Janet Moonshot Pilot Participant Migration Guide
If your organisation was part of the Janet Moonshot Pilot and you would like to migrate your existing pilot infrastructure to Jisc Assent, please follow the below steps:
- Familiarise yourself with the Jisc Assent portal by reading the Jisc Assent Portal Quick Primer
- Log into the Jisc Assent Portal.
- Define your ID Provider and Service Realms.
- Define your domain constraints in the Service Realms section.
- Then email assent@jisc.ac.uk to have an Assent administrator approve your realms and constraints.
While you're waiting for your realms and constraints to be approved, download and re-import your new credential, and check your existing FreeRADIUS and TID configurations:
On Debian or Ubuntu:
- Update to the latest Moonshot packages by running
apt-get update, thenapt-get upgrade. You may need to refresh the repository's GPG key as per the announcement here. - As root, delete '/etc/freeradius/.local/share/moonshot-ui/identities.txt'.
- As freerad, import your new credential:
- Run
unset DISPLAY - Run
moonshot-webp -f credentials.xml - Check that the credential has been correctly imported:
cat /etc/freeradius/.local/share/moonshot-ui/identities.txt
- Run
- The trust_router setting in '/etc/freeradius/mods-available/realm' is now set to tr.moonshot.ja.net.
- The default_community setting in '/etc/freeradius/mods-available/realm' is now set to ov-apc.moonshot.ja.net.
- The rp_realm setting in '/etc/freeradius/mods-available/realm' matches the domain constraints and service realm that you created in the Jisc Assent portal.
- The trust_router_coi setting in '/etc/freeradius/sites-available/abfab-tls' is now set to ov-apc.moonshot.ja.net.
- The gssname setting in '/etc/default/trust_router' is now set to trustrouter@ov-apc.moonshot.ja.net.
On RedHat, CentOS or Scientific Linux:
- Update to the latest Moonshot packages by running
yum update. You may need to refresh the repository's GPG key as per the announcement here. - As root, delete '/var/lib/radiusd/.local/share/moonshot-ui/identities.txt'.
- As radiusd, import your new credential:
- Run
unset DISPLAY - Run
moonshot-webp -f credentials.xml - Check that the credential has been correctly imported:
cat /var/lib/radiusd/.local/share/moonshot-ui/identities.txt
- Run
- The trust_router setting in '/etc/raddb/mods-available/realm' is now set to tr.moonshot.ja.net.
- The default_community setting in '/etc/raddb/mods-available/realm' is now set to ov-apc.moonshot.ja.net.
- The rp_realm setting in '/etc/raddb/mods-available/realm' matches the domain constraints and service realm that you created in the Jisc Assent portal.
- The trust_router_coi setting in '/etc/raddb/sites-available/abfab-tls' is now set to ov-apc.moonshot.ja.net.
- The gssname setting in '/etc/sysconfig/tids' is now set to trustrouter@ov-apc.moonshot.ja.net.
Once your realm and domain constraints have been approved (in the portal they will no longer show a warning triangle next to them), you can run the TIDC tests again. Please note that your trust router is tr.moonshot.ja.net and the APC is ov-apc.moonshot.ja.net.
To test your basic trust router connection: tidc tr.moonshot.ja.net [your rp_realm] ov-apc.moonshot.ja.net ov-apc.moonshot.ja.net
To test connection to another ID Provider: tidc tr.moonshot.ja.net [your rp_realm] dev.ja.net ov-apc.moonshot.ja.net
Note: Even if you only provide an ID Provider at the moment, i.e. you do not have a Moonshot service, you must still have a Service Realm for the ID Provider to use. Without a Service Realm, the ID Provider will not be able to identify itself to Jisc Assent.
