To use TLS to secure Blackboard Learn, the Apache™ HTTP Server (Web server) must first be set to use TLS.

Successful completion of this process requires that Solaris users are running Solaris 10, Solaris 9, or Solaris 8 with patch 112438-02. Blackboard Learn no longer supports application servers running Solaris. For more information, visit Behind the Blackboard.

Configuring TLS should only be done by an experienced administrator.


Configure TLS for Apache HTTP server

  1. Log in to the Web/application server as root.
  2. Set the PATH to include the OpenSSL provided by Blackboard with the following commands:

    PATH=/blackboard_home/apps/openssl/bin:$PATH

    export PATH

  3. Test that OpenSSL is in the PATH by executing openssl. If OpenSSL is set in the PATH correctly, an OpenSSL> prompt will appear. Enter 'q' to exit the prompt. If another instance of openssl is installed on the operating system, make sure that the version supplied by Blackboard is the one that appears first in the PATH.
  4. Create a directory to store certificates. Then change directories. For example:

    mkdir /blackboard_home/apps/httpd/conf/certs/

    cd /blackboard_home/apps/httpd/conf/certs/

  5. Create an RSA private key:

    openssl genrsa -out server.key 2048

    where server is a variable for the file name. Typically the server name is used. To learn more about RSA key size recommendations, see How to Obtain a Certificate.

  6. Back up this file and make sure that only root has read permissions on it. Make sure that the password is secure and can be recalled when necessary (it is needed to start the server).
  7. Create a Certificate Signing Request (CSR) for the server RSA private key with the following command:

    openssl req -new -days 365 -key server.key -out server.csr

    The -days option sets the expiration of the certificate. Most Certifying Authorities will only sign a certificate for 1 year. At that time the certificate must be re-signed.

  8. View the details of the CSR with the following command:

    openssl req -noout -text -in server.csr

    When submitting the request, it may be necessary to view the file and copy text from it for submission to the Certifying Authority (CA).

  9. Send the CSR to a Certifying Authority for signing. There are several commercial options available or you can sign your own if you have the capability. The output of either process is a server.crt file.
  10. Edit the /blackboard_home/apps/httpd/conf/httpd.conf file to include the following directive:

    Include conf/ssl.conf

  11. Edit the /blackboard_home/config/bb-config.properties file by modifying the following attributes, as shown below.

    bbconfig.unix.ssl.certificatefile=/path/server.crt

    bbconfig.unix.ssl.certificatekeyfile=/path/server.key

    More on bb-config.properties File

  12. Edit the /blackboard_home/apps/httpd/conf/ssl.conf file to designate the level of encryption. Blackboard recommends the use of strong encryption, for example:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:!MEDIUM:!SSLv2

  13. Run PushConfigUpdates as shown below.

    /blackboard_home/tools/admin/PushConfigUpdates.sh

    More on PushConfigUpdates.

  14. The SSL Choice feature can now be used to select which areas of Blackboard Learn use TLS.
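
The checks below are an added example, not part of the original Blackboard documentation: shell functions that confirm the private key from step 5 carries no group or other permissions (step 6) and that the CSR from step 7, or the server.crt returned in step 9, was produced from that key. The -subj value and the scratch directory used in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Blackboard's code): checks for steps 5-9 of the procedure.
# server.key / server.csr / server.crt are the page's placeholder file names;
# the CN used in demo() is a constructed value.

# Print "Modulus=<hex>" for an RSA key, CSR or certificate.
# $1 = key|csr|crt   $2 = file
modulus_of() {
    case "$1" in
        key) openssl rsa  -in "$2" -noout -modulus 2>/dev/null ;;
        csr) openssl req  -in "$2" -noout -modulus 2>/dev/null ;;
        crt) openssl x509 -in "$2" -noout -modulus 2>/dev/null ;;
        *)   return 2 ;;
    esac
}

# Succeed only if the CSR or certificate was made from this private key.
# $1 = csr|crt   $2 = CSR or certificate file   $3 = private key file
matches_key() {
    a=$(modulus_of "$1" "$2") || return 1
    b=$(modulus_of key "$3") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if group and others have no permissions on the key (step 6).
key_is_private() {
    perms=$(ls -ldnL "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed demo: steps 5 and 7 in a scratch directory, then both checks.
demo() {
    dir=$(mktemp -d) || return 1
    if ( cd "$dir" && umask 077 &&
         openssl genrsa -out server.key 2048 2>/dev/null &&
         openssl req -new -key server.key -out server.csr \
             -subj "/CN=learn.example.edu" 2>/dev/null &&
         key_is_private server.key &&
         matches_key csr server.csr server.key )
    then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# Before step 11, once the CA has returned server.crt:
#   matches_key crt server.crt server.key && key_is_private server.key
```

A mismatch between server.crt and server.key is a common reason for Apache failing to start after step 13, so running matches_key before editing bb-config.properties catches it early.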