Securing Adobe Connect Server and CQ Server
To enable SSL on the Connect server and the CQ server (Index)
Configure the custom.ini file.
Uncomment the SSL tags in the server.xml file.
Configure the four components of Connect and CQ together on port 443:
o Application Server
o Meeting Server
o CQ-Author Server
o CQ-Publish Server
Make sure the Server URL under CRX (CQ-5), which is the Java Content Repository tool, points to https instead of pointing to port 80. This applies to both the CQ-Author server (4502) and the CQ-Publish server (4503).
Make sure the CRX configuration for Day CQ Link Externalizer and Day CQ WCM Page Statistics points to the right FQDN after enabling SSL. This applies to both the CQ-Author Server and the CQ-Publish Server.
Import the certificates which are used to configure SSL into the JRE folder of Connect 9. (This is due to a bug which has already been fixed in later versions of Connect 9; apply this only if you are on 9.0.0.1, otherwise it is not required.)
Configure custom.ini File
A normal custom.ini file looks like the one shown below: you will see the CQ-Author and CQ-Publish servers pointing to ports 4502 and 4503, with a common FQDN as the admin host, if only one IP address is in use.
To enable SSL we need to add a few lines and modify a few lines in the custom.ini file, as shown in the next picture:
- Since we need the admin host to use the https protocol, we add “ADMIN_PROTOCOL=https://”.
- To enable SSL we set “SSL_ONLY=yes”.
- To ensure that calls to the meeting server hit port 443, we use the tag “RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/”.
- CQ_Author_Server changes to https://connectnineauth.ac.com instead of http://connectnine.ac.com:4502. The reason is that we are mapping the CQ-Author server to an individual IP address on port 443, so we set a different FQDN with the “https” protocol in the same domain (*.ac.com).
- Similarly, CQ_Publish_Server is set to https://connectninepub.ac.com instead of http://connectnine.ac.com:4503.
Note: It is not mandatory to use port 4502 for Author and 4503 for Publish; the user can set any port. However, by default the ports are as mentioned above.
In the above picture you also see that we have added the tag “DOMAIN_COOKIE”; this is required to set the domain value of the BREEZESESSION cookie, which is issued when a user accesses the Connect page.
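The following is an added example, not part of the original guide or of Adobe Connect: a small checker that reads a custom.ini file and verifies the SSL-related settings listed above (ADMIN_PROTOCOL, SSL_ONLY, RTMP_SEQUENCE, CQ_Author_Server, CQ_Publish_Server and DOMAIN_COOKIE). The key names are taken from the guide; the sample file content and the hostnames in it are constructed for illustration, and the CQ_Publish_Server line is deliberately left on plain http so the checker has something to report.

```python
# Added example (not from the Adobe guide): lint the SSL settings in a
# Connect custom.ini. Key names follow the guide; sample content is constructed.
from urllib.parse import urlsplit

# Constructed sample of a custom.ini after the SSL edits described in the guide.
# The CQ_PUBLISH_SERVER line is intentionally still http://...:4503 (a mistake).
SAMPLE_CUSTOM_INI = """\
DB_HOST=localhost
DB_PORT=1433
ADMIN_PROTOCOL=https://
SSL_ONLY=yes
RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/
CQ_AUTHOR_SERVER=https://connectnineauth.ac.com
CQ_PUBLISH_SERVER=http://connectnine.ac.com:4503
DOMAIN_COOKIE=ac.com
"""


def parse_custom_ini(text):
    """Parse KEY=VALUE lines into a dict. Keys are upper-cased so the spelling
    differences in the guide (CQ_Author_Server vs CQ_AUTHOR_SERVER) do not
    matter. Blank lines, '#'/';' comments and lines without '=' are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def check_ssl_settings(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if settings.get("ADMIN_PROTOCOL") != "https://":
        findings.append("ADMIN_PROTOCOL must be https://")
    if settings.get("SSL_ONLY", "").lower() != "yes":
        findings.append("SSL_ONLY must be yes")
    # Only the first hop (before '?') is the externally reachable rtmps endpoint.
    first_hop = urlsplit(settings.get("RTMP_SEQUENCE", "").split("?", 1)[0])
    if first_hop.scheme != "rtmps" or first_hop.port != 443:
        findings.append("RTMP_SEQUENCE must start with rtmps://<external-host>:443/")
    for key in ("CQ_AUTHOR_SERVER", "CQ_PUBLISH_SERVER"):
        url = urlsplit(settings.get(key, ""))
        if url.scheme != "https":
            findings.append(f"{key} must use https://")
        elif url.port not in (None, 443):
            # With stunnel on 443 the CQ URL must not carry the 4502/4503 port.
            findings.append(f"{key} must not carry a plain-HTTP port (got :{url.port})")
    if not settings.get("DOMAIN_COOKIE"):
        findings.append("DOMAIN_COOKIE is missing (needed for the BREEZESESSION cookie domain)")
    return findings


if __name__ == "__main__":
    for finding in check_ssl_settings(parse_custom_ini(SAMPLE_CUSTOM_INI)):
        print("FINDING:", finding)
```

Run it against the real file by replacing SAMPLE_CUSTOM_INI with the contents of custom.ini; the only finding on the constructed sample is the CQ_PUBLISH_SERVER line that still uses http.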
Uncomment the SSL Tags in the server.xml File
Now move to the location (c:\connect\9.0.0.1\appserv\conf\) and look for the server.xml file. Once the file is located, open it and make the changes described below.
Find the two tags shown below in the file and uncomment them as shown. (The green tags are commented and the ones on the right-hand side are uncommented. To comment a line we use the start tag “<!--” and the close tag “-->”; if you look below, we have simply moved the close tag to the end of the first line, which says “Uncomment for SSL Support”.)
First tag:
Second tag:
Once you have uncommented the required SSL tags, to test whether the changes have been made successfully, re-open the file in a browser and check that the same tags appear uncommented. If the browser throws an error, there is a syntax error, which is why it will not open the file. Double-check the tags carefully again.
Configure the Four Components of Connect and CQ Together on Port 443
Configure software-based SSL
When you configure software-based SSL, you can secure network connections to the web application server (HTTPS protocol), the meeting server (RTMPS protocol), or both. No matter which configuration you choose, you must create DNS records for your Connect servers first.
HTTP is the protocol with which the Adobe Connect application server is accessed. This includes the Connect Central administration pages for managing your Connect instance, Connect user login, and the Connect web services. Securing the application server by using HTTPS is important to prevent unauthorized access to your Connect service.
RTMP is the protocol which the Adobe Connect meeting server uses. RTMP connections contain media data such as video and audio streams from your Connect meetings, as well as data from the meeting rooms such as participant names and chat text. Securing the meeting server is important if you have sensitive information being exchanged in your Connect meetings.
Configure the DNS server
❖Create DNS entries that define addresses for the Fully Qualified Domain Name (FQDN) of each secured service. If you intend to secure traffic for both the application server and the meeting server, you must have a separate IP address for each service.
The domain name for the Central application server is the address with which your end users will access Adobe Connect with. Enter this domain name as the Connect Host value on the Server Settings page in the Application Management Console. For example, a good value is
connect.yourcompany.com.
End users do not see the FQDN(s) for the meeting server(s). However, you must define a unique domain name for each meeting server if you want to conduct meetings over a secure connection. Enter this FQDN in the External Name box on the Server Settings page in the Application Management Console. For example, a good value is fms.yourcompany.com.
Note: In a cluster, all the application servers can share an SSL certificate, but each meeting server must have its own SSL certificate. On a single server, to secure both the HTTP (application server) and RTMP (meeting server) connections, you must have a total of two IP addresses, two FQDNs and two SSL certificates (one for each protocol). You may also get a single “wildcard” SSL certificate that can be used for multiple hosts in the same sub-domain, e.g. *.yourcompany.com. This is simpler to manage, but typically costs more than a single-domain certificate. Similarly, to secure the CQ server as well, we must have a total of 4 IP addresses and 4 certificates if you are not using a wildcard certificate. The reason is that the CQ server consists of 2 separate servers (the CQ-Author Server and the CQ-Publish Server), so in total there are four: Application Server, Meeting Server, CQ-Author Server and CQ-Publish Server.
Below you will see a regular stunnel.conf file with the application server [https-vip] and meeting server [rtmps-vip] tags.
Considering that we are using 4 IP addresses and one wildcard certificate: set the application server on IP address one (accept = IP-One:443) and the meeting server on IP address two (accept = IP-Two:443).
Set the certificate and key names in both servers as marked in the figure above.
Since we have to enable SSL on the CQ server as well, please note that the steps below are very important and that these tags will not be found in the stunnel.conf file shown above.
You need to create those tags manually, therefore copy the tags shown below into the stunnel.conf file.
This is for CQ-Author:
[cq-Author-vip]
; incoming vip for https (this is to secure the CQ-Author server)
; ip address that resolves to the CQ-Author FQDN (not the Connect web app FQDN)
; listens on port 443
accept = 123.123.123.1:443
; When stunnel is on the same box, simply leave the IP address below as 127.0.0.1
; send the unencrypted request to port 4502
connect = 127.0.0.1:4502
; Certificate information for Connect.
; This assumes you put the cert and key in the root folder of stunnel
; (cert and key must be on their own lines; a directive on a ';' comment line is ignored)
cert = CertificateNameHere.pem
key = CertificateKeyNameHere.pem
ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
This is for CQ-Publish:
[cq-Publish-vip]
; section name must differ from the Author vip (the original text repeated [cq-Author-vip])
; incoming vip for https (this is to secure the CQ-Publish server)
; ip address that resolves to the CQ-Publish FQDN
; listens on port 443
; 123.123.123.2 is a placeholder: this must be a different IP (IP address four) from the Author vip
accept = 123.123.123.2:443
; When stunnel is on the same box, simply leave the IP address below as 127.0.0.1
; send the unencrypted request to port 4503
connect = 127.0.0.1:4503
; Certificate information for Connect.
; This assumes you put the cert and key in the root folder of stunnel
cert = CertificateNameHere.pem
key = CertificateKeyNameHere.pem
ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
Once copied, please follow the same steps as shown above:
Set the CQ-Author server on IP address three (accept = IP-Three:443) and the CQ-Publish server on IP address four (accept = IP-Four:443).
Set the certificate and key names in both servers as marked in the figure above.
Once this is done, there are two tags at the top of your stunnel file, as shown below:
Make sure that “sslVersion = all” is set instead of TLSv1 and that “fips = no” is uncommented, so remove the semicolon right before “fips=no”. Now save the file and start the stunnel service.
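The following is an added example, not part of the original guide or of the stunnel project: a lint for the stunnel.conf layout described above. It flags the mistakes that are easy to make when hand-copying the vip blocks, namely a `cert`/`key`/`accept`/`connect` directive left on the same line as a `;` comment (stunnel then never sees it), two services accepting on the same IP:port (which also violates the one-IP-per-secured-service rule from the DNS section), a repeated service name, a service not listening on 443, and the `fips = no` line still commented out. The sample configuration is constructed and contains each of these errors; the `sslVersion = all` check simply follows what the guide asks for.

```python
# Added example (not from the Adobe guide or stunnel): lint a stunnel.conf
# for the copy-paste errors described above. Sample content is constructed.
import re

# Constructed sample: 'fips = no' is still commented, the CQ-Author block has
# its cert directive stuck on a comment line, and the CQ-Publish block re-uses
# both the Author section name and the Author accept address.
SAMPLE_STUNNEL_CONF = """\
; global options
;fips = no
sslVersion = all

[https-vip]
accept = 123.123.123.1:443
connect = 127.0.0.1:8443
cert = wildcard.pem
key = wildcard.key

[rtmps-vip]
accept = 123.123.123.2:443
connect = 127.0.0.1:1935
cert = wildcard.pem
key = wildcard.key

[cq-Author-vip]
accept = 123.123.123.3:443
connect = 127.0.0.1:4502
; This assumes you put the cert and key in the root folder cert = wildcard.pem
key = wildcard.key

[cq-Author-vip]
accept = 123.123.123.3:443
connect = 127.0.0.1:4503
cert = wildcard.pem
key = wildcard.key
"""

# A service directive that appears after ';' on the same line is silently lost.
DIRECTIVE_IN_COMMENT = re.compile(r"^;.*\b(cert|key|accept|connect)\s*=", re.I)


def parse_stunnel_conf(text):
    """Return (global_options, [(section_name, {option: value}), ...], findings).
    Only uncommented 'name = value' lines count as directives, which is how
    stunnel itself reads the file."""
    global_opts, sections, findings = {}, [], []
    current = global_opts
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            if DIRECTIVE_IN_COMMENT.match(line):
                findings.append(f"line {lineno}: directive hidden inside a comment: {line}")
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if any(n == name for n, _ in sections):
                findings.append(f"line {lineno}: duplicate service name [{name}]")
            current = {}
            sections.append((name, current))
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return global_opts, sections, findings


def lint_stunnel_conf(text):
    """Apply the layout rules from the guide and return a list of findings."""
    global_opts, sections, findings = parse_stunnel_conf(text)
    seen_accept = {}  # accept address -> first service that used it
    for name, opts in sections:
        for required in ("accept", "connect", "cert", "key"):
            if required not in opts:
                findings.append(f"[{name}]: missing '{required}' directive")
        acc = opts.get("accept")
        if acc:
            if not acc.endswith(":443"):
                findings.append(f"[{name}]: accept should listen on port 443 (got {acc})")
            if acc in seen_accept:
                findings.append(f"[{name}]: accept {acc} already used by [{seen_accept[acc]}]")
            seen_accept.setdefault(acc, name)
    # Global options as the guide specifies them: sslVersion = all, fips = no uncommented.
    if global_opts.get("sslVersion") != "all":
        findings.append("global: sslVersion = all expected by the guide")
    if global_opts.get("fips", "").lower() != "no":
        findings.append("global: 'fips = no' is missing or still commented out")
    return findings


if __name__ == "__main__":
    for finding in lint_stunnel_conf(SAMPLE_STUNNEL_CONF):
        print("FINDING:", finding)
```

Point it at the real file by reading stunnel.conf into a string; on the constructed sample it reports the hidden cert directive, the duplicate [cq-Author-vip] section (which is therefore missing its cert), the shared accept address, and the commented-out fips line.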
Make Sure the Server URL Under CRX (CQ-5), Which Is the Java Content Repository Tool, Points to https Instead of Port 80. This Applies to Both the CQ-Author Server (4502) and the CQ-Publish Server (4503)
Now navigate to the URL http://localhost:4502 to open the CQ5 wizard window. Note that the user name for the login window shown below is always “admin”; the password can be set at the time of installation (by default the password is admin).
Once logged in successfully, select the option “CRXDE Lite” on the right-hand side, as shown in the picture below, which takes us to the web-based IDE.
Once the IDE is open, notice that this will take us to Author Server CQ5 web based IDE, where we can navigate to the Java Content repository folder. During the installation process in connect 9, if the serial key for connect nine has the event license enabled, user will get the option for CQ Author server and CQ publish server to enable. Once the user enables the two options, the event templates are integrated with the new architecture of CQ and create a server-URL entry in the Java content Repository file. Now by default the Server-URL points to port 80 (http://FQDN:80), therefore to enable SSL we need to modify the server-URL so that when it is called it will take us to https instead of http. Therefore we will change the (http://FQDN:80) to (https://FQDN for Author), similarly in case of Publish server it will be (
To Navigate through JCR content, please follow the Path as shown in the picture below : ( Content Folder Connect folder C1JCR:Content
Once you click on the JCR content, scroll down in the right-hand pane at the bottom to the server-URL string; you will find the URL pointing to port 80 as shown. Change it to https://connectnine.ac.com instead of http://connectnine.ac.com:80
Note:- The Server URL is equivalent to the admin host, which means the FQDN used for Connect only.
The same procedure applies to the Publish server; to navigate to that server, just change the port number as shown in the picture below to 4503 instead of 4502.
Follow the same procedure to navigate to the Java Content Repository (JCR content) and modify the server URL on the Publish server as well. Notice that on the Publish server the user is always logged in as anonymous, and you will not be able to save the changes unless you are logged in as the admin user. Therefore, before making the necessary changes, make sure that you are logged in to the Publish server as admin. To do so, click on the top-right pane, shown below, which displays the anonymous user, and click the login option.
Once clicked you will see the following screen; use your CRX user name, which is “admin”, and the password set at the time of installation. Once logged in successfully, the user will be able to save the
Make Sure the CRX Configuration for Day CQ Link Externalizer and Day CQ WCM Page Statistics Points to the Right FQDN After Enabling SSL. This Applies to Both the CQ-Author Server and the CQ-Publish Server
This step is not necessary if you checked/enabled SSL at the time of installation and pointed the Author server and Publish server to https://FQDN for the Author/Publish server instead of http://FQDN:4502 / 4503. The reason is that if you provide the Author and Publish server URLs as https://FQDN at installation time, the CRX Configuration Manager is configured automatically.
There are two configuration links required for Connect integration:
- Day CQ Link Externalizer
- Day CQ WCM Page Statistics
Navigate to the URL http://localhost:4502/system/console/configMgr. This will prompt you for the user name and password of the CQ web console, which are the same as those used for CRX (the user name is “admin” and the password is the one set at the time of the CQ installation).
You will find the list of configurations below; navigate to “Day CQ Link Externalizer” as shown below:
Note:- In CQ the Externalizer is an OSGi service that allows you to programmatically transform a resource path (e.g. /path/to/my/page) into an external and absolute URL (e.g. http://www.mycompany.com/path/to/my/page) by prefixing the path with a pre-configured DNS name. Since an instance cannot know its externally visible URL if it is running behind a web layer, and since sometimes a link has to be created outside of the request scope, this service provides a central place to configure those external URLs and build them.
Click on “Day CQ Link Externalizer” to open the dialogue box as shown below; once it is open, make sure the Host Name points to the Author server URL, which in this case is “connectnineauth.ac.com”, without the https.
Note:- Host Name is blank by default.
Similarly, next navigate to “Day CQ WCM Page Statistics” and click on it to open the dialogue box.
Once the dialogue box is open you will see the URL set by default to http://localhost:4502/libs/wcm/stats/tracker. You need to change it so that the URL is https://FQDN/libs/wcm/stats/tracker, which in this case is https://connectnineauth.ac.com/libs/wcm/stats/tracker. (In the figure below it shows connectnine.ac.com, which is incorrect; please change that to connectnineauth.ac.com.)
Note: As mentioned earlier in this step, this configuration is not required if the user enables SSL at the time of installation. However, the user can always confirm the settings in any case.
Similarly, we need to follow the same steps for the Publish server CQ web console as well. Remember that in both cases it will ask the user to enter the CQ password. To reach the Publish server, navigate to the URL http://localhost:4503/system/console/configMgr and follow the same steps as shown above.
Import the Certificates Which Are Used to Configure SSL into the JRE Folder of Connect 9
This step is not mandatory because the bug has been fixed in later versions of Connect 9; therefore, if you are not on Connect 9.0.0.1 and are planning to apply patches, ignore this step:
Since we have an existing bug in the beta build (Bug#3055998: with HTTPS set up on CQ, images are not displayed on the landing/registration/speaker info pages), we have the following workaround. Steps:-
1. Go to the system where Connect is installed and find the JRE folder, which is located in the connect folder at C:\connect\9.0.0.1\jre\bin
2. Obtain the SSL certificate (.cer) file.
I have obtained the certificate by following these steps: open the https://connectnine.ac.com URL.
3. Copy this certificate into the bin folder under the JRE folder, which is located in the connect folder at C:\connect\9.0.0.1\jre\bin
4. Open a command prompt and set the current working directory to c:\connect\9.0.0.1\jre\bin
5. Execute the command “keytool -import -trustcacerts -alias connect -file <certificate name> -keystore cacerts”.
Note:- “connect” here is only the alias, therefore you can use any name in its place.
6. Once you hit Enter you will be asked for a password. When asked, type the password “changeit”, re-confirm it and hit Enter.
7. A “cacerts” file will be generated in the bin folder; you need to make sure that this file is copied to the location c:\Connect\9.0.0.1\jre\lib\security\