--- loncom/interface/domainprefs.pm	2023/04/11 20:35:19	1.422
+++ loncom/interface/domainprefs.pm	2023/06/03 19:18:11	1.425
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Handler to set domain-wide configuration settings
 #
-# $Id: domainprefs.pm,v 1.422 2023/04/11 20:35:19 raeburn Exp $
+# $Id: domainprefs.pm,v 1.425 2023/06/03 19:18:11 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -105,7 +105,7 @@ $datatable  - HTML containing form eleme
 In the case of course requests, radio buttons are displayed for each institutional
 affiliate type (and also default, and _LC_adv) for each of the course types 
 (official, unofficial, community, textbook, placement, and lti).  
-In each case the radio buttons allow the selection of one of four values:  
+In each case the radio buttons allow the selection of one of four values:
 
 0, approval, validate, autolimit=N (where N is blank, or a positive integer).
 which have the following effects:
@@ -178,6 +178,7 @@ use DateTime::TimeZone;
 use DateTime::Locale;
 use Time::HiRes qw( sleep );
 use Net::CIDR;
+use Crypt::CBC;
 
 my $registered_cleanup;
 my $modified_urls;
@@ -225,23 +226,46 @@ sub handler {
                 'privacy','passwords','proctoring','wafproxy','ipaccess'],$dom);
     my %encconfig =
         &Apache::lonnet::get_dom('encconfig',['ltitools','lti','proctoring','linkprot'],$dom,undef,1);
+    my ($checked_is_home,$is_home);
     if (ref($domconfig{'ltitools'}) eq 'HASH') {
         if (ref($encconfig{'ltitools'}) eq 'HASH') {
+            my $home = &Apache::lonnet::domain($dom,'primary');
+            unless (($home eq 'no_host') || ($home eq '')) {
+                my @ids=&Apache::lonnet::current_machine_ids();
+                if (grep(/^\Q$home\E$/,@ids)) {
+                    $is_home = 1;
+                }
+            }
+            $checked_is_home = 1;
             foreach my $id (keys(%{$domconfig{'ltitools'}})) {
                 if ((ref($domconfig{'ltitools'}{$id}) eq 'HASH') &&
                     (ref($encconfig{'ltitools'}{$id}) eq 'HASH')) {
                     $domconfig{'ltitools'}{$id}{'key'} = $encconfig{'ltitools'}{$id}{'key'};
+                    if (($is_home) && ($phase eq 'process')) {
+                        $domconfig{'ltitools'}{$id}{'secret'} = $encconfig{'ltitools'}{$id}{'secret'};
+                    }
                 }
             }
         }
     }
     if (ref($domconfig{'lti'}) eq 'HASH') {
         if (ref($encconfig{'lti'}) eq 'HASH') {
+            unless ($checked_is_home) {
+                my $home = &Apache::lonnet::domain($dom,'primary');
+                unless (($home eq 'no_host') || ($home eq '')) {
+                    my @ids=&Apache::lonnet::current_machine_ids();
+                    if (grep(/^\Q$home\E$/,@ids)) {
+                        $is_home = 1;
+                    }
+                }
+                $checked_is_home = 1;
+            }
             foreach my $id (keys(%{$domconfig{'lti'}})) {
                 if ((ref($domconfig{'lti'}{$id}) eq 'HASH') &&
                     (ref($encconfig{'lti'}{$id}) eq 'HASH')) {
-                    foreach my $item ('key','secret') {
-                        $domconfig{'lti'}{$id}{$item} = $encconfig{'lti'}{$id}{$item};
+                    $domconfig{'lti'}{$id}{'key'} = $encconfig{'lti'}{$id}{'key'};
+                    if (($is_home) && ($phase eq 'process')) {
+                        $domconfig{'lti'}{$id}{'secret'} = $encconfig{'lti'}{$id}{'secret'};
                     }
                 }
             }
@@ -580,7 +604,7 @@ sub handler {
                   print => \&print_loadbalancing,
                   modify => \&modify_loadbalancing,
                  },
-        'ltitools' => 
+        'ltitools' =>
                  {text => 'External Tools (LTI)',
                   help => 'Domain_Configuration_LTI_Tools',
                   header => [{col1 => 'Encryption of shared secrets',
@@ -638,12 +662,12 @@ sub handler {
                   print => \&print_trust,
                   modify => \&modify_trust,
                  },
-          'lti' =>
+        'lti' =>
                  {text => 'LTI Link Protection and LTI Consumers',
                   help => 'Domain_Configuration_LTI_Provider',
                   header => [{col1 => 'Encryption of shared secrets',
                               col2 => 'Settings'},
-                             {col1 => 'Rules for shared secrets', 
+                             {col1 => 'Rules for shared secrets',
                               col2 => 'Settings'},
                              {col1 => 'Link Protectors',
                               col2 => 'Settings'},
@@ -652,7 +676,7 @@ sub handler {
                   print => \&print_lti,
                   modify => \&modify_lti,
                  },
-           'ipaccess' =>
+        'ipaccess' =>
                        {text => 'IP-based access control',
                         help => 'Domain_Configuration_IP_Access',
                         header => [{col1 => 'Setting',
@@ -893,7 +917,7 @@ sub print_config_box {
         &Apache::lonuserutils::custom_role_privs(\%privs,\%full,\%levels,\%levelscurrent);
         my @templateroles = &Apache::lonuserutils::custom_template_roles($context,$crstype);
         $output =
-            &Apache::lonuserutils::custom_roledefs_js($context,$crstype,$formname,\%full, 
+            &Apache::lonuserutils::custom_roledefs_js($context,$crstype,$formname,\%full,
                                                       \@templateroles);
     } elsif ($action eq 'ltitools') {
         $output .= &Apache::lonconfigsettings::ltitools_javascript($settings);
@@ -3529,7 +3553,6 @@ sub lti_toggle_js {
     my %servers = &Apache::lonnet::get_servers($dom,'library');
     my $primary = &Apache::lonnet::domain($dom,'primary');
     my $course_servers = "'".join("','",keys(%servers))."'";
-
     return <<"ENDSCRIPT";
 <script type="text/javascript">
 // <![CDATA[
@@ -3628,7 +3651,7 @@ function toggleLTI(form,setting,item) {
                            break;
                        }
                    }
-               } 
+               }
             }
             if (!setvis) {
                 if (document.getElementById(divid)) {
@@ -3705,7 +3728,7 @@ function toggleLTI(form,setting,item) {
         var divid = 'lti_menufield_'+item;
         var setvis = '';
         for (var i=0; i<menus.length; i++) {
-            var radioname = menus[i];  
+            var radioname = menus[i];
             var num = form.elements[radioname].length;
             if (num) {
                 for (var j=0; j<num; j++) {
@@ -3813,16 +3836,16 @@ sub saml_javascript {
     return <<"ENDSCRIPT";
 <script type="text/javascript">
 // <![CDATA[
-function toggleSamlOptions(form,hostid) { 
+function toggleSamlOptions(form,hostid) {
     var radioname = 'saml_'+hostid;
     var tablecellon = 'samloptionson_'+hostid;
     var tablecelloff = 'samloptionsoff_'+hostid;
     var num = form.elements[radioname].length;
     if (num) {
-        var setvis = ''; 
+        var setvis = '';
         for (var i=0; i<num; i++) {
             if (form.elements[radioname][i].checked) {
-                if (form.elements[radioname][i].value == '1') { 
+                if (form.elements[radioname][i].value == '1') {
                     if (document.getElementById(tablecellon)) {
                         document.getElementById(tablecellon).style.display='';
                     }
@@ -4590,7 +4613,7 @@ sub print_contacts {
                 map {$excluded{$_} = 1; } @{$lonstatus{'excluded'}};
             }
         }
-        foreach my $item ('errorthreshold','errorsysmail') { 
+        foreach my $item ('errorthreshold','errorsysmail') {
             $css_class = $rownum%2?' class="LC_odd_row"':'';
             $datatable .= '<tr'.$css_class.'>'.
                           '<td class="LC_left_item"><span class="LC_nobreak">'.
@@ -4672,7 +4695,7 @@ sub print_contacts {
                             $includeloc{'override_'.$key} = '';
                             $includestr{'override_'.$key} = '';
                             if ($settings->{'overrides'}{$key}{'include'} ne '') {
-                                ($includeloc{'override_'.$key},$includestr{'override_'.$key}) = 
+                                ($includeloc{'override_'.$key},$includestr{'override_'.$key}) =
                                     split(/:/,$settings->{'overrides'}{$key}{'include'},2);
                                 $includestr{'override_'.$key} = &unescape($includestr{'override_'.$key});
                             }
@@ -4684,7 +4707,6 @@ sub print_contacts {
             my $optionsprefix = 'LC_options_helpdesk_';
 
             my $onclicktypes = "toggleHelpdeskRow(this.form,'overrides','$customclass','$optionsprefix');";
- 
             $datatable .= &insttypes_row($settings,$types,$usertypes,$dom,
                                          $numinrow,$othertitle,'overrides',
                                          \$rownum,$onclicktypes,$customclass);
@@ -4751,7 +4773,7 @@ sub overridden_helpdesk {
             }
             my $title;
             if (ref($short_titles) eq 'HASH') {
-                $title = $short_titles->{$item}; 
+                $title = $short_titles->{$item};
             }
             $output .= '<label>'.
