + +
        +
      • + No SAML 2.0 support +
      • +
      +
    - -

    Entities in Export Aggregate

    +

    Export Aggregate: Entities Explicitly Opted In

    @@ -1213,8 +1211,17 @@ + + + - +

    Identity Providers Without SAML 2.0 Support

    + + + +
    @@ -1337,8 +1344,12 @@ : [not-M] [IdP] - [H] + [H] [SP] + [UIInfo] @@ -1733,10 +1744,21 @@ + + + + + - + - - Shibboleth 1.3 + + Shibboleth 3.x - - + Shibboleth 2.x - + + + Shibboleth 1.3 + + + + + Shibboleth combined diff --git a/mdx/uk/trust-roots.xml b/mdx/uk/trust-roots.xml deleted file mode 100644 index f32a3431..00000000 --- a/mdx/uk/trust-roots.xml +++ /dev/null 
@@ -1,224 +0,0 @@ - - - - - - - - - - - - - - - MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU - MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs - IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 - MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux - FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h - bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v - dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt - H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 - uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX - mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX - a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN - E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 - WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD - VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 - Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU - cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx - IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN - AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH - YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 - 6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC - Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX - c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a - mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= - - - - - - - - - MIIEPDCCAySgAwIBAgIQSEus8arH1xND0aJ0NUmXJTANBgkqhkiG9w0BAQUFADBv - MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk - ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF - eHRlcm5hbCBDQSBSb290MB4XDTA1MDYwNzA4MDkxMFoXDTIwMDUzMDEwNDgzOFow - gZcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBMYWtl - IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMY - 
aHR0cDovL3d3dy51c2VydHJ1c3QuY29tMR8wHQYDVQQDExZVVE4tVVNFUkZpcnN0 - LUhhcmR3YXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsffDOD+0 - qH/POYJRZ9Btn9L/WPPnnyvsDYlUmbk4mRb34CF5SMK7YXQSlh08anLVPBBnOjnt - KxPNZuuVCTOkbJex6MbswXV5nEZejavQav25KlUXEFSzGfCa9vGxXbanbfvgcRdr - ooj7AN/+GjF3DJoBerEy4ysBBzhuw6VeI7xFm3tQwckwj9vlK3rTW/szQB6g1ZgX - vIuHw4nTXaCOsqqq9o5piAbF+okh8widaS4JM5spDUYPjMxJNLBpUb35Bs1orWZM - vD6sYb0KiA7I3z3ufARMnQpea5HW7sftKI2rTYeJc9BupNAeFosU4XZEA39jrOTN - SZzFkvSrMqFIWwIDAQABo4GqMIGnMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8D - veAky1QaMB0GA1UdDgQWBBShcl8mGyiYQ5VdBzfVhZadS9LDRTAOBgNVHQ8BAf8E - BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8v - Y3JsLnVzZXJ0cnVzdC5jb20vQWRkVHJ1c3RFeHRlcm5hbENBUm9vdC5jcmwwDQYJ - KoZIhvcNAQEFBQADggEBADzse+Cuow6WbTDXhcbSaFtFWoKmNA+wyZIjXhFtCBGy - dAkjOjUlc1heyrl8KPpH7PmgA1hQtlPvjNs55Gfp2MooRtSn4PU4dfjny1y/HRE8 - akCbLURW0/f/BSgyDBXIZEWT6CEkjy3aeoR7T8/NsiV8dxDTlNEEkaglHAkiD31E - NREU768A/l7qX46w2ZJZuvwTlqAYAVbO2vYoC7Gv3VxPXLLzj1pxz+0YrWOIHY6V - 9+qV5x+tkLiECEeFfyIvGh1IMNZMCNg3GWcyK+tc0LL8blefBDVekAB+EcfeEyrN - pG1FJseIVqDwavfY5/wnfmcI0L36tsNhAgFlubgvz1o= - - - - - - - - - MIIEmDCCA4CgAwIBAgIQS8gUAy8H+mqk8Nop32F5ujANBgkqhkiG9w0BAQUFADCB - lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug - Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho - dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt - SGFyZHdhcmUwHhcNMDkwNTE4MDAwMDAwWhcNMjAwNTMwMTA0ODM4WjA2MQswCQYD - VQQGEwJOTDEPMA0GA1UEChMGVEVSRU5BMRYwFAYDVQQDEw1URVJFTkEgU1NMIENB - MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw+NIxC9cwcupmf0booNd - ij2tOtDipEMfTQ7+NSUwpWkbxOjlwY9UfuFqoppcXN49/ALOlrhfj4NbzGBAkPjk - tjolnF8UUeyx56+eUKExVccCvaxSin81joL6hK0V/qJ/gxA6VVOULAEWdJRUYyij - 8lspPZSIgCDiFFkhGbSkmOFg5vLrooCDQ+CtaPN5GYtoQ1E/iptBhQw1jF218bbl - p8ODtWsjb9Sl61DllPFKX+4nSxQSFSRMDc9ijbcAIa06Mg9YC18em9HfnY6pGTVQ - L0GprTvG4EWyUzl/Ib8iGodcNK5Sbwd9ogtOnyt5pn0T3fV/g3wvWl13eHiRoBS/ - 
