Post on 23-May-2020


Instructure Canvas real-time integration with SCT Banner

Instructure Canvas can leverage the real-time integration capabilities available in SCT Banner and the Luminis

integration product. This integration works via a JMS HTTPClient bridge configured within a Luminis Message

Broker IV installation.

Prerequisites:

1. Integration Technologies license with Luminis Message Broker (LMB)/Luminis Message Gateway (LMG)

(versions 4.0) installed and running.

2. Banner 8.x installed and running. Banner INTCOMP must be at 8.0.2 and requires a minimum of

GENERAL 8.1 and STUDENT 8.1.

3. Luminis Platform (4.x) is installed and running.

4. Real-time data synchronization (LDI Events) between Banner and Luminis via Integration Technologies

installed and running.

Installation of the Luminis packages is detailed in documents included with the product.

Familiarity with a cygwin/Linux/Solaris command line is preferred.

Configuring Luminis to Canvas Integration Summary

Table of Contents:

1. Determine what account on the Canvas server you are going to integrate with Banner and note the account

number.

2. Create a user within the Canvas server account being integrated with Banner. This user should have an

administrative role in the specific Canvas server account. A generic account should be created rather than using

a specific person's account.

3. Generate an ACCESS_TOKEN on the canvas server specific to the account that will be integrated.

4. Create an event exchange topic in the Luminis Message Broker (LMB) server. This will be used as a holding

area for live events going from Banner to Canvas. The topic that is needed is called com_sct_ldi_sis_LmsSync.

If the LMB server is integrated with another LMS, this may already exist.

5. Create a LMB user with password which will be used internally within the LMB/LMG server. After the user

is created, grant rights for it to consume messages in the LmsSync topic.

6. Create an event HTTPClient in the LMB server connected to the Canvas server. The HTTPClient configuration

bridges between the Luminis JMS system and an external HTTP client.

7. Obtain the Canvas server's public SSL Certificate and import into the $JAVA_HOME/lib/security/cacerts

certificate store. If necessary, import the full server certificate SSL chain and/or import the certificates in other

cacerts store files located on the server.

8. Ensure connectivity between the Luminis Message Broker and Canvas servers. The Luminis Message Broker

needs to be able to initiate a connection via SSL to the Canvas server, typically on port 443.

9. Create the queues in the LMB server used for grade exchange. These are used as a holding area for the grade

exchange between Canvas and Banner. The two that are needed are com_sct_ldi_sis_UpdateRequest queue and

com_sct_ldi_sis_UpdateReply queue. If another LMS is already configured for grade exchange, these names

should be modified to include canvas and a second instance of the LMG GradeAdapter should be configured.

10. Create a grade exchange HTTPClient in the LMB server.

11. Deploy the grade exchange application to an Apache Tomcat server in the environment (Luminis IV is

installed with a tomcat server, although a secondary one can be used).

12. Ensure connectivity between the grade exchange and Canvas servers. The Canvas server needs to be able to

initiate a connection to the tomcat server where the grade exchange application is installed via SSL. If the grade

exchange application is installed on the LMB server, communication would typically be on port 7678.

Appendix 1: canvas_mbldisetup script variables and detail

Appendix 2: SSL certificate discussion (2048 bit SSL certificate not supported by default)

Appendix 3: Miscellaneous hints and tips concerning LMB/LMG

1. Determine what account on the Canvas server you are going to integrate with Banner and note the account

number.

-- Example: 13

2. Create a user within the Canvas server account being integrated with Banner. This user should have an

administrative role in the specific Canvas server account. A generic account should be created rather than using

a specific person's account.

-- Example: [email protected]

3. Generate an ACCESS_TOKEN on the canvas server within a user account which has an admin role within

Canvas. Generate a new token by going to your profile settings (upper right corner of your Canvas session,

settings), scrolling to the bottom of the page and clicking the “+New Access Token” button.

-- Example: 1834~yrBwlKUXWtBmYtoynzei8RBs7LtBuXVb4RwJQ3zhSXdOaMoADtnetBNYS2UqBc6L

Sections 4-6, 9 and 10 can be automated by running a canvas_mbldisetup script that can be provided on the

Luminis Message Broker server.

4. Create an event exchange topic in the Luminis Message Broker (LMB) server. This will be used as a holding

area for live events going from Banner to Canvas. The topic that is needed is called com_sct_ldi_sis_LmsSync.

If the LMB server is integrated with another LMS, this may already exist.

The com_sct_ldi_sis_LmsSync topic receives live events from Banner via the Luminis Message Gateway event

application. This includes new person objects and related changes and enrollment events. Events are passed to

Canvas via the event HTTPClient we will configure in section six.

4a. Log into the Luminis management interface:

4b. Click on Destinations and the New Destination button. Put com_sct_ldi_sis_LmsSync as the Name, select

Topic as the type and click the Create button. If you have previously been integrated with another LMS, this

topic will already exist and can be used by all systems.

You should now see the LmsSync Topic in the Destinations page.

5. Create a LMB user with password which will be used internally within the LMB/LMG server. After the user

is created, grant rights for it to consume messages in the LmsSync topic.

5a. On the LMB server, open a terminal window (cygwin for windows).

Run the following command:

mbtool add user -id=<username> -desc=<description> -credential=<password>

<username> is the name of a user that will be created internally in the Luminis Message Broker. This can be

anything that is unique in the system.

-- Example: canvaslmb

<description> is a description assigned to the user

-- Example: Canvas_LMB_User

<password> is the password for the new LMB user.

-- Example: asofkljelisdlfileh

-- Example: mbtool add user -id=canvaslmb -desc=Canvas_LMB_User -credential=asofkljelisdlfileh

5b. Once the user is created, add rights to the LmsSync destination.

mbtool update destaccess -policy=allow -entity=user -id=<username> -access=consume -dest=com_sct_ldi_sis_LmsSync -type=topic -op=add

<username> is the same one created above.

-- Example: mbtool update destaccess -policy=allow -entity=user -id=canvaslmb -access=consume -dest=com_sct_ldi_sis_LmsSync -type=topic -op=add

5c. Verify that access has been properly added by checking in the Luminis management interface:

Log into the Luminis management interface and select Connection Access Policy

The <username> created above should be listed in the Normal column, Allow Users area. You may or may not

have other users listed in this area. If the user is not listed, type the <username> in the box next to the Add button

and then click the Add button.

Verify the LMB user you created is in the Allow Users box. From the front page, next select Destinations, select

the radio button next to the com_sct_ldi_sis_LmsSync topic and click the Edit Access button.

The <username> created above should be listed in the Consume column, Allow Users area. You may or may

not have other users listed in this area. If the user is not listed, type the <username> in the box next to the Add

button and then click the Add button.

6. Create an event HTTPClient in the Luminis Message Broker connected to the Canvas server.

The HTTPClient configuration bridges between Luminis JMS system and an external HTTP client.

Log into the LMB management interface and select Outgoing HTTP Clients.

Click on the New Client button.

The outgoing HTTP Client uses information from sections one thru five.

Name: The name of the HTTP Client within LMB.

-- Example: Canvas_Ldi_Event_Receiver

Enable: true

-- Set to true if this client is active.

Stop Delivery on Error: true

-- Set to true to ensure events queue from Banner if there is a communication error between the Luminis broker

and the canvas server. The easiest way to resume Canvas consumption of messages is to set Enable to false, save

and then reset Enable to true.

Consume From: com_sct_ldi_sis_LmsSync (Topic)

JMS Connection user Name: LMB user created in section five.

-- Example: canvaslmb

JMS Connection Password: LMB user password used in section five.

-- Example: asofkljelisdlfileh

Verify Password:

JMS Message Selector: Leave blank

Durable: true

-- this will ensure that the connection persists and messages are saved to be consumed even if there is a

communication interruption

Post to HTTP(S) URL: This is the Canvas server URL with the following construction:

https://<canvasurl>/api/v1/accounts/<accountnumber>/sis_imports.json?access_token=<accesstoken>&import_type=ims_xml&extension=xml

<canvasurl> is the URL of the Canvas Server being integrated with Banner.

-- Example: https://canvas.myschool.edu

<accountnumber> is the account number on the canvas server where you are setting the integration

-- Example: 13

<accesstoken> is an API key generated on the Canvas server by an institutional admin.

-- Example: A2IDLSRMFjileK87SREL32D9idkWI8ro

-- Example URL:

https://canvas.myschool.edu/api/v1/accounts/13/sis_imports.json?access_token=1834~yrBwlKUXWtBmYtoynzei8RBs7LtBuXVb4RwJQ3zhSXdOaMoADtnetBNYS2UqBc6L&import_type=ims_xml&extension=xml

Authorization User Name: A user on the Canvas server with Admin rights within the account being integrated.

-- Example: [email protected]

Authorization Password: Canvas admin user password

-- Example: aoiIoiJuhJkUhU97s

Verify Password:

Click the Create button when all the information is filled in:

To modify any part of the HTTP Client configuration (changed password, URL, access_token, account number

etc.), select the radio button next to the HTTP Client and click the Modify button, update the information and click

the Modify button.

The event integration is now complete and events should flow from Banner to Canvas.

7. Obtain the Canvas server's public SSL Certificate and import into the $JAVA_HOME/lib/security/cacerts

certificate store. If necessary, import the full server certificate SSL chain and import the certificates in multiple

cacerts store files.

7a. At times, there may be a certificate communication error between the LMB server and the Canvas server when

originally configuring the integration. If this happens you will see errors similar to the following in the

$SCT_LMB_HOME\logs\datapipeline-audit.log log file:

---------------

2011-04-18 14:08:34,563/MessageBrokerApplication.dp-service: Message delivery started for client: http$canvas

2011-04-18 14:10:45,016/MessageBrokerApplication.http$canvas-adapter: javax.net.ssl.SSLException: untrusted server cert chain

2011-04-18 14:10:45,016/MessageBrokerApplication.dp-service: http$canvas adapter requesting delivery halt.

2011-04-18 14:10:45,016/MessageBrokerApplication.dp-service: Stopping message delivery to client: http$canvas

2011-04-18 14:10:46,298/MbTool.dp-service: Shutting down service.

---------------

To resolve this, the Canvas server's SSL certificate must be imported into the Java certificate store file. Different

parts of Luminis can potentially utilize different java installations, possibly requiring the certificate to be

imported into multiple locations.
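A quick way to see which HTTP clients have halted and why, working from audit log lines in the format shown above. This is an added example, not part of the product or the original document; the function names and the second client name in the sample (http$canvas_grades) are made up for illustration.

```shell
#!/bin/sh
# Added example: summarize HTTP client delivery state from datapipeline-audit.log.

# Constructed sample in the format of the excerpt above; the second client
# (http$canvas_grades) is invented so the output shows a healthy client too.
sample_audit_log() {
cat <<'EOF'
2011-04-18 14:08:34,563/MessageBrokerApplication.dp-service: Message delivery started for client: http$canvas
2011-04-18 14:08:35,101/MessageBrokerApplication.dp-service: Message delivery started for client: http$canvas_grades
2011-04-18 14:10:45,016/MessageBrokerApplication.http$canvas-adapter: javax.net.ssl.SSLException: untrusted server cert chain
2011-04-18 14:10:45,016/MessageBrokerApplication.dp-service: http$canvas adapter requesting delivery halt.
2011-04-18 14:10:45,016/MessageBrokerApplication.dp-service: Stopping message delivery to client: http$canvas
EOF
}

# scan_audit_log: read log lines on stdin and print one line per client:
#   client|state|time of last state change|last SSL error (or -)
scan_audit_log() {
awk '
function note(c) {
    # Remember clients in first-seen order with a neutral default state.
    if (!(c in seen)) { seen[c] = 1; order[++n] = c; state[c] = "unknown"; since[c] = "-" }
}
{
    sub(/\r$/, "")                      # tolerate CRLF logs from Windows hosts
    slash = index($0, "/")              # timestamp ends at the first "/"
    if (slash == 0) next
    ts = substr($0, 1, slash - 1)
    rest = substr($0, slash + 1)
}
rest ~ /Message delivery started for client: / {
    c = rest; sub(/.*Message delivery started for client: /, "", c)
    note(c); state[c] = "delivering"; since[c] = ts; next
}
rest ~ /Stopping message delivery to client: / {
    c = rest; sub(/.*Stopping message delivery to client: /, "", c)
    note(c); state[c] = "halted"; since[c] = ts; next
}
rest ~ /-adapter: javax\.net\.ssl\.SSLException: / {
    # Component looks like "MessageBrokerApplication.<client>-adapter".
    c = rest; sub(/^[^.]*\./, "", c); sub(/-adapter: .*/, "", c)
    e = rest; sub(/.*SSLException: /, "", e)
    note(c); err[c] = e; next
}
END {
    for (i = 1; i <= n; i++) {
        c = order[i]
        printf "%s|%s|%s|%s\n", c, state[c], since[c], ((c in err) ? err[c] : "-")
    }
}'
}

# halted_clients: names of clients whose most recent state is "halted".
halted_clients() {
    scan_audit_log | awk -F'|' '$2 == "halted" { print $1 }'
}

# Run against a real log file if one is given, otherwise the constructed sample.
if [ -n "${1:-}" ]; then
    scan_audit_log < "$1"
else
    sample_audit_log | scan_audit_log
fi
```

A client reported as halted stays halted until its Enable setting is toggled, as described under Stop Delivery on Error in section six.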

7b. Obtain the Canvas server SSL certificate.

On the LMB server in a terminal window issue the following command:

openssl s_client -showcerts -connect canvas.myschool.edu:443 >canvas.crt

where canvas.myschool.edu:443 is the URL of the Canvas server.

This is creating an SSL connection to the Canvas server and requesting the certificate which is redirected to the

text file canvas.crt in your current directory. You may have to press control-c to break the connection after a few

seconds.

7c. The canvas.crt file may contain several certificates starting with a "-----BEGIN CERTIFICATE-----" line and

ending with an "-----END CERTIFICATE-----" line. This is the full certificate chain of the server certificate.

When importing a certificate into a java certificate store, only the top certificate in the file will be imported. Edit

the canvas.crt file and remove any text before the first Begin Certificate line and after the first End Certificate line.

Example initial results followed by the edit results:

-------------------

CONNECTED(00000003)

---

Certificate chain

0 s:/C=US/ST=Utah/L=Salt Lake City/O=My School /OU=IT/CN=canvas.myschool.edu

i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3

i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

---

Server certificate

subject=C=US/ST=Utah/L=Salt Lake City/O=My School /OU=IT/CN=canvas.myschool.edu

issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3

---

No client certificate CA names sent

---

SSL handshake has read 5776 bytes and written 340 bytes

----------------

The resulting file should look similar to the following:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

If the certificate uses a self-signed certificate authority, it may be necessary to import all of the certificates in the

chain individually. If this is the case, save each certificate out to a separate .crt file.
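The manual edit in 7c, done by script for every certificate in the capture rather than only the first. This is an added example, not part of the original document; the function names, the output file naming and the "Example CA" subjects in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example: split an `openssl s_client -showcerts` capture into one PEM
# file per certificate, so each can be inspected and imported on its own.

# Constructed capture; the certificate bodies are placeholders, not real
# certificates, and the "Example CA" names are invented.
sample_capture() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Utah/L=Salt Lake City/O=My School/OU=IT/CN=canvas.myschool.edu
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-SERVER-BODY
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-BODY
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Utah/L=Salt Lake City/O=My School/OU=IT/CN=canvas.myschool.edu
EOF
}

# split_chain CAPTURE PREFIX
#   Writes PREFIX-0.crt (the server certificate), PREFIX-1.crt, ... each
#   holding only the BEGIN..END lines, and prints one line per certificate:
#   index<TAB>file<TAB>subject
split_chain() {
    awk -v prefix="$2" '
    BEGIN { n = 0 }
    { sub(/\r$/, "") }                          # tolerate CRLF captures
    /^ *[0-9]+ s:/ {                            # subject line before each block
        subject = $0; sub(/^ *[0-9]+ s:/, "", subject); next
    }
    /^-----BEGIN CERTIFICATE-----$/ { file = prefix "-" n ".crt"; inside = 1 }
    inside { print > file }                     # first write truncates the file
    /^-----END CERTIFICATE-----$/ && inside {
        close(file); inside = 0
        printf "%d\t%s\t%s\n", n, file, (subject == "" ? "-" : subject)
        n++; subject = ""
    }' "$1"
}

# fingerprint FILE
#   SHA-256 fingerprint of a real certificate file. The capture records
#   whatever answered on the network at that moment, so compare this value
#   with one obtained from the Canvas administrator through a separate
#   channel before importing the file into cacerts.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Split a real capture if one is given, otherwise demonstrate on the sample.
if [ -n "${1:-}" ]; then
    split_chain "$1" "${2:-canvas}"
else
    demo_dir=$(mktemp -d)
    sample_capture > "$demo_dir/capture.txt"
    split_chain "$demo_dir/capture.txt" "$demo_dir/canvas"
    rm -rf "$demo_dir"
fi
```

Run on a real canvas.crt capture, the resulting canvas-0.crt is the same file the manual edit produces, and the remaining files are the chain certificates for the self-signed CA case.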

7d. Identify the java certificate store file(s) where the Canvas server certificate may need to be imported.

Within a terminal window type the following command:

find "$JAVA_HOME" -name "cacerts" -print 2>/dev/null

This will find the certificate store file location in your default java instance. This should be the only cacerts file

that will need to have the certificate imported.

Even though the above cacerts file should be the only one that needs the Canvas server certificate, it is possible to

have different Luminis programs utilize other java installations on the server. If this is the case, it is possible that

the Canvas server certificate will need to be imported into the additional instances as well.

Within a terminal window type the following command:

find / \( -name proc -prune \) -o -name "cacerts" -print 2>/dev/null

This will find all cacerts files located on the server.

7e. Copy the canvas.crt file to the $JAVA_HOME/jre/lib/security directory. Change the command line location

into the same directory. Because there may be multiple versions of java on the system, it is preferred to be located

in the security directory of the java instance into which you are importing the certificate to make sure the proper

version of the import tool is being used.

7f. Make a backup copy of the cacerts file. Import the Canvas server certificate into the cacerts store. The

keytool utility will prompt for the password for the cacerts store file. Most of the time this is a default of

"changeit". The primary Luminis IV cacerts file may be protected by the admin password that was used when

installing Luminis.

First make a copy of the cacerts file.

cp cacerts cacerts.bak

The command to import the certificate is the following when located in the lib/security directory:

../../bin/keytool -keystore ./cacerts -import -alias <alias> -file ./<certfile.crt>

<alias> is a unique name that will be used in the cacerts file to identify the certificate. It can be anything as long

as it doesn't conflict with another alias in the file.

-- Example: canvas

<certfile.crt> is the file which contains the certificate that will be imported.

-- Example: canvas.crt

note: If the server certificate is using a self-signed certificate authority (CA), it may be necessary to import each

certificate in the certificate chain. If this is the case, extract each certificate to its own <certfile.crt> file and

import each one with a different <alias>.

If multiple canvas server certificates are eventually imported, the alias can be changed as needed, for example by

adding a number after canvas.

If the password is incorrect, the command will result in an error. Try again with the password assigned at

installation.

If the password is correct, a summary of the certificate will be listed asking for confirmation to "Trust this

certificate". Type yes and press enter.

If the alias is already used or if the certificate already exists in the cacerts file, it will indicate this.

Restart the Luminis services or preferably the LMB server to load the updated certificate file in memory. If the

untrusted server cert error continues, repeat the import process for each other cacerts file found on the system. If

java is ever updated to a newer version, the cacerts file may be overwritten with the one in the new java

installation package. If this happens, either the old cacerts file could be copied back into place or the server

certificate import would have to be repeated.

8. Ensure connectivity between the Luminis Message Broker and Canvas servers. The Luminis Message Broker

needs to be able to initiate a connection via SSL to the Canvas server, typically on port 443.

9. Create the queues in the LMB server used for grade exchange. These are used as a holding area for the grade

exchange between Canvas and Banner. The two that are needed are com_sct_ldi_sis_UpdateRequest queue and

com_sct_ldi_sis_UpdateReply queue. If another LMS is already configured for and using grade exchange, these

names should be modified to include canvas and a second instance of the LMG GradeAdapter should be

configured. Please refer to section 9d.

The com_sct_ldi_sis_UpdateRequest queue receives grades pushed from Canvas via the grade exchange

application. Grade events are received by Banner via the Luminis Message Gateway grade adapter application.

We will set up the grade exchange application in section eleven.

The com_sct_ldi_sis_UpdateReply queue receives status updates from Banner for grades received and is sent

to Canvas via the grade exchange HTTPClient we will configure in section ten.

9a. Log into the Luminis management interface:

9b. Click on the New Destination button. Put com_sct_ldi_sis_UpdateRequest as the Name, select queue as the

type and click the Create button. If you have previously been integrated with another LMS, this queue will

already exist.

9c. Click on the New Destination button. Put com_sct_ldi_sis_UpdateReply as the Name, select queue as the

type and click the Create button. If you have previously been integrated with another LMS, this queue will

already exist.

You should now see both queues in the Destinations page.

9d. If another LMS is currently integrated with Banner on the same Luminis box and using grade pass back, the canvas

grade exchange will have to be created with different queues. For example, the following names could be used in

steps 9b and 9c instead.

com_sct_ldi_sis_UpdateRequest_Canvas

com_sct_ldi_sis_UpdateReply_Canvas

To integrate grade exchange with two LMS systems via the same LMB/LMG server, a copy of the

$SCT_LMG_HOME/GradeAdapter will have to be created and started for each LMS.

If a copy is made at $SCT_LMG_HOME/GradeAdapterCanvas with the modified queue names above, the

configuration file located at $SCT_LMG_HOME/GradeAdapterCanvas/config/adapter.properties would need to

have the following variables adjusted:

In the BannerAdapter section, update the dtdUriBase variable to reflect the new grade adapter config directory

location

-- Example: dtdUriBase = "file:///c:/lmg/GradeAdapterCanvas/config";

In the JMSTransport section, update the InboundGradesQueue variable to reflect the new GradeAdapter inbound

grades queue.

-- Example: InboundGradesQueue = "cn=queue$com_sct_ldi_sis_UpdateRequest_Canvas,ou=AdministeredObjects";

10. Create a grade exchange HTTPClient in the LMB server.

Log into the LMB management interface and select Outgoing HTTP Clients.

Click on the New Client button.

The outgoing HTTP Client uses information from sections one thru five of the Event integration document.

Name: The name of the HTTP Client within LMB.

-- Example: Canvas_LDI_GradeExchange_Endpoint

Enable: true

-- Set to true if this client is active.

Stop Delivery on Error: true

Consume From: com_sct_ldi_sis_UpdateReply (Queue)

JMS Connection user Name: LMB user created in section five.

-- Example: canvaslmb

JMS Connection Password: LMB user password used in section five.

-- Example: asofkljelisdlfileh

Verify Password:

JMS Message Selector: Leave blank

Durable: false

Post to HTTP(S) URL: This is the Canvas server URL with the following construction:

https://<canvasurl>/api/v1/accounts/<accountnumber>/sis_imports.json?access_token=<accesstoken>&import_type=banner_grade_exchange_results&extension=xml

<canvasurl> is the Canvas Server URL which is being integrated with Banner.

-- Example: https://canvas.myschool.edu

<accountnumber> is the account number on the canvas server where you are setting the integration

-- Example: 13

<accesstoken> is an API key generated on the Canvas server by an institutional admin

-- Example: A2IDLSRMFjileK87SREL32D9idkWI8ro

-- Example URL:

https://canvas.myschool.edu/api/v1/accounts/13/sis_imports.json?access_token=A2IDLSRMFjileK87SREL32D9idkWI8ro&import_type=banner_grade_exchange_results&extension=xml

Authorization User Name: A user on the Canvas server with Admin rights within the account being integrated.

-- Example: [email protected]

Authorization Password: Canvas admin user password

-- Example: aoiIoiJuhJkUhU97s

Verify Password:

Click the Create button when all the information is filled in:

To modify any part of the HTTP Client configuration (changed password, URL, access_token, account number

etc.), select the radio button next to the HTTP Client and click the Modify button, update the information and click

the Modify button.

If the LMB server is integrated for grade exchange with another LMS, change the Consume From: queue to

reflect the GradeAdapter used with Canvas.

If there appears to be a communication issue between the Canvas server and Banner server, please refer to

Section 7: Obtain the Canvas server's public SSL Certificate and import into the

$JAVA_HOME/lib/security/cacerts certificate store.

11. Deploy the grade exchange application (HTTPGradeExchangeRelay-1.0.0.war) to an Apache Tomcat server

in the environment (Luminis IV is installed with a tomcat server, although a secondary one can be used).

11a. Because the grade publishing event can come from potentially any Canvas job server (making it difficult to

open up targeted firewall holes), and because it is often difficult to keep Luminis current with security patches for

the underlying programs, it may be advisable to install the grade exchange application on a standalone tomcat

server that is separate from the built-in Luminis one.

11b. Once you have decided what tomcat server to use, you will need a valid SSL certificate signed by an official

certificate authority (CA) (not self-signed) if you don’t already have one. Most certificate authorities will

provide directions for generating a private key and certificate signing request for tomcat. If you use the built-in

Luminis tomcat, here is an example of how to update the certificate associated with the tomcat user used by

Luminis.

Change to the lib/security directory of the java installation used by tomcat, delete the old key, create a new key,

generate signing request, import the new key and restart.

cd /cygdrive/c/Java/jdk1.5.0_10/jre/lib/security/

cp cacerts cacerts.backup

../../bin/keytool -delete -alias tomcat -keystore cacerts -storepass <password>

../../bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -dname "CN=<FQDN of this server>, OU=<organization unit>, O=<organization>, L=<city>, ST=<state>, C=<country>" -keypass <password> -keystore cacerts -storepass <password>

../../bin/keytool -certreq -v -alias tomcat -file cert.req -keystore cacerts -storepass <password>

../../bin/keytool -import -trustcacerts -alias tomcat -file integrator.p7b -keystore cacerts -storepass <password>

11c. Place the HTTPGradeExchangeRelay-1.0.0.war file in the webapps directory of your tomcat server for

deployment. Tomcat will automatically extract and deploy it.

For the default Luminis location on windows, this is located under

$SCT_LMB_HOME/products/tomcat/tomcat-mb/webapps/ and will expand to

$SCT_LMB_HOME/products/tomcat/tomcat-mb/webapps/HTTPGradeExchangeRelay-1.0.0/.

Modify the $SCT_LMB_HOME/products/tomcat/tomcat-mb/webapps/HTTPGradeExchangeRelay-1.0.0/WEB-INF/classes/config.properties file to reflect your environment:

# ------- config.properties example ---------

# JMS Operation for sending Banner Grade request

# to the JMS Queue for consumption by LMG (GE adapter)

relayGradeRequestToJMSQueue = true

# HTTP Post Operation for sending Banner Grade response

# in a URL parameter named "message"

relayGradeResponseToHTTPEndpoint = false

ldispDTDSource = classpath:ldisp-2.0.dtd

############### JMS Connection ######################

initialContextFactory = com.sun.jndi.ldap.LdapCtxFactory

securityAuthentication = simple

securityPrincipal = cn=canvaslmbuser,ou=People,o=messaging

securityCredentials = asdfpoiarejjpoasdfj

providerUrl = ldap://luminis.myschool.edu:389/o=messaging

sisLookupName = cn=com_sct_ldi_sis_QueueConnFactory,ou=AdministeredObjects

queueUsername = canvaslmbuser

queuePassword = asdfpoiarejjpoasdfj

clientId = canvaslmbuser.MessageBrokerApplication_1

queueName = cn=queue$com_sct_ldi_sis_UpdateRequest_canvas,ou=AdministeredObjects

replyQueueName = cn=queue$com_sct_ldi_sis_UpdateReply_canvas,ou=AdministeredObjects

durableScription = http$CanvasHttpClient

############### HTTP Client Connection ###############

httpEndpoint = https://canvas.myschool.edu/api/v1/accounts/13/sis_imports.json?access_token=<token>&import_type=banner_grade_exchange_results&extension=xml

httpBasicAuthHost =

httpBasicAuthPort =

httpBasicAuthUserName = e

httpBasicAuthPassword = e

If you already use grade exchange and created new UpdateRequest and UpdateReply queues, update the file to

reflect this.

11d. Create a tomcat user that will be used to authenticate the connection from Canvas. Edit tomcat-users.xml

within the <tomcat>/conf/ directory ($SCT_LMB_HOME/products/tomcat/tomcat-mb/conf/tomcat-users.xml)

Add a line such as the following:

<user username="[email protected]" password="qBlnmCBgi0Ip9unU" roles="GradeExchange"/>

If you do not want the tomcat password stored in plain text, you can store it as a SHA-1 digest by updating the default realm.

Edit $SCT_LMB_HOME/products/tomcat/tomcat-mb/conf/server.xml. Find the following line:

<Realm resourceName='UserDatabase' className='org.apache.catalina.realm.UserDatabaseRealm'/>

and add the digest type:

<Realm resourceName='UserDatabase' digest='SHA' className='org.apache.catalina.realm.UserDatabaseRealm'/>

Go to $SCT_LMB_HOME/products/tomcat/tomcat-mb/bin/ and run digest.sh -a SHA <password>, then take the digested password (the part after the colon) and put it in the tomcat-users.xml file.

$ ./digest.sh -a SHA qBlnmCBgi0Ip9unU

qBlnmCBgi0Ip9unU:39e141e3ee10b65e91c2fb380d7b414032355b12

The entry will look like this:

<user username="[email protected]" password="39e141e3ee10b65e91c2fb380d7b414032355b12" roles="GradeExchange"/>

11e. After restarting tomcat, go to the URL

https://<mytomcatserver>:<port>/HTTPGradeExchangeRelay-1.0.0/GradeExchangeProcessor/ , log in with the

username and password placed in the tomcat-users.xml file. You should receive the response

“HTTP Grade Exchange Relay Service

Request is authenticated and awaiting Banner Grade XML message...”

11f. Have Instructure add the POST to URL in the grade passback area to point to your tomcat server.

https://<tomcat-users username>:<password>@<tomcat server FQDN>:<port>/HTTPGradeExchangeRelay-1.0.0/GradeExchangeProcessor

for example:

https://[email protected]:[email protected]/HTTPGradeExchangeRelay-1.0.0/GradeExchangeProcessor/

12. Ensure connectivity between the grade exchange and Canvas servers. The Canvas server needs to be able to initiate a connection via SSL to the tomcat server where the grade exchange application is installed. If the grade exchange application is installed on the LMB server, communication would typically be on port 7678. Because the grade publishing event can come from potentially any Canvas job server, and because it is often difficult to keep Luminis current with security patches for the underlying programs, it may be advisable to install the grade exchange application on a standalone tomcat server that is separate from the built-in Luminis one.
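One way to confirm the result of step 11d, as an added example that is not part of the product or of this guide's own scripts: it lists tomcat-users.xml entries whose password was left in plain text after the realm was switched to digest='SHA'. It assumes digest.sh -a SHA emits the plain SHA-1 hex digest of the password (as the 40-character output above suggests) and that each <user .../> element sits on one line; the function and user names are hypothetical.

```shell
#!/bin/sh
# Added example: audit tomcat-users.xml once the realm uses digest='SHA'.
# Function names and sample entries are constructed for illustration.

# Hex SHA-1 of a string, using whichever tool the host provides.
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 1 | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha1 | sed 's/^.*= *//'
    fi
}

# Build the <user> line for tomcat-users.xml with the digest in place of the
# clear-text password. Arguments: username, password, role.
digest_user_entry() {
    printf '<user username="%s" password="%s" roles="%s"/>\n' \
        "$1" "$(sha1_hex "$2")" "$3"
}

# Print the username of every <user> entry whose password attribute is not a
# 40-character lowercase hex string, i.e. was left in plain text.
# Assumption: one <user .../> element per line.
plaintext_password_users() {
    grep '<user ' "$1" | while IFS= read -r line; do
        user=$(printf '%s\n' "$line" | sed -n 's/.*username="\([^"]*\)".*/\1/p')
        pw=$(printf '%s\n' "$line" | sed -n 's/.*password="\([^"]*\)".*/\1/p')
        case "$pw" in
            *[!0-9a-f]*) echo "$user" ;;
            *) [ ${#pw} -eq 40 ] || echo "$user" ;;
        esac
    done
}

# Constructed sample file: one digested entry, one left in plain text.
sample=$(mktemp)
{
    digest_user_entry relay-a 'constructed-password-1' GradeExchange
    echo '<user username="relay-b" password="constructed-password-2" roles="GradeExchange"/>'
} > "$sample"
plaintext_password_users "$sample"   # prints relay-b
rm -f "$sample"
```

Under that assumption the stored value is an unsalted hash, so tomcat-users.xml still needs file permissions that restrict it to the tomcat account.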

Appendix 1: canvas_mbldisetup script variables and detail

A script originally created for WebCT integration has been updated to address many of the basic steps used to

configure Canvas integration. The top of the script includes several variables which need to be defined for each

installation environment.

Copy the canvas_mbldisetup to $SCT_LMG_HOME, update the following variables as needed and run to

automate Sections 4-6, 9 and 10.

# ------------- LMB Setup -------------

# CANVAS_LMB_USER - LMB user account that is created in and connects to LMB

# example: CANVAS_LMB_USER=canvaslmbuser

CANVAS_LMB_USER=canvaslmb

# Password for the above user

# example: CANVAS_LMB_PW=asdfpoiarejjpoasdfj

CANVAS_LMB_PW=asdfpoiarejjpoasdfj

# ------------- Canvas Event Exchange -------------

#HTTP authorization user name for Events. This is an admin user on the Canvas server used for integration

# example: [email protected]

[email protected]

#HTTP authorization password for Events. This is the password of the above user on the canvas server

#EVENT_HTTPAUTH_PW=aoiIoiJuhJkUhU97s

EVENT_HTTPAUTH_PW=aoiIoiJuhJkUhU97s

# Access token generated on the Canvas server by an institutional admin

# example: CANVAS_ACCESS_TOKEN=A2IDLSRMFjileK87SREL32D9idkWI8ro

CANVAS_ACCESS_TOKEN=A2IDLSRMFjileK87SREL32D9idkWI8ro

# Canvas account number for the institution (not a user account id)

#CANVAS_ACCOUNT_NUMBER=13

CANVAS_ACCOUNT_NUMBER=13

#LMG filtered Sync Topic for Canvas/Blackboard/.... Canvas consumes events from this topic.

#Multiple LMS can consume from this location.

SCT_LMS_DISPATCH_TOPIC=com_sct_ldi_sis_LmsSync

#Topic for SyncError messages and orphaned UpdateReply messages

# Error with the synchronization will be reported here

SCT_ERROR_TOPIC=com_sct_ldi_sis_Error

#set to true to delete and recreate above objects, if they already exist.

#setting this to true quickly resets the integration environment (LMB users/Topics/Queues/HTTPClients)

RE_INITIALIZE=true

#set to true if you're already integrated with BB Vista and don't want to delete and recreate the topics/queues

# deleting and recreating the topics/queues will require the BB Vista LMB user to have its permissions

# re-assigned. This tones down the re-initialization

BBVISTA=true

#HTTP client identifier for events. This can be any descriptive name

CANVAS_EVENTS_RECEIVER_NAME=Canvas_Ldi_Event_Receiver

# HTTP LDI Event Receiver in Canvas This is the base URL of the Canvas Server

#CANVAS_EVENTS_URL=https://canvas.myschool.edu

CANVAS_EVENTS_URL=https://canvas.myschool.edu

# ------------- Grade Exchange -------------

# This information will likely match some of the settings within the Event configuration above.

# It is added in here in case the grade exchange info is ever different

#HTTP authorization user name for grade exchange . This is an admin user on the Canvas server

#used for integration

# example: [email protected]

[email protected]

#HTTP authorization password for grade exchange. This is the password of the above user on the canvas server

#GE_HTTPAUTH_PW=aoiIoiJuhJkUhU97s

GE_HTTPAUTH_PW=aoiIoiJuhJkUhU97s

# HTTP LDI grade exchange sender in Canvas. This is the base URL of the Canvas Server

#CANVAS_GE_URL=https://canvas.myschool.edu

CANVAS_GE_URL=https://canvas.myschool.edu

#HTTP client identifier for GradeExchange. This can be any descriptive name.

CANVAS_GE_RECEIVER_NAME=Canvas_LDI_GradeExchange_Endpoint

# Canvas Produces Grade Exchange messages on to this Queue

# If another LMS is integrated and operational for grade exchange, this should be modified for a

# second instance of the LMG GradeAdapter. Example: com_sct_ldi_sis_UpdateRequest_Canvas

SCT_GRADE_QUEUE_INBOUND=com_sct_ldi_sis_UpdateRequest

# Canvas Consumes Grade Exchange reply messages from this Queue

# If another LMS is integrated and operational for grade exchange, this should be modified for a

# second instance of the LMG GradeAdapter. Example: com_sct_ldi_sis_UpdateReply_Canvas

SCT_GRADE_QUEUE_OUTBOUND=com_sct_ldi_sis_UpdateReply

#If true, LMB keeps trying to POST the message after an interval of time if an error is encountered.

STOPDELIVERY_ONERROR=true

Copy everything between the BEGIN SCRIPT and END SCRIPT lines, not including those two and save them to

$SCT_LMG_HOME/canvas_mbldisetup.

Update the variables discussed above to match your environment

For Linux or Solaris, change the mode of the file to allow execution.

From the $SCT_LMG_HOME directory run the following:

chmod 755 canvas_mbldisetup

Run the script by typing ./canvas_mbldisetup from the $SCT_LMG_HOME directory.

-------------------BEGIN SCRIPT------------------

#!/bin/sh

###############################################################################

# 2001-2002 Systems & Computer Technology Corporation. All Rights Reserved.

#

# CONFIDENTIAL BUSINESS INFORMATION

#

# THIS PROGRAM IS PROPRIETARY INFORMATION OF SYSTEMS & COMPUTER TECHNOLOGY

# CORPORATION AND IS NOT TO BE COPIED, REPRODUCED, LENT, OR DISPOSED OF,

# NOR USED FOR ANY PURPOSE OTHER THAN THAT WHICH IT IS SPECIFICALLY PROVIDED

# WITHOUT THE WRITTEN PERMISSION OF THE SAID COMPANY

#

# Script to create JMS Objects and/or permissions for Webct adapter.

# @version 1.0

# DT Jan-16-2004 Cloned from mbldiscript for SCT LMG

# BR Jun-01-2011 Cloned from webct_mbldiscript for SCT LMG

# stripped out the JMS connector material and changed

# for canvas. If you have current BB Vista/WebCT integration

# established, set BBVISTA to true to prevent deletion and recreation

# of the topics/queues in LMB

# BR Jun-21-2011 Added back in the gradeexchange material. Created CANVAS_GE_*

# variables for canvas

# url/username/password in case these ever differ from the event ones.

#

# !/bin/sh -xv debug's the script.

# In debug mode a + before the line shows the line being executed

#

###############################################################################

# ------------- LMB Setup -------------

# CANVAS_LMB_USER - LMB user account that is created in and connects to LMB

# example: CANVAS_LMB_USER=canvaslmbuser

CANVAS_LMB_USER=

# Password for the above user

# example: CANVAS_LMB_PW=asdfpoiarejjpoasdfj

CANVAS_LMB_PW=

# ------------- Canvas Event Exchange -------------

#HTTP authorization user name for Events. This is an admin user on the Canvas server used for integration

# example: [email protected]

EVENT_HTTPAUTH_USER=

#HTTP authorization password for Events. This is the password of the above user on the canvas server

#EVENT_HTTPAUTH_PW=aoiIoiJuhJkUhU97s

EVENT_HTTPAUTH_PW=

# Access token generated on the Canvas server for a Canvas account

# example: CANVAS_ACCESS_TOKEN=A2IDLSRMFjileK87SREL32D9idkWI8ro

CANVAS_ACCESS_TOKEN=

# Canvas account number for which the above API key was generated

#CANVAS_ACCOUNT_NUMBER=13

CANVAS_ACCOUNT_NUMBER=

#LMG filtered Sync Topic for Canvas/Blackboard/.... Canvas consumes events from this topic.

#Multiple LMS can consume from this location.

SCT_LMS_DISPATCH_TOPIC=com_sct_ldi_sis_LmsSync

#Topic for SyncError messages and orphaned UpdateReply messages

# Error with the synchronization will be reported here

SCT_ERROR_TOPIC=com_sct_ldi_sis_Error

#set to true to delete and recreate above objects, if they already exist.

#setting this to true quickly resets the integration environment (LMB users/Topics/Queues/HTTPClients)

RE_INITIALIZE=true

#set to true if you're already integrated with BB Vista and don't want to delete and recreate the topics/queues

# deleting and recreating the topics/queues will require the BB Vista LMB user to have its permissions

# re-assigned. This tones down the re-initialization

BBVISTA=true

#HTTP client identifier for events. This can be any descriptive name

CANVAS_EVENTS_RECEIVER_NAME=Canvas_Ldi_Event_Receiver

# HTTP LDI Event Receiver in Canvas This is the base URL of the Canvas Server

#CANVAS_EVENTS_URL=https://canvas.myschool.edu

CANVAS_EVENTS_URL=

# ------------- Grade Exchange -------------

# This information will likely match some of the settings within the Event configuration above.

# It is added in here in case the grade exchange info is ever different

#HTTP authorization user name for grade exchange . This is an admin user on the Canvas server

#used for integration

# example: [email protected]

GE_HTTPAUTH_USER=

#HTTP authorization password for grade exchange. This is the password of the above user on the canvas server

#GE_HTTPAUTH_PW=aoiIoiJuhJkUhU97s

GE_HTTPAUTH_PW=

# HTTP LDI grade exchange sender in Canvas. This is the base URL of the Canvas Server

#CANVAS_GE_URL=https://canvas.myschool.edu

CANVAS_GE_URL=

#HTTP client identifier for GradeExchange. This can be any descriptive name.

CANVAS_GE_RECEIVER_NAME=Canvas_LDI_GradeExchange_Endpoint

# Canvas Produces Grade Exchange messages on to this Queue

# If another LMS is integrated and operational for grade exchange, this should be modified for a

# second instance of the LMG GradeAdapter. Example: com_sct_ldi_sis_UpdateRequest_Canvas

SCT_GRADE_QUEUE_INBOUND=com_sct_ldi_sis_UpdateRequest

# Canvas Consumes Grade Exchange reply messages from this Queue

# If another LMS is integrated and operational for grade exchange, this should be modified for a

# second instance of the LMG GradeAdapter. Example: com_sct_ldi_sis_UpdateReply_Canvas

SCT_GRADE_QUEUE_OUTBOUND=com_sct_ldi_sis_UpdateReply

#If true, LMB keeps trying to POST the message after an interval of time if an error is encountered.

STOPDELIVERY_ONERROR=true

# ------------- Begin init scripts -------------

inithttpclient_events() {

DO_CREATE="true"

if [ "$DO_CREATE" = "true" ]

then

echo "INFO: Creating httpclient $CANVAS_EVENTS_RECEIVER_NAME..."

mbtool add httpclient -client=$CANVAS_EVENTS_RECEIVER_NAME \
-http.username=$EVENT_HTTPAUTH_USER -http.password=$EVENT_HTTPAUTH_PW \
-http.url=$CANVAS_EVENTS_URL/api/v1/accounts/$CANVAS_ACCOUNT_NUMBER/sis_imports.json?access_token=$CANVAS_ACCESS_TOKEN\&import_type=ims_xml\&extension=xml \
-enabled=true -http.stopDeliveryOnError=$STOPDELIVERY_ONERROR -username=$CANVAS_LMB_USER \
-credential=$CANVAS_LMB_PW -message.source.name=$SCT_LMS_DISPATCH_TOPIC \
-message.source.type=topic -message.selector=NONE -durable=true

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: unable to create httpclient $CANVAS_EVENTS_RECEIVER_NAME"

return 1

fi

fi

return 0

}

delete_event_httpclient() {

mbtool delete httpclient -client=$CANVAS_EVENTS_RECEIVER_NAME >/dev/null 2>&1

if [ $? -ne 0 ]

then

echo "INFO: httpclient $CANVAS_EVENTS_RECEIVER_NAME does not exist"

fi

return 0

}

inithttpclient_gradeexchange() {

DO_CREATE="true"

if [ "$DO_CREATE" = "true" ]

then

echo "INFO: Creating httpclient $CANVAS_GE_RECEIVER_NAME..."

mbtool add httpclient -client=$CANVAS_GE_RECEIVER_NAME \
-http.username=$GE_HTTPAUTH_USER -http.password=$GE_HTTPAUTH_PW \
-http.url=$CANVAS_GE_URL/api/v1/accounts/$CANVAS_ACCOUNT_NUMBER/sis_imports.json?access_token=$CANVAS_ACCESS_TOKEN\&import_type=banner_grade_exchange_results\&extension=xml \
-enabled=true -http.stopDeliveryOnError=$STOPDELIVERY_ONERROR -username=$CANVAS_LMB_USER \
-credential=$CANVAS_LMB_PW -message.source.name=$SCT_GRADE_QUEUE_OUTBOUND \
-message.source.type=queue -message.selector=NONE -durable=false

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: unable to create httpclient $CANVAS_GE_RECEIVER_NAME"

return 1

fi

fi

return 0

}

delete_grades_httpclient() {

mbtool delete httpclient -client=$CANVAS_GE_RECEIVER_NAME >/dev/null 2>&1

if [ $? -ne 0 ]

then

echo "INFO: httpclient $CANVAS_GE_RECEIVER_NAME does not exist"

fi

return 0

}

initusers() {

DO_CREATE="true"

mbtool list user -id="$CANVAS_LMB_USER" >/dev/null 2>&1

if [ $? -eq 0 ]

then

if [ "$RE_INITIALIZE" = "true" ]

then

echo "INFO: Deleting User $CANVAS_LMB_USER..."

mbtool delete user -id=$CANVAS_LMB_USER

else

echo "INFO: User $CANVAS_LMB_USER already exists, skipping..."

DO_CREATE="false"

fi

fi

if [ "$DO_CREATE" = "true" ]

then

echo "INFO: Creating User $CANVAS_LMB_USER..."

mbtool add user -id=$CANVAS_LMB_USER -desc=LMG -credential=$CANVAS_LMB_PW

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: unable to create User $CANVAS_LMB_USER"

return 1

fi

fi

echo "INFO: Creating LMB access permissions to $CANVAS_LMB_USER..."

mbtool update clientaccess -policy=allow -entity=user -id=$CANVAS_LMB_USER -conn=normal -op=add

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: Could not grant access to $CANVAS_LMB_USER to connect to LMB"

return 1

fi

return 0

}

initdestinations() {

for DEST_SPEC in \

"${SCT_LMS_DISPATCH_TOPIC}:topic:consume" \

"${SCT_ERROR_TOPIC}:topic:produce" \

"${SCT_GRADE_QUEUE_INBOUND}:queue:produce" \

"${SCT_GRADE_QUEUE_OUTBOUND}:queue:consume"

do

DEST_NAME=`echo $DEST_SPEC | cut -d: -f1`

DEST_TYPE=`echo $DEST_SPEC | cut -d: -f2`

DEST_PERMISSION=`echo $DEST_SPEC | cut -d: -f3`

DO_CREATE="true"

mbtool list deststatus -dest="$DEST_NAME" -type="$DEST_TYPE" >/dev/null 2>&1

if [ $? -eq 0 ]

then

if [ "$RE_INITIALIZE" = "true" ] && [ "$BBVISTA" = "false" ]

then

echo "INFO: Deleting ${DEST_TYPE} ${DEST_NAME}..."

mbtool delete destination -dest="$DEST_NAME" -type="$DEST_TYPE"

else

echo "INFO: ${DEST_TYPE} ${DEST_NAME} already exists, skipping..."

DO_CREATE="false"

fi

fi

if [ "$DO_CREATE" = "true" ]

then

echo "INFO: Creating ${DEST_TYPE} ${DEST_NAME}..."

mbtool add destination -dest="$DEST_NAME" -type="$DEST_TYPE"

if [ $? -ne 0 ]

then

echo "ERROR: unable to create ${DEST_TYPE} ${DEST_NAME}"

return 1

fi

fi

echo "INFO: Adding $DEST_PERMISSION permission to ${DEST_TYPE} ${DEST_NAME} for user ${CANVAS_LMB_USER}..."

mbtool update destaccess -policy=allow -entity=user -id="$CANVAS_LMB_USER" \
-access=$DEST_PERMISSION -dest="$DEST_NAME" -type=$DEST_TYPE -op=add

if [ $? -ne 0 ]

then

echo "ERROR: unable to update destination permissions"

return 1

fi

done

return 0

}

initadministeredobjectstcp() {

for ADMIN_OBJ_SPEC in \

"cn=$CANVAS_TOPIC_CONNECTION_FACTORY:tcf" \

"cn=$CANVAS_QUEUE_CONNECTION_FACTORY:qcf"

do

ADMIN_OBJ_RDN=`echo $ADMIN_OBJ_SPEC | cut -d: -f1`

ADMIN_OBJ_TYPE=`echo $ADMIN_OBJ_SPEC | cut -d: -f2`

mbtool list adminobj -rdn="${ADMIN_OBJ_RDN}" >/dev/null 2>&1

if [ $? -eq 0 ]

then

if [ "$RE_INITIALIZE" = "true" ] && [ "$BBVISTA" = "false" ]

then

echo "INFO: Deleting administered object " \

"${ADMIN_OBJ_RDN} with type ${ADMIN_OBJ_TYPE}..."

mbtool delete adminobj -rdn="${ADMIN_OBJ_RDN}"

else

echo "INFO: Administered object " \

"${ADMIN_OBJ_RDN} with type ${ADMIN_OBJ_TYPE} already " \

"exists, skipping..."

continue

fi

fi

echo "INFO: Adding administered object " \

"${ADMIN_OBJ_RDN} with type ${ADMIN_OBJ_TYPE}..."

mbtool add adminobj -rdn="${ADMIN_OBJ_RDN}" -obj="${ADMIN_OBJ_TYPE}"

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: administered object creation failed, not proceeding"

return 1

fi

done

return 0

}

initadministeredobjectsssl() {

for ADMIN_OBJ_SPEC in \

"cn=$CANVAS_TOPIC_CONNECTION_FACTORY_SSL:tcf" \

"cn=$CANVAS_QUEUE_CONNECTION_FACTORY_SSL:qcf"

do

ADMIN_OBJ_RDN=`echo $ADMIN_OBJ_SPEC | cut -d: -f1`

ADMIN_OBJ_TYPE=`echo $ADMIN_OBJ_SPEC | cut -d: -f2`

mbtool list adminobj -rdn="${ADMIN_OBJ_RDN}" >/dev/null 2>&1

if [ $? -eq 0 ]

then

if [ "$RE_INITIALIZE" = "true" ] && [ "$BBVISTA" = "false" ]

then

echo "INFO: Deleting administered object " \

"${ADMIN_OBJ_RDN} with type ${ADMIN_OBJ_TYPE}..."

mbtool delete adminobj -rdn="${ADMIN_OBJ_RDN}"

else

echo "INFO: Administered object " \

"${ADMIN_OBJ_RDN} with type ${ADMIN_OBJ_TYPE} already " \

"exists, skipping..."

continue

fi

fi

echo "INFO: Adding administered object " \

"${ADMIN_OBJ_RDN} with type ${ADMIN_OBJ_TYPE}..."

mbtool add adminobj -rdn="${ADMIN_OBJ_RDN}" -obj="${ADMIN_OBJ_TYPE}" -property="imqConnectionType:TLS"

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: administered object creation failed, not proceeding"

return 1

fi

done

return 0

}

echo ""

echo "#### Initializing messaging users..."

initusers

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: messaging user initialization failed, not proceeding"

exit 1

fi

echo ""

echo "#### Initializing administered objects TCP..."

initadministeredobjectstcp

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: TCP administered object initialization failed, not proceeding"

exit 1

fi

echo ""

echo "#### Initializing administered objects SSL..."

initadministeredobjectsssl

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: SSL administered object initialization failed, not proceeding"

exit 1

fi

echo ""

echo "#### Initializing message destinations..."

initdestinations

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: message destination initialization failed, not proceeding"

exit 1

fi

echo ""

echo "### Checking event http clients..."

delete_event_httpclient

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: event http client could not be deleted......."

exit 1

fi

echo ""

echo "#### Initializing event http client "

inithttpclient_events

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: event http client could not be created, not proceeding"

exit 1

fi

echo ""

echo "### Checking grades http clients..."

delete_grades_httpclient

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: grades http client could not be deleted......."

exit 1

fi

echo ""

echo "#### Initializing grade exchange http client "

inithttpclient_gradeexchange

if [ $? -ne 0 ]

then

echo ""

echo "ERROR: grade exchange http client could not be created, not proceeding"

exit 1

fi

echo ""

echo "INFO: Successfully configured JMS Objects in LMB"

exit 0

-------------------END SCRIPT-------------------
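The setup script assigns its variables and passes them to mbtool without quoting, and it places the access token in the URL query string. The following pre-flight check is an added example, not part of canvas_mbldisetup; the function names and sample values are hypothetical, and the character allowlists are a deliberately conservative assumption.

```shell
#!/bin/sh
# Pre-flight checks for the values canvas_mbldisetup hands to mbtool.
# Added example: function names and sample values are constructed.

# True only for a non-empty value made of characters that are safe to assign
# and expand without quotes (no whitespace, globs, quotes, &, ;, $ ...).
is_safe_value() {
    case "$1" in
        ''|*[!A-Za-z0-9@._~:/-]*) return 1 ;;
    esac
    return 0
}

# Print the sis_imports URL in the form the script builds it, or fail with a reason.
# Arguments: base URL, account number, access token, import type.
build_sis_import_url() {
    base=$1; account=$2; token=$3; import_type=$4
    case "$base" in
        https://*) ;;
        *) echo "base URL must use https" >&2; return 1 ;;
    esac
    case "$base" in
        *'?'*|*/) echo "base URL must not end in / or carry a query" >&2; return 1 ;;
    esac
    is_safe_value "$base" || { echo "unsafe character in base URL" >&2; return 1; }
    case "$account" in
        ''|*[!0-9]*) echo "account number must be numeric" >&2; return 1 ;;
    esac
    case "$token" in
        ''|*[!A-Za-z0-9~]*) echo "unexpected character in access token" >&2; return 1 ;;
    esac
    case "$import_type" in
        ims_xml|banner_grade_exchange_results) ;;
        *) echo "unknown import_type" >&2; return 1 ;;
    esac
    printf '%s/api/v1/accounts/%s/sis_imports.json?access_token=%s&import_type=%s&extension=xml\n' \
        "$base" "$account" "$token" "$import_type"
}

# Mask the token before a URL is echoed, logged or pasted into a ticket.
redact_url() {
    printf '%s\n' "$1" | sed 's/\(access_token=\)[^&]*/\1REDACTED/'
}

# Print the name of each required variable that is empty or fails the
# allowlist; return non-zero if any name was printed.
check_setup_vars() {
    bad=0
    for name in CANVAS_LMB_USER CANVAS_LMB_PW EVENT_HTTPAUTH_USER EVENT_HTTPAUTH_PW \
                CANVAS_ACCESS_TOKEN CANVAS_ACCOUNT_NUMBER CANVAS_EVENTS_URL \
                GE_HTTPAUTH_USER GE_HTTPAUTH_PW CANVAS_GE_URL; do
        eval "value=\${$name}"
        if ! is_safe_value "$value"; then
            echo "$name"
            bad=1
        fi
    done
    return $bad
}

# Demo with constructed values (not real credentials).
if url=$(build_sis_import_url https://canvas.example.edu 13 ConstructedToken123 ims_xml); then
    echo "events client would POST to: $(redact_url "$url")"
fi
```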

Appendix 2: SSL certificate discussion (2048 bit SSL certificate not supported by default)

The following is a discussion on a Luminis Development list which gives some suggestions for certificates:

http://www.lumdev.net/node/3355

The long and short of it is that the command line has to be used to generate the key and CSR and to install the

certificates.

These instructions helped as well:

http://www.digicert.com/ssl-certificate-installation-iplanet.htm

Appendix 3: Miscellaneous hints and tips concerning LMB/LMG

Example Luminis IV config file for a standalone installation of LMB/LMG. Notice that there is no ‘escaping’ of

equal signs like the documentation tells you to do.

admin.id=admin

admin.password=<password>

cp.root=c:\lmb

license.key=<license key for standalone>

resource.directory.manager.dn=cn=Directory Manager

resource.directory.manager.password = <password>

resource.host=luminis.myschool.edu

resource.ldap.suffix=cp

resource.ldap.port=389

school.city=somewhere

school.country=us

school.name=USU

school.state=UT

school.timezone=America/Denver

school.zipcode=84322

tiers=messagebroker

verbose=yes

ws.http.port=7677

ws.https.port=7678