[LON-CAPA-admin] PCI Compliance

Stuart Raeburn raeburn at msu.edu
Mon Jan 14 12:18:40 EST 2013


Hi,

> The hosts.tab already had the https edit shown below.  Perhaps when   
> I ran ./UPDATE after switching the file was modified?

Yes.  Running ./UPDATE and entering https at the following prompt:

  7) Web Server Protocol (http or https):

updates the entry in /home/httpd/lonTabs/hosts.tab on your machine.

> Also, when running ./UPDATE item 13 is "allow only secure   
> connections." Should I change that to yes?  Or does that refer to   
> the internal communications on port 5663?

I would not recommend changing it to "yes".

At this point, not all servers in the LON-CAPA network have followed  
the steps described in section 2.18 of the Domain Coordination manual  
("Encrypting server traffic with SSL") needed to generate the  
certificate which can be used (once signed) to utilize SSL for  
internal communications via port 5663.

However, if you do decide to use SSL for port 5663, and complete the  
necessary steps, traffic between your server and other servers which  
also have certificates signed by the LON-CAPA CA will use SSL, with  
item 13 still set to the current default of "no".

Leaving it set to "no" also allows an SSL-enabled LON-CAPA server to  
communicate via port 5663 with non-SSL servers in the network.

Stuart Raeburn
LON-CAPA Academic Consortium


Quoting Jon Hall <jdh65 at bellsouth.net>:

> The hosts.tab already had the https edit shown below.  Perhaps when   
> I ran ./UPDATE after switching the file was modified?
>
> Also, when running ./UPDATE item 13 is "allow only secure   
> connections." Should I change that to yes?  Or does that refer to   
> the internal communications on port 5663?
>
>
>
>
> On Jan 13, 2013, at 8:01 PM, Stuart Raeburn wrote:
>
>> Also, I see you have followed my suggestion and installed free SSL  
>> certs from startssl.com.  Accordingly, I have updated the entry for  
>> jp2l1 to specify https (instead of http) in the authoritative  
>> cluster tables advertised by the LON-CAPA Academic Consortium "DNS"  
>> servers.
>>
>> You should make the same change in /home/httpd/lonTabs/hosts.tab
>> i.e., replace:
>>
>> jp2l1:jp2:library:physics.jp2hs.org:http:jp2hs.org
>>
>> with
>>
>> jp2l1:jp2:library:physics.jp2hs.org:https:jp2hs.org
>>
>> Lastly, I would encourage you to enable rewrites from http to https  
>> by doing the following:
>>
>> cd /etc/httpd/conf/
>> cp rewrites/loncapa_rewrite_on.conf loncapa_rewrite.conf
>>
>> /etc/init.d/httpd reload
>>
>> Currently:
>> http://physics.jp2hs.org/
>>
>> reports a 400 error "Bad Request".
>>
>> See section 2.18 "Encrypting server traffic with SSL" on p. 18 of   
>> the domain coordination manual for more information:
>>
>> https://physics.jp2hs.org/adm/help/domain.manual.pdf
>>
>>
>> Stuart Raeburn
>> LON-CAPA Academic Consortium
>>
>>
>> Quoting Jon Hall <jdh65 at bellsouth.net>:
>>
>>> I managed to get many of the PCI failure items correct, but am  
>>> still getting dinged by the PCI scanning company for cross-site  
>>> scripting (despite updating my lonsupportreq.pm as suggested by  
>>> Stuart).
>>>
>>> Gerd suggested that I can disable helpdesk in domain  
>>> configuration, but I have not been able to figure out how to do  
>>> that.  Any pointers?
>>>
>>> Thanks for all assistance,
>>> Jon Hall
>>>
>>>
>>> On Jan 3, 2013, at 7:55 PM, Gerd Kortemeyer wrote:
>>>
>>>>
>>>>
>>>> Can be solved by switching to HTTPS, but to avoid warnings, you  
>>>> need a purchased certificate. Nothing we can do about it.
>>>>
>>>>
>>>>>
>>>>> web program allows cross-site scripting in query string (/adm/login)
>>>>>
>>>>> web program allows cross-site scripting in query string (/adm/helpdesk)
>>>>
>>>> Disable helpdesk in domain configuration.
>>>>
>>>>>
>>>>> web server allows cross-site tracing
>>>>
>>>> See above.
>>>>
>>>>>
>>>>> cross-site scripting vulnerability in orgurl parameter to /adm/helpdesk
>>>>
>>>> See above.
>>>>
>>>> - Gerd.
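
A check on the hosts.tab edit discussed in this thread, as an added example that is not part of the thread and not LON-CAPA's own code: it parses the colon-separated table, lists entries whose protocol field is still http (the ones a PCI scan would flag as unencrypted web front ends), and applies the http to https replacement for one host id the same way the message does by hand. The six field names are my assumption, read off the one jp2l1 line quoted above; the sample table is constructed except for that jp2l1 line, and the other host ids and .test hostnames are placeholders.

```python
"""Audit and update protocol fields in a LON-CAPA hosts.tab.

Added example, not LON-CAPA code.  Field names are assumed from the
quoted line  jp2l1:jp2:library:physics.jp2hs.org:http:jp2hs.org
"""
from dataclasses import dataclass
from typing import List

# Assumed field layout (sixth field taken to be the internal domain).
FIELDS = ("hostid", "domain", "role", "hostname", "protocol", "intdom")
PROTO_INDEX = FIELDS.index("protocol")
ALLOWED_PROTOCOLS = ("http", "https")

# Constructed sample table; only the jp2l1 line comes from the thread.
SAMPLE_HOSTS_TAB = """\
# constructed sample, not a real cluster table
jp2l1:jp2:library:physics.jp2hs.org:http:jp2hs.org
examplel1:example:library:lib.example.test:https:example.test
examplea1:example:access:acc.example.test:http:example.test
"""


@dataclass(frozen=True)
class HostEntry:
    hostid: str
    domain: str
    role: str
    hostname: str
    protocol: str
    intdom: str
    line_no: int


def parse_hosts_tab(text: str) -> List[HostEntry]:
    """Parse hosts.tab text, skipping blank and '#' comment lines.

    Raises ValueError on a malformed line so a corrupted table is not
    silently accepted as 'all https'.
    """
    entries: List[HostEntry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(
                f"line {n}: expected {len(FIELDS)} colon-separated fields, got {len(parts)}")
        if parts[PROTO_INDEX] not in ALLOWED_PROTOCOLS:
            raise ValueError(f"line {n}: unknown protocol {parts[PROTO_INDEX]!r}")
        entries.append(HostEntry(*parts, line_no=n))
    return entries


def insecure_hosts(entries: List[HostEntry]) -> List[HostEntry]:
    """Return entries that still advertise plain http."""
    return [e for e in entries if e.protocol != "https"]


def set_protocol(text: str, hostid: str, protocol: str = "https") -> str:
    """Return the table text with the protocol field of one host id replaced.

    Comments, ordering and all other entries are left untouched, which is
    what the manual edit in the thread does.
    """
    if protocol not in ALLOWED_PROTOCOLS:
        raise ValueError(f"protocol must be one of {ALLOWED_PROTOCOLS}")
    out: List[str] = []
    found = False
    for raw in text.splitlines(keepends=True):
        stripped = raw.strip()
        if stripped and not stripped.startswith("#"):
            parts = stripped.split(":")
            if len(parts) == len(FIELDS) and parts[0] == hostid:
                parts[PROTO_INDEX] = protocol
                raw = ":".join(parts) + "\n"
                found = True
        out.append(raw)
    if not found:
        raise KeyError(f"no entry for host id {hostid!r}")
    return "".join(out)


def report(text: str) -> List[str]:
    """Human-readable findings, one line per host still on http."""
    return [f"line {e.line_no}: {e.hostid} ({e.hostname}) advertises {e.protocol}"
            for e in insecure_hosts(parse_hosts_tab(text))]


if __name__ == "__main__":
    # Stand-alone run: audit the sample, fix jp2l1, audit again.
    print("\n".join(report(SAMPLE_HOSTS_TAB)) or "all entries use https")
    updated = set_protocol(SAMPLE_HOSTS_TAB, "jp2l1", "https")
    print("\n".join(report(updated)) or "all entries use https")
```

To run it against a real table, read /home/httpd/lonTabs/hosts.tab into `text` and call `report(text)`; note that an entry flagged here only says the cluster table still points clients at http, it does not tell you whether the web server actually has a certificate installed, which is a separate check.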
