[LON-CAPA-cvs] cvs: loncom / loncapa.conf

foxr lon-capa-cvs@mail.lon-capa.org
Wed, 26 May 2004 10:17:49 -0000


foxr		Wed May 26 06:17:49 2004 EDT

  Modified files:              
    /loncom	loncapa.conf 
  Log:
  Add variable definitions for secure lonc/lond.
  
  
Index: loncom/loncapa.conf
diff -u loncom/loncapa.conf:1.8 loncom/loncapa.conf:1.9
--- loncom/loncapa.conf:1.8	Thu May  8 18:08:18 2003
+++ loncom/loncapa.conf	Wed May 26 06:17:49 2004
@@ -1,7 +1,7 @@
 ##
 ## loncapa.conf -- Apache HTTP LON-CAPA configuration file
 ##
-## $Id: loncapa.conf,v 1.8 2003/05/08 22:08:18 albertel Exp $
+## $Id: loncapa.conf,v 1.9 2004/05/26 10:17:49 foxr Exp $
 ##
 
 # ======================================= Machine Specific / Perl Configuration
@@ -39,3 +39,68 @@
 # Key to issue receipts
  
 PerlSetVar	 lonReceipt   {[[[[lonReceipt]]]]}
+
+#
+#   The variables below control the behavior of secure lond:
+#
+#
+
+#  londAllowInsecure allows lond to fall back to insecure connections
+#  in the event its peer is not yet updated to secure lonc.
+#  If you are certain all the systems you are communicating with
+#  are using secure lonc, uncomment the first definition and
+#  comment the second.
+
+# PerlSetVar londAllowInsecure {[[[[0]]]]}
+PerlSetVar londAllowInsecure {[[[[1]]]]}
+
+# loncAllowInsecure allows lonc to fall back to negotiating an insecure
+# connection with lond in the event the peer is not yet a secure lond.
+# If you are certain that all systems you are communicating with 
+# are using secure lond, uncomment the next line and comment the
+# second:
+
+# PerlSetVar loncAllowInsecure {[[[[0]]]]}
+PerlSetVar   loncAllowInsecure {[[[[1]]]]}
+
+#
+#   Secure lond/lonc require ssl certificate and private
+#   key files to function correctly.  The certificate
+#   files need not be terribly secure, but the private key files
+#   should be set up so that only www (the lonc/lond effective user)
+#   can read them.
+# 
+#   The definition below is the full path to the directory that
+#   contains the certificate and key files:
+#
+PerlSetVar lonCertificateDirectory {[[[[/home/httpd/lonCerts]]]]}
+
+#
+#  Secure lond/lonc require two certificates and a private host key.
+#  The certificates required are that of the lonCAPA certificate authority
+#  and the certificate that authority issued to this host.
+#  lonnetCertificateAuthority is the name of the file that contains the
+#                            lonCAPA certificate authority's certificate.
+#  lonnetCertificate is the name of the file that contains the certificate
+#                    issued to the host by the certificate authority.
+#  Both of these variables are names of files assumed to be in 
+#  lonCertificateDirectory:
+
+PerlSetVar lonnetCertificateAuthority {[[[[loncapaCA.pem]]]]}
+PerlSetVar lonnetCertificate          {[[[[lonhostcert.pem]]]]}
+
+#
+#  To generate the request for a certificate, and to negotiate the
+#  initial ssl connection, the host requires a private key.  This key
+#  is created at lonCAPA install time.  Did we mention above that it
+#  should be set so that only www can read it?  The variale below
+#  is the name of the file relative to lonnetCertificateDirectory
+#  that has the host's private key.  Did we remember to tell you to
+#  keep the permissions on that file set to rw-------  (0600)?
+#  
+
+PerlSetVar lonnetPrivateKey         {[[[[lonKey.pem]]]]}
+
+# Did we mention that the file described above must have
+# permissions really locked down so that it can't be stolen?
+
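Review bot: The active defaults keep the downgrade path open: `PerlSetVar londAllowInsecure {[[[[1]]]]}` and `PerlSetVar   loncAllowInsecure {[[[[1]]]]}` are the uncommented lines, so a peer that refuses or breaks the SSL negotiation is served in the clear, and nothing in the surrounding comments states that this is a migration-only setting or that a fallback is recorded anywhere an operator would see it. I would add above each active line a comment such as `# TRANSITIONAL: insecure fallback enabled; set to 0 once every peer runs secure lonc/lond, and check the lond/lonc log for fallback events before flipping it`, and, if lond/lonc do not already log a downgrade (not visible from this hunk), make them do so, since otherwise an operator has no way to know when the switch can safely be turned off. Two wording problems in the key section: the comment at the `lonnetPrivateKey` definition says the file is relative to `lonnetCertificateDirectory`, but the variable defined above is `lonCertificateDirectory`, and `variale` should read `variable`. The three separate reminders about 0600 permissions would read better as one sentence, ideally backed by a startup check in lond that refuses a group- or world-readable key file; whether such a check exists is outside this change.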