LTI Config

Nick Baccala

Sep 6, 2016, 12:31:21 PM
to BigBlueButton-Setup
bigbluebuttonSalt=xxxxxxxxxxxxxxxxxxxxxxxxx

# LTI basic information
#----------------------------------------------------
# This URL is where the LTI plugin is accessible. It can be a different server than the BigBluebutton one
# Only the hostname or IP address is required, plus the port number in case it is other than port 80
# e.g. localhost or localhost:port
ltiEndPoint=bigblue.domain.tld
# The list of consumers allowed to access this lti service.
# Format: {consumerId1:sharedSecret1,consumerId2:sharedSecret2,consumerIdN:sharedSecretN}
##ltiConsumers=bbb:bbb_salt
ltiConsumers=bbb:welcome


I have looked through the documentation about LTI here:

and am confused about this bbb:welcome line. 

For 1. It seems far more secure in the example at the link provided above. On top of that I feel like I can just change it to anything I want in this prop file, restart and be good. 

I also see the comment line above it:

##ltiConsumers=bbb:bbb_salt

so should this be the same as the bigbluebuttonSalt= line?

Also, if we have SSL on, should this ltiEndPoint = https link? Or :443?

Please assist when you can as we are getting some errors in the lti log and we are unsure if it's an API issue or an LTI config issue.

Thanks,

Nick

Nick Baccala

Sep 6, 2016, 12:49:35 PM
to BigBlueButton-Setup
As far as I can tell, this is the error message I need to be focused on from the /var/log/bbb/lti log:

[02.09.16 09:15:35.873] DEBUG grails.app.controllers.org.bigbluebutton.ToolController  - Calculated: 7kFlWr61KDXMPQRGiHCPw7ymZhg= Received: Nvs6Ly1RjCPWBGecxr0PjFYmiQw=
[02.09.16 09:15:35.873] DEBUG grails.app.controllers.org.bigbluebutton.ToolController  - The message has NOT a valid signature.
[02.09.16 09:15:35.874] DEBUG grails.app.controllers.org.bigbluebutton.ToolController  - Error [resultMessageKey:'InvalidSignature', resultMessage:'Invalid signature (Nvs6Ly1RjCPWBGecxr0PjFYmiQw=).']


This is what my test end user sees from Blackboard:

Nick Baccala

Sep 7, 2016, 3:13:07 PM
to BigBlueButton-Setup
This clearly signifies some mismatch between the Blackboard config and the BBB server I stood up, so I went back to the standard config of bbb:welcome and am still getting these errors. Again, the demo worked fine, but LTI is going to be the main entry point and I do need some assistance with trying to understand why the basic setup simply does not work.

Regards,

Nick Baccala

Sep 7, 2016, 3:35:52 PM
to BigBlueButton-Setup
It works when I change the LMS placement to go over http instead of https but that is not acceptable 

Also seeing this when looking at the connection:

Mixed Content: The page at 'https://bbwebtest.domain.tld/webapps/blackboard/content/contentWrapper.js…Fblti_placement_id%3D_13_1%26content_id%3D_600421_1%26course_id%3D_29858_1' was loaded over HTTPS, but requested an insecure form action 'http://bigblue.domain.tld/lti/tool'. This request has been blocked; the content must be served over HTTPS.

I can force Chrome or FF to then load the insecure script and then the BBB loads, but this won't be acceptable to put into production:

1. HTTPS is a necessity 
2. We cannot ask Stu/Fac/Staff to step through this rigmarole in order to utilize the bbb tool. 

I am not quite sure why we get the "Connection could not be established" splash page when we point the placement to https://bigblue.domain.tld/lti/tool and can "technically" load it over http (with extra end-user steps to allow insecure scripts).

The same wildcard cert that is installed in our LMS is installed on our BBB site, so this is not a self-signed cert issue or anything. When you navigate to https://bigblue.domain.tld you get the proper cert and there are no https warnings or errors.

This is odd to me.

Regards,

Nick

Fred Dixon

Sep 7, 2016, 5:46:22 PM
to bigbluebu...@googlegroups.com
Hi Nick,

Thanks for your detailed reports!

We are able to reproduce the issue -- there is something not working correctly with HTTPS vs HTTP.   

We're going to need to take a closer look at this.  Opened an issue to track the progress:



Regards,.. Fred
  

--
You received this message because you are subscribed to the Google Groups "BigBlueButton-Setup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-setup+unsub...@googlegroups.com.
To post to this group, send email to bigbluebutton-setup@googlegroups.com.
Visit this group at https://groups.google.com/group/bigbluebutton-setup.
For more options, visit https://groups.google.com/d/optout.



--
BigBlueButton Developer
@bigbluebutton

Nick Baccala

Sep 7, 2016, 7:11:54 PM
to BigBlueButton-Setup
Thanks for the update Fred.

One quick thing:

Looks like you linked to the group http instead of the issue tracker. Please update when you have a sec. No rush

Fred Dixon

Sep 7, 2016, 7:26:35 PM
to bigbluebu...@googlegroups.com
Hi Nick,

Right -- here's the newly created issue:



Regards,... Fred

--
BigBlueButton Developer
@bigbluebutton

Jesus Federico

Sep 13, 2016, 11:00:47 AM
to BigBlueButton-Setup
Hi guys,

Sorry for the delay. But you know what, it turned out to be easier than I thought. It is not a bug in bbb-lti but a config parameter in the tomcat connector.

Turns out that because this is a request served through a proxy, even though Nginx is sending the scheme to Tomcat 

proxy_set_header   X-Forwarded-Proto $http_x_forwarded_proto;

Tomcat is not passing it to the application, so the HttpServletRequest.isSecure() validation (added in December 2014 for supporting https) always returns false.


So, the fix is as simple as adding a secure="true" to the tomcat connector in server.xml.


    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" secure="true" />


See:


LTI requests with HTTPS are working now on test-install.

Cheers,

Jesus Federico

--
BigBlueButton Developer
@bigbluebutton
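
Why the scheme matters to the signature check, as an added example (not bbb-lti's code and not part of the posts above): an LTI 1.x launch is signed with OAuth 1.0 HMAC-SHA1 and the signed base string includes the request URL, so a tool that rebuilds that URL as http computes a different value from the one the LMS sent. The launch parameters are constructed, and `tool_accepts`, which rebuilds the URL from isSecure(), is an assumed model of the tool's behaviour.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def pct(value):
    """Percent-encode per RFC 5849 section 3.6 (only unreserved chars stay)."""
    return quote(str(value), safe="-._~")

def base_string_uri(url):
    """Scheme and host lowercased, default port dropped, query removed."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"

def sign(method, url, params, consumer_secret):
    """HMAC-SHA1 signature over method, URL and sorted launch parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])
    key = pct(consumer_secret) + "&"  # an LTI launch has no token secret
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def tool_accepts(received, params, secret, is_secure, host="bigblue.domain.tld"):
    """Assumed tool behaviour: rebuild the launch URL from isSecure()."""
    scheme = "https" if is_secure else "http"
    calculated = sign("POST", f"{scheme}://{host}/lti/tool", params, secret)
    return hmac.compare_digest(calculated, received)

# Constructed launch parameters (not taken from the thread's logs).
LAUNCH = {
    "lti_message_type": "basic-lti-launch-request",
    "lti_version": "LTI-1p0",
    "resource_link_id": "constructed-link-1",
    "oauth_consumer_key": "bbb",
    "oauth_nonce": "constructed-nonce",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1473177081",
    "oauth_version": "1.0",
}
# The LMS signs the URL it posts to: the https placement.
SENT = sign("POST", "https://bigblue.domain.tld/lti/tool", LAUNCH, "welcome")
```

With the consumer key, shared secret and parameters all identical, `tool_accepts(SENT, LAUNCH, "welcome", False)` is false and the same call with `True` is true, which is the "Calculated" versus "Received" mismatch pattern in the lti log.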

Nick Baccala

Sep 13, 2016, 11:40:53 AM
to BigBlueButton-Setup
This change plus a change in the lti props file (tacking on :443 to the ltiEndPoint) seems to resolve it for our environment as well.

Thanks for the help.

Jesus Federico

Sep 13, 2016, 2:01:11 PM
to BigBlueButton-Setup
I am glad it worked for you.
Although the cleanest solution would be:

1. Fix the nginx configuration so the X-Forwarded-Proto is really sent to tomcat

proxy_set_header   X-Forwarded-Proto $scheme;

2. Add a valve to server.xml

 <Valve className="org.apache.catalina.valves.RemoteIpValve"
               remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />

You can read my comments here:


Regards,

JF

Nick Baccala

Sep 13, 2016, 2:22:00 PM
to BigBlueButton-Setup
I did step 2 and I am back to the "Connection could not be established" splash page. 

I am assuming I need to do something with your step 1:

1. Fix the nginx configuration so the X-Forwarded-Proto is really sent to tomcat
proxy_set_header   X-Forwarded-Proto $scheme;

But as to what and where, I am not clear. Assuming nginx.conf, but I am not as familiar with nginx as other webservers.

I will revert to the fix that "worked" for now unless I hear back with more instruction.

Thanks for your time.