                        '<input type="checkbox" name="override_'.$type.'"'.$check.
@@ -4830,7 +4852,6 @@ function toggleHelpdeskRow(form,checkbox
     return;
 }
 
-
 // ]]>
 </script>
 
@@ -5341,7 +5362,7 @@ sub ltitools_names {
                                           'key'            => 'Key',
                                           'lifetime'       => 'Nonce lifetime (s)',
                                           'secret'         => 'Secret',
-                                          'icon'           => 'Icon',   
+                                          'icon'           => 'Icon',
                                           'user'           => 'User',
                                           'fullname'       => 'Full Name',
                                           'firstname'      => 'First Name',
@@ -5359,7 +5380,7 @@ sub ltitools_names {
                                           'roster'         => 'Tool can retrieve roster:',
                                           'crstarget'      => 'Display target',
                                           'crslabel'       => 'Course label',
-                                          'crstitle'       => 'Course title', 
+                                          'crstitle'       => 'Course title',
                                           'crslinktext'    => 'Link Text',
                                           'crsexplanation' => 'Explanation',
                                           'crsappend'      => 'Provider URL',
@@ -6176,6 +6197,9 @@ sub print_lti {
     } elsif ($position eq 'lower') {
          $datatable .= &Apache::courseprefs::print_linkprotection($dom,'',$settings,$rowtotal,'','','domain');
     } else {
+        my ($switchserver,$switchmessage);
+        $switchserver = &check_switchserver($dom);
+        $switchmessage = &mt("submit from domain's primary library server: [_1].",$switchserver);
         my $maxnum = 0;
         my %ordered;
         if (ref($settings) eq 'HASH') {
@@ -6196,10 +6220,10 @@ sub print_lti {
             for (my $i=0; $i<@items; $i++) {
                 $css_class = $itemcount%2?' class="LC_odd_row"':'';
                 my $item = $ordered{$items[$i]};
-                my ($key,$secret,$lifetime,$consumer,$requser,$crsinc,$current);
+                my ($key,$secret,$usable,$lifetime,$consumer,$requser,$crsinc,$current);
                 if (ref($settings->{$item}) eq 'HASH') {
                     $key = $settings->{$item}->{'key'};
-                    $secret = $settings->{$item}->{'secret'};
+                    $usable = $settings->{$item}->{'usable'};
                     $lifetime = $settings->{$item}->{'lifetime'};
                     $consumer = $settings->{$item}->{'consumer'};
                     $requser = $settings->{$item}->{'requser'};
@@ -6247,8 +6271,56 @@ sub print_lti {
                     '<option value="LTI-1p0" selected="selected">1.1</option></select></span> '.
                     ('&nbsp;'x2).
                     '<span class="LC_nobreak">'.$lt{'lifetime'}.':<input type="text" name="lti_lifetime_'.$i.'"'.
-                    'value="'.$lifetime.'" size="3" /></span>'.
-                    ('&nbsp;'x2).
+                    'value="'.$lifetime.'" size="3" /></span><br /><br />';
+                if ($key ne '') {
+                    $datatable .= '<span class="LC_nobreak">'.$lt{'key'};
+                    if ($switchserver) {
+                        $datatable .= ': ['.&mt('[_1] to view/edit',$switchserver).']';
+                    } else {
+                        $datatable .= ':<input type="text" size="25" name="lti_key_'.$i.'" value="'.$key.'" autocomplete="off" />';
+                    }
+                    $datatable .= '</span> '.('&nbsp;'x2);
+                } elsif (!$switchserver) {
+                    $datatable .= '<span class="LC_nobreak">'.$lt{'key'}.':'.
+                                  '<input type="text" size="25" name="lti_key_'.$i.'" value="'.$key.'" autocomplete="off" />'.
+                                  '</span> '.('&nbsp;'x2);
+                }
+                if ($switchserver) {
+                    if ($usable ne '') {
+                        $datatable .= '<div id="lti_divcurrsecret_'.$i.'" style="display:inline-block" /><span class="LC_nobreak">'.
+                                      $lt{'secret'}.': ['.&mt('not shown').'] '.('&nbsp;'x2).'</span></div>'.
+                                      '<span class="LC_nobreak">'.&mt('Change secret?').
+                                      '<label><input type="radio" value="0" name="lti_changesecret_'.$i.'" onclick="javascript:toggleChgSecret(this.form,'."'$i','secret','lti'".');" checked="checked" />'.&mt('No').'</label>'.
+                                      ('&nbsp;'x2).
+                                     '<label><input type="radio" value="1" name="lti_changesecret_'.$i.'" onclick="javascript:toggleChgSecret(this.form,'."'$i','secret','lti'".');" />'.&mt('Yes').'</label>'.('&nbsp;'x2).
+                                      '</span><div id="lti_divchgsecret_'.$i.'" style="display:none" />'.
+                                      '<span class="LC_nobreak"> - '.$switchmessage.'</span>'.
+                                      '</div>';
+                    } elsif ($key eq '') {
+                        $datatable .= '<span class="LC_nobreak">'.&mt('Key and Secret are required').' - '.$switchmessage.'</span>'."\n";
+                    } else {
+                        $datatable .= '<span class="LC_nobreak">'.&mt('Secret required').' - '.$switchmessage.'</span>'."\n";
+                    }
+                } else {
+                    if ($usable ne '') {
+                        $datatable .= '<div id="lti_divcurrsecret_'.$i.'" style="display:inline-block" /><span class="LC_nobreak">'.
+                                      $lt{'secret'}.': ['.&mt('not shown').'] '.('&nbsp;'x2).'</span></div>'.
+                                      '<span class="LC_nobreak">'.&mt('Change?').
+                                      '<label><input type="radio" value="0" name="lti_changesecret_'.$i.'" onclick="javascript:toggleChgSecret(this.form,'."'$i','secret','lti'".');" checked="checked" />'.&mt('No').'</label>'.
+                                      ('&nbsp;'x2).
+                                      '<label><input type="radio" value="1" name="lti_changesecret_'.$i.'" onclick="javascript:toggleChgSecret(this.form,'."'$i','secret','lti'".');" />'.&mt('Yes').
+                                      '</label>&nbsp;&nbsp;</span><div id="lti_divchgsecret_'.$i.'" style="display:none" />'.
+                                      '<span class="LC_nobreak">'.&mt('New Secret').':'.
+                                      '<input type="password" size="20" name="lti_secret_'.$i.'" value="" autocomplete="new-password" />'.
+                                      '<label><input type="checkbox" name="lti_visible_'.$i.'" id="lti_visible_'.$i.'" onclick="if (this.checked) { this.form.lti_secret_'.$i.'.type='."'text'".' } else { this.form.lti_secret_'.$i.'.type='."'password'".' }" />'.&mt('Visible input').'</label></span></div>';
+                    } else {
+                        $datatable .=
+                            '<span class="LC_nobreak">'.$lt{'secret'}.':'.
+                            '<input type="password" size="20" name="lti_secret_'.$i.'" value="" autocomplete="new-password" />'.
+                            '<label><input type="checkbox" name="lti_visible_'.$i.'" id="lti_visible_'.$i.'" onclick="if (this.checked) { this.form.lti_secret_'.$i.'.type='."'text'".' } else { this.form.lti_secret_'.$i.'.type='."'password'".' }" />'.&mt('Visible input').'</label>';
+                    }
+                }
+                $datatable .= '<br /><br />'.
                     '<span class="LC_nobreak">'.$lt{'requser'}.':'.
                     '<label><input type="radio" name="lti_requser_'.$i.'" value="1"'.$onclickrequser.$checkedrequser{yes}.' />'.&mt('Yes').'</label>&nbsp;'."\n".
                     '<label><input type="radio" name="lti_requser_'.$i.'" value="0"'.$onclickrequser.$checkedrequser{no}.' />'.&mt('No').'</label></span>'."\n".
@@ -6257,12 +6329,6 @@ sub print_lti {
                     '<label><input type="radio" name="lti_crsinc_'.$i.'" value="1"'.$onclickcrsinc.$checkedcrsinc{yes}.' />'.&mt('Yes').'</label>&nbsp;'."\n".
                     '<label><input type="radio" name="lti_crsinc_'.$i.'" value="0"'.$onclickcrsinc.$checkedcrsinc{no}.' />'.&mt('No').'</label></span>'."\n".
                     ('&nbsp;'x4).
-                    '<span class="LC_nobreak">'.$lt{'key'}.
-                    ':<input type="text" size="25" name="lti_key_'.$i.'" value="'.$key.'" /></span> '.
-                    ('&nbsp;'x2).
-                    '<span class="LC_nobreak">'.$lt{'secret'}.':'.
-                    '<input type="password" size="20" name="lti_secret_'.$i.'" value="'.$secret.'" />'.
-                    '<label><input type="checkbox" name="visible" onclick="if (this.checked) { this.form.lti_secret_'.$i.'.type='."'text'".' } else { this.form.lti_secret_'.$i.'.type='."'password'".' }" />'.&mt('Visible input').'</label>'.
                     '<input type="hidden" name="lti_id_'.$i.'" value="'.$item.'" /></span>'.
