[LON-CAPA-admin] Time to go to SSL connections

Guy Albertelli II guy at albertelli.com
Fri Dec 17 13:00:00 EST 2004


Hi All,

LON-CAPA 1.2 (and 1.3) supports SSL-encrypted intra-server
communication.

This is a key feature for improving the security of the system.

The procedure below is safe to do on active servers. It will not
require restarting any services or processes; lonc and lond will notice
the SSL keys and start using them automagically.


It is likely that MSU servers will start refusing any connections from
non-SSL servers sometime over the holidays.

And if all goes well 1.3 may have this as the default option.


1) get this script and place in /tmp
     http://install.lon-capa.org/resources/request_ssl_key.sh

2) run it as www
    su 
    su www
    cd /tmp
    sh request_ssl_key.sh

IMPORTANT: When it asks for 'Common Name' please enter your LON-CAPA
hostid (for example "msul1" or "fsul2").

(It will generate a private/public key pair; the private key will be
stored in /home/httpd/lonCerts/lonKey.pem.
It will be set so that only www can read this file. You will want to
make sure this file stays secret.)

3) the script will automatically send an email with your public key in
   it to certificate at lon-capa.org so LON-CAPA can sign it. Note that
   the signing procedure involves a human being intervening, so be
   patient; it may take a day or two to get back to you.

4) after signing you will receive an email at whatever email address
   you specified in step 2

5) save this email to a file, remove the headers from it and, as www,
   run it. (It is a shell script that installs files.)

6) if it successfully completes you will have 
/home/httpd/lonCerts/lonhostcert.pem (your signed public key)
/home/httpd/lonCerts/loncapaCA.pem   (the public key of the Lon-CAPA
                                      certificate authority)

7) Now when your machine connects to another machine it will try to do
   so over an SSL connection. You can verify this by doing

ps auxwww | grep lonc

You should see something like:
lonc: msul1 Connection count: 1 Retries remaining: 2 (ssl) 

Where before you saw:
lonc: msul1 Connection count: 1 Retries remaining: 2 (insecure)


-- 
guy at albertelli.com  LON-CAPA Developer  0-7-3-2-
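The script below is an added example; it is not part of this post and is not LON-CAPA's request_ssl_key.sh or the installer script the signing email carries. It assumes the /home/httpd/lonCerts file names the post gives in step 6 and that the openssl command-line tool is installed on the server; the hostid msul1 in the usage line is just the post's own example name. Run it as www after step 6, before trusting that lonc will report (ssl): it confirms that lonKey.pem is still readable only by its owner, that lonhostcert.pem chains to loncapaCA.pem, that its Common Name is the hostid you typed in step 2, and that its public key really belongs to lonKey.pem (a cert signed for a different request would pass the first three checks and still fail to connect).

```sh
#!/bin/sh
# Added example, not part of the original post and not LON-CAPA's own
# request_ssl_key.sh: sanity checks for the files that step 6 leaves in
# /home/httpd/lonCerts (directory and file names taken from the post).
# Assumes the openssl command-line tool is installed and that lonKey.pem
# is a PEM private key as openssl writes it.
#
# Usage (as www):  sh check_loncerts.sh msul1
#             or:  sh check_loncerts.sh msul1 /some/other/certdir

check_loncerts() {
    hostid=$1
    dir=${2:-/home/httpd/lonCerts}
    key=$dir/lonKey.pem          # private key generated in step 2
    cert=$dir/lonhostcert.pem    # signed certificate installed in step 5/6
    ca=$dir/loncapaCA.pem        # LON-CAPA CA certificate installed in step 5/6
    fail=0

    for f in "$key" "$cert" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "MISSING: $f (steps 5/6 not completed?)"
            fail=1
        fi
    done
    [ "$fail" -eq 0 ] || return 1

    # 1. The private key must stay readable by its owner only. The post says
    #    the request script sets this; a stray cp or chmod can undo it.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        600|400) echo "ok: $key is mode $mode" ;;
        *)       echo "FAIL: $key is mode $mode, expected 600"; fail=1 ;;
    esac

    # 2. The signed certificate must chain to the LON-CAPA CA that was
    #    installed next to it; peers validate against that CA.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok: $cert verifies against $ca"
    else
        echo "FAIL: $cert does not verify against $ca"
        fail=1
    fi

    # 3. The Common Name must be the LON-CAPA hostid typed in step 2.
    #    -nameopt RFC2253 gives a fixed "CN=name,..." layout to parse.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" = "$hostid" ]; then
        echo "ok: certificate CN is $cn"
    else
        echo "FAIL: certificate CN is '$cn', expected hostid '$hostid'"
        fail=1
    fi

    # 4. The certificate must carry the public half of *this* private key.
    #    Compare digests of the two public keys in the same PEM encoding.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null | openssl sha256)
    if [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; then
        echo "ok: public key in $cert matches $key"
    else
        echo "FAIL: public key in $cert does not match $key"
        fail=1
    fi

    return "$fail"
}

# Run the checks only when invoked directly with a hostid argument.
if [ -n "$1" ]; then
    check_loncerts "$@"
fi
```

If any line starts with FAIL, do not expect lonc to show (ssl) for that peer; fix the reported file first (a wrong CN means re-running step 2 with the correct hostid and waiting for a new signature).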