...
Then whenever a program (the Browser) looks for the name "auth.yale.edu" it goes to address "128.36.64.90" (the address of the pre-production VM for Shibboleth) instead of "130.132.35.36". You cannot meaningfully point this name to any other address. For one thing, the server responding to this address has the Yale Certificate and private key for that host name. These two addresses are the only computers in the world that have both the "https://" Certificate/Key for the name "auth.yale.edu" (so the browser connects without a big nasty security message) and the Certificate/Key to digitally sign messages in a way that other applications will trust came from the Yale Shibboleth server.
Testing
It is generally a good idea to make two copies of the "hosts" file in two subdirectories, which I will call "saved" and "test". Edit "test\hosts" to add the one line "128.36.64.90 auth.yale.edu". The network accepts that both 128.36.64.90 and 130.132.35.36 carry the "auth.yale.edu" name: both servers run the same configuration of production Shibboleth, and both generate digital signatures using identical copies of a second protected secret digital key file. Without that signature, no application will believe the message comes from Shibboleth. So this technique can only be used to switch a computer temporarily from the "production" Shibboleth server to the "pre-production" version of the server. To copy "test\hosts" to "C:\windows\system32\drivers\etc" (or to copy test/hosts to "/etc") you need administrative (or root) privileges. On Windows, simply copy and paste or drag and drop the file from test\hosts to C:\windows\system32\drivers\etc. First you will be asked if you want to replace the old file. Then you will be asked to approve the use of administrative privilege to change a system directory.
To test your application you
- Copy the test "hosts" file to the "etc" directory.
- Login to your application using the browser. If it works, the test is successful.
- Copy the saved "hosts" file back to the "etc" directory.
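The three-step procedure above, as an added example that is not part of the original page: it builds the "test" copy from the "saved" copy by appending the one line, shows how the resolver would answer for "auth.yale.edu" before and after the change (first matching hosts line wins; no match means "fall through to DNS"), and strips exactly that line again to restore. The trailing comment tag used to find the line later, and the sample file contents, are my own assumptions. Copying the result into the system etc directory is left to the administrator, since that step needs elevated privileges.

```python
"""Build, check and undo the one-line hosts-file change used for the Shibboleth test."""
from pathlib import Path

# Addresses and host name exactly as given on the page.
PROD_IP = "130.132.35.36"
TEST_IP = "128.36.64.90"
IDP_NAME = "auth.yale.edu"
# Assumed tag appended to the test line so restore() can find it without touching anything else.
MARKER = "# shibboleth-preprod-test"


def parse_hosts(text):
    """Yield (ip, [names]) for every non-blank, non-comment line; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        yield ip, names


def lookup(text, name):
    """Resolve a name the way the OS resolver reads hosts: first match wins.
    Returns None when hosts has no entry, i.e. the query would go on to DNS."""
    for ip, names in parse_hosts(text):
        if name.lower() in (n.lower() for n in names):
            return ip
    return None


def make_test_copy(saved_text, ip=TEST_IP, name=IDP_NAME):
    """Return the saved hosts content with the single test line appended.
    Refuses to add a second entry for the name: a duplicate would be silently ignored
    by the resolver (first match wins) and would make the test result misleading."""
    if lookup(saved_text, name) is not None:
        raise ValueError(f"{name} is already mapped in this hosts file")
    body = saved_text if (saved_text.endswith("\n") or not saved_text) else saved_text + "\n"
    return f"{body}{ip} {name} {MARKER}\n"


def restore(test_text):
    """Remove only the tagged test line, leaving every other line byte-for-byte intact."""
    return "".join(
        line for line in test_text.splitlines(keepends=True)
        if not line.rstrip().endswith(MARKER)
    )


def write_test_copy(saved_dir, test_dir):
    """Write test/hosts from saved/hosts (the page's two-subdirectory layout).
    The privileged copy into the system etc directory is deliberately not done here."""
    saved = Path(saved_dir) / "hosts"
    test = Path(test_dir) / "hosts"
    test.parent.mkdir(parents=True, exist_ok=True)
    test.write_text(make_test_copy(saved.read_text()))
    return test


# Constructed sample of a clean hosts file (comments and loopback only), not a real capture.
SAMPLE_SAVED = "# constructed sample hosts file\n127.0.0.1 localhost\n::1 localhost\n"

if __name__ == "__main__":
    before = lookup(SAMPLE_SAVED, IDP_NAME)          # None: name is left to DNS
    test_copy = make_test_copy(SAMPLE_SAVED)
    after = lookup(test_copy, IDP_NAME)              # "128.36.64.90"
    print(f"before: {before}  after: {after}  restored cleanly: {restore(test_copy) == SAMPLE_SAVED}")
```

The tag is what makes the restore step safe to script: without it you would have to compare against the saved copy, and an administrator who edited the live file for some other reason between steps would lose that edit.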
What happens if you do not restore the original copy of the file? The pre-production version of Shibboleth is protected by the same security as production Shibboleth. It is just changed more easily and quickly. Unfortunately, there are a few other applications that you can access that appear to be on the "auth.yale.edu" server, but only Shibboleth (that is "https://auth.yale.edu/idp") is supported by the test machine at 128.36.64.90. So if you leave the test configuration in place, and then a few days later you accidentally use some application that was configured years ago to use an obscure alias of CAS such as "https://auth.yale.edu/cas", then that CAS URL will not be found. So generally it is a good idea to run one quick test and put things back to normal.
Security
The hosts file has been in every system that uses the Internet. On Windows it goes back at least as far as the mid-1990s. What we are doing here was once very common.
Then malware came along, and today a lot of malware programs try, among other things, to change the hosts file. So this file is somewhat more carefully protected, and it is certainly regarded as evil for some program to try to change it behind your back. If you go to edit the file, and you did not make any intentional changes, and it is full of non-comment lines, then you may have been hacked.
So today we regard it as unfortunate that this test cannot be performed easily without changing the hosts file. Twenty years ago such a change would have been routine, but now because of the common association with malware, we try to leave the hosts file alone when possible.
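The check described above ("full of non-comment lines you did not add") is easy to automate. The following is an added example, not code from the page: it parses a hosts file, ignores the loopback defaults, recognises the one override this page tells you to add (and reminds you to restore it), and reports every other active mapping for a human to explain. The allowlist of loopback names, the sample file, and the reserved example addresses in it are my own constructed assumptions; a Debian-style "127.0.1.1 hostname" line, for instance, is legitimate and would be reported as something to add to the allowlist.

```python
"""Audit a hosts file: report every active mapping that is not a loopback default."""
import ipaddress

# Names that ship in a clean hosts file on Windows and Unix (assumed allowlist; extend locally).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
# The one deliberate override this page describes, keyed by (address, name).
KNOWN_OVERRIDES = {("128.36.64.90", "auth.yale.edu")}

REASON_OVERRIDE = "test override still in place; copy the saved hosts file back"
REASON_UNEXPECTED = "unexpected mapping"
REASON_LOOPBACK_ALIAS = "non-default name mapped to loopback"
REASON_BAD_ADDRESS = "unparseable address"


def active_entries(text):
    """Return (line_number, ip, [names]) for every non-blank, non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def audit(text):
    """Return a list of (line_number, ip, name, reason) findings; an empty list is a clean file."""
    findings = []
    for lineno, ip, names in active_entries(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, " ".join(names), REASON_BAD_ADDRESS))
            continue
        for name in names:
            key = (ip, name.lower())
            if addr.is_loopback and name.lower() in LOOPBACK_NAMES:
                continue                      # the defaults every clean file carries
            if key in KNOWN_OVERRIDES:
                findings.append((lineno, ip, name, REASON_OVERRIDE))
            elif addr.is_loopback:
                # A non-default name pointed at loopback is how a mapping silently blocks a site.
                findings.append((lineno, ip, name, REASON_LOOPBACK_ALIAS))
            else:
                findings.append((lineno, ip, name, REASON_UNEXPECTED))
    return findings


# Constructed sample, not a real capture: loopback defaults, a forgotten test line, and a
# mapping nobody added on purpose (203.0.113.0/24 and example.com are reserved for documentation).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
128.36.64.90    auth.yale.edu   # left over from a test run
203.0.113.5     www.example.com
"""

if __name__ == "__main__":
    for lineno, ip, name, reason in audit(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} {name}: {reason}")
```

Run it against "C:\windows\system32\drivers\etc\hosts" or "/etc/hosts" after reading the file; an empty result is the normal state this page recommends returning to after each test.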
Is There Another Way to Do This?
All Browsers have an Advanced section of their Options where, under Network, you can configure a Proxy Server. A Proxy Server can be set up that points the "auth.yale.edu" name to the pre-production address. This does essentially the same thing, but uses only a temporary change to the Browser configuration instead of a change to the operating system.
However, changing the hosts file is easy to do and trivial to understand.