                     '</fieldset>'.&lti_options($i,$current,$itemcount,%lt).'</td></tr>';
                 $itemcount ++;
@@ -6291,8 +6357,16 @@ sub print_lti {
                       '<span class="LC_nobreak">'.$lt{'version'}.':<select name="lti_version_add">'.
                       '<option value="LTI-1p0" selected="selected">1.1</option></select></span> '."\n".
                       ('&nbsp;'x2).
-                      '<span class="LC_nobreak">'.$lt{'lifetime'}.':<input type="text" size="3" name="lti_lifetime_add" value="300" /></span> '."\n".
-                      ('&nbsp;'x2).
+                      '<span class="LC_nobreak">'.$lt{'lifetime'}.':<input type="text" size="3" name="lti_lifetime_add" value="300" /></span><br /><br />'."\n";
+        if ($switchserver) {
+            $datatable .= '<span class="LC_nobreak">'.&mt('Key and Secret are required').' - '.$switchmessage.'</span>'."\n";
+        } else {
+            $datatable .= '<span class="LC_nobreak">'.$lt{'key'}.':<input type="text" size="25" name="lti_key_add" value="" autocomplete="off" /></span> '."\n".
+                          ('&nbsp;'x2).
+                          '<span class="LC_nobreak">'.$lt{'secret'}.':<input type="password" size="20" name="lti_secret_add" value="" autocomplete="new-password" />'.
+                          '<label><input type="checkbox" name="lti_add_visible" id="lti_add_visible" onclick="if (this.checked) { this.form.lti_secret_add.type='."'text'".' } else { this.form.lti_secret_add.type='."'password'".' }" />'.&mt('Visible input').'</label></span> '."\n";
+        }
+        $datatable .= '<br /><br />'.
                       '<span class="LC_nobreak">'.$lt{'requser'}.':'.
                       '<label><input type="radio" name="lti_requser_add" value="1" onclick="toggleLTI(this.form,'."'requser','add'".');" checked="checked" />'.&mt('Yes').'</label>&nbsp;'."\n".
                       '<label><input type="radio" name="lti_requser_add" value="0" onclick="toggleLTI(this.form,'."'requser','add'".');" />'.&mt('No').'</label></span>'."\n".
@@ -6300,11 +6374,6 @@ sub print_lti {
                       '<span class="LC_nobreak">'.$lt{'crsinc'}.':'.
                       '<label><input type="radio" name="lti_crsinc_add" value="1" onclick="toggleLTI(this.form,'."'crsinc','add'".');" checked="checked" />'.&mt('Yes').'</label>&nbsp;'."\n".
                       '<label><input type="radio" name="lti_crsinc_add" value="0" onclick="toggleLTI(this.form,'."'crsinc','add'".');" />'.&mt('No').'</label></span>'."\n".
-                      ('&nbsp;'x4).
-                      '<span class="LC_nobreak">'.$lt{'key'}.':<input type="text" size="25" name="lti_key_add" value="" /></span> '."\n".
-                      ('&nbsp;'x2).
-                      '<span class="LC_nobreak">'.$lt{'secret'}.':<input type="password" size="20" name="lti_secret_add" value="" />'.
-                      '<label><input type="checkbox" name="visible" onclick="if (this.checked) { this.form.lti_secret_add.type='."'text'".' } else { this.form.lti_secret_add.type='."'password'".' }" />'.&mt('Visible input').'</label></span> '."\n".
                       '</fieldset>'.&lti_options('add',undef,$itemcount,%lt).
                       '</td>'."\n".
                       '</tr>'."\n";
@@ -6377,7 +6446,7 @@ sub lti_options {
         if (($current->{'mapuser'} ne '') && ($current->{'mapuser'} ne 'lis_person_sourcedid')) {
             $checked{'mapuser'}{'sourcedid'} = '';
             if ($current->{'mapuser'} eq 'lis_person_contact_email_primary') {
-                $checked{'mapuser'}{'email'} = ' checked="checked"'; 
+                $checked{'mapuser'}{'email'} = ' checked="checked"';
             } else {
                 $checked{'mapuser'}{'other'} = ' checked="checked"';
                 $userfield = $current->{'mapuser'};
@@ -6387,7 +6456,7 @@ sub lti_options {
         if (($current->{'mapcrs'} ne '') && ($current->{'mapcrs'} ne 'course_offering_sourcedid')) {
             $checked{'mapcrs'}{'course_offering_sourcedid'} = '';
             if ($current->{'mapcrs'} eq 'context_id') {
-                $checked{'mapcrs'}{'context_id'} = ' checked="checked"'; 
+                $checked{'mapcrs'}{'context_id'} = ' checked="checked"';
             } else {
                 $checked{'mapcrs'}{'other'} = ' checked="checked"';
                 $cidfield = $current->{'mapcrs'};
@@ -6415,7 +6484,7 @@ sub lti_options {
             $checked{'lcauth'}{$1} = ' checked="checked"';
             unless (($current->{'lcauth'} eq 'lti') || ($current->{'lcauth'} eq 'internal')) {
                 $lcauthparm = $current->{'lcauthparm'};
-                $lcauthparmstyle = 'display:table-row'; 
+                $lcauthparmstyle = 'display:table-row';
                 if ($current->{'lcauth'} eq 'localauth') {
                     $lcauthparmtext = &mt('Local auth argument');
                 } else {
@@ -6432,7 +6501,7 @@ sub lti_options {
             %rolemaps = %{$current->{'maproles'}};
         }
         if ($current->{'section'} ne '') {
-            $checked{'crssec'}{'Y'} = '  checked="checked"'; 
+            $checked{'crssec'}{'Y'} = '  checked="checked"';
             $crssecfieldsty = 'inline-block';
             if ($current->{'section'} eq 'course_section_sourcedid') {
                 $checked{'crssecsrc'}{'sourcedid'} = ' checked="checked"';
@@ -6478,9 +6547,9 @@ sub lti_options {
         $checked{'crssec'}{'N'} = ' checked="checked"';
         $checked{'callback'}{'N'} = ' checked="checked"';
         $checked{'topmenu'}{'N'} = ' checked="checked"';
-        $checked{'inlinemenu'}{'Y'} = ' checked="checked"'; 
+        $checked{'inlinemenu'}{'Y'} = ' checked="checked"';
         $checked{'menuitem'}{'grades'} = ' checked="checked"';
-        $menusty = 'inline-block'; 
+        $menusty = 'inline-block';
     }
     my @coursetypes = ('official','unofficial','community','textbook','placement','lti');
     my %coursetypetitles = &Apache::lonlocal::texthash (
@@ -6533,7 +6602,7 @@ sub lti_options {
                '<fieldset class="ltioption_usr_'.$num.'" style="display:'.$optionsty.'"><legend>'.&mt('Roles which may create user accounts').'</legend>';
     foreach my $ltirole (@ltiroles) {
         $output .= '<span class="LC_nobreak"><label><input type="checkbox" name="lti_makeuser_'.$num.'" value="'.$ltirole.'"'.
-                   $checked{'makeuser'}{$ltirole}.' />'.$ltirole.'</label>&nbsp;</span> ';     
+                   $checked{'makeuser'}{$ltirole}.' />'.$ltirole.'</label>&nbsp;</span> ';
     }
     $output .= '</fieldset>'.
                '<fieldset class="ltioption_usr_'.$num.'" style="display:'.$optionsty.'"><legend>'.&mt('New user accounts created for LTI users').'</legend>'.
@@ -6665,9 +6734,9 @@ sub lti_options {
         if ($extra eq 'passback') {
             $pb1p1chk = ' checked="checked"';
             $pb1p0chk = '';
-            $onclickpb = ' onclick="toggleLTI(this.form,'."'passback','$num'".');"'; 
+            $onclickpb = ' onclick="toggleLTI(this.form,'."'passback','$num'".');"';
         } else {
-            $onclickpb = ''; 
+            $onclickpb = '';
         }
         if (ref($current) eq 'HASH') {
             if (($current->{$extra})) {
@@ -7857,7 +7926,7 @@ sub password_rules {
         if (ref($settings->{chars}) eq 'ARRAY') {
             map { $chars{$_} = 1; } (@{$settings->{chars}});
         }
-        if ($prefix eq 'passwords') { 
+        if ($prefix eq 'passwords') {
             if ($settings->{expire}) {
                 $expire = $settings->{expire};
             }
@@ -8000,7 +8069,7 @@ sub print_wafproxy {
             my %config = &Apache::lonnet::get_dom('configuration',['wafproxy'],$domain);
             if (ref($config{'wafproxy'}) eq 'HASH') {
                 $aliases{$domain} = $config{'wafproxy'}{'alias'};
-                if (exists($config{'wafproxy'}{'saml'})) { 
+                if (exists($config{'wafproxy'}{'saml'})) {
                     $saml{$domain} = $config{'wafproxy'}{'saml'};
                 }
                 foreach my $item ('remoteip','ipheader','trusted','vpnint','vpnext') {
@@ -8065,10 +8134,10 @@ sub print_wafproxy {
                               ('&nbsp;'x2).'<span class="LC_nobreak">'.
                               &mt('Alias used for SSO Auth').':&nbsp;<label>'.
                               '<input type="radio" value="0"'.$samloff.' name="wafproxy_alias_saml_'.$server.'" />'.
