...

Then whenever a program looks for the name "auth.yale.edu" it goes to address "128.36.64.90" (the address of the pre-production VM for Shibboleth) instead of "130.132.35.36".

You cannot meaningfully point this name to any other address. For one thing, the server responding to this address has the Yale Certificate and private key for that host name, so the only two addresses you can point your browser to with "https://auth.yale.edu" and connect without a big nasty security message from the browser are 128.36.64.90 and 130.132.35.36 because the network accepts that both these addresses have the "auth.yale.edu" name. As a second check, both servers run the same configuration of production Shibboleth and both generate digital signatures using identical copies of a second protected secret digital key file. Without the signature, no application will believe the message comes from Shibboleth. So this technique can only be used to switch a computer temporarily from the "production" Shibboleth server to the "pre-production" version of the server.

To test your application you

  1. save the old hosts file
  2. make this one line change to the "hosts" file
  3. log in to your application using the browser. If it works, the test is successful.
  4. restore the original copy of the file.
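The four steps above, as an added example that is not part of the original page: pure functions that apply and revert the one-line hosts entry, plus a backup/restore wrapper. The `# shib-preprod-test` tag and the backup path are assumptions of this example; the addresses and host name are the ones the page gives.

```python
"""Hosts-file override for pointing auth.yale.edu at the pre-production IdP."""
from pathlib import Path
from typing import Optional
import shutil

NAME = "auth.yale.edu"
PROD_IP = "130.132.35.36"       # production Shibboleth (from the page)
PREPROD_IP = "128.36.64.90"     # pre-production VM (from the page)
MARKER = "# shib-preprod-test"  # constructed tag so we only ever remove our own line


def is_allowed_address(ip: str) -> bool:
    """Only these two hosts hold the certificate for the name; any other
    address would fail the browser's TLS check, as the page explains."""
    return ip in (PROD_IP, PREPROD_IP)


def resolve(hosts_text: str, name: str) -> Optional[str]:
    """Return the address the hosts file maps `name` to (first match wins,
    which is how the OS resolver reads the file), or None if absent."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[0]
    return None


def remove_override(hosts_text: str) -> str:
    """Strip only the tagged lines we added; everything else stays untouched."""
    kept = [l for l in hosts_text.splitlines() if not l.rstrip().endswith(MARKER)]
    return "\n".join(kept) + ("\n" if kept else "")


def add_override(hosts_text: str, name: str = NAME, ip: str = PREPROD_IP) -> str:
    """Prepend the tagged override so it wins over any existing mapping (idempotent)."""
    if not is_allowed_address(ip):
        raise ValueError(f"{ip} does not serve the certificate for {name}")
    if resolve(hosts_text, name) == ip:
        return hosts_text
    return f"{ip} {name} {MARKER}\n{remove_override(hosts_text)}"


def apply_with_backup(hosts_path: Path, backup_path: Path, ip: str = PREPROD_IP) -> str:
    """Steps 1 and 2: save the old file, then write the one-line change."""
    shutil.copyfile(hosts_path, backup_path)
    new_text = add_override(hosts_path.read_text(), ip=ip)
    hosts_path.write_text(new_text)
    return new_text


def restore(hosts_path: Path, backup_path: Path) -> None:
    """Step 4: put the original file back so later visits to other paths work."""
    shutil.copyfile(backup_path, hosts_path)
```

Run `apply_with_backup(Path("/etc/hosts"), Path("/tmp/hosts.bak"))` (or the Windows hosts path) with administrator rights, do the browser test, then call `restore` with the same paths.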

...

What happens if you do not restore the original copy of the file? The pre-production version of Shibboleth is protected by the same security as production Shibboleth. It is just changed more easily and quickly. Unfortunately, there are a few other applications that you can access that appear to be on the "auth.yale.edu" server, but only Shibboleth (that is "https://auth.yale.edu/idp") is supported by the test machine at 128.36.64.90. So if you forget, and a few days later you accidentally try to access "https://auth.yale.edu/somethingelse", then that will fail. So generally it is a good idea to run one quick test and put things back to normal.

Is There Another Way to Do This?

All browsers have an Advanced section of their Options where, under Network, you can configure a Proxy Server. A proxy server will be set up that maps the "auth.yale.edu" name to the pre-production address. This does essentially the same thing, but uses only a temporary change to the browser configuration instead of a change to the operating system.