Authentication and SSL

Overview
Version 2.1 introduces two types of security of the Remote interface.
 * SSL will allow all communications to run in a secure manner
 * Authentication which will require a userid and password for access to the components which can change a service.

SSL
To make the Remote access run in a secure manner ssl certificates need to be provided to OpenLP. This is completely optional. On Linux you will need the "openssl" package installed. On Mac OS X openssl should be installed by default. On Windows you will need to download OpenSSL for Windows.

First create a configuration file for OpenSSL named :

[ req ] default_bits = 1024 # Size of keys default_keyfile = key.pem # name of generated keys default_md = des3 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name [ req_distinguished_name ] 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) emailAddress = Email Address emailAddress_max = 40 localityName = Locality Name (city, district) stateOrProvinceName = State or Province Name (full name) countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 commonName = Common Name (hostname, IP, or your name) commonName_max = 64 countryName_default = -- stateOrProvinceName_default = None localityName_default = Everywhere 0.organizationName_default = OpenLP organizationalUnitName_default = Remote commonName_default = 0.0.0.0 emailAddress_default = openlp@localhost
 * 1) -openssl.cnf
 * 1) Variable name   Prompt string
 * 1) ---Edit this section--

Then generate your keys and certificate:

echo openlp | openssl genrsa -passout stdin -des3 -out openlp.key 1024 cp openlp.key openlp.key.bak echo openlp | openssl rsa -passin stdin -in openlp.key.bak -out openlp.key openssl req -new -key openlp.key -out openlp.csr -config openlp.cnf -batch openssl x509 -req -days 365 -in openlp.csr -signkey openlp.key -out openlp.crt

The crt and key files need to then be placed in {data}/remotes directory.

Authentication
It is now possible to set a userid and password to lock access to the updates parts of OpenLP remote. The stageview url http://url:4316/stage is not secure as it is read only.

The main url http://url:4316/ is can be made secure. In the remote setting tab tick the authentication option and set the userid and password.