-                              &mt('No').'</label>&nbsp;<label>'. 
+                              &mt('No').'</label>&nbsp;<label>'.
                               '<input type="radio" value="1"'.$samlon.' name="wafproxy_alias_saml_'.$server.'" />'.
                               &mt('Yes').'</label></span>'.
-                              '</td>'; 
+                              '</td>';
             }
             $aliasrows .= '</tr>';
             $aliasinfo{$dom_in_effect} .= $aliasrows;
@@ -8978,7 +9047,7 @@ sub print_loadbalancing {
                                   no => ' checked="checked"',
                               );
         my %balcookiechecked = (
-                                  no => ' checked="checked"', 
+                                  no => ' checked="checked"',
                                );
         foreach my $sparetype (@sparestypes) {
             my $targettable;
@@ -9565,7 +9634,7 @@ sub print_selfcreation {
         ($datatable,$itemcount) = &radiobutton_prefs(\%radiohash,\@toggles,\%defaultchecked,
                                                      \%choices,$itemcount,$onclick);
         $$rowtotal += $itemcount;
-        
+
         if (ref($usertypes) eq 'HASH') {
             if (keys(%{$usertypes}) > 0) {
                 $datatable .= &insttypes_row($createsettings,$types,$usertypes,
@@ -9702,7 +9771,7 @@ sub print_selfcreation {
                 my $currstyle = 'display:none';
                 if (grep(/^\Q$status\E$/,@ordered)) {
                     $currstyle = $rowstyle;
-                    $hidden = 0; 
+                    $hidden = 0;
                 }
                 $datatable .= &noninst_users($processing,$emailverified,$emailoptions,$emaildomain,
                                              $emailrules,$emailruleorder,$settings,$status,$rowid,
@@ -9729,8 +9798,8 @@ sub print_selfcreation {
             foreach my $status (@posstypes) {
                 my $rowid = $classprefix.$status;
                 my $datarowstyle = 'display:none';
-                if (grep(/^\Q$status\E$/,@ordered)) { 
-                    $datarowstyle = $rowstyle; 
+                if (grep(/^\Q$status\E$/,@ordered)) {
+                    $datarowstyle = $rowstyle;
                 }
                 $datatable .= &modifiable_userdata_row('cancreate','emailusername_'.$status,$settings,
                                                        $numinrow,$$rowtotal,\%usertypeshash,$infofields,
@@ -9832,7 +9901,7 @@ function toggleEmailOptions(form,radio,p
                     document.getElementById(altprefix+'_inst_'+status).style.display = 'none';
                     document.getElementById(altprefix+'_noninst_'+status).style.display = 'none';
                     if (curr == 'custom') {
-                        if (prefix) { 
+                        if (prefix) {
                             document.getElementById(prefix+'_'+status).style.display = 'inline';
                         }
                     } else if (curr == 'inst') {
@@ -9855,10 +9924,10 @@ ENDSCRIPT
 
 sub noninst_users {
     my ($processing,$emailverified,$emailoptions,$emaildomain,$emailrules,
-        $emailruleorder,$settings,$type,$rowid,$typetitle,$css_class,$rowstyle,$intdom) = @_; 
+        $emailruleorder,$settings,$type,$rowid,$typetitle,$css_class,$rowstyle,$intdom) = @_;
     my $class = 'LC_left_item';
     if ($css_class) {
-        $css_class = ' class="'.$css_class.'"'; 
+        $css_class = ' class="'.$css_class.'"';
     }
     if ($rowid) {
         $rowid = ' id="'.$rowid.'"';
@@ -9873,10 +9942,10 @@ sub noninst_users {
         $description = &mt('Requests for: [_1] (status self-reported)',$typetitle);
     }
     $output = '<tr'.$css_class.$rowid.$rowstyle.'>'.
-              "<td>$description</td>\n".           
+              "<td>$description</td>\n".
               '<td class="'.$class.'" colspan="2">'.
               '<table><tr>';
-    my %headers = &Apache::lonlocal::texthash( 
+    my %headers = &Apache::lonlocal::texthash(
               approve  => 'Processing',
               email    => 'E-mail',
               username => 'Username',
@@ -10001,7 +10070,7 @@ sub noninst_users {
                     my $value;
                     if (ref($emaildomain) eq 'HASH') {
                         if (ref($emaildomain->{$type}) eq 'HASH') {
-                            $value = $emaildomain->{$type}->{$option}; 
+                            $value = $emaildomain->{$type}->{$option};
                         }
                     }
                     if ($value eq '') {
@@ -10319,7 +10388,7 @@ sub print_defaults {
                     if ($defaults{$item.'_'.$field}) {
                         $checkedon = $checkedoff;
                         $checkedoff = '';
-                    } 
+                    }
                     $datatable .= '<div id="'.$item.'_'.$field.'_div" style="display:'.$portalsty.'">'.
                               '<span class="LC_nobreak">'.$titles->{$field}.'&nbsp;'.
                               '<label><input type="radio" name="'.$item.'_'.$field.'" value="1"'.$checkedon.'/>'.&mt('Yes').'</label>'.
@@ -11148,7 +11217,7 @@ sub defaults_javascript {
 function portalExtras(caller) {
     var x = caller.value;
     var y = new Array('email','web');
-    for (var i=0; i<y.length; i++) { 
+    for (var i=0; i<y.length; i++) {
         if (document.getElementById('portal_def_'+y[i]+'_div')) {
             var z = document.getElementById('portal_def_'+y[i]+'_div');
             if (x.length > 0) {
@@ -11252,7 +11321,7 @@ sub passwords_javascript {
     }
     &js_escape(\%intalert);
     my $defmin = $Apache::lonnet::passwdmin;
-    my $intauthjs; 
+    my $intauthjs;
     if ($prefix eq 'passwords') { $intauthjs = <<"ENDSCRIPT";
 
 function warnIntAuth(field) {
@@ -11672,7 +11741,7 @@ sub modifiable_userdata_row {
                 }
             }
         }
-        if (ref($hashref) eq 'HASH') { 
+        if (ref($hashref) eq 'HASH') {
             foreach my $field (@fields) {
                 if ($hashref->{$field}) {
                     if ($role eq 'emailusername') {
@@ -11684,7 +11753,6 @@ sub modifiable_userdata_row {
             }
         }
     }
- 
     my $total = scalar(@fields);
     for (my $i=0; $i<$total; $i++) {
         $rem = $i%($numinrow);
@@ -11848,7 +11916,7 @@ sub insttypes_row {
         } else {
             $output .= '<td class="LC_left_item">';
         }
-        $output .= '&nbsp;';  
+        $output .= '&nbsp;';
     } else {
         if ($rem == 0) {
             $output .= '<tr>';
@@ -12124,7 +12192,7 @@ sub modify_login {
                     if ($lang eq $env{'form.loginhelpurl_add_lang'}) {
                         $formelem = 'loginhelpurl_add_file';
                     }
-                    (my $result,$newurl{$lang}) = 
+                    (my $result,$newurl{$lang}) =
                         &Apache::lonconfigsettings::publishlogo($r,'upload',$formelem,$dom,$confname,
                                                                 "help/$lang",'','',$newfile{$lang},
                                                                 $modified);
@@ -12201,7 +12269,7 @@ sub modify_login {
                 my $modified = [];
                 foreach my $lonhost (@newhosts) {
                     my $formelem = 'loginheadtag_'.$lonhost;
-                    (my $result,$newheadtagurls{$lonhost}) = 
+                    (my $result,$newheadtagurls{$lonhost}) =
                         &Apache::lonconfigsettings::publishlogo($r,'upload',$formelem,$dom,$confname,
                                                                 "login/headtag/$lonhost",'','',
                                                                 $env{'form.loginheadtag_'.$lonhost.'.filename'},
@@ -12278,15 +12346,15 @@ sub modify_login {
                 $currsaml{$lonhost}{$item} = $env{'form.saml_'.$item.'_'.$lonhost};
             }
         } else {
-            if ($saml{$lonhost}) {  
+            if ($saml{$lonhost}) {
                 $changes{'saml'}{$lonhost} = 1;
                 delete($currsaml{$lonhost});
             }
         }
     }
     foreach my $posshost (keys(%currsaml)) {
-        unless (exists($domservers{$posshost})) { 
-            delete($currsaml{$posshost}); 
+        unless (exists($domservers{$posshost})) {
+            delete($currsaml{$posshost});
         }
     }
     %{$loginhash{'login'}{'saml'}} = %currsaml;
@@ -12300,7 +12368,7 @@ sub modify_login {
                 my $modified = [];
                 foreach my $lonhost (@newsamlimgs) {
                     my $formelem = 'saml_img_'.$lonhost;
-                    my ($result,$imgurl) = 
+                    my ($result,$imgurl) =
                         &Apache::lonconfigsettings::publishlogo($r,'upload',$formelem,$dom,$confname,
                                                                 "login/saml/$lonhost",'','',
                                                                 $env{'form.saml_img_'.$lonhost.'.filename'},
@@ -12670,7 +12738,7 @@ sub modify_ipaccess {
             $possrange =~ s/,+/,/g;
             if ($possrange ne '') {
                 my (@ok,$count);
-                $count = 0; 
+                $count = 0;
                 foreach my $poss (split(/\,/,$possrange)) {
                     $count ++;
                     $poss = &validate_ip_pattern($poss);
@@ -12703,9 +12771,9 @@ sub modify_ipaccess {
             }
         }
         $confhash{$itemid}{'commblocks'} = {};
-         
+
         my %commblocks;
-        map { $commblocks{$_} = 1; } &Apache::loncommon::get_env_multiple('form.ipaccess_block_'.$idx);  
+        map { $commblocks{$_} = 1; } &Apache::loncommon::get_env_multiple('form.ipaccess_block_'.$idx);
         foreach my $type (@{$typeorder}) {
             if ($commblocks{$type}) {
                 $confhash{$itemid}{'commblocks'}{$type} = 'on';
@@ -12737,7 +12805,7 @@ sub modify_ipaccess {
         }
         $env{'form.ipaccess_cnum_'.$idx} =~ s/^\s+|\s+$//g;
         $env{'form.ipaccess_cdom_'.$idx} =~ s/^\s+|\s+$//g;
-        if (($env{'form.ipaccess_cnum_'.$idx} =~ /^$match_courseid$/) && 
+        if (($env{'form.ipaccess_cnum_'.$idx} =~ /^$match_courseid$/) &&
             ($env{'form.ipaccess_cdom_'.$idx} =~ /^$match_domain$/)) {
             if (&Apache::lonnet::homeserver($env{'form.ipaccess_cnum_'.$idx},
                                             $env{'form.ipaccess_cdom_'.$idx}) eq 'no_host') {
@@ -12817,7 +12885,7 @@ sub modify_ipaccess {
                     if (keys(%{$confhash{$itemid}{'courses'}})) {
                         my @courses;
                         foreach my $cid (sort(keys(%{$confhash{$itemid}{'courses'}}))) {
-                            my %courseinfo = &Apache::lonnet::coursedescription($cid,{'one_time' => 1}); 
+                            my %courseinfo = &Apache::lonnet::coursedescription($cid,{'one_time' => 1});
                             push(@courses,$courseinfo{'description'}.' ('.$cid.')');
                         }
                         $resulttext .= '<li>'.&mt('Courses/Communities allowed').':<ul><li>'.
