Sunday, March 30, 2008

Söll

Hooray, skiing!

We drove North from Venice. The satnav found it a little challenging - sometimes suggesting that our preferred route included unsealed roads, sometimes getting confused on hairpin bends, and telling us that we should "turn around when possible". The navigation was a combination of following signs and following the machine's directions. It meant that we didn't take the shortest route, but it was scenic. We came across a couple of Italian ski resorts, where people were skiing down to the road's edge. And the general mountain views were quite spectacular.

We drove through Kitzbühel, Kirchberg, Westendorf, Wörgl, and finally made it to Pension Klammerhof, a farmhouse on the outskirts of the village of Söll. The family was very friendly - only Mother spoke English.

The first activity was tobogganing. We headed off to the back paddock, and had an exhausting but fun time for nearly an hour. Then we decided to drive into Söll itself to see if any ski hire places were still open at 6pm, and also to find some dinner. We ended up in another guest house where they usually only serve their guests, but found space for us.

Thursday was a skiing day. Our hosts lent us a pants & parka set, which was very friendly. It seems that hiring clothes is not the done thing in Austria. So we purchased a couple of sets of ski pants, and hired skis, poles, and boots, bought lift tickets, and headed half way up the hill in the gondola. Caught a chairlift up, and found our way down a beginner/intermediate run. It was challenging for all of us - particularly holding Helen between my legs. Decided to take the gondola to the very top. But when all the runs from there turned out to be advanced, most of us sensibly took the gondola back down. The steep bumpy slope wasn't the best way to warm up or recollect all those tips from lessons past.

We decided that a lesson for the girls was definitely in order. It was the last day for any ski school in Söll, so there wouldn't be many further opportunities. This introduced a sudden requirement for cash, which could only be met by taking the lift to the bottom, clomping all the way to the car, driving to the ATM, driving back, and gondola-ing up again. I only just made it in time for the girls to join a lesson. Joanna and I managed to explore some nice runs in the two hours before collecting the girls at 3:30. We did some easy runs together, and then tried to ski home on an intermediate run. I'm sure it was excellent physical training (with plenty of "gain") getting us all down.

For dinner, we walked to the restaurant three houses away. There was schnitzel for the girls, and Kalbshaxe(?) (a pork joint) to share for the adults. Very filling. And banana splits for dessert.

Friday morning, we decided that Westendorf was an enticing place, with more chance of a ski-school than Söll. So after getting ready, we zoomed off, and made our way without maps or navigational aids to the ski lift there. Just as we started to put boots on, we realised that our boots were back in the drying room at Pension Klammerhof. I don't think we've ever had to drive ourselves to a ski lift before, so we'd never had to remember to pack the boots. After collecting them, making another 20 minute drive into the next valley to Westendorf didn't seem sensible, and as our hosts had suggested that Scheffau (the next village in the other direction) was a good base for child-friendly skiing, we went there. It was true - we had a lovely day, exploring many of the runs. By late morning, we had found the Helen Hill, labelled as an intermediate run, that we could all enjoy. We ventured to the next valley by interconnecting lifts and runs, and almost found ourselves in the village of Brixen im Thale. But the best snow was on the north-facing slopes of Helen Hill.

We had arranged to patronise the same restaurant as the previous night, this time for Fondue. We had a dish of molten cheese, and one of oil for cooking the meat (chicken, pork, beef, and mushroom). It was more of a novelty than a delicacy, but we had a good time. And we even managed to squeeze in a dessert. There was a certain lack of self control as far as diet was concerned. Lunch on the slopes had been almost unnecessary - but our selection of pancake soup, spaghetti bolognese, wiener schnitzel, and sausage & bread was quite tasty too.

On Saturday morning, we remembered the boots from the ski room, and headed off to Westendorf. Unsurprisingly, the lift system had changed. The gondolas allowed people in/out at a Mittelstation, which seemed like a fancy piece of engineering. We stayed in until the top, and then warmed up on the Talkaser slope. (I can't see that name without thinking of Islay and Jim.) It was labelled intermediate too, and set a few nerves on edge initially, but soon became the day's favourite. We explored to the edges of the Skiwelt area, over towards Kirchberg and Kitzbuhel, but found that many of those intermediate slopes were beyond the level of confidence (although not competence) of the family as a whole. A couple of attempts to point skis in the direction of a gluhwein spot we'd seen from the chairlift were unsuccessful, so we ended up back at the top of the main Westendorf Alpenrosenbahn gondola for lunch. Again, there was a slight overindulgence, this time incorporating the longed-for gluhwein, as well as a Germknödel that had provoked some curiosity the previous day. After lunch, we explored the top half of the southern slope's Westendorf anschluss (home trail), but discovered that it was at the advanced end of the rather wide spectrum that could be called intermediate. The two youngest seemed to show very little sign of nerves. Perhaps they don't have the self-preservation instinct yet. Although challenging, the snow was rather sloshy, so we felt that we could reasonably avoid making any further adventures there. Most of the afternoon was spent around the Talkaser (not Talisker) slopes, and then we (like most others) resorted to taking the lift down at the end of the day, which was also the end of the skiing.

In future, if I had a car, I'd be happy to stay at any of the villages in the Skiwelt area. There's good variety, with inter-linking trails (all on one lift ticket). I still have memories of a long (8km?) but very scenic road/trail from Kitzbühel to some spot where one had to be rescued by bus. I didn't notice such a run here, so maybe we'd have to try going back to Kirchberg/Kitzbuhel sometime. Or maybe, by the time we get back, both Kitzbühel and Skiwelt will be accessible on the same lift ticket. Skiing in Tirol is certainly much more scenic than any Australian resort I've seen. The long stretches of valleys, the jagged alps, and the little villages add a lot to the experience.

We had a chat with our hosts about the best thing to do on Sunday. We had thought about exploring some parts of the German Alpenstrasse, including Füssen and Neuschwanstein/Hohenschwangau, but it seems there would not be enough time for this, so we will explore some different Ludwig schloss-heritage, in the Chiemsee.

Thursday, March 27, 2008

Venice

Left Ljubljana at about 8:40, having bought groceries. Oh, should have mentioned the Slovenian wine, made by Dolfo in Kakovostno, a 2002 Cabernet Sauvignon. Quite good for one of these cold climate places. Snow had fallen last night, took some photos from the car. No border formalities - very different from the Hungary/Croatia and Croatia/Slovenia borders. Did have to pay motorway tolls in various places though.

Since it's a working day, called Budget and Opel about the oil light that was coming on in the car. It wasn't the red light, only the yellow one. The book indicated (in what German I could understand) that it was only a warning, not an urgent problem. We'd checked the oil when it came on yesterday, and the level was exactly half way between minimum and maximum. And the light only came on after driving a couple of hours. They didn't offer any advice - only wanted to inspect the car. So we had to wait until we were parked, so that they could call the Italian auto club. Eventually, we made it to Venice, and arranged to have the auto club come. We made arrangements for contacting/meeting, and the girls went off with the camera, while I waited with the car to meet the mechanicco. Nobody in the car parks spoke any more English than was functionally necessary for 95% of their job, and my Italian was worse (verging on non-existent!), so it was a little disastrous. I moved from an expensive carpark to a cheaper one.

Eventually, the mechanic arrived. When he found that the car didn't have a flat battery, and could be started, he was surprised, but asked me to fetch it (from upstairs in the car park). My worst thoughts were realised when he motioned for me to drive the car onto his tow-truck. We drove to the nearest Opel dealer - about 10km back onto the mainland. We arrived at about 12:20, and it became apparent that the service department only opened after lunch at 2pm. So I had the pleasure of spending my Venetian lunch hour sitting in the car in a car yard, reading a book. Eventually, I found my way into the service area. Of course, none of them spoke English either. After much motioning, pointing to pictures in the book, and attempting to get people to understand foreign languages, and the service people finding an equivalent chapter in an Italian book, they convinced me that it wasn't a problem with the oil, but a problem with the sensor. So I should just keep driving. So then I had the opportunity to navigate myself (with the satnav!) back to Venice. I guess it's better to check these things out, but it felt like a big waste of four daylight hours.

So Joanna, the girls, and the camera took the bus-boat to Piazza San Marco, and went exploring through the streets(?) and gelateria while they waited. Eventually we found each other amongst the crowds in the square. We took a boat out to the San Giorgio Maggiore church, and then the lift up the tower, from where we could look back at the main Venice island. It was very pleasant, especially with the snowcapped Dolomiti in the (distant) background. I've got a 10-image stitch, but it's too big for the blog.

Saturday, March 22, 2008

Salzburg

Well it seems like ages since I last wrote to you. What's happened since 12 March? Well I've been to visit people at Newcastle University, and had some very enjoyable discussions about information security and economics, and also about formalisation of dynamic coalitions. I've also visited Birmingham University, and met some nice people there.

Also, Michael, my co-conspirator from the Bass department back at home is visiting the UK. We managed to synchronise a visit to Worcester Cathedral for a Maundy Thursday "pedilavium" ceremony last night. It was interesting to hear about progress with St John's - the towers are now topped with spires, it seems. And maybe there are even more ambitious plans afoot?

But the main news is undeniably the beginning of our European holiday. We managed to leave home before 4:30am this morning, and to navigate to Coventry airport without any paper map. There were some terribly amicable discussions about how to use the satnav machine, but we got there in the end. The passenger facilities there aren't amazing, but ok for cheap flights. Each piece of hand baggage and the single checked bag were weighed, and although the total weight was ok, we had to do some minor redistribution to meet various requirements. The strong wind, rain, and even lightning observed during the car part of the journey didn't seem to hang around long enough to affect the flight, although the gusty cross-wind on take off caused audible concern amongst several passengers.

But the strong winds pushed us faster and faster towards Salzburg. The snow was falling as we walked to the terminal - a magical beginning. After collecting the hire car, and paying higher insurance for the whole trip because we dared to venture into the Eastern wilds of Hungary and Slovenia, we were off. But we decided to go back to the car park again, and try to set up the car computer to speak to us in English, and set up the GPS to direct us sensibly to Hallein's Salzwelte (Salt World) tourist attraction. After a short intermission, and a misguided tour around some suburbs waiting for the satellite reception to synchronise, we were on our way.

Only one wrong turn marred our journey to Salzwelte. We had some lunch (nice pancake soup - must try this at home one day, plus regular noodle soup and hamburgers) before venturing underground on train rides, a boat ride, and slides. I'll try to upload a photo taken during one of the slides - Helen's face is rather expressive! After that, we checked into our hostel, and went for a walk around the city - seeing a Cathedral, a church, and a market (where we bought bread, ham, cheese, strawberries, and apples for lunch), and then going up the funicular to the castle. We had a rather nice dinner at the top of the mountain, where I also took a few panoramic photos that I plan to stitch together (and post here one day!). The 2004 St Laurent wine, from the Glatzer winery in Carnuntum (near Vienna) proved delicious. I'd never heard of a St Laurent grape, and it was 32 euro, but the waiter commented that it was an extremely wise choice, and that it would improve after 10 minutes of being opened. I couldn't resist that sort of patronisation, so we ordered it, but asked to keep the cork - we would make it last for 2 nights. But the cork wasn't necessary after all...



At the moment, the girls are all off watching The Sound of Music (screens every night here), while I'm going to catch up on sleep before our big drive tomorrow. I had expected to be able to connect to my mobile broadband here, but didn't manage it. Instead, the rather civilized hostel is providing free wireless. Marvellous, really. I don't suppose it will happen too often on the trip, so I'll make the most of it while I'm here. Luckily, I can compose blog entries without being online! Have to let the computer charge now, so that it will be ready to occupy children tomorrow on the long drive. And we want to recharge the camera batteries too.

Happy Easter to all readers!

Wednesday, March 12, 2008

Surprise

I thought it was interesting to find a Formal Theory of Surprise. I must read it some time. I found it when I was looking at surprise in complex systems - the topic of this book, which I'm also going to try to read. I might find myself in a university library soon.

Sunday, March 9, 2008

Goodrich, Brockhampton, Greyfriars

You might get the impression that all we do is jet around to exotic locations. Well, it's not strictly true, because sometimes we just drive. We can even walk! So here's a few pictures from some visits over the last couple of weeks. First, there's the time Joanna, Berenice, and Christopher went to Goodrich Castle, near Ross-on-Wye on the Welsh border.


Then, there was a family visit to a not-quite-so-ruined Lower Brockhampton Manor. Apparently the National Trust caretaker still lives in the back part of the house. It's set on 1000 acres and has several walks through various woods, although it was too chilly for us. (We spent a little while in the tea house. Unfortunately the person in front of us bought the last scones, so we had to cope with apple pie, chocolate fudge cake, and the like.) The house is surrounded by a little moat, with entrance through a quaint gatehouse. There was also a stable full of cows that Christopher liked watching.

Yesterday, Joanna and Christopher went to Worcester to visit Greyfriars, another National Trust place.

And Christopher had dinner on Wednesday evening. Oh, and I thought we'd better have an "early spring" photo of one of the flowering shrubs in our yard.

Saturday, March 8, 2008

Blog editors

Well you can see that I've been playing around with a rather large entry recently. It got me onto the idea of using some blog editing software - might make the pictures and wysiwyg stuff a bit easier too. How hard can it be? I consulted a list of Top 6 Free Desktop Blog Editors and a Blog Clients Review.

Tried Windows Live Writer. It kept trying to install other parts of Windows Live, and wanted to install itself as a Windows Update. I don't want something like that burying itself so deeply in my system, so I gave up.

Tried W.Bloggar - but it only has an HTML editor. That's not what I want. And it wouldn't keep a list of recent posts.

Tried Bleezer. When I unzipped it, it came out as a file that wanted to be encrypted, and my machine started warning me to backup my encryption keys. Scared me off! I think I had a quick go at using it too, but didn't get past the logging into the blog.

Tried Qumana. Seemed to rate well. It detected my blog nicely, but then froze. I couldn't get it past the splash screen. Seems many others have this problem. I reported it to the Qumana people, but we'll see what happens.

Tried BlogDesk. Doesn't work with Blogger.

Tried ZoundryRaven. Detected the blog, but had a few runtime errors. Wouldn't download any existing blog postings.

Tried Post2Blog. Clicked on the download button, but this software wasn't available any more.

Tried Semagic. Took me a good half hour of googling to be able to connect it to Blogger - not very helpful community (probably a bad sign). I saw a list of lots of previous posts, and could edit them, but only in HTML. Perhaps I can create new posts wysiwyg-ly, but that's not enough.

Tried ScribeFire. It's a firefox plugin, which isn't really what I wanted, but maybe. Discovered my blog nicely, and downloaded the 10 most recent posts. While ScribeFire was open, I posted a version of this entry, and then I couldn't get ScribeFire to notice the change. Minor point, though. I found it difficult to cope with the image upload process though. Difficult enough that I decided to try Windows Live Writer (WLW) again.

WLW was possibly the nicest interface I've seen so far. Once I accepted the fact that I'd need a Picasa web album set up, the image upload was smooth, too. Unfortunately, although it stores both thumbnails and bigger images on the Picasa, it doesn't work as nicely as when I upload the pictures directly in Blogger. I like to be able to click on a thumbnail and see the bigger image. With WLW, if I click on a photo, it just offers a chance to download the picture. Not what I want at all. So I've uninstalled Windows Live Writer. And the Windows Live Sign-in Assistant. And the Windows Live installer. (And you have to accept that it's an "unknown publisher" when you want to uninstall - much riskier than installing, apparently.)

Current plan is to use the Blogger web interface to upload photos, and then try editing text/layout in ScribeFire.

2008-03-14 Update: ScribeFire 1.4.7 now claims to support native Blogger image upload. This could be good.

2008-03-31 Tried the image upload (in 1.4.8). Unfortunately, same problem as WLW - no thumbnail function.

Weather

We've been having rather changeable weather here for the last week. It's been rather cool, with sunny spells, cloudy periods, rain showers, drizzle, and today saw the week's second hailstorm. It was very tiny hail - almost rice-grain sized, I suppose. I started to wonder about the differences between hail and sleet, and with Google in front of me, quickly found myself metaphorically flooded with precipitous vocabulary.

Tomorrow sees Steph on an outwards sleepover, with Helen hosting an inwards sleepover. I'd best get up some sleep credit now, I suppose.

Friday, March 7, 2008

Virgin Wines

Somehow I ended up as a prospective customer on the Virgin Wines list. It may have been something to do with a discount voucher that I got from an online book purchase through Amazon or Book Depository (which I recommend). Not that I'm complaining. I'm happy to subscribe to lists, as long as I can unsubscribe when it's no longer interesting.

So I received an email from RowanG, the founder of Virgin Wines, that started:
I am not a sensitive person by nature, but I have to say that I am feeling a little hurt. You came to visit our site, but as yet, you have not bought anything.

So, I’d like to make you an offer you can’t refuse.

For this week only, I'm offering you your first, trial, Discovery Club case HALF PRICE at just £39.99 (that's a ridiculously low £3.33 a bottle!). Plus, two FREE gifts, worth £35. That's an overall saving of £75.
and ended
Still not sure?

What is the worst thing that can happen? If you don't like the wines, I promise to refund you instantly, without any fuss whatsoever. If you agree that these wines are a big step better than you can get in the supermarket, you can look forward to a lifetime of feeling superior to non-members.
So, I signed up. A few days later, I had a case with 3 each of:
- 2006 "McPherson's Paddock" McLaren Vale Merlot;
- 2006 Du Clos "Les Garriques" from Coteaux de Languedoc;
- 2006 Tokerau Cabernet Sauvignon from Rapel Valley, Chile; and
- 2001 Castillo de Anna "Gran Riserva" from Valencia.

I've tried one of each of them now (in the order listed). I didn't take careful notes of the first two, but since there are two more bottles of each, there'll be a chance for me to add the details into this post later.

Last night, I opened the Tokerau. I'm not sure if it was just the bottle I chose, or the whole batch (I didn't open the other two), but I'm going to send it back. There was no body, and almost zero fruit. The only real scent was a hint of acetone.

I couldn't leave that taste in my mouth, so I opened the Castillo de Anna. What a contrast - body, fruit, berries... that bottle didn't last long at all. I'm not quite sure what the returns arrangement is going to be, but if they want to replace the Tokerau with three more of this one, I'll be satisfied.

Stay tuned for further updates.

Setting up Shibboleth Identity Provider on Windows XP (Part 1)

I'm setting up a small Shibboleth Identity Provider to test some ideas. Although I plan to use virtual ubuntu servers eventually, I'm using Windows for now. The official guidance from Internet2 is written for Linux, and is a little terse, so I thought I'd try to document the process carefully in case it helps anyone else (or in case I need to do it again!).

Most of the differences that I've found relate to paths - where things are stored on Windows, and the silly spaces that Microsoft loves in filenames. The jsp-examples path seems to be examples/jsp on my version of Tomcat.

Basic Installation of Apache HTTPD, Tomcat, Java



1. Download the latest Apache2.2 and do a "typical" install, accepting all default options. I used version 2.2.8

2. Download the latest Java SE JDK, and do a "typical" install with default options. I used version jdk-6u5

3. Download the latest Tomcat, and install with all defaults, except install the Examples as well. My version was 6.0.16. I had to supply an administrator password during installation. I noticed that it proposed an HTTP connector at port 8080.

4. Download the mod_jk. (This lets Apache talk to Tomcat.) I selected win32, jk-1.2.26, and then found the "so" file mod_jk-1.2.26-httpd-2.2.4.so. Save or copy this file into C:\Program Files\Apache Software Foundation\Apache2.2\modules, renaming it to mod_jk.so (the name that the LoadModule line in the next step expects).

5. Create the file C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra\mod_jk.conf with the following contents. Note that the last two lines show URL pathnames that will be routed to Tomcat.

<IfModule !mod_jk.c>
LoadModule jk_module modules/mod_jk.so
</IfModule>
JkWorkersFile "C:/Program Files/Apache Software Foundation/Tomcat 6.0/conf/workers.properties"
JkLogFile logs/mod_jk.log
JkLogLevel emerg

# URL paths that Apache hands over to Tomcat via the ajp13 worker
JkMount /shibboleth-idp/* ajp13
JkMount /examples/* ajp13
6. Create the file C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf\workers.properties with the following contents:

# Define 1 real worker using ajp13
worker.list=ajp13
# Set properties for the ajp13 worker
# (the type line must be on its own line; if it is run together with the
# comment above, mod_jk treats it as part of the comment and the worker has no type)
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=50
worker.ajp13.cachesize=1
worker.ajp13.cache_timeout=600
worker.ajp13.socket_keepalive=1
worker.ajp13.recycle_timeout=300
7. Include the new mod_jk.conf into the main conf, by appending the following lines to C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf :

# Add mod_jk settings for shibboleth IdP
Include conf/extra/mod_jk.conf


8. Test that Apache starts, using the Apache Service Monitor, which is accessible from one of the feather icons in the System Tray (there's one for Apache HTTP server, and one for Tomcat). If there is a typo or some other problem, you'll see a dialog box saying "The requested operation has failed!", with no indication about the error. You can find the error by Start > All Programs > Apache HTTP Server 2.2 > Configure Apache Server > Test Configuration. This will show a command window with any errors -- for about 30 seconds: enough time to work out what the mistake is.

9. Test that your browser can get to the Apache, by navigating to http://localhost/ . You should see "It works!" in the browser. (This file is C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\index.html)

10. Start Tomcat (using the other feather in the system tray).

11. Check that Tomcat is working by browsing http://localhost:8080/ and http://localhost:8080/examples/jsp/ (note that this path is different from that suggested by Internet2's guidance: localhost/jsp-examples/)

12. Check that the mod_jk connector is working by browsing http://localhost/examples/jsp/

13. To be able to browse these from a different machine, you'll need to make sure the Windows Firewall lets through the right connections. In Control Panel, choose Windows Firewall. On the Exceptions tab, you'll need to "Add Port..." to enter HTTP on port 80, and then again for SSL on port 443. On the Advanced tab, look at the ICMP settings, and tick "Allow incoming echo request" (the top option).
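Before restarting Apache in step 8, it is worth checking the workers.properties file from step 6 mechanically, because a setting that has been run onto the end of a comment line (a common copy/paste accident) is silently ignored by mod_jk and the worker then has no type. The following Python script is an added example, not part of the original post or of the Shibboleth/Internet2 material; it parses the key=value format, checks that every worker in worker.list has a type, host and port, and warns when a comment line appears to contain a setting. The two file bodies inside it are constructed samples that mirror the step 6 file, and the loopback-host check reflects my own assumption that the AJP link should stay on the local machine in this setup.

```python
"""Added example (not part of the original post): validate a mod_jk
workers.properties file before restarting Apache.

Assumptions (mine, not the page's): the file uses the plain key=value
format that mod_jk reads, and every worker listed in worker.list needs at
least a type, host and port. The two file bodies below are constructed
samples that mirror step 6 above; they are not copied from any system.
"""
from typing import Dict, List, Tuple

REQUIRED_KEYS = ("type", "host", "port")
LOOPBACK_HOSTS = ("localhost", "127.0.0.1")


def parse_workers(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse key=value lines; return the settings and any parse warnings.

    A line that starts with '#' is a comment. If such a line also contains
    'worker.' and '=', a setting was probably glued onto the comment by a
    lost line break, which silently disables that setting, so report it.
    """
    settings: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if "worker." in line and "=" in line:
                warnings.append(
                    f"line {lineno}: setting hidden inside a comment: {line!r}")
            continue
        if "=" not in line:
            warnings.append(f"line {lineno}: not a key=value pair: {line!r}")
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings, warnings


def check_workers(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file looks sane."""
    settings, problems = parse_workers(text)
    names = [n.strip() for n in settings.get("worker.list", "").split(",")
             if n.strip()]
    if not names:
        problems.append("worker.list is missing or empty")
    for name in names:
        for key in REQUIRED_KEYS:
            if f"worker.{name}.{key}" not in settings:
                problems.append(f"worker {name!r}: missing worker.{name}.{key}")
        port = settings.get(f"worker.{name}.port")
        if port is not None and not port.isdigit():
            problems.append(f"worker {name!r}: port {port!r} is not numeric")
        host = settings.get(f"worker.{name}.host")
        # AJP carries the user identity that Apache authenticated, so the
        # Tomcat side should be the same machine unless the link is protected.
        if host is not None and host not in LOOPBACK_HOSTS:
            problems.append(
                f"worker {name!r}: host {host!r} is not loopback; AJP traffic "
                "would cross the network")
    return problems


# Constructed sample reproducing the step 6 file with the comment and the
# type line run together (the type setting is then part of the comment).
BROKEN_WORKERS = """\
# Define 1 real worker using ajp13
worker.list=ajp13
# Set properties for the ajp13 workerworker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=50
"""

# The same file with the line break restored.
GOOD_WORKERS = """\
# Define 1 real worker using ajp13
worker.list=ajp13
# Set properties for the ajp13 worker
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=50
"""

if __name__ == "__main__":
    for label, body in (("broken", BROKEN_WORKERS), ("good", GOOD_WORKERS)):
        print(label, check_workers(body) or "OK")
```

Run it as a script to see the broken sample reported and the good one pass; to check a real file, read it with open() and pass the text to check_workers before you restart Apache.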

Set up SSL



Note: this section describes how you can get a test implementation of SSL running quickly. You would be unwise to rely on these instructions for "production" systems. For reference info about openssl and keytool, I recommend this guide. There's also some guidance from apache.

1. It would be nice to use java's keytool, but I don't think it quite does everything we need, so best to use openssl. You could download and compile it all from there, but the nice people at Shining Light Productions have made an easy to install version. The Win32 OpenSSL Light version is sufficient. Download and install with defaults. It may ask about having to overwrite a couple of files (libssl32.dll and libeay32.dll). I kept backups of the originals, and made the libeay32.dll file not-readonly (right-click, properties) for this to work.

2. Add c:\openssl\bin to your path. Windows-break (System properties) > Advanced tab > Environment Variables. Double click on Path, and then at the end of the "value" box, add a semicolon (path separator) and c:\openssl\bin.

3. Start a command prompt (Windows-R cmd), and cd C:\Program Files\Apache Software Foundation\Apache2.2\conf.

4. Generate a private key (in server.key) and self-signed certificate (in server.crt) by typing

openssl req -new -x509 -nodes -out server.crt -keyout server.key

You'll need to supply various information about your server's identity. The common name should ideally be your computer's hostname.

5. Open the httpd-ssl.conf file in C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra and check that the SSLCertificateFile and SSLCertificateKeyFile directives point to the files you've just created. Make sure they are uncommented.

SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.crt"
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.key"
6. In the main httpd.conf file (in C:\Program Files\Apache Software Foundation\Apache2.2\conf), uncomment the "Include conf/extra/httpd-ssl.conf" directive. Restart Apache. If it fails to start, use the Start > All programs > Apache HTTPD Server 2.2 > Configure Apache Server > Test Configuration to debug.

7. Test Apache SSL, by browsing to https://localhost/ (and finding "It works!"). You should find that your browser doesn't accept the certificate by default. With IE, you can view the certificate, and then choose to install it, so that it will be accepted in the future. This takes a few clicks. You will probably find that you can't yet browse to https://localhost/examples/jsp/ , because although we've set up Apache SSL, we now need to set up Tomcat SSL.

8. Tomcat Native could use the same key & certificate files that we've already made for Apache, but we haven't installed Tomcat Native. (You might want to do so eventually for performance.) So we'll use the java keytool to make tomcat's keystore. Add C:\Program Files\Java\jdk1.6.0_05\bin to your path environment variable using the details in step 2 above.

9. Close any existing command window, and start another (to inherit the latest Path). Change to the tomcat configuration directory: cd \Program Files\Apache Software Foundation\Tomcat 6.0\conf and then enter the following command

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

You'll need to enter a password (twice), and the default tomcat one is "changeit". You'll need to enter all the same information as before, although in the opposite order! Instead of First and Last name, I'd suggest using the computer's hostname.

10. Edit tomcat's server.xml configuration file (from C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf). Look for the Connector that uses port 8443, and change it from this:

<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" />

to this:

<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="conf/keystore.jks"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

11. Stop tomcat and start it again. (If there are any errors, you should find them in the log file in C:\Program Files\Apache Software Foundation\Tomcat 6.0\logs. Look for the newest "catalina" file.) Try browsing directly to the Tomcat SSL port at https://localhost:8443/examples/jsp/ (you'll probably want to install the certificate again)

12. Finally, we need apache to be able to redirect SSL queries via mod_jk to tomcat. You'll know this works when you can browse to https://localhost/examples/jsp/ . I was stumped for a while, but the underpaid fellow who sits behind me (thanks Dave!) helped to discover that the httpd-ssl.conf file (in C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra) needs to have the two JkMount directives inside the <VirtualHost> block. The end of the block, with the two new JkMount lines added just before the closing tag, looks like this:

JkMount /shibboleth-idp/* ajp13
JkMount /examples/* ajp13
</VirtualHost>


Authentication



1. Modify Tomcat's server.xml (I set all xml files to open with Wordpad by default. At least until I install eclipse!). Tell tomcat that it can rely on authentication provided on this connector, and therefore that it should only accept local connections. Find the line that describes the AJP 1.3 connector

<!-- Define an AJP 1.3 Connector on port 8009
-->
<Connector port="8009" protocol="AJP/1.3"
redirectPort="8443" />

and replace it with

<!-- Define an AJP 1.3 Connector on port 8009.
     tomcatAuthentication="false" makes Tomcat accept the user name that Apache
     authenticated and forwarded over AJP (on Tomcat 6 the attribute is
     tomcatAuthentication; older JK configurations spelled it
     request.tomcatAuthentication). address="127.0.0.1" limits the AJP port to
     connections from this machine, so only the local Apache can supply that name. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           tomcatAuthentication="false" address="127.0.0.1" />

2. For now, we'll authenticate from a simple file. Later you may want to use LDAP or similar. In a command window, change to the Apache conf directory C:\Program Files\Apache Software Foundation\Apache2.2\conf. Enter the command
..\bin\htpasswd -c user.db myself
You will be asked to invent a password for the user "myself", and to enter it twice (htpasswd stores a hash of the password, not the password itself). The "-c" option creates the password database. The next time you use that command, omit the "-c", otherwise htpasswd will recreate the file and you'll lose any users you've already created. The Shibboleth IdP example script also creates an "alterego" user (for demo purposes).

3. Adjust Apache so that it authenticates users before handing the request on to Shibboleth. At the very end of the httpd.conf file (in C:\Program Files\Apache Software Foundation\Apache2.2\conf), add these lines. Note that <Location> takes a URL path argument naming the part of the site to protect (Apache will not start without one); step 4 shows the URL this block is meant to cover. Also, Basic authentication sends the password base64-encoded rather than encrypted, so on a real server this block belongs inside the SSL <VirtualHost> in httpd-ssl.conf, not at the end of httpd.conf where it also applies to plain HTTP.
# Location needs a URL path argument here, e.g. the path step 4 tests
<Location>
AuthType Basic
AuthName "Villain Verification Service (VVS)"
AuthUserFile conf/user.db
require valid-user
</Location>
4. Restart Apache, and then point your browser to http://localhost/shibboleth-idp/SSO . You should find that the system wants to authenticate you. If you make a mistake once or twice, you should get another chance. But entering a correct password should lead to a 404 error from Tomcat noting that the requested resource is not available (nothing is deployed at that path yet). If the request gets past Apache's authentication and reaches Tomcat, that's a success.
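Here is a small check for the two server.xml settings this walkthrough leans on: an added example written for this page, not code from the original post, from Tomcat or from Shibboleth. It parses a server.xml (the sample embedded in the script is constructed, modelled on the HTTPS connector above and the AJP connector from step 1) and reports an AJP connector that delegates authentication to Apache without being pinned to a loopback address, and an HTTPS connector still using the default keystore password. The sample and the function names are my own.

```python
"""Audit a Tomcat 6 server.xml for the two settings the walkthrough relies on.

Added example (not from the original blog post, Tomcat or Shibboleth):
- an AJP/1.3 connector with tomcatAuthentication="false" trusts whatever
  REMOTE_USER the AJP peer sends, so it must only listen on loopback;
- the HTTPS connector should not keep the default keystore password.
"""
import sys
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the connectors from the walkthrough, with the AJP
# connector left bound to all interfaces (no address attribute) and the
# default keystore password, so that the audit has something to report.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false" />
  </Service>
</Server>
"""


def _is_loopback(address):
    """True if the connector's address attribute pins it to a loopback address."""
    if address is None:
        return False  # Tomcat default: bind to every interface
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # unresolved host name: assume not loopback


def audit_server_xml(xml_text):
    """Return a list of (port, finding) tuples for risky connector settings."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        proto = conn.get("protocol", "HTTP/1.1")
        # Tomcat 5.5/6 spell it tomcatAuthentication; the old JK2 connector
        # spelled it request.tomcatAuthentication. Flag either spelling.
        delegated = (
            conn.get("tomcatAuthentication", "true").lower() == "false"
            or conn.get("request.tomcatAuthentication", "true").lower() == "false"
        )
        if proto.startswith("AJP") and delegated and not _is_loopback(conn.get("address")):
            findings.append((port, "AJP connector trusts REMOTE_USER from its peer "
                                   "but is not bound to a loopback address"))
        # Tomcat's built-in default for keystorePass is "changeit".
        if (conn.get("SSLEnabled", "false").lower() == "true"
                and conn.get("keystorePass", "changeit") == "changeit"):
            findings.append((port, "HTTPS connector uses the default keystore password"))
    return findings


if __name__ == "__main__":
    # Pass the path to a real server.xml, or run with no arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SERVER_XML
    for port, message in audit_server_xml(text):
        print("port %s: %s" % (port, message))
```

Run it with no arguments to see both findings on the sample, or point it at C:\Program Files\Apache Software Foundation\Tomcat 6.0\conf\server.xml after editing; it should print nothing once the AJP connector carries address="127.0.0.1" and the keystore password is no longer the default.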

You're now up to step 3 of the Internet2 instructions for installing the IdP. If you're in a hurry, you'll have to follow those instructions for now. I'll write more here when I can. One final note: the testshib site that they talk about only works if your system is contactable from the internet. If it's behind a corporate firewall, you may not have any luck.

Saturday, March 1, 2008

Am I prolific yet?

I'd just like to point out that this otherwise meaningless paragraph is entry number 100 on the blog. I'm sure none of my professional colleagues can believe I'd be this conscientious at writing reports. And let it be known that today I submitted a paper to a conference - I feel like a regular researcher again! Maybe if it isn't accepted, I'll have to come back and blot out that bit of the record.

The Prague Report

Four days might be too long, or maybe it was the wine. But the Prague memories are no longer fresh. (Note that "fresh" is a technical term in cryptographic protocol logics! Sorry.) Still, we have the photos to reinvigorate the recollections.

We (Joanna and I) walked out of the house last Friday morning, backpacks aloft, off to Prague. Well, across the common to the railway station, via a couple of trains to Birmingham airport, a pseudo train to the terminal, a plane to Prague, a bus almost to the metro line (we accidentally got off too early), a tram the rest of the way to the metro, and then the metro into the Centrum of town, and with a brief period of map orientation and re-orientation, we found our hotel. Quite easy, really, thanks to Brisbane friend Natasha, the guide book, and some Internet preparation.

Then we looked around Prague for a few days, then we came home by almost exactly the reverse route (except for the tram). A nice four days.

Well, maybe I need to give a bit more detail. The place was rather similar to Brugge - perhaps it was a little unfortunate that we visited one so soon after the other. There was architecture spanning the 10th to 20th (21st?) centuries, which was probably the main thing to see. The Vltava river and views from some of the parks were pleasant. The bridges, especially the Karlov Most (Charles IV Bridge) are a big feature. Our guided walking tour was interesting, informative, and humorous. Radek seemed quite bitter about the communist history, and was keen to describe how he had been standing just here in Wenceslas Square during the Velvet Revolution, and how the communists were such poor planners that the country would often run out of toilet paper for a month at a time.

We enjoyed trying lots of local goulashes: all the menus had standard international dishes - some with Italian specialties (pizza, pasta), some with steaks, but they all had a Czech Specialties section, which contained variations of 3 main meals: beef goulash, roast duck with cabbage, and roast pork with cabbage. And they all came with various types of dumplings - either made from bread or some kind of mashed potato. I found the goulash much nicer than anything involving sauerkraut.

The castle differentiated Prague from Brugge. We were told it is officially the biggest castle in the world, according to Guinness (the book, not the beer). Joanna doesn't think it's a real castle - it has lots of modernish buildings and even an enormous gothic cathedral inside.

There's a famous clock with a skeleton pulling a bell-rope signifying "time's up", and various evil types shaking their heads - since they've been doing this for 600 years, they must be winning - various apostles who show their faces in a couple of windows, and a rooster crowing. All the tours stop to look at it, and every hour there are hundreds of tourists all pointing their cameras and videos at it. Yes, we did too.

There were Romanesque (round) churches, gothic, baroque, and even modern ones. The stained glass in St Vitus' Cathedral (in the castle, at the top of the hill) was quite impressive, especially with the bright sunshine beaming through.

We managed to hear some nice music. Just by chance, we peeked into a church where they were setting up for a free concert. The little program promised Morales, Agostini, Sedm zamlù kajících, Soriano, and more Morales, so (being a fan of Spanish Renaissance music, especially Morales), even hunger pangs couldn't drag us out. We tried to choose a comfy pew, but it turned out to be right next to a chilly draught. We weren't exactly sure what a Postní pátky would be. The concert opened with a plainsong procession of 5 people (an ATBarB male quartet, and a priest). The musical items were glorious, the voices blending marvellously and resonating clearly through the marble building, but most of them lasted only 30-90 seconds. And between each one we had the privilege of listening to about 4-5 minutes of generic Czech readings, prayers, meditations, or something, from the priest in the pulpit. It did dilute the musical pleasure somewhat. I think Postní pátky is a Lenten meditation.

On Saturday night, we heard a concert from the Royal Czech Philharmonic orchestra playing Smetana's Die Moldau (just the one movement) and 3 movements from Dvořak's From the New World. It seemed a little "mass produced", which is hardly surprising given they play it every second night for the whole month, and probably every month.

Sunday night we heard an organist, a saxophonist, and a soprano, performing various duet arrangements of well known pieces (Bach, Mozart, etc) in the Clementinum chapel. Quite pleasant, a good voice, and a nice venue, but again the music lacked sparkle. Again, these people perform the same program many times during the month.

On Sunday, feeling that we'd covered the major spots in the city, we decided to venture further out. The Karlstejn castle had been our preference, but like several other non-core attractions, it was closed for the winter. We ended up visiting the Troja chateau after a metro and bus adventure. We had hoped to be able to wander around, but were led by a non-English speaking guide through one room at a time, given ample opportunity to admire the baroque/classical paintings in each room. It became a little tedious from my point of view. The brief time walking through the gardens and visiting the wine cellar (and paying for a tasting of some genuine Bohemian wines) ended up being the highlights. My choice for the afternoon was the modern art gallery. We saw impressionism, cubism, expressionism, and some really wacky stuff. Joanna enjoyed her conversation with this... sculpture? I can't say I understand a great deal of these periods, but my friend Maris seems to have taught me to enjoy looking at them.

It seems that Prague is popular as a destination for stag and hen parties - cheap booze is probably part of it. We noticed some of it, but it didn't seem to interfere with our tourism. And the weather was perfect too - it just started to drizzle as we headed home, but otherwise the whole weekend was bright and sunny.