Foundry Portal now available with Secure HTTP

[rarified]

I've created a self-signed certificate and opened SSL access to all portal services, with the base URL changed to https://foundry.OpenUru.org. If you use this portal, your username and passwords will no longer be sent in the clear.

All of the tools, including the Repositories and Atlassian tools can be accessed with HTTPS.

_R

[JWPlatt]

Yet more progress over at the Foundry.

Thanks!

[Mac_Fife]

We're going to need a note to tell people how to install the certificate on various browsers

Elsewise we'll get people screaming that their browser threw up a big red box saying "it isn't trusted" !

[JWPlatt]

A way to download the certificate would be handy, with instructions on how to install it.

Also, rarified, I set JIRA to use the new OpenUru.org Foundry icon a while back. Now browsers are getting a warning from it because I used a link to our site styles folder, and no other OU resource is using https. Could you copy the icon onto the Foundry server to load the icon internally? (Also reported under issue OUORG-5).

[Mac_Fife]

Obviously the certificate and instructions would need to be available from the main site using "vanilla HTTP", to avoid a chicken and egg scenario. I guess we'd need instructions for the main browsers (I think Nalates' post in the Site Integration thread gives us the "big five" here), plus current TortoiseHg and TortoiseSVN repo clients.

[rarified]

As mentioned in JIRA OUORG-6 (I think), I've put a copy of the Foundry's CA Cert at http://foundry.OpenUru.org/assets/Foundry/foundry.crt. I'd put the contents of that file (it's not big, 1773 bytes of text) on the Wiki somewhere. It should have the server configured to specify it's Content-Type as application/x-x509-ca-cert.

I've verified that in Opera V11 (Win 7), Firefox 3.6 (Solaris and Win7), and IE 8, that simply clicking on a link to that file will cause those browsers to bring up the dialog box to install the certificate in the trust store. Other browser/environment combinations I'll leave to volunteers

_R

[JWPlatt]

FYI - There is an OpenUru.org asset subdomain for purposes similar to the Foundry asset path. It is partly used to maintain archival quality content on OpenUru.org. That's not to say it need be applied in the case of this cert, because the Foundry cert is not domain-wide, but the asset subdomain is there as a standard place for domain assets of all kinds. In fact, anything under https, as is all of Foundry, should NOT sourced from http://assets.OpenUru.org because it is strictly http. The only caveat regarding things stored in the assets subdomain is that there are htaccess rules implemented which restrict use of the assets to within the domain. Hotlinks won't work.

[Mac_Fife]

If the Foundry hosted certificate can be pulled and installed by a browser without triggering all sorts of panic inducing red flashing lights and sirens in the browser then that would seem ideal, since it leaves the certificate under rarified's control, should it need to be amended. The default behaviour (in IE at least) when it encounters an "untrusted" certificate in the course of browsing and how you then get it to accept the certificate is off-putting to say the least, so if it's a simple "Click here and then follow the browser's instructions before visiting the Foundry" then that makes documenting the process a lot simpler . If avoiding warnings means we need to move the certifcate download to somewhere else then so be it; just need to decide where is the appropriate place to put it. Or create an httpd rewrite cond to exclude this file from the HTTPS rewrite.

Rarified also wrote up a set of instructions for me, so I just need to migrate that onto the wiki page I've started: http://wiki.openuru.org/index.php?title ... stallation - just a "sketch" for now.

[VonGrippen]

I just wanted to drop a note here about the SSL certificates:
Have you guys taken a look at StartSSL? You can get single domain signed SSL certificates from them for free. Their CA is present in all of the major browsers and platforms already. (The unfortunate part is that the certificates are technically in the personal name of the account holder.)

Thought I might mention them, since I've noticed one or two people are a little bit confused about the whole certificate issue.

[rarified]

Thanks for the pointer. I had not looked at StartSSL before.

I think at this point I consider keeping what we have in place a higher priority than replacing the certificate which will impact everyone who already has accepted the self signed certificate.

But if you do find a large episode of confusion going on, please send them over here to post questions and we'll work with them to make things work for them. And it sounds like you're familiar enough with certificate concepts that I hope you'll help with the explanations!

_R