@@ -13412,10 +13480,14 @@ sub subscribed_hosts {
 
 sub check_switchserver {
     my ($dom,$confname) = @_;
-    my ($allowed,$switchserver);
-    my $home = &Apache::lonnet::homeserver($confname,$dom);
-    if ($home eq 'no_host') {
+    my ($allowed,$switchserver,$home);
+    if ($confname eq '') {
         $home = &Apache::lonnet::domain($dom,'primary');
+    } else {
+        $home = &Apache::lonnet::homeserver($confname,$dom);
+        if ($home eq 'no_host') {
+            $home = &Apache::lonnet::domain($dom,'primary');
+        }
     }
     my @ids=&Apache::lonnet::current_machine_ids();
     foreach my $id (@ids) { if ($id eq $home) { $allowed=1; } }
@@ -14245,15 +14317,22 @@ sub modify_ltitools {
                                    $action => { %newtoolsenc }
                                );
             &Apache::lonnet::put_dom('encconfig',\%toolsenchash,$dom,undef,1);
+            my $cachetime = 24*60*60;
+            &Apache::lonnet::do_cache_new('ltitoolsenc',$dom,\%newtoolsenc,$cachetime);
             &store_security($dom,'ltitools',\%secchanges,\%newkeyset,\%keystore,$lastactref);
         }
         $resulttext = &mt('Changes made:').'<ul>';
         if (keys(%secchanges) > 0) {
-            $resulttext .= &lti_security_results('ltitools',\%secchanges,\%newtoolsec,\%newkeyset,\%keystore);
+            $resulttext .= &lti_security_results($dom,'ltitools',\%secchanges,\%newtoolsec,\%newkeyset,\%keystore);
         }
         if (keys(%ltitoolschg) > 0) {
             $resulttext .= $ltitoolsoutput;
         }
+        my $cachetime = 24*60*60;
+        &Apache::lonnet::do_cache_new('ltitools',$dom,\%newltitools,$cachetime);
+        if (ref($lastactref) eq 'HASH') {
+            $lastactref->{'ltitools'} = 1;
+        }
     } else {
         $errors .= '<li><span class="LC_error">'.&mt('Failed to save changes').'</span></li>';
     }
@@ -14334,7 +14413,6 @@ sub fetch_secrets {
 
     foreach my $hostid (keys(%servers)) {
         if (($hostid ne '') && (grep(/^\Q$hostid\E$/,@ids))) {
-            my $newkey;
             my $keyitem = 'form.'.$context.'_privkey_'.$hostid;
             if (exists($env{$keyitem})) {
                 $env{$keyitem} =~ s/(`)/'/g;
@@ -14358,7 +14436,7 @@ sub fetch_secrets {
 }
 
 sub store_security {
-    my ($dom,$context,$secchanges,$newkeyset,$keystore,$lastactref) = @_;
+    my ($dom,$context,$secchanges,$newkeyset,$keystore) = @_;
     return unless ((ref($secchanges) eq 'HASH') && (ref($newkeyset) eq 'HASH') &&
                    (ref($keystore) eq 'HASH'));
     if (keys(%{$secchanges})) {
@@ -14373,19 +14451,17 @@ sub store_security {
                                                                   $dom,$hostid);
             }
         }
-        if (ref($lastactref) eq 'HASH') {
-            if (($secchanges->{'encrypt'}) || ($secchanges->{'private'})) {
-                $lastactref->{'domdefaults'} = 1;
-            }
-        }
     }
 }
 
 sub lti_security_results {
-    my ($context,$secchanges,$newsec,$newkeyset,$keystore) = @_;
+    my ($dom,$context,$secchanges,$newsec,$newkeyset,$keystore) = @_;
     my $output;
+    my %domdefaults = &Apache::lonnet::get_domain_defaults($dom);
+    my $needs_update;
     foreach my $item (keys(%{$secchanges})) {
         if ($item eq 'encrypt') {
+            $needs_update = 1;
             my %encrypted;
             if ($context eq 'lti') {
                 %encrypted = (
@@ -14417,12 +14493,29 @@ sub lti_security_results {
             }
             my @types= ('crs','dom');
             if ($context eq 'lti') {
+                foreach my $type (@types) {
+                    undef($domdefaults{'linkprotenc_'.$type});
+                }
                 push(@types,'consumers');
+                undef($domdefaults{'ltienc_consumers'});
+            } elsif ($context eq 'ltitools') {
+                foreach my $type (@types) {
+                    undef($domdefaults{'toolenc_'.$type});
+                }
             }
             foreach my $type (@types) {
                 my $shown = $encrypted{$type}{'off'};
                 if (ref($newsec->{$item}) eq 'HASH') {
                     if ($newsec->{$item}{$type}) {
+                        if ($context eq 'lti') {
+                            if ($type eq 'consumers') {
+                                $domdefaults{'ltienc_consumers'} = 1;
+                            } else {
+                                $domdefaults{'linkprotenc_'.$type} = 1;
+                            }
+                        } elsif ($context eq 'ltitools') {
+                            $domdefaults{'toolenc_'.$type} = 1;
+                        }
                         $shown = $encrypted{$type}{'on'};
                     }
                 }
@@ -14466,10 +14559,27 @@ sub lti_security_results {
                 $output .= '<li>'.&mt('[_1] set to none',$titles{'chars'}).'</li>';
             }
         } elsif ($item eq 'private') {
+            $needs_update = 1;
+            if ($context eq 'lti') {
+                undef($domdefaults{'ltiprivhosts'});
+            } elsif ($context eq 'ltitools') {
+                undef($domdefaults{'toolprivhosts'});
+            }
             if (keys(%{$newkeyset})) {
+                my @privhosts;
                 foreach my $hostid (sort(keys(%{$newkeyset}))) {
                     if ($keystore->{$hostid} eq 'ok') {
                         $output .= '<li>'.&mt('Encryption key for storage of shared secrets saved for [_1]',$hostid).'</li>';
+                        unless (grep(/^\Q$hostid\E$/,@privhosts)) {
+                            push(@privhosts,$hostid);
+                        }
+                    }
+                }
+                if (@privhosts) {
+                    if ($context eq 'lti') {
+                        $domdefaults{'ltiprivhosts'} = \@privhosts;
+                    } elsif ($context eq 'ltitools') {
+                        $domdefaults{'toolprivhosts'} = \@privhosts;
                     }
                 }
             }
@@ -14477,6 +14587,10 @@ sub lti_security_results {
             next;
         }
     }
+    if ($needs_update) {
+        my $cachetime = 24*60*60;
+        &Apache::lonnet::do_cache_new('domdefaults',$dom,\%domdefaults,$cachetime);
+    }
     return $output;
 }
 
@@ -15016,7 +15130,7 @@ sub process_proctoring_image {
 sub modify_lti {
     my ($r,$dom,$action,$lastactref,%domconfig) = @_;
     my %domdefaults = &Apache::lonnet::get_domain_defaults($dom,1);
-    my ($newid,@allpos,%changes,%confhash,%encconfig,$errors,$resulttext);
+    my ($newid,@allpos,%changes,%confhash,%ltienc,$errors,$resulttext);
     my (%posslti,%posslticrs,%posscrstype);
     my @courseroles = ('cc','in','ta','ep','st');
     my @ltiroles = qw(Learner Instructor ContentDeveloper TeachingAssistant Mentor Member Manager Administrator);
@@ -15130,29 +15244,43 @@ sub modify_lti {
             }
         }
     }
+    my (%keystore,$secstored);
+    if ($is_home) {
+        &store_security($dom,'lti',\%secchanges,\%newkeyset,\%keystore);
+    }
+
+    my ($cipher,$privnum);
+    if ((@items > 0) && ($is_home)) {
+        ($cipher,$privnum) = &get_priv_creds($dom,$home,$secchanges{'encrypt'},
+                                             $newltisec{'encrypt'},$keystore{$home});
+    }
     foreach my $idx (@items) {
         my $itemid = $itemids{$idx};
         next unless ($itemid);
+        my %currlti;
+        unless ($idx eq 'add') {
+            if (ref($domconfig{$action}) eq 'HASH') {
+                if (ref($domconfig{$action}{$itemid}) eq 'HASH') {
+                    %currlti = %{$domconfig{$action}{$itemid}};
+                }
+            }
+        }
         my $position = $env{'form.lti_pos_'.$itemid};
         $position =~ s/\D+//g;
         if ($position ne '') {
             $allpos[$position] = $itemid;
         }
-        foreach my $item ('consumer','key','secret','lifetime','requser','crsinc') {
+        foreach my $item ('consumer','lifetime','requser','crsinc') {
             my $formitem = 'form.lti_'.$item.'_'.$idx;
             $env{$formitem} =~ s/(`)/'/g;
             if ($item eq 'lifetime') {
                 $env{$formitem} =~ s/[^\d.]//g;
             }
             if ($env{$formitem} ne '') {
-                if (($item eq 'key') || ($item eq 'secret')) {
-                    $encconfig{$itemid}{$item} = $env{$formitem};
-                } else {
-                    $confhash{$itemid}{$item} = $env{$formitem};
-                    unless (($idx eq 'add') || ($changes{$itemid})) {
-                        if ($domconfig{$action}{$itemid}{$item} ne $confhash{$itemid}{$item}) {
-                            $changes{$itemid} = 1;
-                        }
+                $confhash{$itemid}{$item} = $env{$formitem};
+                unless (($idx eq 'add') || ($changes{$itemid})) {
+                    if ($currlti{$item} ne $confhash{$itemid}{$item}) {
+                        $changes{$itemid} = 1;
                     }
                 }
             }
@@ -15293,27 +15421,27 @@ sub modify_lti {
             unless (($idx eq 'add') || ($changes{$itemid})) {
                 if ($confhash{$itemid}{'crsinc'}) {
