Internet2 MDQ Appliance

This CentOS-based container provides an InCommon Per-Entity Metadata server.

It downloads, validates, and verifies the InCommon aggregate, then creates per-entity metadata files and digitally signs them using a key/cert that is generated dynamically on the first run, unless one is already present (for example, supplied by a container orchestration system).

The generated self-signed certs (signing + www), if used, are 10-year certificates; you can control the subject of the certificates by setting the following 2 environment variables:
default: /C=US/ST=State/L=City/O=OrgName/
default: /C=US/ST=State/L=City/O=OrgName/

It can be run with the following command (on a docker-enabled linux host):
docker run -d -p 443:443 tier/mdq-appliance

The container will listen on port 443 (https).

The signing cert is available from /cert.

The container will take a few minutes to start on the initial launch. Watch the logs for the message "Metadata generation complete." (or watch the Docker health status).

Per-entity metadata is automatically updated nightly (job time is randomized on container build between midnight and 5am).

To have the container sign metadata using your own key/cert, overlay the following 3 files at run-time:

  • /keys/mda-signing.key
  • /keys/mda-signing.crt
  • /mda/inc/inc-cert/ (copy from existing repo and include the key's password in the '' property)

To have the container use your own SSL certificate (which should differ from the signing cert/key), overlay the following 2 files at run-time:

  • /etc/pki/tls/private/mda-signing-ssl.key (should not be password-protected)
  • /etc/pki/tls/certs/mda-signing-ssl.crt

You can test the server with the following curl commands:

The entire aggregate:
curl -k -I

The entire aggregate, with compression:
curl -k -I -H "Accept-Encoding: gzip"

A specific entity via the URL-encoded entityID (picked at random):
curl -k -I

A specific entity via the URL-encoded entityID, with compression:
curl -k -I -H "Accept-Encoding: gzip"

A specific entity via the SHA1 hash of the entityID:
curl -k -I

A specific entity via the SHA1 hash of the entityID, with compression:
curl -k -I -H "Accept-Encoding: gzip"

The certificate to be used for verification of the signatures on the per-entity metadata:
curl -k -I
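The two entity lookups above differ only in how the entityID is turned into a request identifier. The following added example (not part of this project) builds both forms and adds a consumer-side check that the certificate embedded in a per-entity document is the one published at /cert. It assumes the MDQ protocol's /entities/<identifier> path layout and its "{sha1}<hex>" identifier prefix, neither of which is spelled out on this page; the base URL, entityID and certificate below are constructed samples.

```python
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET  # use defusedxml for metadata from untrusted sources

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def encoded_identifier(entity_id: str) -> str:
    """Percent-encode every reserved character of the entityID, ':' and '/' included."""
    return urllib.parse.quote(entity_id, safe="")


def sha1_identifier(entity_id: str) -> str:
    """The '{sha1}<hex>' form (assumed from the MDQ spec); the hash is over the raw entityID."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def entity_urls(base_url: str, entity_id: str) -> dict:
    """Both request URLs for one entity under the assumed /entities/ path."""
    base = base_url.rstrip("/") + "/entities/"
    return {"encoded": base + encoded_identifier(entity_id),
            "sha1": base + sha1_identifier(entity_id)}


def embedded_cert_matches(metadata_xml: str, trusted_cert_pem: str) -> bool:
    """True when the ds:X509Certificate inside the per-entity document equals the
    certificate served at /cert (PEM armour and whitespace ignored). This checks
    only that the advertised signing key is the published one; the XML signature
    itself must still be verified with an XML-DSig tool such as xmlsec1."""
    node = ET.fromstring(metadata_xml).find(f".//{{{DS_NS}}}X509Certificate")
    if node is None or not node.text:
        return False
    embedded = "".join(node.text.split())
    trusted = "".join(l.strip() for l in trusted_cert_pem.splitlines()
                      if l.strip() and not l.startswith("-----"))
    return embedded == trusted


# Constructed samples (not a real certificate and not real InCommon metadata).
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCertificate
-----END CERTIFICATE-----"""
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp/shibboleth">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
MIIBconstructedSampleNotARealCertificate
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</EntityDescriptor>"""

print(entity_urls("https://localhost", "https://idp.example.org/idp/shibboleth"))
```

The braces in "{sha1}" are sent literally by common SAML clients; if your HTTP client rejects them, percent-encode the identifier before use.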

CentOS-based container which serves up InCommon metadata via MDQ