Secure Sockets Layer (SSL) is a protocol for protecting Internet communications. SSL ensures that a communication is not read or changed by another entity. Blackboard Learn uses SSL to secure communications between the Web server and the client machine. Without SSL enabled, there is no encryption provided for passwords or session cookies. Encryption protects passwords and session cookies from being captured and used maliciously.
SSL may also be used to secure the connection between Blackboard Learn and a separate server for authentication (such as an Active Directory server). If SSL will be used both for connecting to an authentication server and for client sessions, SSL for the authentication server must be configured first. To learn more about configuring SSL to secure the connection to an integrated authentication server, see About the Authentication Framework.
Blackboard Learn 9.1 Service Pack 8 and later support SSL Offloading. See SSL Offloading.
How Does SSL Work?
SSL works through public key encryption. Transmissions are decrypted and encrypted using certificates. The steps below outline the process for establishing a connection over SSL:
- Client contacts the server with a list of encryption methods.
- The server returns its certificate and a public key. These initial communications are scrambled with random data.
- Client validates the certificate.
- Client creates a secret string using an encryption method recognized by both the client and the server. The string is combined with the server's public key and sent back to the server.
- Both the client and server create session keys based on the secret string.
- The client sends a message to the server that it will now use the session key to encrypt and decrypt communications.
- The server responds that it will also use the session key.
- After each side confirms, the session keys are used to encrypt and decrypt communications during the session.
The simplest way to obtain a certificate for use with a Web site is through a vendor known as a Certifying Authority (CA). The process, shown in the steps below, is relatively simple.
- Generate a certificate request.
- Send the request to a CA.
- The CA creates and registers a certificate.
- Make this certificate available to the Web Server (IIS or Apache).
Certificates created in this way are usually registered and good for one year. After one year the certificate will no longer work and a new certificate must be obtained.
To remain secure, Blackboard recommends certificates with RSA key sizes of at least 2048 bits. According to Table 4 (recommended algorithms and minimum key sizes) of the National Institute of Standards and Technology (NIST) guidelines for Key Management (SP 800-57), certificates with RSA key sizes at or under 1024 bits are no longer considered secure, and a minimum of 2048 bits is considered secure through 2030.
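The certificate request step and the key-size and expiry checks described above, as shell commands using the openssl command-line tool. This is an added example, not taken from Blackboard's documentation; the file names, the 30-day expiry margin, and the self-signing step that stands in for the CA are assumptions, and the host name is the page's sample URL.

```shell
#!/bin/sh
# Added example: file names and thresholds are illustrative assumptions.

# Generate a 2048-bit RSA key and a certificate request for host $2 in dir $1.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" \
        -subj "/CN=$2" 2>/dev/null
    chmod 600 "$1/server.key"   # only the request is sent to the CA, never the key
}

# Stand-in for the CA: self-sign the request for 365 days so the checks
# below have a certificate to inspect. A real CA returns this file.
self_sign() {
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 365 -out "$1/server.crt" 2>/dev/null
}

# Print the public key size, in bits, of certificate $1.
rsa_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed only if certificate $1 has at least $2 key bits
# and remains valid for at least $3 more days.
cert_ok() {
    bits=$(rsa_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$2" ] || return 1
    openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_csr "$dir" blackboard.yourinstitution.com && self_sign "$dir" || return 1
    echo "key size: $(rsa_bits "$dir/server.crt") bits"
    cert_ok "$dir/server.crt" 2048 30 && echo "OK: >=2048 bits, valid for 30+ days"
    rm -rf "$dir"
}
demo
```

Running `cert_ok` against the installed certificate on a schedule gives advance notice before the one-year validity period ends.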
If using a self-signed certificate, the certificate must be added to the list of allowed certificates on the client machine. If this is not done, the multi-upload feature will fail, as will a few other features that use SSL.
How Does SSL Appear to Users?
SSL works with the Hypertext Transfer Protocol (HTTP) to secure connections between the Blackboard Learn Web server and the client machines. It is fairly easy to see when a Web page is using SSL to secure transmissions because an “s” is appended to the http at the beginning of the address.
Without SSL: http://blackboard.yourinstitution.com
With SSL: https://blackboard.yourinstitution.com
It is important to understand that if SSL is used to secure the Web page in this example then the first URL (without SSL) is invalid and will return a 404 error.
To meet industry best practices for protecting internet communications, Blackboard recommends enabling SSL system wide instead of in select places. To that end, SSL Choice is deprecated in SP 10. The SSL Choice option will be removed completely from an upcoming release of Blackboard Learn. If you are not already running Blackboard Learn over SSL, start planning to do so with the SP 10 release.
SSL Choice allows an institution to decide if all, none, or some of Blackboard Learn is secured with SSL. If SSL is to be used, it is most effective when applied to the entire web site and not just selected areas.
If you set SSL Choice to use SSL before you configure SSL on the web server, Blackboard Learn will not be accessible. To ensure that users can always log in, configure the web server for SSL prior to changing the SSL Choice security options.
SSL offloading relieves a web server of the processing burden of encrypting and decrypting traffic sent via SSL. If you have a system on your network that handles SSL offloading, you may configure Learn to make use of it by editing the bb-config.properties tag:
Set to 'true' if using SSL Offloading.
Further information on setting up SSL Offloading is contained in the Load Balancing documentation pertinent to your environment.
Note: Ensure that Learn's HTTP port cannot be accessed directly from outside the firewall.