                     foreach my $field ('mapcrs','storecrs','makecrs','section','passback','roster') {
-                        if ($domconfig{$action}{$itemid}{$field} ne $confhash{$itemid}{$field}) {
+                        if ($currlti{$field} ne $confhash{$itemid}{$field}) {
                             $changes{$itemid} = 1;
                         }
                     }
                     unless ($changes{$itemid}) {
-                        if ($domconfig{$action}{$itemid}{'passback'} eq $confhash{$itemid}{'passback'}) {
-                            if ($domconfig{$action}{$itemid}{'passbackformat'} ne $confhash{$itemid}{'passbackformat'}) {
+                        if ($currlti{'passback'} eq $confhash{$itemid}{'passback'}) {
+                            if ($currlti{'passbackformat'} ne $confhash{$itemid}{'passbackformat'}) {
                                 $changes{$itemid} = 1;
                             }
                         }
                     }
                     foreach my $field ('mapcrstype','selfenroll') {
                         unless ($changes{$itemid}) {
-                            if (ref($domconfig{$action}{$itemid}{$field}) eq 'ARRAY') {
+                            if (ref($currlti{$field}) eq 'ARRAY') {
                                 if (ref($confhash{$itemid}{$field}) eq 'ARRAY') {
-                                    my @diffs = &Apache::loncommon::compare_arrays($domconfig{$action}{$itemid}{$field},
+                                    my @diffs = &Apache::loncommon::compare_arrays($currlti{$field},
                                                                                    $confhash{$itemid}{$field});
                                     if (@diffs) {
                                         $changes{$itemid} = 1;
                                     }
-                                } elsif (@{$domconfig{$action}{$itemid}{$field}} > 0) {
+                                } elsif (@{$currlti{$field}} > 0) {
                                     $changes{$itemid} = 1;
                                 }
                             } elsif (ref($confhash{$itemid}{$field}) eq 'ARRAY') {
@@ -15324,10 +15452,10 @@ sub modify_lti {
                         }
                     }
                     unless ($changes{$itemid}) {
-                        if (ref($domconfig{$action}{$itemid}{'maproles'}) eq 'HASH') {
+                        if (ref($currlti{'maproles'}) eq 'HASH') {
                             if (ref($confhash{$itemid}{'maproles'}) eq 'HASH') {
-                                foreach my $ltirole (keys(%{$domconfig{$action}{$itemid}{'maproles'}})) {
-                                    if ($domconfig{$action}{$itemid}{'maproles'}{$ltirole} ne 
+                                foreach my $ltirole (keys(%{$currlti{'maproles'}})) {
+                                    if ($currlti{'maproles'}{$ltirole} ne 
                                         $confhash{$itemid}{'maproles'}{$ltirole}) {
                                         $changes{$itemid} = 1;
                                         last;
@@ -15336,13 +15464,13 @@ sub modify_lti {
                                 unless ($changes{$itemid}) {
                                     foreach my $ltirole (keys(%{$confhash{$itemid}{'maproles'}})) {
                                         if ($confhash{$itemid}{'maproles'}{$ltirole} ne 
-                                            $domconfig{$action}{$itemid}{'maproles'}{$ltirole}) {
+                                            $currlti{'maproles'}{$ltirole}) {
                                             $changes{$itemid} = 1;
                                             last;
                                         }
                                     }
                                 }
-                            } elsif (keys(%{$domconfig{$action}{$itemid}{'maproles'}}) > 0) {
+                            } elsif (keys(%{$currlti{'maproles'}}) > 0) {
                                 $changes{$itemid} = 1;
                             }
                         } elsif (ref($confhash{$itemid}{'maproles'}) eq 'HASH') {
@@ -15356,20 +15484,20 @@ sub modify_lti {
                 }
                 unless ($changes{$itemid}) {
                     foreach my $field ('mapuser','lcauth','lcauthparm','topmenu','inlinemenu','callback') {
-                        if ($domconfig{$action}{$itemid}{$field} ne $confhash{$itemid}{$field}) {
+                        if ($currlti{$field} ne $confhash{$itemid}{$field}) {
                             $changes{$itemid} = 1;
                         }
                     }
                     unless ($changes{$itemid}) {
                         foreach my $field ('makeuser','lcmenu') {
-                            if (ref($domconfig{$action}{$itemid}{$field}) eq 'ARRAY') {
+                            if (ref($currlti{$field}) eq 'ARRAY') {
                                 if (ref($confhash{$itemid}{$field}) eq 'ARRAY') {
-                                    my @diffs = &Apache::loncommon::compare_arrays($domconfig{$action}{$itemid}{$field},
+                                    my @diffs = &Apache::loncommon::compare_arrays($currlti{$field},
                                                                                    $confhash{$itemid}{$field});
                                     if (@diffs) {
                                         $changes{$itemid} = 1;
                                     }
-                                } elsif (@{$domconfig{$action}{$itemid}{$field}} > 0) {
+                                } elsif (@{$currlti{$field}} > 0) {
                                     $changes{$itemid} = 1;
                                 }
                             } elsif (ref($confhash{$itemid}{$field}) eq 'ARRAY') {
@@ -15382,6 +15510,71 @@ sub modify_lti {
                 }
             }
         }
+        if ($is_home) {
+            my $keyitem = 'form.lti_key_'.$idx;
+            $env{$keyitem} =~ s/(`)/'/g;
+            if ($env{$keyitem} ne '') {
+                $ltienc{$itemid}{'key'} = $env{$keyitem};
+                unless ($changes{$itemid}) {
+                    if ($currlti{'key'} ne $env{$keyitem}) {
+                        $changes{$itemid} = 1;
+                    }
+                }
+            }
+            my $secretitem = 'form.lti_secret_'.$idx;
+            $env{$secretitem} =~ s/(`)/'/g;
+            if ($currlti{'usable'}) {
+                if ($env{'form.lti_changesecret_'.$idx}) {
+                    if ($env{$secretitem} ne '') {
+                        if ($privnum && $cipher) {
+                            $ltienc{$itemid}{'secret'} = $cipher->encrypt_hex($env{$secretitem});
+                            $confhash{$itemid}{'cipher'} = $privnum;
+                        } else {
+                            $ltienc{$itemid}{'secret'} = $env{$secretitem};
+                        }
+                        $changes{$itemid} = 1;
+                    }
+                } else {
+                    $ltienc{$itemid}{'secret'} = $currlti{'secret'};
+                    $confhash{$itemid}{'cipher'} = $currlti{'cipher'};
+                }
+                if (ref($ltienc{$itemid}) eq 'HASH') {
+                    if (($ltienc{$itemid}{'key'} ne '') && ($ltienc{$itemid}{'secret'} ne '')) {
+                        $confhash{$itemid}{'usable'} = 1;
+                    }
+                }
+            } elsif ($env{$secretitem} ne '') {
+                if ($privnum && $cipher) {
+                    $ltienc{$itemid}{'secret'} = $cipher->encrypt_hex($env{$secretitem});
+                    $confhash{$itemid}{'cipher'} = $privnum;
+                } else {
+                    $ltienc{$itemid}{'secret'} = $env{$secretitem};
+                }
+                if (ref($ltienc{$itemid}) eq 'HASH') {
+                    if (($ltienc{$itemid}{'key'} ne '') && ($ltienc{$itemid}{'key'} ne '')) {
+                        $confhash{$itemid}{'usable'} = 1;
+                    }
+                }
+                $changes{$itemid} = 1;
+            }
+        }
+        unless ($changes{$itemid}) {
+            foreach my $key (keys(%currlti)) {
+                if (ref($currlti{$key}) eq 'HASH') {
+                    if (ref($confhash{$itemid}{$key}) eq 'HASH') {
+                        foreach my $innerkey (keys(%{$currlti{$key}})) {
+                            unless (exists($confhash{$itemid}{$key}{$innerkey})) {
+                                $changes{$itemid} = 1;
+                                last;
+                            }
+                        }
+                    } elsif (keys(%{$currlti{$key}}) > 0) {
+                        $changes{$itemid} = 1;
+                    }
+                }
+                last if ($changes{$itemid});
+            }
+        }
     }
     if (@allpos > 0) {
         my $idx = 0;
@@ -15399,12 +15592,21 @@ sub modify_lti {
             }
         }
     }
+
+    if ((keys(%changes) == 0) && (keys(%secchanges) == 0)) {
+        return &mt('No changes made.');
+    }
+
     my %ltihash = (
                       $action => { %confhash }
                   );
-    my %ltienchash = (
-                         $action => { %encconfig }
