Securing Adobe connect Server and CQ Server

N/A
N/A
Protected

Academic year: 2021

To Enable SSL on Connect Server and CQ server (Index)

- Configure the custom.ini file.

- Uncomment the SSL tags in the server.xml file.

- Configure the four components of Connect and CQ together on port 443:
  o Application Server
  o Meeting Server
  o CQ-Author Server
  o CQ-Publish Server

- Make sure the Server URL under CRX (CQ5), which is the Java Content Repository tool, points to https instead of port 80. This applies to both the CQ-Author server (4502) and the CQ-Publish server (4503).

- Make sure the CRX configuration for Day CQ Link Externalizer and Day CQ WCM Page Statistics points to the right FQDN after enabling SSL. This applies to both the CQ-Author Server and the CQ-Publish Server.

- Import the certificates used to configure SSL into the JRE folder of Connect 9. (This works around a bug that has already been fixed in later versions of Connect 9, so apply this step only if you are on 9.0.0.1; otherwise it is not required.)

Configure custom.ini File

A normal custom.ini file looks like the one shown below. You will see the CQ-Author and CQ-Publish servers pointing to ports 4502 and 4503, with a common FQDN as the admin host if only one IP address is used.

To enable SSL we need to add a few lines and modify a few lines in the custom.ini file, as shown in the next picture below:

- Since we need the admin host to use the https protocol, we add ADMIN_PROTOCOL=https://

- To enable SSL we set SSL_ONLY=yes

- To ensure that the meeting server, when called, is reached on port 443, we use the tag RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/

- CQ_Author_Server changes to https://connectnineauth.ac.com instead of http://connectnine.ac.com:4502. The reason is that we are mapping the CQ-Author server to an individual IP address on port 443, so we set a different FQDN with the https protocol under the same domain (*.ac.com).

- Similarly, the value of CQ_Publish_Server is set to https://connectninepub.ac.com instead of http://connectnine.ac.com:4503

Note: It is not mandatory to use port 4502 for author and 4503 for publish. The user can set any port; however, by default the ports are as mentioned above.

In the picture above you also see that we have added the tag DOMAIN_COOKIE. This is required to set the domain value of the BREEZESESSION cookie, which is issued when a user accesses the Connect page.
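As an added check (example code written for this page, not part of the original document or of Adobe Connect), the following Python script parses a custom.ini and verifies the SSL-related lines described above. The key names are the ones the text uses, matched case-insensitively because the text writes the CQ keys as CQ_Author_Server and CQ_Publish_Server; the two sample files and the DOMAIN_COOKIE value are constructed.

```python
"""Check an Adobe Connect custom.ini for the SSL settings described above."""
import re
from urllib.parse import urlparse

# Constructed sample: custom.ini before SSL is enabled (one IP, http CQ URLs).
BEFORE = """\
CQ_Author_Server=http://connectnine.ac.com:4502
CQ_Publish_Server=http://connectnine.ac.com:4503
"""

# Constructed sample: the same file after the changes described in the text.
# The DOMAIN_COOKIE value is an assumption; the text only says the tag is added.
AFTER = """\
ADMIN_PROTOCOL=https://
SSL_ONLY=yes
RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/
CQ_Author_Server=https://connectnineauth.ac.com
CQ_Publish_Server=https://connectninepub.ac.com
DOMAIN_COOKIE=.ac.com
"""


def parse_ini(text):
    """Parse KEY=VALUE lines into a dict; '#' or ';' start a comment.
    Keys are upper-cased so CQ_Author_Server and CQ_AUTHOR_SERVER match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()
    return settings


def is_https_fqdn(url):
    """True when url is https://<host> with no explicit port and not localhost."""
    parsed = urlparse(url)
    return (parsed.scheme == "https" and bool(parsed.hostname)
            and parsed.hostname != "localhost" and parsed.port is None)


def check_ssl_settings(text):
    """Return the list of problems found; an empty list means the file
    matches the SSL checklist from the text."""
    s = parse_ini(text)
    problems = []
    if s.get("ADMIN_PROTOCOL") != "https://":
        problems.append("ADMIN_PROTOCOL must be https://")
    if s.get("SSL_ONLY", "").lower() != "yes":
        problems.append("SSL_ONLY must be yes")
    # rtmps on 443 externally, falling back to plain rtmp on localhost only
    if not re.fullmatch(r"rtmps://[^/:?]+:443/\?rtmp://localhost:\d+/",
                        s.get("RTMP_SEQUENCE", "")):
        problems.append("RTMP_SEQUENCE must be rtmps://<external-host>:443/?rtmp://localhost:<port>/")
    for key, old_port in (("CQ_AUTHOR_SERVER", 4502), ("CQ_PUBLISH_SERVER", 4503)):
        if not is_https_fqdn(s.get(key, "")):
            problems.append(f"{key} must be https://<FQDN> with no :{old_port}")
    if not s.get("DOMAIN_COOKIE"):
        problems.append("DOMAIN_COOKIE must be set for the BREEZESESSION cookie domain")
    return problems


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check_ssl_settings(text) or "OK")
```

Run it against the real file by reading c:\connect\9.0.0.1\custom.ini into a string and passing it to check_ssl_settings; a CQ URL that still carries :4502 or :4503, or one that uses http, is reported as a problem.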

Uncomment the SSL Tags in server.xml File

Now move to the location (c:\connect\9.0.0.1\appserv\conf\) and look for the server.xml file. Once the file is located, open it and make the changes mentioned below:

Find the two tags shown below in the file and uncomment them as shown. (The green tag is commented and the one on the right-hand side is uncommented. A comment opens with the start tag <!-- and closes with the end tag -->. As you can see below, we have simply removed the closing --> and placed it at the end of the first line, which reads "Uncomment for SSL Support".)

First TAG:

Second TAG:

Once you have uncommented the required SSL tags, to test whether the changes were made successfully, re-open the file in a browser and check that you can see the same tags uncommented. If the browser throws an error, there is a syntax error, which is why it will not open the file. Double-check the tags carefully.
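To make the "open it in a browser" test repeatable, here is an added Python example (not from the original document) that parses server.xml the way a browser would and reports whether SSL connectors are live elements or still hidden inside a comment. The server.xml snippets are constructed: the real Connect file has its own connector attributes, and only the SSLEnabled="true" attribute and the "Uncomment for SSL Support" comment are assumed here.

```python
"""Check which SSL connectors in a Tomcat-style server.xml are live."""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml with the SSL connector still commented out.
BEFORE = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- Uncomment for SSL Support
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
    -->
  </Service>
</Server>
"""

# The edit the text describes: the closing --> moved to the end of the first line.
AFTER = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- Uncomment for SSL Support -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" />
  </Service>
</Server>
"""

# A typical slip: the closing --> deleted but the opening <!-- left in place,
# which leaves an unterminated comment (the browser error the text mentions).
BROKEN = BEFORE.replace("    -->\n", "")


def is_well_formed(text):
    """Same test as opening the file in a browser: does it parse at all?"""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def ssl_connector_status(text):
    """Return (active, commented_out): SSL connectors that are real elements
    versus ones still sitting inside <!-- ... --> comments."""
    active = sum(1 for el in ET.fromstring(text).iter("Connector")
                 if el.get("SSLEnabled", "").lower() == "true")
    commented = sum(1 for body in re.findall(r"<!--(.*?)-->", text, re.DOTALL)
                    if "SSLEnabled" in body)
    return active, commented


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER), ("broken", BROKEN)):
        if is_well_formed(doc):
            print(label, "active/commented:", ssl_connector_status(doc))
        else:
            print(label, "syntax error: file will not open in a browser")
```

The comment scan uses the raw text rather than the parsed tree because ElementTree discards comments by default; a result of (0, 1) means the connector is still commented out, (1, 0) means the edit took effect.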

Configure the Four Components of Connect and CQ Together on Port 443

Configure software-based SSL

When you configure software-based SSL, you can secure network connections to the web application server (HTTPS protocol), the meeting server (RTMPS protocol), or both. No matter which configuration you choose, you must create DNS records for your Connect servers first.

HTTP is the protocol with which the Adobe Connect application server is accessed. This includes the Connect Central administration pages for managing your Connect instance, Connect user login, and the Connect web services. Securing the application server by using HTTPS is important to prevent unauthorized access to your Connect service.

RTMP is the protocol which the Adobe Connect meeting server uses. RTMP connections contain media data such as video and audio streams from your Connect meetings, as well as data from the meeting rooms such as participant names and chat text. Securing the meeting server is important if you have sensitive information being exchanged in your Connect meetings.

Configure the DNS server

❖Create DNS entries that define addresses for the Fully Qualified Domain Name (FQDN) of each secured service. If you intend to secure traffic for both the application server and the meeting server, you must have a separate IP address for each service.

The domain name for the Central application server is the address with which your end users access Adobe Connect. Enter this domain name as the Connect Host value on the Server Settings page in the Application Management Console. For example, a good value is connect.yourcompany.com.

End users do not see the FQDN(s) for the meeting server(s). However, you must define a unique domain name for each meeting server if you want to conduct meetings over a secure connection. Enter this FQDN in the External Name box on the Server Settings page in the Application Management Console. For example, a good value is fms.yourcompany.com.

Note: In a cluster, all the application servers can share an SSL certificate, but each meeting server must have its own SSL certificate. On a single server, to secure both the HTTP (application server) and RTMP (meeting server) connections, you must have a total of two IP addresses, two FQDNs and two SSL certificates (one for each protocol). You may also get a single "wildcard" SSL certificate that can be used for multiple hosts in the same sub-domain, e.g. *.yourcompany.com; this is simpler to manage, but typically costs more than a single-domain certificate. Similarly, to secure the CQ server as well, we need a total of 4 IP addresses and 4 certificates if you are not using a wildcard certificate, because there are two separate servers under CQ (the CQ-Author Server and the CQ-Publish Server). In total: Application Server, Meeting Server, CQ-Author Server and CQ-Publish Server.

Below you will see a regular stunnel.conf file with the application server [https-vip] and meeting server [rtmps-vip] tags.

Considering that we are using 4 IP addresses and one wildcard certificate:

- Set the application server on IP address one (accept = IP-One:443)

- Set the meeting server on IP address two (accept = IP-Two:443)

Set the certificate and key names in both servers as marked in the figure above.

Since we have to enable SSL on the CQ server as well, note that the steps below are very important and will not be found in the stunnel.conf file shown above.

You need to create these tags manually, so copy the tags shown below into the s-tunnel.conf file.

This is for CQ-Author:

[cq-Author-vip]
; incoming vip for https (this is to secure the CQ-Author server)
; ip address that resolves to the CQ-Author FQDN (IP Address Three)
; listens on port 443
accept = 123.123.123.1:443
; When stunnel is on the same box, simply leave the below IP address as 127.0.0.1
; send the unencrypted request to port 4502
connect = 127.0.0.1:4502
; Certificate information for Connect.
; This assumes you put the cert and key in the root folder of s-tunnel
cert = CertificateNameHere.pem
key = CertificateKeyNameHere.pem
ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

This is for CQ-Publish (the section name must differ from the Author section, and the accept address must be the fourth IP address, not the Author one):

[cq-Publish-vip]
; incoming vip for https (this is to secure the CQ-Publish server)
; ip address that resolves to the CQ-Publish FQDN (IP Address Four)
; listens on port 443
accept = 123.123.123.2:443
; When stunnel is on the same box, simply leave the below IP address as 127.0.0.1
; send the unencrypted request to port 4503
connect = 127.0.0.1:4503
; Certificate information for Connect.
; This assumes you put the cert and key in the root folder of s-tunnel
cert = CertificateNameHere.pem
key = CertificateKeyNameHere.pem
ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

Once copied, please follow the same steps as shown above:

- Set the CQ-Author server on IP address three (accept = IP-Three:443)

- Set the CQ-Publish server on IP address four (accept = IP-Four:443)

Set the certificate and key names in both servers as marked in the figure above.

Once this is done, there are two tags at the top of your stunnel file, as shown below:

You need to make sure that sslVersion = all is set instead of TLSv1 and that fips = no is uncommented, so remove the semicolon right next to fips = no. Now save the file and start the stunnel service.
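Added example (not from the original document or from stunnel): a Python check over the finished stunnel.conf that applies the rules above, namely four services with distinct accept IPs on port 443, loopback connect targets (4502 and 4503 for CQ), .pem certificate and key names, the cipher string given in the text, and fips = no present and uncommented. The section name cq-Publish-vip, the backend ports 8443 and 1935 for the application and meeting servers, and the file contents are constructed assumptions.

```python
"""Check a finished stunnel.conf against the rules given in the text."""
import re

# Constructed sample: four services, four IPs, one wildcard certificate.
# Backend ports 8443 (application server) and 1935 (meeting server) are
# assumptions; the text only gives 4502 and 4503 for CQ.
GOOD = """\
; global options
sslVersion = all
fips = no

[https-vip]
accept = 123.123.123.1:443
connect = 127.0.0.1:8443
cert = wildcard.pem
key = wildcard-key.pem
ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

[rtmps-vip]
accept = 123.123.123.2:443
connect = 127.0.0.1:1935
cert = wildcard.pem
key = wildcard-key.pem
ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

[cq-Author-vip]
accept = 123.123.123.3:443
connect = 127.0.0.1:4502
cert = wildcard.pem
key = wildcard-key.pem
ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

[cq-Publish-vip]
accept = 123.123.123.4:443
connect = 127.0.0.1:4503
cert = wildcard.pem
key = wildcard-key.pem
ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
"""

# The copy-paste slip to watch for (Publish reusing the Author IP) plus
# fips still commented out.
BAD = GOOD.replace("fips = no", ";fips = no").replace("123.123.123.4", "123.123.123.3")

# service name -> backend port the text requires (None: not stated by the text)
EXPECTED = {"https-vip": None, "rtmps-vip": None,
            "cq-Author-vip": 4502, "cq-Publish-vip": 4503}
WEAK = ("ADH", "LOW", "EXP", "MD5")   # excluded by the cipher string in the text
ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_stunnel_conf(text):
    """Return {service: {option: value}}; global options live under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_stunnel(text):
    """Return a list of problems; empty means the file follows the text's rules."""
    conf, problems, used_ips = parse_stunnel_conf(text), [], {}
    if conf[""].get("fips", "").lower() != "no":
        problems.append("global: fips = no must be present and uncommented")
    if "sslVersion" not in conf[""]:
        problems.append("global: sslVersion is not set")
    for name, port in EXPECTED.items():
        sec = conf.get(name)
        if sec is None:
            problems.append(f"[{name}]: section missing")
            continue
        acc = ENDPOINT.fullmatch(sec.get("accept", ""))
        if not acc or acc.group(2) != "443":
            problems.append(f"[{name}]: accept must be <IP>:443")
        elif acc.group(1) in used_ips:
            problems.append(f"[{name}]: accept IP {acc.group(1)} already used by [{used_ips[acc.group(1)]}]")
        else:
            used_ips[acc.group(1)] = name
        con = ENDPOINT.fullmatch(sec.get("connect", ""))
        if not con or con.group(1) != "127.0.0.1" or (port and int(con.group(2)) != port):
            problems.append(f"[{name}]: connect must be 127.0.0.1:{port or '<backend port>'}")
        for opt in ("cert", "key"):
            if not sec.get(opt, "").endswith(".pem"):
                problems.append(f"[{name}]: {opt} must name a .pem file")
        missing = [t for t in WEAK if f"!{t}" not in sec.get("ciphers", "")]
        if missing:
            problems.append(f"[{name}]: ciphers must exclude {', '.join(missing)}")
    return problems


if __name__ == "__main__":
    print("good:", check_stunnel(GOOD) or "OK")
    print("bad:", check_stunnel(BAD))
```

The check reads sslVersion only for presence; review its value against your organisation's current TLS baseline, since stunnel's "all" setting enables every protocol version the linked OpenSSL supports.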

Make sure the Server URL under CRX (CQ5), which is the Java Content Repository tool, points to https instead of port 80. This applies to both the CQ-Author server (4502) and the CQ-Publish server (4503).

Now navigate to the URL http://localhost:4502 to open the CQ5 wizard window. Note that the user name for the login window shown below is always "admin"; the password can be set at the time of installation (by default the password is admin).

Once logged in successfully, select the option "CRXDE Lite" on the right-hand side, as shown in the picture below, which takes us to the web-based IDE.

Once the IDE is open, notice that it takes us to the Author Server CQ5 web-based IDE, where we can navigate to the Java Content Repository folder. During the installation of Connect 9, if the serial key for Connect 9 has the event license enabled, the user gets the option to enable the CQ Author server and CQ Publish server. Once the user enables the two options, the event templates are integrated with the new CQ architecture and a server-URL entry is created in the Java Content Repository. By default the server-URL points to port 80 (http://FQDN:80), so to enable SSL we need to modify the server-URL so that when it is called it takes us to https instead of http. Therefore we change (http://FQDN:80) to (https://FQDN for Author); similarly, in the case of the Publish server it will be (

To navigate through the JCR content, follow the path shown in the picture below: (Content folder > Connect folder > C1JCR:Content)

Once you click on the JCR content, in the right-hand pane at the bottom, scroll down to the server-URL string; you will find the URL pointing to port 80, as shown. Change it to https://connectnine.ac.com instead of http://connectnine.ac.com:80

Note: The Server URL is equivalent to the Admin host, i.e. the FQDN used for Connect only.

The same procedure applies to the Publish server; to navigate to that server just change the port number, as shown in the picture below, to 4503 instead of 4502.

Follow the same procedure to navigate to the Java Content Repository (JCR content) to modify the server URL on the Publish server as well. Notice that on the Publish server the user is always logged in as anonymous. You will not be able to save the changes unless you are logged in as the admin user. Therefore, before making the necessary changes, make sure that you are logged in to the Publish server as admin. To do so, click on the top-right pane, as shown below, which shows the anonymous user, and click the login option.

Once clicked you will see the following screen; use your CRX user name, which is "admin", and the password set at the time of installation. Once logged in successfully, the user will be able to save the

Make sure the CRX configuration for Day CQ Link Externalizer and Day CQ WCM Page Statistics points to the right FQDN after enabling SSL. This applies to both the CQ-Author Server and the CQ-Publish Server.

This step is not necessary if you checked/enabled SSL at the time of installation and pointed the Author server and Publish server to https://FQDN for the Author/Publish server instead of http://FQDN:4502 / 4503. The reason is that if you provide the Author and Publish server URLs as https://FQDN for the Author/Publish server at installation time, the CRX Configuration Manager is configured automatically.

There are two configuration links required for Connect integration:

- Day CQ Link Externalizer

- Day CQ WCM Page Statistics

Navigate to the URL http://localhost:4502/system/console/configMgr. This prompts you for the user name and password of the CQ web console, which are the same as those used for CRX (the user name is "admin" and the password is the one set at the time of CQ installation).

You will find the list of configurations below; navigate to "Day CQ Link Externalizer", as shown below:

Note: In CQ the Externalizer is an OSGi service that allows you to programmatically transform a resource path (e.g. /path/to/my/page) into an external, absolute URL (e.g. http://www.mycompany.com/path/to/my/page) by prefixing the path with a pre-configured DNS name. Since an instance cannot know its externally visible URL if it is running behind a web layer, and since sometimes a link has to be created outside the request scope, this service provides a central place to configure those external URLs and build them.

Click on "Day CQ Link Externalizer" to open the dialogue box shown below; once open, make sure the Host Name points to the Author server URL, which in this case is "connectnineauth.ac.com", without the https.

Note: Host Name is blank by default.

Similarly, next we navigate to "Day CQ WCM Page Statistics" and click on it to open the dialogue box.

Once the dialogue box is open, you will see the URL set by default to http://localhost:4502/libs/wcm/stats/tracker. You need to change it and make sure the URL is https://FQDN/libs/wcm/stats/tracker, which in this case is https://connectnineauth.ac.com/libs/wcm/stats/tracker. (In the figure below it shows connectnine.ac.com, which is incorrect; please change that to connectnineauth.ac.com.)

Note: As mentioned earlier in this step, this configuration is not required if the user enables SSL at the time of installation. However, the user can always confirm the settings in any case.

Similarly, we need to follow the same steps for the Publish server CQ web console as well. Remember that in both cases it asks the user to enter the CQ password. To reach the Publish server, navigate to the URL http://localhost:4503/system/console/configMgr and follow the same steps as shown above.
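Added example (not part of the original document or of CQ): a Python validator for the three values this section and the previous one change, the CRX server-URL, the Link Externalizer Host Name and the Page Statistics tracker URL. The dictionary keys are placeholder names chosen here, not CQ's OSGi property names; the constructed defaults reproduce the page's before state, and FIGURE reproduces the incorrect host shown in the page's figure.

```python
"""Validate the CRX/OSGi values this section changes after SSL is enabled."""
from urllib.parse import urlparse

TRACKER_PATH = "/libs/wcm/stats/tracker"


def https_host(url):
    """Return the hostname when url is https://<host> with no explicit port, else None."""
    p = urlparse(url)
    if p.scheme != "https" or not p.hostname or p.port is not None:
        return None
    return p.hostname


def check_cq_settings(settings, connect_fqdn, cq_fqdn):
    """settings keys (placeholder names chosen here): server_url,
    externalizer_host, stats_tracker_url. connect_fqdn is the Connect admin
    host; cq_fqdn is the Author or Publish FQDN that stunnel serves on 443."""
    problems = []
    # server-URL is the Connect admin host over https, never http://FQDN:80
    if https_host(settings.get("server_url", "")) != connect_fqdn:
        problems.append(f"server-URL must be https://{connect_fqdn} (not http, no :80)")
    # the Externalizer Host Name is the bare host, "without the https"
    if settings.get("externalizer_host", "") != cq_fqdn:
        problems.append(f"Link Externalizer Host Name must be exactly {cq_fqdn} (no scheme)")
    # the tracker URL must use the CQ host, not localhost and not the Connect host
    tracker = settings.get("stats_tracker_url", "")
    if https_host(tracker) != cq_fqdn or urlparse(tracker).path != TRACKER_PATH:
        problems.append(f"Page Statistics URL must be https://{cq_fqdn}{TRACKER_PATH}")
    return problems


# Constructed: the values as CQ leaves them before this step.
DEFAULTS = {
    "server_url": "http://connectnine.ac.com:80",
    "externalizer_host": "",
    "stats_tracker_url": "http://localhost:4502/libs/wcm/stats/tracker",
}

# Constructed: the values the text arrives at for the Author server.
AUTHOR_DONE = {
    "server_url": "https://connectnine.ac.com",
    "externalizer_host": "connectnineauth.ac.com",
    "stats_tracker_url": "https://connectnineauth.ac.com/libs/wcm/stats/tracker",
}

# The mistake in the page's figure: tracker URL on the Connect host, not the Author host.
FIGURE = dict(AUTHOR_DONE, stats_tracker_url="https://connectnine.ac.com/libs/wcm/stats/tracker")

if __name__ == "__main__":
    for label, values in (("defaults", DEFAULTS), ("author", AUTHOR_DONE), ("figure", FIGURE)):
        print(label, check_cq_settings(values, "connectnine.ac.com", "connectnineauth.ac.com") or "OK")
```

For the Publish server call check_cq_settings with cq_fqdn set to connectninepub.ac.com and the values read from http://localhost:4503/system/console/configMgr; the server-URL stays the Connect admin host on both servers, as the note above says.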

Import the certificates which are used to configure SSL into the JRE folder of Connect 9.

This step is not mandatory because the issue has been fixed in later versions of Connect 9; therefore, if you are not on Connect 9.0.0.1 and are planning to apply patches, ignore this step.

There is an existing bug in the beta build (Bug#3055998: with HTTPS set up on CQ, images are not displayed on the landing/registration/speaker info pages).

We have the following workaround for this bug. Steps:

1. Go to the system where Connect is installed and find the JRE folder, which is located in the Connect folder at C:\connect\9.0.0.1\jre\bin

2. Obtain the SSL certificate (.cer) file.

I obtained the certificate by following these steps:

- Open the URL https://connectnine.ac.com

3. Copy this certificate into the bin folder under the JRE folder, which is located in the Connect folder at C:\connect\9.0.0.1\jre\bin

4. Open Run, execute the command prompt and set the current working directory to c:\connect\9.0.0.1\jre\bin

5. Execute the command:

keytool -import -trustcacerts -alias connect -file <certificate name> -keystore cacerts

Note: The highlighted word connect is used as the alias, so you can use any name here.

6. Once you hit enter you will be asked for a password. When asked, type the password "changeit". Re-confirm it and hit enter.

7. A "cacerts" file will be generated in the bin folder; make sure that this file is copied to the location c:\Connect\9.0.0.1\jre\lib\security\
