[LON-CAPA-admin] Time to go to SSL connections
Guy Albertelli II
guy at albertelli.com
Fri Dec 17 13:00:00 EST 2004
Lon-capa 1.2 (and 1.3) supports ssl encrypted intra server
This is a key feature for improving the security of the system.
The procedure below is safe to do on active servers. It will require
no restarting of any services or processes, lonc and lond will notice
the ssl keys and start using them automagically.
It is likely that MSU servers will start refusing any connections from
non ssl servers sometime over the holidays.
And if all goes well 1.3 may have this as the default option.
1) get this script and place in /tmp
2) run it as www
IMPORTANT: When it asks for 'Common Name' please enter your loncapa
hostid (For example "msul1" or "fsul2")
(it will generate a private/public key pair, the private key will be
stored in /home/httpd/lonCerts/lonKey.pem
It will be set so that only www can read this file. You will want to
make sure this file stays secret)
3) the script will automatically send an email with your public key in
it to certificate at lon-capa.org so Lon-CAPA can sign it. Note that
the signing procedure involves a human being intervening so be
patient it may take a day or two to get back to you.
4) after signing you will receive an email at whatever email address
you specified in 2
5) save this email to a file, remove the headers from it and as www
run it. (It is a shell script that installs files.)
6) if it successfully completes you will have
/home/httpd/lonCerts/lonhostcert.pem (your signed public key)
/home/httpd/lonCerts/loncapaCA.pem (the public key of the Lon-CAPA
7) Now when your machine connects to another machine it will try to do
so over an ssl connection. You can verify this by doing
ps auxwww | grep lonc
You should see something like:
lonc: msul1 Connection count: 1 Retries remaining: 2 (ssl)
Where before you saw:
lonc: msul1 Connection count: 1 Retries remaining: 2 (insecure)
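An added post-install check, not part of the original post or of LON-CAPA itself: it confirms the private key at the path above is readable only by its owner, and, given `ps auxwww` output, counts and lists the peers whose lonc line still reports (insecure). The "no group/other permission bits" rule and the lonc line format are assumptions based on the post's own examples; the ps lines in the block are constructed sample data.

```shell
#!/bin/sh
# Post-rollout check for the LON-CAPA SSL setup (added example, not LON-CAPA code).

# Private key path from the post; its permission policy (0400/0600) is assumed.
LONKEY=${LONKEY:-/home/httpd/lonCerts/lonKey.pem}

# Constructed sample of "ps auxwww | grep lonc" output, one line per peer.
SAMPLE_PS='lonc: msul1 Connection count: 1 Retries remaining: 2 (ssl)
lonc: fsul2 Connection count: 1 Retries remaining: 2 (insecure)
lonc: msul3 Connection count: 2 Retries remaining: 2 (ssl)'

# key_perms_ok FILE -> exit 0 if FILE exists and has no group/other bits set.
key_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    # First 10 chars of "ls -l" are the type and permission string, e.g. -rw-------
    mode=$(ls -l "$f" | cut -c1-10)
    case "$mode" in
        -r??------) return 0 ;;
        *) return 1 ;;
    esac
}

# count_insecure_lonc < ps-output -> prints how many lonc lines are (insecure).
count_insecure_lonc() {
    awk '/^lonc: / && /\(insecure\)/ { n++ } END { print n + 0 }'
}

# list_insecure_peers < ps-output -> prints the hostid of each (insecure) peer,
# i.e. the servers whose certificates are still not in place.
list_insecure_peers() {
    awk '/^lonc: / && /\(insecure\)/ { print $2 }'
}

# Demonstration on the constructed sample; on a live server pipe "ps auxwww" in.
if key_perms_ok "$LONKEY"; then
    echo "private key permissions ok: $LONKEY"
else
    echo "WARNING: $LONKEY missing or readable by group/other"
fi
echo "insecure lonc connections: $(printf '%s\n' "$SAMPLE_PS" | count_insecure_lonc)"
printf '%s\n' "$SAMPLE_PS" | list_insecure_peers
```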
guy at albertelli.com LON-CAPA Developer 0-7-3-2-