-                     );
+    my %ltienchash;
+
+    if ($is_home) {
+        %ltienchash = (
+                         $action => { %ltienc }
+                      );
+    }
     if (keys(%secchanges)) {
         $ltihash{'ltisec'} = \%newltisec;
         if ($secchanges{'linkprot'}) {
@@ -15415,43 +15617,32 @@ sub modify_lti {
     }
     my $putresult = &Apache::lonnet::put_dom('configuration',\%ltihash,$dom);
     if ($putresult eq 'ok') {
-        my %keystore;
-        &store_security($dom,'lti',\%secchanges,\%newkeyset,\%keystore,$lastactref);
-        &Apache::lonnet::put_dom('encconfig',\%ltienchash,$dom,undef,1);
-        if ((keys(%changes) == 0) && (keys(%secchanges) == 0)) {
-            return &mt('No changes made.');
+        if (keys(%ltienchash)) {
+            &Apache::lonnet::put_dom('encconfig',\%ltienchash,$dom,undef,1);
         }
         $resulttext = &mt('Changes made:').'<ul>';
         if (keys(%secchanges) > 0) {
-            $resulttext .= &lti_security_results('lti',\%secchanges,\%newltisec,\%newkeyset,\%keystore);
+            $resulttext .= &lti_security_results($dom,'lti',\%secchanges,\%newltisec,\%newkeyset,\%keystore);
             if (exists($secchanges{'linkprot'})) {
                 $resulttext .= $linkprotoutput;
             }
         }
         if (keys(%changes) > 0) {
             my $cachetime = 24*60*60;
-            my %ltiall = %confhash;
-            foreach my $id (keys(%ltiall)) {
-                if (ref($encconfig{$id}) eq 'HASH') {
-                    foreach my $item ('key','secret') {
-                        $ltiall{$id}{$item} = $encconfig{$id}{$item};
-                    }
-                }
-            }
-            &Apache::lonnet::do_cache_new('lti',$dom,\%ltiall,$cachetime);
+            &Apache::lonnet::do_cache_new('lti',$dom,\%confhash,$cachetime);
             if (ref($lastactref) eq 'HASH') {
                 $lastactref->{'lti'} = 1;
             }
             my %bynum;
             foreach my $itemid (sort(keys(%changes))) {
-                my $position = $confhash{$itemid}{'order'};
-                $bynum{$position} = $itemid;
+                if (ref($confhash{$itemid}) eq 'HASH') {
+                    my $position = $confhash{$itemid}{'order'};
+                    $bynum{$position} = $itemid;
+                }
             }
             foreach my $pos (sort { $a <=> $b } keys(%bynum)) {
                 my $itemid = $bynum{$pos};
-                if (ref($confhash{$itemid}) ne 'HASH') {
-                    $resulttext .= '<li>'.&mt('Deleted: [_1]',$changes{$itemid}).'</li>';
-                } else {
+                if (ref($confhash{$itemid}) eq 'HASH') {
                     $resulttext .= '<li><b>'.$confhash{$itemid}{'consumer'}.'</b><ul>';
                     my $position = $pos + 1;
                     $resulttext .= '<li>'.&mt('Order: [_1]',$position).'</li>';
@@ -15460,13 +15651,11 @@ sub modify_lti {
                             $resulttext .= '<li>'.$lt{$item}.':&nbsp;'.$confhash{$itemid}{$item}.'</li>';
                         }
                     }
-                    if ($encconfig{$itemid}{'key'} ne '') {
-                        $resulttext .= '<li>'.$lt{'key'}.':&nbsp;'.$encconfig{$itemid}{'key'}.'</li>';
+                    if ($ltienc{$itemid}{'key'} ne '') {
+                        $resulttext .= '<li>'.$lt{'key'}.':&nbsp;'.$ltienc{$itemid}{'key'}.'</li>';
                     }
-                    if ($encconfig{$itemid}{'secret'} ne '') {
-                        $resulttext .= '<li>'.$lt{'secret'}.':&nbsp;';
-                        my $num = length($encconfig{$itemid}{'secret'});
-                        $resulttext .= ('*'x$num).'</li>';
+                    if ($ltienc{$itemid}{'secret'} ne '') {
+                        $resulttext .= '<li>'.$lt{'secret'}.':&nbsp;['.&mt('not shown').']</li>';
                     }
                     if ($confhash{$itemid}{'requser'}) {
                         if ($confhash{$itemid}{'callback'}) {
@@ -15618,8 +15807,18 @@ sub modify_lti {
                     $resulttext .= '</ul></li>';
                 }
             }
+            if (keys(%deletions)) {
+                foreach my $itemid (sort { $a <=> $b } keys(%deletions)) {
+                    $resulttext .= '<li>'.&mt('Deleted: [_1]',$changes{$itemid}).'</li>';
+                }
+            }
         }
         $resulttext .= '</ul>';
+        if (ref($lastactref) eq 'HASH') {
+            if (($secchanges{'encrypt'}) || ($secchanges{'private'})) {
+                $lastactref->{'domdefaults'} = 1;
+            }
+        }
     } else {
         $errors .= '<li><span class="LC_error">'.&mt('Failed to save changes').'</span></li>';
     }
@@ -15630,6 +15829,30 @@ sub modify_lti {
     return $resulttext;
 }
 
+sub get_priv_creds {
+    my ($dom,$home,$encchg,$encrypt,$storedsec) = @_;
+    my ($needenc,$cipher,$privnum);
+    my %domdefs = &Apache::lonnet::get_domain_defaults($dom);
+    if (($encchg) && (ref($encrypt) eq 'HASH')) {
+        $needenc = $encrypt->{'consumers'} 
+    } else {
+        $needenc = $domdefs{'ltienc_consumers'};
+    }
+    if ($needenc) {
+        if (($storedsec eq 'ok') || ((ref($domdefs{'ltiprivhosts'}) eq 'ARRAY') &&
+                                     (grep(/^\Q$home\E$/,@{$domdefs{'ltiprivhosts'}})))) {
+                        my %privhash  = &Apache::lonnet::restore_dom('lti','private',$dom,$home,1);
+            my $privkey = $privhash{'key'};
+            $privnum = $privhash{'version'};
+            if (($privnum) && ($privkey ne '')) {
+                $cipher = Crypt::CBC->new({'key'     => $privkey,
+                                          'cipher'  => 'DES'});
+            }
+        }
+    }
+    return ($cipher,$privnum);
+}
+
 sub get_lti_id {
     my ($domain,$consumer) = @_;
     # get lock on lti db
@@ -16432,7 +16655,7 @@ sub modify_contacts {
                     $contacts_hash{'contacts'}{'overrides'}{$type}{'include'} = $includeloc{$type}.':'.&escape($includestr{$type});
                     $newsetting{'override_'.$type}{'include'} = $contacts_hash{'contacts'}{'overrides'}{$type}{'include'};
                 }
-            }     
+            }
         }
     }
     if (keys(%currsetting) > 0) {
@@ -16490,12 +16713,12 @@ sub modify_contacts {
             }
         }
         if (@statuses) {
-            if (ref($currsetting{'overrides'}) eq 'HASH') { 
+            if (ref($currsetting{'overrides'}) eq 'HASH') {
                 foreach my $key (keys(%{$currsetting{'overrides'}})) {
                     if (ref($currsetting{'overrides'}{$key}) eq 'HASH') {
                         if (ref($newsetting{'override_'.$key}) eq 'HASH') {
                             foreach my $item (@contacts,'bcc','others','include') {
-                                if ($currsetting{'overrides'}{$key}{$item} ne $newsetting{'override_'.$key}{$item}) { 
+                                if ($currsetting{'overrides'}{$key}{$item} ne $newsetting{'override_'.$key}{$item}) {
                                     push(@{$changes{'overrides'}},$key);
                                     last;
                                 }
@@ -16512,7 +16735,7 @@ sub modify_contacts {
                 }
             } else {
                 foreach my $key (@overrides) {
-                    push(@{$changes{'overrides'}},$key); 
+                    push(@{$changes{'overrides'}},$key);
                 }
             }
         }
@@ -16694,7 +16917,7 @@ sub modify_contacts {
                             $resulttext .= $bcctext.': <span class="LC_cusr_emph">'.$bcc{$type}.'</span>';
                         } elsif (!@text) {
                             $resulttext .= &mt('No one');
-                        }   
+                        }
                         if ($includestr{$type} ne '') {
                             if ($includeloc{$type} eq 'b') {
                                 $resulttext .= '<br />'.&mt('Text automatically added to e-mail body:').' '.$includestr{$type};
@@ -16718,14 +16941,14 @@ sub modify_contacts {
                             if (ref($newsetting{'override_'.$type}) eq 'HASH') {
                                 my @text;
                                 foreach my $item (@contacts) {
-                                    if ($newsetting{'override_'.$type}{$item}) { 
+                                    if ($newsetting{'override_'.$type}{$item}) {
                                         push(@text,$short_titles->{$item});
                                     }
                                 }
                                 if ($newsetting{'override_'.$type}{'others'} ne '') {
                                     push(@text,$newsetting{'override_'.$type}{'others'});
                                 }
-  
+
                                 if (@text) {
                                     $resulttext .= &mt('Helpdesk e-mail sent to: [_1]',
                                                        '<span class="LC_cusr_emph">'.join(', ',@text).'</span>');
@@ -17566,7 +17789,7 @@ sub modify_passwords {
                                                    );
                                 my $needed = '<ul><li>'.
