Securing Adobe Connect Server and CQ Server




TO ENABLE SSL ON CONNECT SERVER AND CQ SERVER (INDEX)

1. Configure the custom.ini file.
2. Uncomment the SSL TAGs in the server.xml file.
3. Configure the four components of Connect and CQ together on port 443:
   o Application Server
   o Meeting Server
   o CQ-Author Server
   o CQ-Publish Server
4. Make sure the Server URL under CRX (CQ-5), the Java content repository tool, points to https instead of port 80. This applies to both the CQ-Author server (4502) and the CQ-Publish server (4503).
5. Make sure the CRX configuration for Day CQ Link Externalizer and Day CQ WCM Page Statistics points to the right FQDN after enabling SSL. This applies to both the CQ-Author server and the CQ-Publish server.
6. Import the certificates used to configure SSL into the JRE folder of Connect 9. (This is due to a bug that has already been fixed in later versions of Connect 9; apply this step only if you are on 9.0.0.1, otherwise it is not required.)

CONFIGURE CUSTOM.INI FILE

The normal custom.ini file would look like the one shown below. You will see the CQ-Author and CQ-Publish servers pointing to ports 4502 and 4503, with a common FQDN as the admin host if we are using only one IP address. To enable SSL we need to add a few lines and modify a few lines in the custom.ini file, as shown in the next picture:

- Since we need the admin host to use the https protocol, we add ADMIN_PROTOCOL=https://
- To enable SSL we set SSL_ONLY=yes
- To ensure that the meeting server, when called, hits port 443 we use the TAG RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/
- CQ_Author_Server changes to https://connectnineauth.ac.com instead of http://connectnine.ac.com:4502. The reason is that we are mapping the CQ-Author server to an individual IP address on port 443, therefore we set a different FQDN with the https protocol and a similar domain (*.ac.com).
- Similarly, for CQ_Publish_Server the value is set to https://connectninepub.ac.com instead of http://connectnine.ac.com:4503
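As an added check (not code from the guide or from Adobe), the following Python script lints the SSL TAGs listed above, plus the DOMAIN_COOKIE TAG the guide mentions, in a custom.ini. The two sample files are constructed to mirror the before and after states the guide describes; the DOMAIN_COOKIE value in the sample is an assumption, since the guide does not show it. Key names are matched case-insensitively because configparser lowercases option names.

```python
# Added example, not code from the original guide or from Adobe: a small lint
# for the SSL-related TAGs in custom.ini. Sample custom.ini contents below are
# constructed to look like the file the guide describes; key names come from
# the guide and are matched case-insensitively (configparser lowercases them).
import configparser
from urllib.parse import urlsplit

# Constructed sample: the "normal" custom.ini before SSL is enabled.
BEFORE_SSL = """\
DB_HOST=localhost
ADMIN_HOST=connectnine.ac.com
CQ_Author_Server=http://connectnine.ac.com:4502
CQ_Publish_Server=http://connectnine.ac.com:4503
"""

# Constructed sample: the same file after the guide's SSL changes.
# The DOMAIN_COOKIE value is an assumed one; the guide does not show it.
AFTER_SSL = """\
DB_HOST=localhost
ADMIN_HOST=connectnine.ac.com
ADMIN_PROTOCOL=https://
SSL_ONLY=yes
RTMP_SEQUENCE=rtmps://connectnine.ac.com:443/?rtmp://localhost:8506/
CQ_Author_Server=https://connectnineauth.ac.com
CQ_Publish_Server=https://connectninepub.ac.com
DOMAIN_COOKIE=ac.com
"""


def parse_custom_ini(text):
    """custom.ini has no section header, so prepend a dummy one for configparser."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string("[root]\n" + text)
    return {k.lower(): v.strip() for k, v in cp["root"].items()}


def lint_custom_ini(text):
    """Return a list of findings; an empty list means the SSL TAGs are consistent."""
    cfg = parse_custom_ini(text)
    findings = []

    if cfg.get("ssl_only", "").lower() != "yes":
        findings.append("SSL_ONLY is not 'yes': plain HTTP remains enabled")
    if cfg.get("admin_protocol") != "https://":
        findings.append("ADMIN_PROTOCOL is not 'https://': links to the admin host use http")

    seq = cfg.get("rtmp_sequence", "")
    if not seq.startswith("rtmps://"):
        findings.append("RTMP_SEQUENCE does not start with rtmps://: meeting traffic is not secured")
    elif urlsplit(seq.split("?", 1)[0]).port != 443:
        findings.append("RTMP_SEQUENCE external host does not use port 443")

    hosts = {}
    for key in ("cq_author_server", "cq_publish_server"):
        url = urlsplit(cfg.get(key, ""))
        hosts[key] = url.hostname
        if url.scheme != "https":
            findings.append(f"{key.upper()} is not an https URL")
        elif url.port not in (None, 443):
            findings.append(f"{key.upper()} still names port {url.port}; stunnel listens on 443")
    if hosts["cq_author_server"] and hosts["cq_author_server"] == hosts["cq_publish_server"]:
        findings.append("CQ_AUTHOR_SERVER and CQ_PUBLISH_SERVER share one FQDN; each needs its own FQDN and IP")

    if not cfg.get("domain_cookie"):
        findings.append("DOMAIN_COOKIE is missing: the BREEZESESSION cookie domain is not set")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE_SSL), ("after", AFTER_SSL)):
        print(label, lint_custom_ini(text) or "OK")
```

Run it against the real file with `lint_custom_ini(open(r"C:\connect\9.0.0.1\custom.ini").read())` (path assumed from the guide's install root); an empty list means every TAG the guide adds is present and consistent.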

Note: It is not mandatory to use port 4502 for author and 4503 for publish. The user can set any port at will; however, by default the ports are as mentioned above. In the above picture you also see that we have added the TAG DOMAIN_COOKIE; this is required to set the domain value of the BREEZESESSION cookie, which is issued when a user accesses the Connect page.

UNCOMMENT THE SSL TAGS IN SERVER.XML FILE

Now move to the location c:\connect\9.0.0.1\appserv\conf\ and look for the server.xml file. Once the file is located, open it and make the changes mentioned below:

Find the two TAGs shown below in the file and uncomment them as shown. (The green TAGs are commented and the ones on the right-hand side are uncommented. To comment a line we use the start TAG <!-- and the close TAG -->; as you see below, we have simply removed the close TAG and put it at the end of the first line, which says "Uncomment for SSL Support".)

First TAG:

Second TAG:

Once you have uncommented the required SSL TAGs, to test whether the changes have been made successfully, re-open the file in a browser and check that you can see the same TAGs uncommented. If the browser throws an error, there is a syntax error, which is why it cannot open the file. Double-check the TAGs carefully again.

CONFIGURE THE FOUR COMPONENTS OF CONNECT AND CQ TOGETHER ON PORT 443

Configure software-based SSL

When you configure software-based SSL, you can secure network connections to the web application server (HTTPS protocol), the meeting server (RTMPS protocol), or both. No matter which configuration you choose, you must create DNS records for your Connect servers first.

HTTP is the protocol with which the Adobe Connect application server is accessed. This includes the Connect Central administration pages for managing your Connect instance, Connect user login, and the Connect web services. Securing the application server by using HTTPS is important to prevent unauthorized access to your Connect service.

RTMP is the protocol which the Adobe Connect meeting server uses. RTMP connections carry media data such as video and audio streams from your Connect meetings, as well as data from the meeting rooms such as participant names and chat text. Securing the meeting server is important if sensitive information is exchanged in your Connect meetings.

Configure the DNS server

Create DNS entries that define addresses for the Fully Qualified Domain Name (FQDN) of each secured service. If you intend to secure traffic for both the application server and the meeting server, you must have a separate IP address for each service.

The domain name for the Central application server is the address with which your end users will access Adobe Connect. Enter this domain name as the Connect Host value on the Server Settings page in the Application Management Console. For example, a good value is connect.yourcompany.com.

End users do not see the FQDN(s) for the meeting server(s). However, you must define a unique domain name for each meeting server if you want to conduct meetings over a secure connection. Enter this FQDN in the External Name box on the Server Settings page in the Application Management Console. For example, a good value is fms.yourcompany.com.

Note: In a cluster, all the application servers can share an SSL certificate, but each meeting server must have its own SSL certificate. On a single server, to secure both the HTTP (application server) and RTMP (meeting server) connections, you must have a total of two IP addresses, two FQDNs and two SSL certificates (one for each protocol). (You may also get a single wildcard SSL certificate that can be used for multiple hosts in the same sub-domain, e.g. *.yourcompany.com. This is simpler to manage, but typically costs more than a single domain name certificate.) Similarly, for securing the CQ server as well, we must have in total 4 IP addresses and 4 certificates in case you are not using the wildcard certificate. The reason is that we have 2 separate servers under the CQ server (CQ-Author Server and CQ-Publish Server), so in total there are four: Application Server, Meeting Server, CQ-Author Server and CQ-Publish Server.

Below you will see a regular stunnel.conf file with the application server [https-vip] and meeting server [rtmps-vip] TAGs, CONSIDERING THAT WE ARE USING 4 IP ADDRESSES AND ONE WILDCARD CERTIFICATE:

- Set the application server on IP address one (accept = IP-One:443)
- Set the meeting server on IP address two (accept = IP-Two:443)
- Set the certificate and key names in both servers as marked in the figure above.

Since we have to enable SSL on the CQ server as well, please notice that the steps below are very important and will not be found in the stunnel.conf file shown above. You need to create those TAGs manually, therefore copy the TAGs shown below into the stunnel.conf file.

This is for CQ-Author:

    [cq-author-vip]
    ; incoming vip for https (this is to secure the CQ-Author server)
    ; ip address that resolves to the CQ-Author FQDN (connectnineauth.ac.com in this guide)
    ; listens on port 443
    accept = 123.123.123.1:443
    ; when stunnel is on the same box, simply leave the below IP address as 127.0.0.1
    ; send the unencrypted request to port 4502
    connect = 127.0.0.1:4502
    ; certificate information for Connect
    ; this assumes you put the cert and key in the root folder of stunnel
    cert = CertificateNameHere.pem
    key = CertificateKeyNameHere.pem
    ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

This is for CQ-Publish (note that the section name and the accept address differ from the CQ-Author block):

    [cq-publish-vip]
    ; incoming vip for https (this is to secure the CQ-Publish server)
    ; ip address that resolves to the CQ-Publish FQDN (connectninepub.ac.com in this guide);
    ; it must be a different address from the CQ-Author block above
    ; listens on port 443
    accept = 123.123.123.2:443
    ; when stunnel is on the same box, simply leave the below IP address as 127.0.0.1
    ; send the unencrypted request to port 4503
    connect = 127.0.0.1:4503
    ; certificate information for Connect
    ; this assumes you put the cert and key in the root folder of stunnel
    cert = CertificateNameHere.pem
    key = CertificateKeyNameHere.pem
    ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

Once copied, please follow the same steps as shown above:

- Set the CQ-Author server on IP address three (accept = IP-Three:443)
- Set the CQ-Publish server on IP address four (accept = IP-Four:443)
- Set the certificate and key names in both servers as marked in the figure above.

Once this is done, there are two TAGs at the top of your stunnel file, as shown below. You need to make sure that sslversion = all instead of TLSv1, and that fips = no is uncommented; therefore remove the semicolon right next to fips = no. Now save the file and start the stunnel service.
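Because the two CQ blocks are created by hand, a copy-paste slip such as leaving both sections named [cq-author-vip] or both accepting on the same IP address is easy to make. The Python lint below is an added example, not part of the guide and not stunnel's own tooling: it parses a constructed stunnel.conf containing exactly that mistake and reports it, together with missing accept/connect/cert/key lines, accept lines not on 443, a connect target off the local box, cipher strings that do not exclude ADH/LOW/EXP/MD5, and a fips = no line that is still commented out. The IP addresses, the application server's backend port 8443 and the certificate file names are placeholders, not values from the guide.

```python
# Added example, not part of the original guide and not stunnel's own tooling:
# a lint for the service sections the guide adds to stunnel.conf. The sample
# configuration is constructed; IP addresses, backend port 8443 for the
# application server and the certificate file names are placeholders.
import re
from collections import Counter

# Constructed sample reproducing the copy-paste risk: the CQ-Publish block was
# pasted from CQ-Author and neither its section name nor its accept IP changed.
SAMPLE_CONF = """\
; fips = no
sslversion = all

[https-vip]
accept = 123.123.123.1:443
connect = 127.0.0.1:8443
cert = CertificateNameHere.pem
key = CertificateKeyNameHere.pem
ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

[cq-author-vip]
accept = 123.123.123.3:443
connect = 127.0.0.1:4502
cert = CertificateNameHere.pem
key = CertificateKeyNameHere.pem
ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

[cq-author-vip]
accept = 123.123.123.3:443
connect = 127.0.0.1:4503
cert = CertificateNameHere.pem
key = CertificateKeyNameHere.pem
ciphers = ALL
"""

REQUIRED_KEYS = ("accept", "connect", "cert", "key")
WEAK_CIPHER_EXCLUSIONS = ("!ADH", "!LOW", "!EXP", "!MD5")


def parse_stunnel(text):
    """Return (global_options, [(section_name, options), ...]) in file order.
    Duplicate section names are kept so the lint can report them."""
    global_opts, sections = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # comments, incl. a commented-out 'fips = no'
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = {}
            sections.append((m.group(1), current))
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return global_opts, sections


def lint_stunnel(text):
    """Return a list of findings; empty means the sections match the guide's layout."""
    global_opts, sections = parse_stunnel(text)
    findings = []

    for name, n in Counter(name for name, _ in sections).items():
        if n > 1:
            findings.append(f"section [{name}] appears {n} times; rename one of them")
    for addr, n in Counter(opts.get("accept") for _, opts in sections).items():
        if addr and n > 1:
            findings.append(f"accept {addr} is shared by {n} sections; each service needs its own IP on 443")

    for name, opts in sections:
        for key in REQUIRED_KEYS:
            if key not in opts:
                findings.append(f"[{name}] is missing '{key}'")
        if "accept" in opts and not opts["accept"].endswith(":443"):
            findings.append(f"[{name}] does not accept on port 443")
        backend = opts.get("connect", "").rsplit(":", 1)[0]
        if backend and backend not in ("127.0.0.1", "localhost"):
            findings.append(f"[{name}] forwards unencrypted traffic off-box to {backend}")
        missing = [c for c in WEAK_CIPHER_EXCLUSIONS if c not in opts.get("ciphers", "").split(":")]
        if missing:
            findings.append(f"[{name}] ciphers do not exclude {', '.join(missing)}")

    if global_opts.get("fips", "").lower() != "no":
        findings.append("'fips = no' is missing or still commented out")
    if "sslversion" not in global_opts:
        findings.append("sslversion is not set in the global options")
    return findings


if __name__ == "__main__":
    for finding in lint_stunnel(SAMPLE_CONF):
        print("-", finding)
```

Running the block as-is prints the four problems in the constructed sample; once the second block is renamed [cq-publish-vip], given its own accept address, restored to the full cipher string and fips = no is uncommented, the lint returns an empty list.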

MAKE SURE THE SERVER URL UNDER CRX (CQ-5), THE JAVA CONTENT REPOSITORY TOOL, POINTS TO HTTPS INSTEAD OF PORT 80. THIS APPLIES TO BOTH THE CQ-AUTHOR SERVER (4502) AND THE CQ-PUBLISH SERVER (4503)

Now navigate to the URL http://localhost:4502 to open the CQ5 wizard window. Note that the user name for the login window shown below is always admin; the password can be set at the time of installation (by default the password is admin). Once logged in successfully, select the option on the right-hand side shown in the picture below, CRXDE Lite, which takes us to the web-based IDE. Once the IDE is open, notice that this is the CQ5 web-based IDE of the Author server, where we can navigate to the Java content repository folder.

During the installation of Connect 9, if the serial key has the event license enabled, the user gets the option to enable the CQ-Author server and the CQ-Publish server. Once the user enables the two options, the event templates are integrated with the new CQ architecture and a server-url entry is created in the Java content repository. By default the server-url points to port 80 (http://fqdn:80), therefore to enable SSL we need to modify the server-url so that when it is called it takes us to https instead of http. We therefore change http://fqdn:80 to https://fqdn on the Author server, and similarly on the Publish server.

To navigate through the JCR content, follow the path shown in the picture below: Content folder, Connect folder, C1, jcr:content. Once you click on jcr:content, in the right-hand pane at the bottom, scroll down to the server-url string; you will find the URL pointing to port 80, as shown. Change it to https://connectnine.ac.com instead of http://connectnine.ac.com:80

Note: The server URL is equivalent to the admin host, which means the FQDN used for Connect only.

Once the change is done, save in the Author IDE using the Save All button at the top left, as shown below:

The same procedure applies on the Publish server; to navigate to that server, just change the port number, as shown below in the picture, to 4503 instead of 4502. Follow the same procedure to navigate to the Java content repository (jcr:content) and modify the server URL on the Publish server as well. Notice that on the Publish server the user is always logged in as anonymous. You will not be able to save the changes unless you are logged in as the admin user. Therefore, before making the necessary changes, make sure that you are logged in to the Publish server as admin. To do so, click on the top-right pane, as shown below, which shows the anonymous user, and click the login option. Once clicked you will see the following screen; use your CRX user name, which is admin, and the password set at the time of installation. Once logged in successfully, the user will be able to save the necessary changes on the Publish server as well.

MAKE SURE THE CRX CONFIGURATION FOR DAY CQ LINK EXTERNALIZER AND DAY CQ WCM PAGE STATISTICS POINTS TO THE RIGHT FQDN AFTER ENABLING SSL. THIS APPLIES TO BOTH THE CQ-AUTHOR SERVER AND THE CQ-PUBLISH SERVER

This step is not necessary if you checked/enabled SSL at the time of installation and pointed the Author server and Publish server to https://fqdn for the Author/Publish server instead of http://fqdn:4502 / 4503. The reason is that if you provide the Author server and Publish server URLs as https://fqdn at the time of installation, the CRX Configuration Manager is configured automatically.

There are two configuration entries required for the Connect integration:

- Day CQ Link Externalizer
- Day CQ WCM Page Statistics

Navigate to the URL http://localhost:4502/system/console/configmgr. This prompts you for the user name and password of the CQ web console, which are the same as those used for CRX (the user name is admin and the password is the one set at the time of the CQ installation). Once logged in successfully, click on the Configuration tab as shown below:

You will find the list of configurations below; navigate to Day CQ Link Externalizer as shown below.

Note: In CQ the Externalizer is an OSGi service that allows you to programmatically transform a resource path (e.g. /path/to/my/page) into an external and absolute URL (e.g. http://www.mycompany.com/path/to/my/page) by prefixing the path with a pre-configured DNS name. Since an instance cannot know its externally visible URL if it is running behind a web layer, and since sometimes a link has to be created outside of the request scope, this service provides a central place to configure those external URLs and build them.

Click on Day CQ Link Externalizer to open the dialogue box shown below. Once opened, make sure the Host Name points to the Author server URL, which in this case is connectnineauth.ac.com, without the https.

Note: The Host Name is blank by default. After making the necessary changes to the host name, make sure you save the settings.
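The CQ-side values this section changes (the CRX server-url, the Day CQ Link Externalizer host name and the Day CQ WCM Page Statistics tracker URL) all derive from two FQDNs in custom.ini: the admin host and the CQ instance's own FQDN. The following Python check is an added example, not Adobe's code and not part of the guide: expected_settings() derives the values for one CQ instance and check_cq_instance() compares an instance's current values against them, flagging the defaults the guide tells you to change (http with port 80, a blank Externalizer host, a localhost tracker URL) and the two mistakes the guide warns about (a scheme in the host name, the wrong FQDN in the tracker URL). The current-value dicts are constructed from what the guide describes; reading them out of a live instance is not part of this example.

```python
# Added example, not Adobe's code and not part of the original guide: derive
# the CQ-side values this section sets (CRX server-url, Day CQ Link
# Externalizer host name, Day CQ WCM Page Statistics tracker URL) from the
# FQDNs in custom.ini, and check a CQ instance's current values against them.
# The "current values" dicts are constructed to mirror the defaults the guide
# describes; reading them from a live instance is not part of this example.
from urllib.parse import urlsplit

TRACKER_PATH = "/libs/wcm/stats/tracker"


def expected_settings(admin_host, cq_host):
    """admin_host is the Connect FQDN (per the guide, server-url equals the admin host);
    cq_host is the CQ-Author or CQ-Publish FQDN that stunnel serves on port 443."""
    return {
        "server-url": f"https://{admin_host}",
        "externalizer-host": cq_host,  # host name only, no scheme
        "stats-tracker": f"https://{cq_host}{TRACKER_PATH}",
    }


def check_cq_instance(current, admin_host, cq_host):
    """Return findings for one CQ instance; an empty list means it matches the guide."""
    expected = expected_settings(admin_host, cq_host)
    findings = []

    su = urlsplit(current.get("server-url", ""))
    if su.scheme != "https":
        findings.append(f"server-url {current.get('server-url')!r} is not https")
    elif su.port not in (None, 443):
        findings.append(f"server-url names port {su.port}; stunnel serves https on 443")
    if su.hostname != admin_host:
        findings.append(f"server-url host {su.hostname!r} is not the admin host {admin_host!r}")

    ext = current.get("externalizer-host", "")
    if "://" in ext:
        findings.append("Externalizer host name must not include a scheme")
    elif ext != expected["externalizer-host"]:
        findings.append(f"Externalizer host {ext!r} should be {cq_host!r}")

    tracker = current.get("stats-tracker", "")
    if tracker != expected["stats-tracker"]:
        findings.append(f"Page Statistics tracker {tracker!r} should be {expected['stats-tracker']!r}")
    return findings


# Constructed: what a freshly installed CQ-Author instance holds, per the guide.
AUTHOR_DEFAULTS = {
    "server-url": "http://connectnine.ac.com:80",
    "externalizer-host": "",
    "stats-tracker": "http://localhost:4502/libs/wcm/stats/tracker",
}

# Constructed: the same instance after this section's changes.
AUTHOR_SECURED = {
    "server-url": "https://connectnine.ac.com",
    "externalizer-host": "connectnineauth.ac.com",
    "stats-tracker": "https://connectnineauth.ac.com/libs/wcm/stats/tracker",
}

if __name__ == "__main__":
    for label, cur in (("defaults", AUTHOR_DEFAULTS), ("secured", AUTHOR_SECURED)):
        print(label, check_cq_instance(cur, "connectnine.ac.com", "connectnineauth.ac.com") or "OK")
```

For the Publish instance call the same function with connectninepub.ac.com as cq_host; the admin host stays connectnine.ac.com because, as the guide notes, the server-url is the Connect FQDN on both instances.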

Similarly, next we navigate to Day CQ WCM Page Statistics and click on it to open the dialogue box. Once the dialogue box is open, the URL you see by default is http://localhost:4502/libs/wcm/stats/tracker; you need to change that so that the URL is https://fqdn/libs/wcm/stats/tracker, which in this case is https://connectnineauth.ac.com/libs/wcm/stats/tracker. (In the figure below it shows connectnine.ac.com, which is incorrect; change that to connectnineauth.ac.com.)

Note: As mentioned earlier in this step, this configuration is not required if the user enables SSL at the time of installation. However, the user can always confirm the settings in any case.

Similarly, we need to follow the same steps for the Publish server CQ web console as well. Remember that in both cases it asks the user to enter the password for CQ. To reach the Publish server, navigate to the URL http://localhost:4503/system/console/configmgr and follow the same steps as shown above.

IMPORT THE CERTIFICATES WHICH ARE USED TO CONFIGURE SSL INTO THE JRE FOLDER OF CONNECT 9

This step is not mandatory, because this has been fixed in later versions of Connect 9; therefore, if you are not on Connect 9.0.0.1 and are planning to apply patches, ignore this step. We have an existing bug in the Beta build (Bug#3055998: with HTTPS set up on CQ, images are not displayed on the landing/registration/speaker info pages).

We have the following workaround for this bug. Steps:

1. Go to the system where Connect is installed and find the JRE folder, which is located in the Connect folder at C:\connect\9.0.0.1\jre\bin
2. Obtain the SSL certificate (.cer) file. I obtained the certificate by following these steps: open the https://connectnine.ac.com URL.
3. Copy this certificate into the bin folder under the JRE folder, which is located in the Connect folder at C:\connect\9.0.0.1\jre\bin
4. Open Run, execute the command prompt and set the current working directory to c:\connect\9.0.0.1\jre\bin
5. Execute the command: keytool -import -trustcacerts -alias connect -file <certificate name> -keystore cacerts
   Note: The highlighted connect is used as an alias, therefore you can use any name here.
6. Once you hit Enter you will be asked for a password. When asked, type the password changeit. Re-confirm it and hit Enter.
7. A cacerts file is generated in the bin folder; make sure that this file is copied to the location c:\connect\9.0.0.1\jre\lib\security\ . If a file already exists there, copy and replace it.