CentOS-based container which serves up InCommon metadata via MDQ
Latest commit fdf43e8 Jul 30, 2018

Internet2 MDQ Appliance

This CentOS-based container provides an InCommon Per-Entity Metadata server.

It downloads, validates, and verifies the InCommon aggregate, then creates per-entity metadata files and digitally signs them. The signing key/cert is generated dynamically on the first run unless one is already present (for example, supplied by a container orchestration system).

The generated self-signed certs (signing + www), if used, are 10-year certificates, and you can control the subject of the certificates by setting the following 2 environment variables:

  • default: /C=US/ST=State/L=City/O=OrgName/
  • default: /C=US/ST=State/L=City/O=OrgName/

It can be run with the following command (on a Docker-enabled Linux host):
docker run -d -p 443:443 tier/mdq-appliance

The container will listen on port 443 (https).

The signing cert is available from /cert.

The container will take a few minutes to start on the initial launch. Watch the logs for the message "Metadata generation complete." (or watch the Docker health status).

Per-entity metadata is automatically updated nightly (the job time is randomized at container build time to fall between midnight and 5am).

To have the container sign metadata using your own key/cert, overlay the following 3 files at run-time:

  • /keys/mda-signing.key
  • /keys/mda-signing.crt
  • /mda/inc/inc-cert/ (copy from existing repo and include the key's password in the '' property)

To have the container use your own SSL certificate (it should be different from the signing cert/key), overlay the following 2 files at run-time:

  • /etc/pki/tls/private/mda-signing-ssl.key (should not be password-protected)
  • /etc/pki/tls/certs/mda-signing-ssl.crt

You can test the server with the following curl commands:

The entire aggregate:
curl -k -I

The entire aggregate, with compression:
curl -k -I -H "Accept-Encoding: gzip"

A specific entity via the URL-encoded entityID (picked at random):
curl -k -I

A specific entity via the URL-encoded entityID, with compression:
curl -k -I -H "Accept-Encoding: gzip"

A specific entity via the SHA1 hash of the entityID:
curl -k -I

A specific entity via the SHA1 hash of the entityID, with compression:
curl -k -I -H "Accept-Encoding: gzip"

The certificate to be used for verification of the signatures on the per-entity metadata:
curl -k -I
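As an added example (not part of this README or the tier/mdq-appliance project), the following Python helper builds the two per-entity request forms the curl commands above use: the URL-encoded entityID and the SHA-1 transform of the entityID. The /entities/ path and the "{sha1}" prefix are assumed from the MDQ protocol specification, and the host name is a placeholder.

```python
import hashlib
from urllib.parse import quote

# Placeholder host; substitute the address of your running container.
MDQ_BASE = "https://mdq.example.org"


def encoded_entity_id(entity_id: str) -> str:
    """Percent-encode an entityID for use as an MDQ path segment.

    safe="" forces ':' and '/' to be encoded too, so the entityID
    cannot be mistaken for additional path components.
    """
    return quote(entity_id, safe="")


def sha1_identifier(entity_id: str) -> str:
    """Return the MDQ SHA-1 transform identifier for an entityID.

    Per the MDQ spec (assumed here): "{sha1}" followed by the lowercase
    hex SHA-1 digest of the UTF-8 encoded entityID.
    """
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return "{sha1}" + digest


def mdq_url(entity_id: str, by_hash: bool = False) -> str:
    """Build the full per-entity URL, by hash or by encoded entityID.

    The "{sha1}" braces are percent-encoded as well (%7Bsha1%7D), which is
    the form the MDQ spec calls for in the request path.
    """
    ident = sha1_identifier(entity_id) if by_hash else entity_id
    return f"{MDQ_BASE}/entities/{quote(ident, safe='')}"


def request_headers(compressed: bool = False) -> dict:
    """Headers for a per-entity lookup; gzip mirrors the curl examples."""
    headers = {"Accept": "application/samlmetadata+xml"}
    if compressed:
        headers["Accept-Encoding"] = "gzip"
    return headers


if __name__ == "__main__":
    # Constructed sample entityID, not taken from the InCommon aggregate.
    eid = "https://idp.example.org/idp/shibboleth"
    print(mdq_url(eid))
    print(mdq_url(eid, by_hash=True))
```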
