Heartbleed and Valence

Last week, a flaw was announced (“the Heartbleed bug”) in the widely-used cryptographic software library called OpenSSL. Details about the bug and its impact are available at heartbleed.com.

Although this issue is not specific to Desire2Learn software, D2L clients are being kept up-to-date on the progress of the investigation into the bug’s impact on Desire2Learn systems and products. These updates have appeared via direct communications and the support portal. Most Desire2Learn systems have not been affected in any way, but due diligence is being conducted to ensure that the impact of this widespread incident has been thoroughly evaluated and any affected offerings are secured.

What does Heartbleed mean to the Valence Developer Community?

The Heartbleed Bug affects the security of websites—including web-based apps—that implement the impacted version of OpenSSL. This bug does not impact any of the Valence Learning Framework APIs or the libraries and code samples offered in the Valence Developer Community. However, if you host an application (or a third-party integration) that was built using the Valence Learning Framework APIs or LTI on a server impacted by the Heartbleed bug, your application’s data—including its App ID/Key pair—could be exposed.

It is essential to audit the infrastructure hosting any Valence or LTI applications to verify whether or not it is affected by the Heartbleed bug and take action to remove the vulnerability and mitigate its impact. Mitigation strategies could include re-issuing SSL certificates or enforcing password changes for users.
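One way to triage collected `openssl version -a` output during such an audit, as an added example that is not part of the original post. Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug and 1.0.1g fixes it, but distribution packages often keep the old version string after patching, so a build dated on or after disclosure is flagged for manual review rather than cleared. The host names and output samples are constructed.

```python
import re
from datetime import date

# Date Heartbleed was disclosed and OpenSSL 1.0.1g (the fix) was released.
DISCLOSED = date(2014, 4, 7)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# First line of `openssl version -a`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_RE = re.compile(
    r"^OpenSSL (\d+\.\d+\.\d+)([a-z]{0,2})(?:-(\S+))?\s", re.M)
# e.g. "built on: Mon Apr  7 20:33:29 UTC 2014"
BUILT_RE = re.compile(
    r"^built on:\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+\w+\s+(\d{4})", re.M)


def affected_release(base, letter, tag):
    """True for upstream releases that shipped the flawed heartbeat code."""
    if base == "1.0.1":
        return letter < "g"            # 1.0.1 through 1.0.1f
    if base == "1.0.2":
        return tag in ("beta", "beta1")
    return False                       # e.g. the 0.9.8 and 1.0.0 branches


def build_date(text):
    """Parse the 'built on' line; None when absent or in another format."""
    m = BUILT_RE.search(text)
    if not m or m.group(1) not in MONTHS:
        return None
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))


def triage(version_output):
    """Classify one host's `openssl version -a` output."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unparsed"
    if not affected_release(*m.groups()):
        return "not_affected"
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "heartbeats_disabled"   # extension compiled out of this build
    built = build_date(version_output)
    if built and built >= DISCLOSED:
        # Old version string, recent build: possibly a vendor backport.
        # Confirm against the package changelog before clearing the host.
        return "needs_review"
    return "likely_vulnerable"


def rotation_candidates(inventory):
    """Hosts whose App ID/Key pair should be considered for replacement."""
    flagged = {"likely_vulnerable", "needs_review"}
    return sorted(h for h, out in inventory.items() if triage(out) in flagged)


# Constructed sample inventory: host name -> collected command output.
INVENTORY = {
    "lti-app-01.example": (
        "OpenSSL 1.0.1e 11 Feb 2013\n"
        "built on: Mon Feb 11 16:20:00 UTC 2013\n"
        "compiler: gcc -fPIC -DOPENSSL_PIC -O2\n"),
    "lti-app-02.example": (
        "OpenSSL 1.0.1e-fips 11 Feb 2013\n"
        "built on: Tue Apr  8 02:39:29 UTC 2014\n"
        "compiler: gcc -fPIC -DOPENSSL_PIC -O2\n"),
    "valence-web-01.example": (
        "OpenSSL 1.0.1g 7 Apr 2014\n"
        "built on: Mon Apr  7 20:33:29 UTC 2014\n"),
    "legacy-01.example": (
        "OpenSSL 0.9.8y 5 Feb 2013\n"
        "built on: Wed Feb  6 10:00:00 UTC 2013\n"),
    "build-01.example": (
        "OpenSSL 1.0.1c 10 May 2012\n"
        "built on: Thu May 10 12:00:00 UTC 2012\n"
        "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2\n"),
}

if __name__ == "__main__":
    for host, output in sorted(INVENTORY.items()):
        print(f"{host:26} {triage(output)}")
    print("review for key replacement:", rotation_candidates(INVENTORY))
```

The check covers only the `openssl` binary whose output was collected; applications that bundle or statically link their own OpenSSL, and hosts that ran an affected build before being upgraded, have to be assessed separately.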

My systems are impacted and I want to replace my API Keys. How do I do that?

If you choose to replace API Keys for apps hosted on affected infrastructure, you can do so by following these steps:

  1. Follow the Key Request Process to submit an app registration request.
    Note: Be sure to review the two-part blog series on App Registration FAQs and Best Practices before submitting a new app registration request to ensure the newly registered app aligns with those guidelines.
  2. Once the request is approved, update the deployed versions of your app with the new App ID/Key pair.
  3. Once the new App ID/Key pair is in place, deactivate the old App ID/Key pairs in one of the following ways:
    1. Log in to Keytool with the account used to register the original app. Click the View Registered Applications link. Locate the affected app record and click Delete.
      Warning: Once deleted, an app record cannot be restored. Be careful to choose only the app records that you truly want to delete.
    2. If you don’t have access to the original Keytool account, email the App Name and App ID (not the App Key; that value should be kept secure at all times) to the Valence Support email address indicating that you would like the App ID/Key pair to be deactivated. The typical app registration approval process will be followed, including contacting the site administrator to ensure that this registered app should be deactivated.

Everything you wish you knew about Keytool and app registration – Part Two: Best Practices

In Part One of this series, we covered the frequently asked questions and common issues that crop up in the app registration process. Now that you have a strong handle on app registration, it’s time to put that learning into action.

One way to ensure that everyone in your organization stays on the same page with the app registration process is to record your internal best practices. Some of the items to identify in that policy are outlined below.

Create consistent conventions for app metadata

  • Do you want to include the campus or department name in the name of each App? Should the requester include a link to the help docs for your app in the Description field? What are your app versioning conventions? Hammer out these details ahead of time so that you don’t have to reinvent the wheel each time you register a new app.

Identify Key Requesters

  • Do you want to use a team account for Keytool? Should each developer have their own account? Who should request keys for any department interns or contractors? If you’ve already got some rogue Keytool accounts that don’t match this policy, now’s a good time to decide how you want to deal with any pre-existing keys so you can retire those old accounts.
  • What needs to happen if someone leaves the department or organization? If you’re using a team account, you simply need to change the password. If one of your key-holding team members leaves, you’ll need to recreate their keys under a new account. Figuring out the overhead involved in the transition process may make you reconsider your policy on Keytool accounts.

Identify Key Approvers

  • Who’s responsible for approvals in your organization? How do you get in touch to expedite an app request? When D2L processes an app registration request, the Account Manager typically reaches out to the site administrator for approval. Contact your Account Manager to confirm who will be contacted for app registration approvals.
  • Make sure the person responsible for those approvals is familiar with your internal best practices and the list of Keytool accounts that the requests will be coming from.

Make requests early

  • At what phase of a project will you make your app registration request? During design, as you’re building, or not until you’re ready to implement the app? Will you request Dev and Prod keys at the same time, or should your app pass QA tests before requesting the Prod key? Requesting a key at the last minute can lead to delays, so figure out a policy that gives you ample buffer time.

Keep app records secure

  • Once your app registration is approved, do you need to store your App ID and App Key values outside of Keytool? If you’re using a single team Keytool account, this shouldn’t be necessary. But if each Developer uses their own account, you may need to store the values in a central spot for business continuity purposes. Be sure to treat the App Key value with the same security that you’d treat a Root User account for an important IT system.
  • In the unlikely event that your App Key gets leaked, what steps will you follow to revoke and replace that key? Will you immediately disable the registered app in the Manage Extensibility screen? Will you delete the app record in your Keytool account? If you don’t have access to the Keytool account, who will be responsible for contacting your D2L Account Manager to provide the App ID value to request that it gets disabled in the Keytool?

Does your institution have a policy around best practices for app registration? Is there anything you might add now that you’ve reviewed this blog series? Leave a comment or share your story in the ValenceUsers forum.


Everything you wish you knew about Keytool and app registration – Part One: FAQs

When you get started with Valence, one of the first tasks you have to accomplish is to register your application so that you can receive an App ID/Key pair. These values are critical for the IDKey Authentication process that connects an application built with Valence to the D2L environment. As we described in a previous post, the app registration process is primarily managed through the Keytool. There’s an updated version of the Key request walkthrough topic to help you familiarize yourself with the Keytool.

In this post, we’ll address the common questions that arise during app registration process. In Part Two, we’ll share some best practices for managing app registrations within your institution.

The Basics

Before you dive in to the app registration process, there is one critical fact to understand: Once you submit an app registration request, you cannot change any data associated with the resulting app record. This includes changing the account associated with the app record, the name of the app, or the App ID or Key values. This restriction is made by design, so that approved app records can’t be updated for an unapproved use. Therefore, you must make a new app registration request in order to receive a new App ID/Key pair for the updated values.

Keytool Accounts

You sign up for Keytool using the Google Accounts service, which allows you to associate an existing email address or create a Gmail account. Choose wisely. On the front page of the Keytool, we advise that you should use an institutional email address when signing up for a Google Account. The address functions as your user name for Keytool, the contact point for all request notifications, and the identifying information for your app registration request. There are a few benefits to using an institutional email address, especially one that is associated with a department or team, rather than an individual:

  • All communications related to your app records are sent to the email address associated with your Keytool account, including notification of why an app request is rejected. Using an institutional email address means that you don’t have an extra, non-standard account to poll for those notifications.
  • An institutional address makes it easier to identify the requester when the app request is being considered for approval. The address devteam@yourorg.com is easier to associate with a valid request than NeoFromTheMatrix@gmail.com might be.
  • A team address reduces overhead & risk in the event a Keytool account holder leaves your team or organization. If your organization uses a group account like devteam@yourorg.com and a team member leaves, you simply need to change the password for your account to remove their access and protect the security of those app records. If all the app records are associated with Sam.Smith@yourorg.com, and Sam leaves the company to join the circus, you’ll have some administrative overhead to deal with: create a new Keytool account, make all new app registration requests, replace the App ID and App Key values in your deployed apps, then revoke approval from all the app records associated with Sam’s account. To do this, you’ll have to ask Sam to delete them before leaving the team, or contact your D2L Account Manager to revoke the keys.

What can you do if you’re using a non-ideal email address for your Keytool account? There are two possible paths:

  • Use a new account for all requests going forward, and only replace existing keys as a new version of the app is released. This approach allows you to use the ideal account going forward, and distributes the overhead of requesting new keys over the longer-term.
  • Use a new account going forward, and actively replace app records from the old account by registering apps with the new account, then deleting or revoking approval from the app records managed by the non-ideal account(s). This approach involves more overhead up front, but reduces the overhead and risks of continuing to maintain app records using the non-ideal account(s).

App Registration

The #1 reason an app registration request gets denied is that the domain specified is not a valid LMSID. The second most common reason for denying a request is that a Universal registration was requested inappropriately.

  • A Limited app is registered against a specific environment, which is identified using the LMSID. To confirm the LMSID for your target environment, an administrator can look up the following config variable in the target environment: Security.Api.Sync.LmsId. Note that an LMSID may look similar to the fully-qualified domain name for the environment, but be careful not to include any extraneous text, such as https:// or a trailing slash, that doesn’t appear in the config variable mentioned above. For example, the FQDN might be https://learn.institution.com, which is different than the LMSID of learn.institution.com as far as the Keytool is concerned.
  • If your LMSID is missing or incorrect, your institution’s approved support contact can contact Desire2Learn HelpDesk to update that value.
  • A Universal app can only be registered by Desire2Learn and its Partners. What’s more, a Universal app is only approved for production-ready products, so a Limited app request is necessary for any prior development work. The App ID/Key pairs for Universal apps are distributed to all D2L environments, so they are subject to stricter approval guidelines.

App Records

When you submit an app registration request, Keytool creates an app record that consists of all the details you submitted in your request, the App ID and App Key values generated for that app, and its status. One of the following statuses could be associated with your app record:

  • Pending: The app registration request has been submitted and is awaiting approval.
  • Approved: The app record has been activated. Once activated, the App ID/Key pair is queued up to be distributed to the target environment(s). See Getting the Key to the LMS for details on that process. In environments at Desire2Learn version 10.2 and higher, keys can be manually updated from the Manage Extensibility administration screen.
  • Rejected: The app registration request was denied. Check the email address associated with your Keytool account for a notification explaining the reason for rejection.

The approval process for app registration requests can take several days, due to the communication chain required for approving requests. The approval process looks like this:

  • The email address of the requesting Keytool account is notified that the request has been received and is being processed. This notification happens within 2 business days of the request being submitted.
  • Desire2Learn identifies and contacts appropriate stakeholders to seek approval for the request. For example, the site administrator for the target environment of a Limited app request is one possible stakeholder.
  • The stakeholder provides their approval (or denial) for the request.
  • The app record is updated with the appropriate status – Approved or Rejected. If the request is rejected, notification is sent to the requester explaining the reason for rejection.

Security

When an app registration request is made, the associated App ID/Key pair must be kept secure. You should treat these values with the same level of security as the User ID and password for the root account of an important IT System. Keep the following scenarios in mind:

  • If you ever need to refer to an app record, use the App Name and App ID – but do not refer to the App Key value. The App Key isn’t useful for identification, so you’re exposing risk where it isn’t helpful to do so.
  • Do not send the App Key over un-encrypted channels. For example, don’t send an email containing a screenshot of the Keytool interface that exposes an App Key value.
  • Do not publish an App Key on an unprotected website, including intranet sites that unauthorized users have access to.

So there you have it. The questions and answers above represent the primary ways to streamline your app registration requests and ensure they’re managed appropriately and most likely to be approved.

Do you still have questions or feedback that weren’t addressed above? Leave a comment here, or join the conversation in the ValenceUsers forum.

Stay tuned for Part Two, where we talk about Best Practices to put this knowledge into action in your organization.


Keynote speakers for FUSION announced

In case you need another reason to attend FUSION, the Desire2Learn Users Conference, check out the keynote speakers that were announced today. I’ll give you a hint: these speakers are out of this world, but you don’t have to take my word for it. They have done a lot to advance education in their spheres, and I personally respect both of them, and can’t wait to hear the insights they’ll share with FUSION attendees.

If you’re planning to attend FUSION (and I hope you are!) join us on the ValenceUsers forum to tell us what you want to see in the Extensibility Lab.


ValenceUsers: What do you want to see at FUSION?

July 14th seems a long way off, but planning is ramping up for FUSION, the Desire2Learn Global Users Conference. The Extensibility Lab has been the hub for Developer activity at the conference for the past two years, and we want this year to be better than ever. Now’s our chance to hear from you – what do you want to see at FUSION, especially in the Extensibility Lab? Join us for a discussion in the ValenceUsers forum and contribute your ideas to help us make FUSION the best possible experience for Developers, Administrators and other technical roles.

Here’s what we want to know:

  • Have you visited the Extensibility Lab during a previous FUSION? What did you like about the experience? What can we improve?
  • Are there any topics that you’d like to present or attend, especially in the Extensibility Lab?
  • Are there any topics or formats that you’ve encountered at past FUSION or Ignite or other conference events that you’d like to see this year?
  • Are you planning to attend FUSION 2014 in Nashville, TN? If not, what’s preventing you from attending?

Meet the Winners of the Edge Challenge

Over the past several months, I’ve told you all about the Desire2Learn Edge Challenge 2013 – the mentoring opportunities for instructors and other professionals, head-to-head competition between participants, and the excitement as the finalists headed into the adjudication process undertaken by our panel of Judges.

Now, after months of hard work by the participants and everyone involved in running this competition, it is time to reveal the winner of the Edge Challenge!

(Drum roll please…)

Congratulations to team MySyllabiMadison – Andrew McLean and Jacob Schieber! They’re taking home the Grand Prize of $10,000 and they’ll be joining us at FUSION 2014 in Nashville, TN. (Special thanks to sponsor XMG Studio Inc. for contributing to the Grand Prize!)

Now I’ll let Drew and Jake do the talking, as they describe their solution and the road to winning the Edge Challenge.

MySyllabiMadison website screenshot

Can you introduce yourselves?

J: Jacob Schieber, a Computer Engineering major at the University of Wisconsin – Madison.

A: Andrew McLean and my major is Accounting.

What inspired you to create MySyllabiMadison?

A: During an Entrepreneurship class my freshman year we had to make a “bug list” of things that annoyed us that we could potentially turn into a business idea. One of my classmates was annoyed with how many different courses had a syllabus on paper that was hard to keep track of, and wanted to create an iPad application that allowed students to store their syllabus on the app. Together we pursued the idea for the rest of the semester.

J: Drew came to me in April of my freshman year and asked me if I could code a Java applet that could distribute course syllabus on campus. After accepting his request and finishing the initial application I didn’t even know what to say. This idea, I knew, could be put online, distributed nationally and be used by every major and minor University in America. When I saw a chance at me coding a service that could help thousands of students I had no choice but to accept the challenge and become MySyllabiMadison’s director of development.

Can you describe the process you followed to develop your idea into this successful application?

A: We started originally with a simple Java applet that had a few basic features. Then Jake had the epiphany/realization to switch over to a website that performed similar features.

J: After being approached by Drew and finishing the initial Java Application, which let users upload their syllabus to the program and download a calendar, I wanted to take the idea further. After finishing a couple generations of the applet I knew hardcopy software was not going to be the medium that would work for us. Without a web service our idea would never be able to spread and have the impact that we were hoping for. So 2 weeks before the start of the Fall Semester of 2013 we took MySyllabi live at MySyllabiMadison.com. The web site endured hundreds of hours of coding, 2 different template designs and countless process restructuring but eventually it became the site that we are extraordinarily proud of today.

A: We also spent a lot of time over winter break of 2013-2014 working on web layout, testing every possible function of the website, creating new features, and emailing various professors to introduce our idea. That brings us up to our campus launch that happened starting on January 21st of this year.

What’s next in the development of MySyllabiMadison?

A: Over the upcoming months we want to focus on simplifying the website to make it more self-explanatory, and also look to the future for potential monetization. We have received a lot of great user feedback in regards to the looks of the website, its functionality, the idea, etc. but we want to make sure that anybody would be able to go on the website and be able to comprehend its basic features and use them as well. Also, like in many businesses, we are looking to see what the best avenue to monetize our idea is. We believe that every educational system from middle school to the university could make use of our website, and we want to grow in making what we have to offer even more appealing to them. We hope to introduce our idea to other college campuses, continue to meet with professionals who have been in our situation, and grow the MySyllabiMadison brand.

How did you discover the Edge Challenge? What made you want to participate in the competition?

A: John Surdyk, one of the professors at the Wisconsin School of Business, who also taught my Entrepreneurship class last year, told me about the Edge Challenge. We looked at the details, and realized that even if we didn’t win, it would still be an amazing experience for us in being able to bring our idea to life.

J: Immediately after hearing about it I was hooked. I was in the process of creating an application that was aimed at helping students and here was a competition that showcased just that. Although I thought I would never have a shot at actually winning this national software competition […] the journey throughout it was riveting. And now, after realizing that our idea was not found wanting by the judges that examined it makes me feel even more accomplished as a programmer and entrepreneur than I ever thought would be possible as a sophomore in college. The Edge Challenge has been one of the most rewarding experiences of my entire life. I just want to thank all that helped make the Edge Challenge possible for all that they did and encourage them to know that it truly gave my partner and I the push that we needed to make our idea a service that could actually help the world in however large or small a way that it ends up developing into.

Do you have any advice for other student innovators out there?

J: Find an idea that you like and work on it. The only thing that keeps you from doing what you thought you could never do is the thought that you can never do it. Have fun at college but first understand exactly what kind of fun you want to have and realize that the best fun will be that which you have to work the hardest for. MySyllabiMadison is one of my life’s greatest achievements […] but it required me to sit upstairs at parties so I could program and when they were over sit behind a computer screen at 4am if I needed to finish a block of code.

A: One thing that I would advise other students is in how motivated you have to be yourself in order to succeed with a start-up. A lot of people may like your idea, even think it’s a great one, but won’t necessarily care all that much if you choose to drop the idea and go back to “normal life”. There won’t be anyone encouraging you to stay up late at night, or skip hanging out with your friends, to work on your start-up, and those are the sacrifices that you need to be willing to make.

Note: This article has been cross-posted to the Desire2Learn Community Blog.


Announcing the ValenceUsers Discussion Forum

I am pleased to announce that the Valence Community now has a discussion forum to call our own! Today marks the launch of the ValenceUsers forum on Google Groups. We’ve launched this discussion forum in response to repeated requests for an opportunity to connect with fellow Valence Community Members to ask questions, brainstorm solutions, provide feedback, and support one another while using the Valence development platform.

What can I use the ValenceUsers forum for?

First and foremost, the ValenceUsers forum is a place to ask questions and share your knowledge about the platform. Need help understanding an error you encountered when using a particular API? Do you want another set of eyes when reviewing the remote plugin you’ve designed? Are you curious if others have found a great way to automate an administrative task?

There is a lot of knowledge and experience within our Community, but it’s currently buried in email threads or locked in people’s brains until an opportunity like the FUSION User’s Conference comes around when we can get together and share. Using the ValenceUsers forum, Community Members can ask questions and learn from each others’ experiences. Desire2Learn staff will moderate and contribute to the forum, just as we do on StackOverflow and through email now. The difference is that we can have a broader discussion and invite contributions from the wider Valence Community by using the new forum.

The ValenceUsers forum is also a place to network with peers from across the hundreds of organizations using Valence, and exchange ideas on how to tackle the projects and challenges that keep us busy. In addition to being a support resource, the ValenceUsers forum is a social and professional outlet for the Developers, Administrators, Technical Team Leaders, and various other roles that are represented across the Valence Community.

Does the forum replace HelpDesk for support?

Absolutely not. The Desire2Learn HelpDesk continues to be the resource for Desire2Learn clients and Partners to report suspected defects with Valence or other Desire2Learn products, work through LMS configuration issues, and log security issues.

If you’re not quite certain how to classify an issue and want to talk about it with your peers before you open a ticket, you can go to the ValenceUsers forum to have that initial discussion. Ideally, by the time you open a ticket, you’ll be armed with all the information you need to get a timely and effective response when working with HelpDesk staff.

Does the forum replace StackOverflow?

Not necessarily. If you have a question about an API, tool or code you are working on, you can still search and then post to the Q&A on StackOverflow and tag your post as [Desire2Learn]. You’re welcome to ask these questions on the ValenceUsers forum instead, or post a link to your StackOverflow question within the forum to ensure your fellow Valence Community Members see it. And if your question merits a deeper discussion or additional details that don’t fit within the posting requirements for StackOverflow, you should certainly bring the conversation into the forum.

Does the forum replace the Valence email address?

Not yet. We’d like all questions and inquiries to go to the ValenceUsers forum first. Whether the answer comes from your peers or from Desire2Learn staff, we want the whole community to benefit from having that question asked and answered on the forum. But we’re going to hang on to the Valence email address for the interim, while we all get accustomed to using the forum.

How do I get started?

  1. Visit the ValenceUsers forum in a browser.
  2. Sign in using a Google Identity.
  3. If you don’t have a Google Identity, you can associate your institutional email address (e.g. professorX@xavierinstitute.edu) using the Sign Up Without Gmail form. This is the same process that we use for signing up for the Keytool.
  4. Click Join Group.
  5. On the Join screen, customize your screen name or link your Google Identity profile to populate your screen name & avatar automatically.
  6. Choose an email option (e.g. receive a Daily email summarizing all the activity across the forum).
  7. Read the Forum Policies.
  8. Search, read and participate in the ValenceUsers forum!
  9. Get to know your fellow Valence Community Members by reviewing and posting to the Introduce Yourself! topic.

Note: Posts will be moderated for all new users. We’ll be actively monitoring the moderation queue to minimize any latency.

How do I provide feedback?

We’re rolling out the simplest, most barebones structure for the ValenceUsers forum on purpose. We want you to show us how you want to use these forums, and provide additional feedback by posting to the Forum Feedback topic.

See you on the forum!

