4 Replies Latest reply on Oct 24, 2017 6:50 AM by duzunov

    Can't launch LTI tool in an iframe due to security settings

    duzunov

      Hello,

      I'm working on an LTI tool integration with Blackboard. When I create a placement for the tool, the following popup shows:

       

      Screen Shot 2017-10-10 at 12.31.12 PM.png

       

      And when I open the tool link, the tool always launches in a new window.

      The tool runs on https and doesn't send X-Frame-Options or Content-Security-Policy response headers. I'm using the Developer Virtual Machine for running Blackboard. I'm running Blackboard over http. I also tried running it over https (using the 9877 port) but the above warning still pops up. When I'm running it over https the browser still considers the connection as "Not Secure":

       

      Screen Shot 2017-10-12 at 7.32.21 PM.png

       

      What should I do to make the tool link launch the tool in an iframe?

        • Re: Can't launch LTI tool in an iframe due to security settings
          de0043450

          Hi Dimitar!

          I'm not really a https guru, but it'd certainly help if we knew the exact error that your browser is giving. These are usually in all caps, and would look something like SSL_ERROR_RX_MALFORMED_ALERT. Usually you can find these by clicking "more information" or "Advanced" on the page with the error. Alternatively, use the dev tools to find the error.

           

          That being said, my guess is that since you're running on localhost, that probably indicates you running a self-signed certificate. Has that been properly added to your browser's certificate store?

          2 of 2 people found this helpful
            • Re: Can't launch LTI tool in an iframe due to security settings
              duzunov

              Hi David,

              Thank you for your response!

              I'm running Blackboard on localhost using Chrome. Chrome uses the System Keychain (on Mac) for storing certificates. I've added the certificate to my keychain.

              Here is the error that Chrome shows in the Security tab of developer tools:

              Screen Shot 2017-10-16 at 3.31.38 PM.png

              This is the certificate:

              Screen Shot 2017-10-20 at 1.45.17 PM.png

              1 of 1 people found this helpful
                • Re: Can't launch LTI tool in an iframe due to security settings
                  de0043450

                  We're rapidly heading into areas of TLS I simply don't know enough about, but I've got two guesses:

                  1. I'm not sure if you're using the Subject Alternative Name extension, which is required by chrome and firefox. Chrome will throw the error you are getting if it is missing.
                  2. Your cert mentions SHA-1, which is depreciated. I think it should just use the SHA-256 and ignore SHA-1, though.

                  If neither of those work, I'd like to ask is this the cert for your LTI application, or the cert you're using for the Blackboard developer VM?

                   

                  Cheers,

                  David.

                    • Re: Can't launch LTI tool in an iframe due to security settings
                      duzunov

                      Hi David,

                      This is the certificate for the Blackboard developer VM. It comes with the VM. I tried to create a new certificate which includes Subject Alternative Name extension but the Tomcat server didn't accept it. Here are the errors reported in the Tomcat logs:

                       

                      INFO   | jvm 1| 2017/10/23 10:10:43 | SEVERE: Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-8443"]
                      INFO   | jvm 1| 2017/10/23 10:10:43 | java.lang.IllegalArgumentException: java.security.UnrecoverableKeyException: Cannot recover key
                      INFO   | jvm 1| 2017/10/23 10:10:43 | Caused by: java.security.UnrecoverableKeyException: Cannot recover key

                       

                      Is there a guide for generating a self-signed certificate for the Blackboard VM?

                       

                      Best regards,

                      Dimitar