                                              join('</li><li>',map {$rulenames{$_} } @{$confighash{'passwords'}{'chars'}}).
-                                             '</li></ul>'; 
+                                             '</li></ul>';
                                 $resulttext .= '<li>'.&mt('[_1] set to: [_2]',$titles{'chars'},$needed).'</li>';
                             } else {
                                 $resulttext .= '<li>'.&mt('[_1] set to none',$titles{'chars'}).'</li>';
@@ -18049,7 +18272,7 @@ sub modify_selfcreation {
                             if (($chosen eq 'inst') || ($chosen eq 'noninst')) {
                                 my $emaildom;
                                 if ($env{'form.cancreate_emaildomain_'.$chosen.'_'.$type} =~ /^\@[^\@]+$/) {
-                                    $emaildom = $env{'form.cancreate_emaildomain_'.$chosen.'_'.$type}; 
+                                    $emaildom = $env{'form.cancreate_emaildomain_'.$chosen.'_'.$type};
                                     $cancreate{'emaildomain'}{$type}{$chosen} = $emaildom;
                                     if (ref($curremaildom{$type}) eq 'HASH') {
                                         if (exists($curremaildom{$type}{$chosen})) {
@@ -18061,7 +18284,7 @@ sub modify_selfcreation {
                                         }
                                     } elsif ($emaildom ne '') {
                                         push(@{$changes{'cancreate'}},'emaildomain');
-                                    } 
+                                    }
                                 }
                                 $cancreate{'emailoptions'}{$type} = $env{'form.cancreate_emailoptions_'.$type};
                             } elsif ($chosen eq 'custom') {
@@ -18488,7 +18711,7 @@ sub modify_selfcreation {
                                                                   );
                         if (@types) {
                             if (@statuses) {
-                                $chgtext .= &mt('Processing of requests to create account with e-mail verification set as follows:'). 
+                                $chgtext .= &mt('Processing of requests to create account with e-mail verification set as follows:').
                                             '<ul>';
                                 foreach my $status (@statuses) {
                                     if ($status eq 'default') {
@@ -18696,7 +18919,7 @@ sub modify_selfcreation {
                                 $typename = $othertitle;
                             } else {
                                 $typename = $usertypes{$type};
-                            } 
+                            }
                             $chgtext .= &mt('(Affiliation: [_1])',$typename);
                         }
                         if (@{$email_rule{$type}} > 0) {
@@ -19041,7 +19264,7 @@ sub modify_defaults {
         }
         if ($item eq 'portal_def') {
             unless (grep(/^\Q$item\E$/,@errors)) {
-                if ($newvalues{$item} eq '') { 
+                if ($newvalues{$item} eq '') {
                     foreach my $field ('email','web') {
                         if (exists($domdefaults{$item.'_'.$field})) {
                             delete($domdefaults{$item.'_'.$field});
@@ -19226,7 +19449,7 @@ sub modify_defaults {
                             $resulttext =~ s/, $//;
                             $resulttext .= '</li>';
                         } else {
-                            $resulttext .= '<li>'.&mt('Institutional user status types deleted').'</li>'; 
+                            $resulttext .= '<li>'.&mt('Institutional user status types deleted').'</li>';
                         }
                     }
                 } elsif ($item eq 'unamemap_rule') {
@@ -20463,7 +20686,7 @@ sub modify_coursedefaults {
         }
         my (%newdomexttool,%newexttool,%olddomexttool,%oldexttool);
         map { $newdomexttool{$_} = 1; } &Apache::loncommon::get_env_multiple('form.domexttool');
-        map { $newexttool{$_} = 1; } &Apache::loncommon::get_env_multiple('form.exttool'); 
+        map { $newexttool{$_} = 1; } &Apache::loncommon::get_env_multiple('form.exttool');
         if (ref($domconfig{'coursedefaults'}{'domexttool'}) eq 'HASH') {
             %olddomexttool = %{$domconfig{'coursedefaults'}{'domexttool'}};
         } else {
@@ -20476,7 +20699,7 @@ sub modify_coursedefaults {
             }
         }
         if (ref($domconfig{'coursedefaults'}{'exttool'}) eq 'HASH') {
-            %oldexttool = %{$domconfig{'coursedefaults'}{'exttool'}};     
+            %oldexttool = %{$domconfig{'coursedefaults'}{'exttool'}};
         } else {
             foreach my $type (@types) {
                if ($staticdefaults{'exttool'}) {
@@ -21129,7 +21352,7 @@ sub modify_wafproxy {
                 }
             } elsif ($currvalue{$item}) {
                 $changes{$item} = 1;
-            } 
+            }
         }
     } else {
         if (keys(%curralias)) {
@@ -21137,7 +21360,7 @@ sub modify_wafproxy {
         }
         if (keys(%currsaml)) {
             $changes{'saml'} = 1;
-        } 
+        }
         if (keys(%currvalue)) {
             foreach my $key (keys(%currvalue)) {
                 $changes{$key} = 1;
@@ -21147,7 +21370,7 @@ sub modify_wafproxy {
     if (keys(%changes)) {
         my %defaultshash = (
                               wafproxy => \%wafproxy,
-                           ); 
+                           );
         my $putresult = &Apache::lonnet::put_dom('configuration',\%defaultshash,
                                                  $dom);
         if ($putresult eq 'ok') {
@@ -21163,7 +21386,7 @@ sub modify_wafproxy {
                         $domdefaults{'waf_'.$item} = $wafproxy{$item};
                     } elsif (exists($domdefaults{'waf_'.$item})) {
                         delete($domdefaults{'waf_'.$item});
-                    } 
+                    }
                 }
             }
             if ($updatedomdefs) {
@@ -21230,7 +21453,7 @@ sub modify_wafproxy {
                             $output .= '<li>'.&mt('Aliases deleted for hostnames').'</li>';
                         }
                     } elsif ($item eq 'saml') {
-                        my $shown; 
+                        my $shown;
                         if (ref($wafproxy{'saml'}) eq 'HASH') {
                             if (keys(%{$wafproxy{'saml'}})) {
                                 $shown = join(', ',sort(keys(%{$wafproxy{'saml'}})));
@@ -21560,7 +21783,7 @@ sub modify_usersessions {
                 if (($offload eq 'offloadoth') && (@okoffloadoth)) {
                     $changes{'offloadoth'} = 1;
                 }
-            } 
+            }
         }
     } else {
         if (@okoffload) {
@@ -22098,7 +22321,7 @@ sub modify_loadbalancing {
         }
         if ($env{'form.loadbalancing_cookie_'.$i}) {
             $defaultshash{'loadbalancing'}{$balancer}{'cookie'} = 1;
-            if (exists($currbalancer{$balancer})) { 
+            if (exists($currbalancer{$balancer})) {
                 unless ($currcookies{$balancer}) {
                     $changes{'curr'}{$balancer}{'cookie'} = 1;
                 }
@@ -22784,7 +23007,6 @@ function balancerChange(balnum,baltotal,
 END
 }
 
-
 sub new_spares_js {
     my @sparestypes = ('primary','default');
     my $types = join("','",@sparestypes);