Transport Layer Security (TLS) is the protocol that protects communications on the Internet. TLS authenticates the server to the client and ensures that the data exchanged can be neither read nor altered by a third party. Blackboard Learn uses TLS to secure communications between the web server and the client machine. Without TLS enabled, passwords and session cookies travel in clear text and can be captured by anyone on the network path and reused to impersonate the user; encryption prevents this.
TLS may also be used to secure the connection between Blackboard Learn and a separate authentication server (such as an Active Directory server). If TLS will be used both for the authentication server connection and for client sessions, configure TLS for the authentication server first. To learn more about configuring TLS with an integrated authentication server, see About the Authentication Framework.
TLS is the successor to Secure Sockets Layer (SSL); all SSL versions are now deprecated and should not be enabled. Blackboard Learn 9.1 Service Pack 8 and later support SSL Offloading. See SSL Offloading.
How does TLS work?
TLS combines public-key cryptography with symmetric encryption. The server's certificate binds its public key to its host name and is used to authenticate the server and to agree on a shared secret; the bulk of the traffic is then encrypted with symmetric session keys derived from that secret. The steps below outline how a TLS 1.2 connection is established using the RSA key exchange:
- The client sends a ClientHello listing the protocol versions and cipher suites it supports, together with a 32-byte random value.
- The server replies with a ServerHello that selects the version and cipher suite, includes its own random value, and sends its certificate, which contains its public key. These initial messages are sent in the clear; the two random values make the session keys unique to this connection, so a recorded exchange cannot be replayed.
- The client validates the certificate: the chain must lead to a trusted CA, the name must match the host being contacted, the validity period must cover the current date, and the certificate must not be revoked.
- The client generates a 48-byte premaster secret, encrypts it with the server's public key, and sends it to the server. Only the holder of the matching private key can decrypt it.
- Both the client and the server derive the master secret, and from it the session keys, from the premaster secret and the two random values.
- The client sends a ChangeCipherSpec message, announcing that it will now use the session keys, followed by an encrypted Finished message containing a hash of the entire handshake.
- The server verifies the client's Finished message and sends its own ChangeCipherSpec and Finished.
- After each side has verified the other's Finished message, the session keys are used to encrypt and integrity-protect all application data for the remainder of the session.
Modern cipher suites replace the RSA key exchange with an ephemeral (elliptic-curve) Diffie-Hellman exchange, so that a later compromise of the server's private key does not expose recorded sessions (forward secrecy); TLS 1.3 makes this mandatory and merges several of the steps above. The overall structure is unchanged: authenticate the server, agree on a secret, switch to symmetric keys.
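The key-derivation step of the handshake above, as an added example that is not part of the Blackboard documentation or product. It implements the TLS 1.2 PRF and key expansion from RFC 5246 with the Python standard library and shows that both sides arrive at identical session keys from values that were either sent in the clear (the two randoms) or delivered under the server's public key (the premaster secret). The premaster secret is generated as the RSA key exchange would generate it, but the public-key encryption that carries it to the server is assumed to have happened and is not shown; all randoms and secrets are constructed in the script.

```python
"""TLS 1.2 session-key derivation (RFC 5246 sections 5, 6.3 and 8.1).

Added example, not Blackboard code: both sides of the handshake compute the
same session keys from the premaster secret and the two Hello randoms; the
keys themselves are never transmitted.
"""
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion: HMAC(secret, A(i) + seed) concatenated until `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def new_premaster_secret() -> bytes:
    """RSA key exchange premaster: 2-byte client version (TLS 1.2 = 0x0303) + 46 random bytes."""
    return b"\x03\x03" + os.urandom(46)


def derive_session_keys(premaster: bytes, client_random: bytes, server_random: bytes,
                        mac_len: int = 0, key_len: int = 16, iv_len: int = 4) -> dict:
    """Derive the master secret and the per-direction write keys.

    Default lengths are those of TLS_RSA_WITH_AES_128_GCM_SHA256 (no MAC key,
    16-byte AES key, 4-byte fixed IV). Note that the seed order differs between
    the two PRF calls, exactly as the RFC specifies.
    """
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    names = ["client_write_mac_key", "server_write_mac_key",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {"master_secret": master}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def simulate_handshake(client_random: bytes = None, server_random: bytes = None,
                       premaster: bytes = None):
    """Run the key-agreement part of the handshake; returns (client_keys, server_keys).

    Each side only ever sees the two randoms (sent in the clear) and the
    premaster secret (client-generated, delivered under the server's public key).
    """
    client_random = client_random or os.urandom(32)   # ClientHello.random
    server_random = server_random or os.urandom(32)   # ServerHello.random
    premaster = premaster or new_premaster_secret()    # RSA-encrypted to the server in real TLS
    client_keys = derive_session_keys(premaster, client_random, server_random)
    server_keys = derive_session_keys(premaster, client_random, server_random)
    return client_keys, server_keys


if __name__ == "__main__":
    c, s = simulate_handshake()
    print("client and server agree:", c == s)
    print("client_write_key:", c["client_write_key"].hex())
    print("server_write_key:", s["server_write_key"].hex())
```

Changing either random changes every derived key, which is what stops a captured handshake from being replayed; the per-direction keys also differ, so traffic from the client can never be reflected back as if it came from the server.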
Obtain a certificate
The simplest way to obtain a certificate for a web site is from a vendor known as a Certificate Authority (CA). You are responsible for purchasing the certificate from a CA whose root is trusted by your users' browsers and operating systems; Blackboard does not assist with the purchase or renewal of your certificate. The process, shown in the steps below, is relatively simple.
- Generate a private key and a certificate signing request (CSR) containing the server's host name. The private key stays on the server; only the CSR is sent out.
- Send the CSR to the CA.
- The CA verifies that you control the host name and issues a signed certificate, usually together with the intermediate certificates that chain it to the CA's root.
- Make the certificate, the intermediate chain, and the private key available to the web server (IIS or Apache™) or, as described below, to the Learn keystore.
Publicly trusted certificates are issued for a limited period, currently at most about a year. Once the certificate expires, browsers reject the connection, so record the expiry date and install a renewed certificate before that date.
To remain secure, Blackboard recommends RSA keys of at least 2048 bits. According to the National Institute of Standards and Technology (NIST) guidelines for Key Management (SP 800-57), Table 4 of recommended algorithms and minimum key sizes, RSA keys of 1024 bits or less are no longer considered secure, and 2048 bits is considered secure through 2030. Generate the key with at least 2048 bits when creating the CSR; public CAs will not sign requests made with shorter keys.
If using a self-signed certificate, the certificate must be added to the trusted certificate store on each client machine. If this is not done, the multi-upload feature will fail certificate validation, as will other features that open their own TLS connections to the server. A self-signed certificate also trains users to click through browser warnings, so it is suitable for test systems only; use a CA-issued certificate in production.
Export existing TLS certificates
UNIX
Blackboard Learn now reads its TLS certificate and private key from a keystore. Existing commercial certificates must be combined with their private key and intermediate chain into a PKCS12 keystore before they can be applied to Learn.
If a directory inside /usr/local/blackboard was used for the existing certificate files, they will be in the backups directory after the upgrade has completed (for example /usr/local/blackboard/backups/20140328-120821/apps/httpd/conf/). This directory also holds a copy of the old bb-config.properties, whose TLS entries record where the original certificates were located if that is not known:
bbconfig.unix.ssl.ca.certificatefile=/usr/local/blackboard/apps/httpd/conf/ssl.crt/ca-bundle.crt
bbconfig.unix.ssl.certificatefile=/usr/local/blackboard/apps/httpd/conf/ssl.crt/server.crt
bbconfig.unix.ssl.certificatekeyfile=/usr/local/blackboard/apps/httpd/conf/ssl.key/server.key
- Navigate to the location of the existing certificates.
- Use openssl to create a keystore from the existing bundles.
If the certificate is stored in binary DER form rather than PEM (a PEM file is text beginning with -----BEGIN CERTIFICATE-----), convert it to PEM first:
openssl x509 -inform der -in ./ssl.crt/server.crt -out server.pem
Use openssl to create a PKCS12 keystore passing in the certificate file, certificate key and any intermediate certificate bundles.
openssl pkcs12 -export -in server.pem -inkey ./ssl.key/server.key -certfile ./ssl.crt/ca-bundle.crt -out bb-certificates.pfx
- When prompted, type a password to protect the exported keystore. Use a strong password and make a note of it: it must be entered into bb-config.properties later, where it is stored in clear text.
- Copy the bb-certificates.pfx file to /usr/local/blackboard/config/keystores/ and restrict its permissions so that only the account Learn runs as can read it; the file contains the private key.
Windows
Export IIS TLS certificate
You can use the Microsoft Management Console (MMC) with the Certificates snap-in to export the entire certificate path: the TLS server certificate, the intermediate certificates, and the trusted root CA certificate.
More on exporting TLS certificates on Windows servers using MMC
IIS export of server certificate only
- Open IIS Manager and navigate to the server level.
- In Features View, double-click Server Certificates.
- Select a certificate and select Export from the Actions pane.
- In the Export Certificate dialog box, do the following:
- Select the browse button (...) to navigate to C:\blackboard\config\keystores\ and enter the name of a file in which to store the certificate for exporting (for example, bb-certificates.pfx).
- Type a password in the Password box to protect the exported keystore. Use a strong password and make a note of it: it must be entered into bb-config.properties later, where it is stored in clear text. The resulting .pfx contains the private key together with the certificate, so restrict access to it in the same way as to the key.
Apply the exported certificate keystore to Blackboard Learn
The following steps only need to be performed if Tomcat terminates TLS itself, that is, if you are not offloading TLS to a front-end system.
Navigate to the blackboard configuration directory, such as ..\blackboard\config\, and make a backup copy of bb-config.properties.
Always back up the config file before making changes by copying it with the date of the change, for example: bb-config.properties.2014-04-21
- Copy the exported .pfx file to the keystores directory located in the blackboard config directory, e.g.:..\blackboard\config\keystores\
- Open bb-config.properties in a text editor such as vi or Notepad.
Locate the Keystore section and add the details for the certificate
## Keystore configuration for HTTPS ##
bbconfig.appserver.keystore.filename=/usr/local/blackboard/config/keystores/bb-certificates.pfx
bbconfig.appserver.keystore.password=PASSWORD
bbconfig.appserver.keystore.type=PKCS12
filename: The full path to the exported certificate file.
password: The password chosen when the keystore was created.
type: The keystore type. Use PKCS12 for certificates exported from Windows or keystores created using openssl.
- Save the bb-config.properties file.
To propagate the changes navigate to ..\blackboard\tools\admin and execute the PushConfigUpdates.sh|bat script.
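A pre-flight check for the Keystore section, as an added example that is not part of Blackboard Learn. It reads the three property names shown above from bb-config.properties and reports the mistakes that most often survive to PushConfigUpdates: a missing or relative keystore path, the PASSWORD placeholder left in place, and a keystore or properties file readable by every local account (the keystore holds the private key; the properties file holds its password in clear text). The sample files it checks are constructed in a temporary directory; the paths and password values are illustrative.

```python
"""Check the Keystore section of bb-config.properties before running PushConfigUpdates.

Added example, not part of Blackboard Learn. The three property names are the
ones shown on the page; the checks themselves (placeholder password, missing or
world-readable files) are this example's own. Standard library only.
"""
import stat
import tempfile
from pathlib import Path

KEYSTORE_KEYS = (
    "bbconfig.appserver.keystore.filename",
    "bbconfig.appserver.keystore.password",
    "bbconfig.appserver.keystore.type",
)


def load_properties(text: str) -> dict:
    """Minimal reader for the key=value lines of a Java .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue                       # blank line or comment
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def world_readable(path: Path) -> bool:
    """True if the file's mode grants read access to 'other' (POSIX semantics)."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def check_keystore_config(properties_path: Path) -> list:
    """Return a list of findings; an empty list means the section looks usable."""
    props = load_properties(properties_path.read_text())
    missing = [k for k in KEYSTORE_KEYS if not props.get(k)]
    if missing:
        return [f"missing or empty property: {k}" for k in missing]

    findings = []
    keystore = Path(props["bbconfig.appserver.keystore.filename"])
    if not keystore.is_absolute():
        findings.append("keystore.filename must be the full path to the .pfx file")
    if not keystore.is_file():
        findings.append(f"keystore file not found: {keystore}")
    elif world_readable(keystore):
        findings.append(f"keystore file is world-readable: {keystore} (it contains the private key)")
    if props["bbconfig.appserver.keystore.password"].upper() == "PASSWORD":
        findings.append("keystore.password still holds the placeholder value")
    if props["bbconfig.appserver.keystore.type"] != "PKCS12":
        findings.append("keystore.type should be PKCS12 for a keystore exported as described above")
    if world_readable(properties_path):
        findings.append("bb-config.properties is world-readable but holds the keystore password in clear text")
    return findings


def write_sample(base: Path, password: str, pfx_mode: int, props_mode: int) -> Path:
    """Create a dummy .pfx and a bb-config.properties fragment with the given file modes."""
    keystores = base / "config" / "keystores"
    keystores.mkdir(parents=True, exist_ok=True)
    pfx = keystores / "bb-certificates.pfx"
    pfx.write_bytes(b"not a real PKCS12 file")   # constructed stand-in for the exported keystore
    pfx.chmod(pfx_mode)
    props = base / "config" / "bb-config.properties"
    props.write_text(
        "## Keystore configuration for HTTPS ##\n"
        f"bbconfig.appserver.keystore.filename={pfx}\n"
        f"bbconfig.appserver.keystore.password={password}\n"
        "bbconfig.appserver.keystore.type=PKCS12\n"
    )
    props.chmod(props_mode)
    return props


def run_self_check() -> tuple:
    """Check a careful and a careless configuration; returns (good_findings, bad_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = check_keystore_config(write_sample(Path(tmp) / "good", "s3cr3t-long-pass", 0o600, 0o600))
        bad = check_keystore_config(write_sample(Path(tmp) / "bad", "PASSWORD", 0o644, 0o644))
    return good, bad


if __name__ == "__main__":
    for label, findings in zip(("good", "bad"), run_self_check()):
        print(label, findings or ["ok"])
```

Run it against the real file (`check_keystore_config(Path("/usr/local/blackboard/config/bb-config.properties"))`) before pushing the configuration; on Windows the permission checks are only meaningful if the files live on an NTFS volume whose ACLs you review separately.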
How does TLS appear to users?
TLS works with the Hypertext Transfer Protocol (HTTP) to secure connections between Blackboard Learn Web server and the client machines. It is fairly easy to see when a Web page is using TLS to secure transmissions because an "s" is appended to the HTTP at the beginning of the address.
Without TLS: http://blackboard.yourinstitution.com
With TLS: https://blackboard.yourinstitution.com
It is important to understand that if Learn is configured to accept connections only over TLS, the first URL (without TLS) will no longer reach the application: the plain-HTTP request is refused, or, where the web server is configured to redirect, the browser is sent on to the https:// address. Configure such a redirect so that existing bookmarks and links that use http:// continue to work.
TLS offloading
TLS offloading relieves the Blackboard Learn application of the processing burden of encrypting and decrypting TLS traffic. A separate system (a load balancer or front-end web server) terminates TLS and connects to the Learn application on port 8081 over plain HTTP, passing the X-FORWARDED-FOR header with the original client address and X-FORWARDED-PROTO set to HTTPS so that Learn treats the request as a secure one. Because port 8081 accepts unencrypted traffic and trusts these headers, it must be reachable only from the offloading system: a client that can connect to 8081 directly could set the headers itself, spoofing its address and the secure status of its connection, and its traffic to that port would be unencrypted. For more information on TLS configuration, see the Post Install and Upgrade Tasks Optional - TLS Configuration, Optional - Front Learn with a Webserver, or Optional - Set Up Load Balancing for Multiple Application Servers.
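The header trust rule described above, as an added example that is not Learn's own code: a small function showing how a request arriving on port 8081 should be interpreted when the forwarding headers may or may not come from the offloader. The offloader address 10.0.0.5 and the client addresses are constructed for the example; the cookie helper only illustrates why the application needs to know the original scheme (a session cookie should carry the Secure attribute only when the user's connection really is HTTPS).

```python
"""Trusting X-Forwarded-* headers only from the TLS offloader.

Added example, not Blackboard code. OFFLOADER_ADDRESSES is an assumption for
the example: the address(es) of the system that terminates TLS and is the
only peer allowed to reach port 8081.
"""
OFFLOADER_ADDRESSES = {"10.0.0.5"}


def effective_request(peer_ip: str, headers: dict) -> dict:
    """Decide scheme and client address for a request that arrived on port 8081.

    Forwarding headers are honoured only when the TCP peer is the offloader;
    anything else is treated as a plain-HTTP request from the peer itself,
    because a direct client can put any value into X-Forwarded-Proto / -For.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if peer_ip not in OFFLOADER_ADDRESSES:
        return {"scheme": "http", "client_ip": peer_ip, "trusted_forwarding": False}
    proto = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    xff = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    # With exactly one trusted proxy, only the rightmost X-Forwarded-For entry (the one the
    # offloader appended) can be believed; earlier entries may have been supplied by the client.
    client_ip = xff[-1] if xff else peer_ip
    return {"scheme": "https" if proto == "https" else "http",
            "client_ip": client_ip,
            "trusted_forwarding": True}


def session_cookie_attributes(request: dict) -> str:
    """Attributes for a session cookie, given the effective scheme of the request."""
    attrs = ["HttpOnly", "SameSite=Lax"]
    if request["scheme"] == "https":
        attrs.insert(0, "Secure")   # only safe to set when the user really connected over TLS
    return "; ".join(attrs)


if __name__ == "__main__":
    via_offloader = effective_request(
        "10.0.0.5", {"X-Forwarded-Proto": "https", "X-Forwarded-For": "1.2.3.4, 203.0.113.9"})
    direct_spoof = effective_request(
        "203.0.113.9", {"X-Forwarded-Proto": "https", "X-Forwarded-For": "10.0.0.5"})
    print("via offloader:", via_offloader, session_cookie_attributes(via_offloader))
    print("direct to 8081:", direct_spoof, session_cookie_attributes(direct_spoof))
```

The second case is the one the firewall rule exists for: a client that reaches port 8081 directly and claims to be HTTPS from the offloader's address is still logged and treated as a plain-HTTP request from its real peer address.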
Ciphers
We recommend using only high-strength ciphers. Follow the Apache Tomcat SSL/TLS Configuration How-To guide to configure them. Blackboard Learn 9.1 release October 2014 and later ships with the protocol versions it will negotiate set via the bb-config.properties item below. Note that this property selects protocol versions rather than cipher suites. TLS 1.0 and 1.1 have since been deprecated (RFC 8996) and are disabled in current browsers, so the list should be reduced to TLSv1.2 (plus newer versions where the installed Java runtime supports them) unless a legacy client still genuinely requires the older versions:
"bbconfig.appserver.https.protocols=TLSv1,TLSv1.1,TLSv1.2"
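How to review the protocol list and what a hardened configuration looks like, as an added example rather than Learn configuration. The review function parses the property value shown above and separates deprecated versions from the rest; the server context uses Python's ssl module (OpenSSL underneath) to build a TLS 1.2-and-up configuration limited to forward-secret AEAD suites and to verify that no weak suite is offered. The cipher string and the weak-suite markers are this example's own choices, not Learn or Tomcat settings.

```python
"""Reviewing the protocol list and building a hardened TLS server context.

Added example, not Blackboard code. The cipher string and the list of weak
markers are the author's choices for illustration.
"""
import ssl

# Versions that must no longer be offered: SSLv2 (RFC 6176), SSLv3 (RFC 7568),
# TLS 1.0 and TLS 1.1 (RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Substrings that identify cipher suites with no place on a production server:
# no encryption, export grade, RC4, (3)DES, MD5, and anonymous key exchange.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def review_protocols(value: str) -> dict:
    """Split a bbconfig.appserver.https.protocols value into deprecated and acceptable entries."""
    names = [n.strip() for n in value.strip().strip('"').split(",") if n.strip()]
    deprecated = [n for n in names if n in DEPRECATED_PROTOCOLS]
    keep = [n for n in names if n not in DEPRECATED_PROTOCOLS]
    return {"deprecated": deprecated, "recommended_value": ",".join(keep)}


def hardened_server_context() -> ssl.SSLContext:
    """A server context that offers only TLS 1.2+ and AEAD suites with forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE key exchange only, AES-GCM or ChaCha20-Poly1305, and explicit exclusions
    # in case a future OpenSSL default re-enables something undesirable.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def offered_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of the suites the context will offer (TLS 1.3 suites appear as TLS_*)."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Offered suites that match one of the weak markers; should be empty."""
    return [n for n in offered_ciphers(ctx) if any(m in n for m in WEAK_MARKERS)]


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


if __name__ == "__main__":
    print(review_protocols("TLSv1,TLSv1.1,TLSv1.2"))
    ctx = hardened_server_context()
    print("minimum version:", minimum_version_name(ctx))
    print("offered:", offered_ciphers(ctx))
    print("weak:", weak_ciphers(ctx))
```

After changing the property and pushing the configuration, confirm the result from outside with a scanner or `openssl s_client -tls1_1 -connect host:443` (the handshake must fail) rather than trusting the configuration file alone.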
Support for HTTP Strict Transport Security (HSTS)
This feature is available in Blackboard Learn 9.1 Q4 2016 and later.
HTTP Strict Transport Security (HSTS) is an optional security feature. When enabled, Learn sends a Strict-Transport-Security response header that instructs browsers to connect to the site only over TLS for a set period (max-age seconds): the browser rewrites http:// links to https:// before sending them and refuses to continue past a certificate error for that host. This defeats SSL-stripping downgrade attacks, cookie hijacking, and other attacks that rely on tricking the browser into an insecure connection. Browsers only honour the header when they receive it over a valid TLS connection.
HSTS is disabled by default. To enable HSTS, open bb-config.properties and locate the following piece of code:
## HTTP Strict Transport Security ##
bbconfig.appserver.https.sts.enabled=false
bbconfig.appserver.https.sts.maxage=63072000
Change false to true, save the file, and run PushConfigUpdates. The default maxage of 63072000 seconds is two years. Enable HSTS only once every host name users reach Learn through works over TLS with a valid certificate, and keep the TLS setup working thereafter: a browser that has stored the policy will refuse plain HTTP and will not let the user bypass a certificate error for that host until max-age expires, so a lapsed certificate becomes a full outage.
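Building and checking the header, as an added example that is not part of Learn: build_hsts_value mirrors the two properties above, parse_hsts_value follows the syntax rules of RFC 6797, and evaluate_response applies the browser-side rules that decide whether a policy actually takes effect (the header is ignored over plain HTTP, a malformed value is ignored, max-age=0 clears the policy rather than setting one). The responses it checks are constructed; the one-year threshold is a common baseline, not a Learn requirement.

```python
"""Building and checking the Strict-Transport-Security header (RFC 6797).

Added example, not Blackboard code: the builder uses the two bb-config values
shown on the page; the evaluator applies the browser rules an administrator
should know before enabling the feature.
"""
ONE_YEAR = 31536000   # assumption: common minimum max-age for a production policy


def build_hsts_value(enabled: str, maxage: str):
    """Return the header value for the given property values, or None when the feature is off."""
    if enabled.strip().lower() != "true":
        return None
    return f"max-age={int(maxage)}"


def parse_hsts_value(value: str):
    """Parse 'max-age=N[; includeSubDomains][; preload]'; returns None when a browser would ignore it."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None                   # RFC 6797 section 6.1: a directive may appear only once
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None               # max-age needs a non-negative integer
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if result["max_age"] is None:
        return None                       # max-age is mandatory
    return result


def evaluate_response(scheme: str, headers: dict) -> list:
    """Return findings for an HTTP response carrying (or lacking) an HSTS header."""
    h = {k.lower(): v for k, v in headers.items()}
    value = h.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header: HSTS not enabled on this response"]
    findings = []
    if scheme != "https":
        findings.append("header sent over plain http: browsers ignore it (RFC 6797 section 8.1)")
    policy = parse_hsts_value(value)
    if policy is None:
        return findings + ["header value is malformed and will be ignored"]
    if policy["max_age"] == 0:
        findings.append("max-age=0 clears any stored policy instead of enforcing one")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']} is below one year; a short policy gives little protection")
    return findings


if __name__ == "__main__":
    value = build_hsts_value("true", "63072000")          # the page's defaults, switched on
    print(value, parse_hsts_value(value))
    print(evaluate_response("https", {"Strict-Transport-Security": value}))
    print(evaluate_response("http", {"Strict-Transport-Security": value}))
```

The http case is worth keeping in mind when a front-end server or load balancer handles TLS: the header must be emitted on the responses the browser receives over https, not only on an internal plain-HTTP hop.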