LON-CAPA LON-CAPA Help

LON-CAPA Help

There are two different contexts in which a LON-CAPA server may communicate via SSL (Secure Sockets Layer):

Encrypted web pages served by Apache via port 443. In this case, client requests will be for URLs beginning https://.
Encrypted internal communication between LON-CAPA servers via port 5663.

Apache SSL

In the case of Apache, the steps required depend on the Linux distro.

CentOS/RedHat/Scientific Linux/Fedora:
yum install mod_ssl
SuSE/SLES:
Check that ssl is included in the list of modules in the APACHE_MODULES string in /etc/sysconfig/apache2.
Debian/Ubuntu LTS:
a2enmod ssl

For all distros you will need to install a key, generate a certificate signing request with that key, and have the certificate signed. You will also want to disable the passphrase prompt on web server restart by removing the password from the copy of the key you use with Apache, e.g.,

openssl rsa -in server.key -out server.key.nopass

You will then put the the (nopass) key and certificate files in locations accessible to Apache, and include information about the locations of those files in a config file containing the following lines:

SSLCertificateFile < path to signed certificate >

SSLCertificateKeyFile < path to key >

replacing < path to ... > with the path to the location of the particular file.

Which Apache config file contains these entries depends on the distro:

CentOS/RedHat/Scientific Linux/Fedora:
/etc/httpd/conf.d/ssl.conf
SuSE/SLES
/etc/apache2/vhosts.d/vhost-ssl.conf

(copied from vhost-ssl.conf with the entry for DocumentRoot changed to "/home/httpd/html").
Debian/Ubuntu LTS
/etc/apache2/sites-available/000-default-ssl

If you want to use rewrite rules to ensure that all external web requests are served using SSL, you should verify that mod_rewrite is enabled:

CentOS/RedHat/Scientific Linux/Fedora
Verify that the following entry in /etc/httpd/conf/httpd.conf is not commented out: LoadModule rewrite_module modules/mod_rewrite.so
SuSE/SLES
Check that rewrite is included in the list of modules in the APACHE_MODULES string in /etc/sysconfig/apache2.
Debian/Ubuntu LTS
a2enmod rewrite

You will also need to copy the rewrites/loncapa_rewrite_on.conf file to loncapa_rewrite.conf with the following commands:

CentOS/RedHat/Scientific Linux/Fedora
cp /etc/httpd/conf/rewrites/loncapa_rewrite_on.conf /etc/httpd/conf/loncapa_rewrite.conf
SuSE/SLES/Debian/Ubuntu LTS
cp /etc/apache2/rewrites/loncapa_rewrite_on.conf /etc/apache2/loncapa_rewrite.conf

and then reload the web server:

CentOS/RedHat/Scientific Linux/Fedora
/etc/init.d/httpd reload
SuSE/SLES/Debian/Ubuntu LTS
/etc/init.d/apache2 reload

To disable rewriting of external web requests to https://, copy rewrites/loncapa_rewrite_off.conf to loncapa_rewrite.conf and reload the web server.

You will need to open the server's Firewall to allow inbound traffic on port 443.

CentOS/RedHat/Scientific Linux
/usr/bin/system-config-securitylevel-tui
Fedora
/usr/bin/system-config-firewall-tui
SuSE/SLES
yast - > Security and Users - > Firewall
Debian 6/Ubuntu LTS
ufw allow 443/tcp

Note: changing firewall settings will cause iptables to reload, which means the rules to allow connections from other LON-CAPA servers via port 5663 will need to be re-established (if the LON-CAPA daemons were already running) by doing: /etc/init.d/loncontrol restart as root.

Internal LON-CAPA SSL

In the case of encrypted internal communication between LON-CAPA servers, you will need command line access as either root or www and enter the following commands:

cd /home/httpd/lonCerts

sh request_ssl_key.sh

Important: for the Common Name you should enter the lonHostID. This is displayed on the log-in page (Server: ) and is also an entry in the loncapa.conf file in /etc/httpd/conf (CentOS RedHat Scientific Linux Fedora) or /etc/apache2 (SuSE SLES Debian Ubuntu LTS). An example would be msul1.

By running request_ssl_key.sh you will:

Generate a private/public key pair.
The private key will be stored in /home/httpd/lonCerts/lonKey.pem It will be set so that only www can read this file. (You will want to make sure this file stays secret).
Automatically send an e-mail to the LON-CAPA certificate authority. containing your public key so LON-CAPA can sign it.

Your certificate will be signed by the certificate authority and an e-mail will be sent to the e-mail address you gave when prompted for one when you ran request_ssl_key.sh.

Save the e-mail you receive to a file, remove the headers from it, and run it (as the www user).

If it successfully completes you will have:

/home/httpd/lonCerts/lonhostcert.pem
(your signed public key)
/home/httpd/lonCerts/loncapaCA.pem
(the public key of the Lon-CAPA certificate authority)

Now when you machine connects to another server in the LON-CAPA network it will try to do so over an SSL connection. You can verify this by doing:

ps auxwww | grep lonc

You should see something like:

lonc: msul1 Connection count: 1 Retries remaining: 5 (ssl)

where before you saw something like:

lonc: msul1 Connection count: 1 Retries remaining: 5 (insecure)