- Notice: Undefined variable: token in bb_coveo_search_ui_block_page_attachments() (line 53 of modules/custom/bb_widgets/bb_coveo_search_ui/bb_coveo_search_ui_block.module).
- Warning: array_flip(): Can only flip STRING and INTEGER values! in Drupal\Core\Entity\EntityStorageBase->loadMultiple() (line 312 of core/lib/Drupal/Core/Entity/EntityStorageBase.php).
Transport Layer Security (TLS) is a protocol for protecting Internet communications. TLS ensures that a communication is not read or changed by another entity. Blackboard Learn uses TLS to secure communications between the Web server and the client machine. Without TLS enabled, there is no encryption provided for passwords or session cookies. Encryption protects passwords and sessions cookies from being captured and used maliciously.
TLS may also be used to secure the connection between Blackboard Learn and a separate server for authentication (such as an Active Directory server). If TLS will be used both for connecting to an authentication server and for client sessions, TLS for the authentication server must be configured first. To learn more about configuring TLS for securing with an integrated authentication server, see About the Authentication Framework.
TLS is the successor of Secure Sockets Layer (SSL). Blackboard Learn 9.1 Service Pack 8 and later support SSL Offloading. See SSL Offloading.
How does TLS work?
TLS works through public key encryption. Transmissions are decrypted and encrypted using certificates. The steps below outline the process for establishing a connection over TLS:
- Client contacts the server with a list of encryption methods.
- The Server returns its certificate and a public key. These initial communications are scrambled with random data.
- Client validates the certificate.
- Client creates a secret string using an encryption method recognized by both the client and the server. The string is combined with the server's public key and sent back to the server.
- Both the client and server create session keys based on the secret string.
- The client sends a message to the server that it will now use the session key to encrypt and decrypt communications.
- The server responds that it will also use the session key.
- After each side confirms, the session keys are used to encrypt and decrypt communications during the session.
Obtain a certificate
The simplest way to obtain a certificate for use with a web site is through a vendor known as a Certifying Authority (CA). You're responsible for working with a widely accepted vendor to purchase a certificate. Blackboard doesn't assist with purchase or renewal of your certificate. The process, shown in the steps below, is relatively simple.
- Generate a certificate request.
- Send the request to a CA.
- The CA creates and registers a certificate.
- Make this certificate available to the Web Server (IIS or Apache™).
Certificates created in this way are usually registered and good for one year. After one year the certificate will no longer work and a new certificate must be obtained.
To remain secure, Blackboard recommends certificates with RSA key sizes at least 2048 bits in length. As per the National Institute of Standards and Technology (NIST) guidelines for Key Management (SP 800-57), Table 4 for recommended algorithms and minimum key sizes, certificates with RSA key sizes at or under 1024 bits are no longer considered secured and a minimum 2048 bits is considered secure through 2030.
If using a self-signed certificate, the certificate must be added to the list of allowed certificates on the client machine. If this is not done, the multi-upload feature will fail, as will a few other features that use TLS.
How does TLS appear to users?
TLS works with the Hypertext Transfer Protocol (HTTP) to secure connections between Blackboard Learn Web server and the client machines. It is fairly easy to see when a Web page is using TLS to secure transmissions because an "s" is appended to the HTTP at the beginning of the address.
Without TLS: http://blackboard.yourinstitution.com
With TLS: https://blackboard.yourinstitution.com
It is important to understand that if TLS is used to secure the Web page in this example then the first URL (without TLS) is invalid and will return a 404 error.
With the release of Blackboard Learn, Release 9.1 Service Pack 10, TLS Choice (formerly known as SSL Choice) is deprecated. It was removed in the SP12 release.
To meet industry best practices for protecting internet communications, Blackboard Learn content is deliverable only over TLS. The TLS Choice option has been completely removed from Blackboard Learn. If you are not already running Blackboard Learn over TLS, you must now configure Blackboard Learn with TLS.
TLS offloading relieves the Blackboard Learn application of the processing burden of encrypting and decrypting traffic sent via TLS. Offloading TLS is accomplished by connecting the TLS terminating system to the Learn application 8081 port and passing the required X-FORWARDED-FOR and X-FORWARDED-PROTO HTTPS header elements. For more information on TLS configuration, see the Post Install and Upgrade Tasks Optional - TLS Configuration, Optional - Front Learn with a Webserver, or Optional - Set Up Load Balancing for Multiple Application Servers.
We recommend using only high strength ciphers. Please follow the Apache Tomcat SSL/TLS Configuration How-To guide to configure high strength ciphers. Blackboard Learn 9.1 release October 2014 and later ships with high strength ciphers configured via the bb-config.properties item:
Support for HTTP Strict Transport Security (HSTS)
This feature is available in Blackboard Learn 9.1 Q4 2016 and later.
HTTP Strict Transport Security (HSTS) is an optional security feature that is sent in HTTP response headers that tells browsers to connect to the current site over TLS only for a set amount of time. It prevents downgrade attacks, cookie hijacking, and other types of attacks that rely on an insecure connection.
HSTS is disabled by default. To enable HSTS, open bb-config.properties and locate the following piece of code:
## HTTP Strict Transport Security ##
Change false to true, save the file, and run PushConfigUpdates.