Authentication and SSL

Overview

Version 2.1 introduces two types of security for the Remote interface.

  • SSL, which allows all communications to run in a secure manner.
  • Authentication, which requires a userid and password for access to the components that can change a service.

SSL

Note: SSL has been removed from OpenLP 2.8

To make Remote access run in a secure manner, SSL certificates need to be provided to OpenLP. This is completely optional. On Linux you will need the "openssl" package installed. On Mac OS X, OpenSSL should be installed by default. On Windows you will need to download OpenSSL for Windows.

First create a configuration file for OpenSSL named openlp.cnf:

#-------------openlp.cnf----------------
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm (des3 is a cipher, not a digest)
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
# Variable name   Prompt string
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

#-------------------Edit this section------------------------------
countryName_default = --
stateOrProvinceName_default = None
localityName_default = Everywhere
0.organizationName_default = OpenLP
organizationalUnitName_default = Remote
commonName_default = 0.0.0.0
emailAddress_default = openlp@localhost

Then generate your keys and certificate:

echo openlp | openssl genrsa -passout stdin -des3 -out openlp.key 1024
cp openlp.key openlp.key.bak
echo openlp | openssl rsa -passin stdin -in openlp.key.bak -out openlp.key
openssl req -new -key openlp.key -out openlp.csr -config openlp.cnf -batch
openssl x509 -req -days 365 -in openlp.csr -signkey openlp.key -out openlp.crt

The .crt and .key files then need to be placed in the {data}/remotes directory.
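
The following check is an added example, not part of the original page or of OpenLP: it parses an openlp.cnf and the genrsa command line, then reports a default_md that is not a message digest and RSA key sizes under 2048 bits. The sample input is constructed, the 2048-bit minimum and the function names are assumptions, and Python's hashlib name list stands in for OpenSSL's digest names.

```python
import hashlib
import re

# Constructed sample input (not read from a real installation).
SAMPLE_CNF = """\
[ req ]
default_bits = 1024 # Size of keys
default_md = des3 # message digest algorithm
[ req_distinguished_name ]
commonName_default = 0.0.0.0
"""
SAMPLE_CMD = "openssl genrsa -passout stdin -des3 -out openlp.key 1024"

MIN_RSA_BITS = 2048                    # assumption: minimum accepted by this check
WEAK_DIGESTS = {"md4", "md5", "sha1"}  # real digests, but no longer collision-resistant

def parse_cnf(text):
    """Parse OpenSSL-style 'key = value # comment' lines into {section: {key: value}}."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def trailing_int(text):
    """Return the trailing numeric token (genrsa's key size argument), or None."""
    tokens = text.split()
    return int(tokens[-1]) if tokens and tokens[-1].isdigit() else None

def audit(cnf_text, genrsa_cmd):
    """Return findings for the [ req ] section and the genrsa command."""
    req = parse_cnf(cnf_text).get("req", {})
    findings = []
    md = req.get("default_md", "").lower()
    if md and md not in hashlib.algorithms_available:
        findings.append(f"default_md={md}: not a message digest")
    elif md in WEAK_DIGESTS:
        findings.append(f"default_md={md}: weak digest")
    # 'openssl req -new -key FILE' reuses an existing key, so the size given to
    # genrsa is the one that ends up in the certificate; default_bits is unused then.
    for source, text in (("genrsa", genrsa_cmd), ("default_bits", req.get("default_bits", ""))):
        bits = trailing_int(text)
        if bits is not None and bits < MIN_RSA_BITS:
            findings.append(f"{source}={bits}: RSA key below {MIN_RSA_BITS} bits")
    return findings
```

Calling audit(SAMPLE_CNF, SAMPLE_CMD) returns one finding per problem; an empty list means both checks passed.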

Authentication

It is now possible to set a userid and password to restrict access to the parts of the OpenLP remote that can make updates.

The stage view URL http://url:4316/stage is not secured, as it is read-only.

The main URL http://url:4316/ can be made secure. In the Remote settings tab, tick the authentication option and set the userid and password.