fQIDAQABo4IBPjCCATowHwYDVR0jBBgwFoAUoXJfJhsomEOVXQc31YWWnUvSw0Uw - HQYDVR0OBBYEFAy9k2gM896ro0lrKzdXR+qQ47ntMA4GA1UdDwEB/wQEAwIBBjAS - BgNVHRMBAf8ECDAGAQH/AgEAMBgGA1UdIAQRMA8wDQYLKwYBBAGyMQECAh0wRAYD - VR0fBD0wOzA5oDegNYYzaHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VUTi1VU0VS - Rmlyc3QtSGFyZHdhcmUuY3JsMHQGCCsGAQUFBwEBBGgwZjA9BggrBgEFBQcwAoYx - aHR0cDovL2NydC51c2VydHJ1c3QuY29tL1VUTkFkZFRydXN0U2VydmVyX0NBLmNy - dDAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG - 9w0BAQUFAAOCAQEATiPuSJz2hYtxxApuc5NywDqOgIrZs8qy1AGcKM/yXA4hRJML - thoh45gBlA5nSYEevj0NTmDa76AxTpXv8916WoIgQ7ahY0OzUGlDYktWYrA0irkT - Q1mT7BR5iPNIk+idyfqHcgxrVqDDFY1opYcfcS3mWm08aXFABFXcoEOUIEU4eNe9 - itg5xt8Jt1qaqQO4KBB4zb8BG1oRPjj02Bs0ec8z0gH9rJjNbUcRkEy7uVvYcOfV - r7bMxIbmdcCeKbYrDyqlaQIN4+mitF3A884saoU4dmHGSYKrUbOCprlBmCiY+2v+ - ihb/MX5UR6g83EMmqZsFt57ANEORMNQywxFa4Q== - - - - - - - - - - - - - - - - diff --git a/mdx/uk/trust-roots.xsl b/mdx/uk/trust-roots.xsl deleted file mode 100644 index 88e2bf6c..00000000 --- a/mdx/uk/trust-roots.xsl +++ /dev/null @@ -1,61 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/mdx/uk/ukfederation-2012.jks b/mdx/uk/ukfederation-2012.jks deleted file mode 100644 index 6f3fff5a..00000000 Binary files a/mdx/uk/ukfederation-2012.jks and /dev/null differ diff --git a/mdx/uk/ukfederation-2012.pem b/mdx/uk/ukfederation-2012.pem deleted file mode 100644 index a1f3a57a..00000000 --- a/mdx/uk/ukfederation-2012.pem +++ /dev/null 
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDxzCCAq+gAwIBAgIJANixLkdCTNtvMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV -BAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVudCBGZWRlcmF0aW9u -IGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMSYwJAYDVQQDDB1VSyBGZWRlcmF0 -aW9uIE1ldGFkYXRhIFNpZ25lcjAeFw0xMjEwMTEwNzA4MThaFw0xNDExMTYwNzA4 -MThaMHoxCzAJBgNVBAYTAkdCMUMwQQYDVQQKDDpVSyBBY2Nlc3MgTWFuYWdlbWVu -dCBGZWRlcmF0aW9uIGZvciBFZHVjYXRpb24gYW5kIFJlc2VhcmNoMSYwJAYDVQQD -DB1VSyBGZWRlcmF0aW9uIE1ldGFkYXRhIFNpZ25lcjCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAOqtfMvCmBuQudC4/jZFPYkHDNHFyp1FA3KJihIUXppF -vrecrO2wG5CpyqB1mZ+MlKf4jKcTMGBIXC2klD+FyrEdJMBhO6vRmJnNphg3uNZM -ks0NqIaZmtgc7e8435nMhqLHV95UK2oCLcT4gZrTaXa2vt9kukTOijB0KqDIfEG5 -369EHXPItApAEeMlHebbWndl5n2I16nya/LeaoiU9qJ6sVz4xd1UtUesewrmYVKg -PA2JYEpovmnr13sTnGssai5Db/FkrE2NJ4Q4drbPYcwincUo/UXzrtuPclr+l3JE -gjtvDzPrBxxvK0S/gARrbKz5tk4LDLkYsj4PKlwVS+UCAwEAAaNQME4wHQYDVR0O -BBYEFE9HhBuMxrzBYOj1Kj/3gtzAgtUEMB8GA1UdIwQYMBaAFE9HhBuMxrzBYOj1 -Kj/3gtzAgtUEMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAByZ5haR -hr8QqCo8DWO1qgVkUpPR1e/EFl+zV633esn5GJxIkD95va1Lxv84BmLBTD+EtX3T -OkrXccIL1PCUkGmP3xVsh99mzsVEGmfTC0wu8PYDz1UvUwQLcjg6YQDN3GmA1EUW -gt2cL8F4Q4/saowkkYjt0wWGQ/SNhwnGWwpo4ViTnoh3sNgr5gPHlozDGkL1NPG1 -bxdmyxmkr778yExS9xoEC4+Bnm7ApJyv3R2L9fpxCfEjE4tf3rWiSQL0Ss5etZNH -9qmw7sGZ7xX0g6rcki/r5Y9u0v/rRKvIOw8/YGW5B2P3Ij/paJWzasZsdsgj0pDJ -buk20xhyzBW6D/I= ------END CERTIFICATE----- diff --git a/mdx/us_incommon/beans.xml b/mdx/us_incommon/beans.xml index b64b0d3e..1d113c63 100644 --- a/mdx/us_incommon/beans.xml +++ b/mdx/us_incommon/beans.xml @@ -60,18 +60,6 @@ - - - - - + + + + + + + + + + + + + + + + + + + + + + @@ -652,6 +678,18 @@ ******************************************************************* --> + + + + + + + + + @@ -664,6 +702,18 @@ + + + + + + + + + + + + + + + Indicates an entity which should be hidden from the + Central Discovery Service. + + + + +