<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><base href="x-msg://3120/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Cory,<div><br></div><div>Unfortunately we don't have any specific documentation at the moment about deploying ArchivesSpace using HTTPS, we'll be prioritizing the creation of this documentation in the next few weeks.</div><div><br></div><div>Best,</div><div><br><div apple-content-edited="true">
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Lucida Grande'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div>Mark A. Matienzo | <a href="mailto:mark.matienzo@nyu.edu">mark.matienzo@nyu.edu</a></div><div>Technical Architect, ArchivesSpace</div><div><a href="http://archivesspace.org/">http://archivesspace.org/</a></div></span>
</div>
<br><div><div>On Nov 19, 2013, at 11:10 AM, Cory Nimer <<a href="mailto:cory_nimer@byu.edu">cory_nimer@byu.edu</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="font-family: 'Lucida Grande'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class="WordSection1" style="page: WordSection1; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">As we have been getting LDAP set up for our local ArchivesSpace instance, our IT staff have raised a number of questions about the security of the login process, as well as the use of the staff interface. I have included portions of their comments below:<o:p></o:p></div><p style="margin-right: 0in; margin-left: 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: rgb(160, 160, 168); ">Forwarded message:<o:p></o:p></span></p><p style="margin-right: 0in; margin-left: 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: rgb(160, 160, 168); ">On Friday, November 15, 2013 at 10:25 AM, David Brownell wrote:<o:p></o:p></span></p><p style="margin-right: 0in; margin-left: 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; "><b>Subject:</b><span class="Apple-converted-space"> </span>RE: archivesspace and ldap and SSL<span style="color: rgb(160, 160, 168); "><o:p></o:p></span></p><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">archivesspace doesn't proxy nicely so it's nearly impossible to secure. I think it is still possible to proxy<span class="Apple-converted-space"> </span><i>if it has its own IP address</i><span class="Apple-converted-space"> </span>but DS1 [our web application server] already has 4 and I'm not sure I'm willing to do that for this. It makes the whole thing less maintainable.<br><br>It needs to be at the path's root because it does things like send you to /login. So I can't have it be /archivesspace (because it doesn't send you to /archivesspace/login). I have not seen any way to change the path of the thing, so that I can have it live on /archivesspace/blah. Do you know of a way to change that? I messed with the config.rb frontend_url but it's NOT a URL, it's only looking at the host and port. Not the path!<br><br>That said, I can work on LDAP authentication, but without a means of a secure connection, I don't want to do that and expose peoples password in plaintext.<br><br>What are your thoughts?<span class="Apple-converted-space"> </span><br><br>P.S. When I say "context" I mean the stuff after the server. For example, If I gave a url --<span class="Apple-converted-space"> </span><a href="http://ds1.lib.byu.edu:9080/blah" target="_blank" style="color: purple; text-decoration: underline; ">http://ds1.lib.byu.edu:9080/blah</a><span class="Apple-converted-space"> </span>-- /blah would be the context.<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "> </span></div><div class="MsoNormal" align="center" style="margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; text-align: center; "><span style=""><hr size="2" width="100%" align="center"></span></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><br><b>Sent:</b><span class="Apple-converted-space"> </span>Monday, November 18, 2013 9:37 AM<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; "> </span></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="">I don’t know of a way to change it so it can live on /archivespace/blah. I think the url structure is pretty well baked in. It sounds like we might need to have a dedicated IP address. It doesn’t necessarily need to live on DS1, if that helps.<o:p></o:p></span></div><div align="center" style="margin-left: 0.5in; text-align: center; "><span style=""><hr size="2" width="100%" align="center"></span></div><p style="margin-right: 0in; margin-left: 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><b>Date:</b><span class="Apple-converted-space"> </span>Monday, November 18, 2013 at 9:53:13 AM<o:p></o:p></p><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">It's really,<span class="Apple-converted-space"> </span><i>really</i><span class="Apple-converted-space"> </span>important that HTTP-listening applications that accept a password have the ability to do HTTPS. archivesspace needs to have the ability to listen on HTTPS with the ability to use a signed certificate for the communication.</span><span style=""><o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Are there configuration options for making the login/staff interface available over HTTPS? Is this something that is expected to change in future versions of the software? And how should we advise our IT staff on setting this up on the server?<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Thanks for your guidance,<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Cory Nimer<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Manuscripts Cataloger/Metadata Specialist<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Brigham Young University<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">1108 HBLL<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">(801) 422-6091<o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div></div>_______________________________________________<br>Archivesspace_Users_Group mailing list<br><a href="mailto:Archivesspace_Users_Group@lyralists.lyrasis.org" style="color: purple; text-decoration: underline; ">Archivesspace_Users_Group@lyralists.lyrasis.org</a><br><a href="http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group" style="color: purple; text-decoration: underline; ">http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group</a><br></div></blockquote></div><br></div></body></html>