Connect on-premise – SSL – Convert .pfx to .pem format

Connect can be configured with Stunnel to support HTTPS and RTMPS. Stunnel requires you to provide a private key and a public cert file in .pem format.

You probably run Stunnel as a service (you should) so you also need to save the private key without a passphrase.

If you have a .pfx file with your private key and public certificate, you need to extract the key and cert from the .pfx file and save them to individual .pem files.

Here’s how to do just that:

  1. Install OpenSSL from here: https://www.openssl.org/related/binaries.html
  2. Open a command line window and change to the directory where you installed OpenSSL, e.g. c:\OpenSSL-Win64\bin\.
  3. Run the following command to extract the private key and save it to a new file (the -nodes option writes the key without a passphrase):
     openssl pkcs12 -in yourpfxfile.pfx -nocerts -out privatekey.pem -nodes
  4. Now run the following command to also extract the public cert and save it to a new file:
     openssl pkcs12 -in yourpfxfile.pfx -nokeys -out publiccert.pem
  5. Now you can use the files in your Stunnel config.
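As an added example (not code from the original post), the same two openssl commands wrapped in a small POSIX shell script that also verifies the extracted key and certificate belong together and that the key carries no passphrase, the two things that make Stunnel refuse to start as a service. It assumes openssl is on PATH; the demo .pfx it builds (password "demo", CN connect.example.test) is a constructed stand-in for your CA-issued file.

```shell
#!/bin/sh
# Added example, not code from the original post: the two openssl commands
# above wrapped in functions, plus checks that the resulting files are usable
# by Stunnel. Assumes openssl is on PATH; demo names and password are made up.

# Extract the passphrase-less private key and the certificate from the .pfx $1
# (password $2) into $3/privatekey.pem and $3/publiccert.pem.
pfx_to_pem() {
  pfx=$1; pass=$2; outdir=$3
  mkdir -p "$outdir" || return 1
  openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" \
    -out "$outdir/privatekey.pem" || return 1
  chmod 600 "$outdir/privatekey.pem"   # unencrypted key: owner-only access
  openssl pkcs12 -in "$pfx" -nokeys -passin "pass:$pass" \
    -out "$outdir/publiccert.pem"
}

# 0 when the public key inside cert $2 matches private key $1; a mismatch
# (e.g. a renewed cert paired with last year's key) makes Stunnel refuse to start.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when key file $1 is stored without a passphrase, which a Stunnel service
# needs because nobody is there to type one at boot.
key_is_unencrypted() {
  ! grep -q 'ENCRYPTED' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# Constructed stand-in for a CA-issued .pfx: a one-day self-signed cert and
# key bundled with password "demo" into $1/demo.pfx.
make_demo_pfx() {
  mkdir -p "$1" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=connect.example.test" \
    -keyout "$1/demo.key" -out "$1/demo.crt" >/dev/null 2>&1 || return 1
  openssl pkcs12 -export -inkey "$1/demo.key" -in "$1/demo.crt" \
    -passout pass:demo -out "$1/demo.pfx"
}
```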

You can find more on configuring SSL and a sample config for Stunnel here:

https://helpx.adobe.com/adobe-connect/kb/secure-connect-cq.html

https://blogs.adobe.com/connectsupport/ssl-configuration-checklist-for-connect-with-aem-based-events

Seminar Extensions after Connect 9.3

Beginning with Connect 9.1.1, an in-session extension of a Seminar beyond its initially scheduled time was limited to 30 minutes, then another 30 minutes, then an additional 10 minutes, provided there was no conflict with another scheduled Seminar. Beginning with Connect 9.3, this has changed: in-session Seminar extensions are now unlimited as long as there is no conflicting Seminar scheduled under the same Seminar license. If another scheduled Seminar conflicts, you will only get a 10 minute warning before your Seminar ends; if there is no conflicting Seminar, this interactive pop-up lets the Seminar host extend the Seminar:

[Screenshot: force-extend-seminar]

CSO EMEA1 – DATE (21 May 2015)

We’re currently investigating an issue on EMEA1 cluster that is impacting customer meetings.

A few of the issue reports we have:

  • Connectivity lost during meeting / users drop out of rooms
  • Rooms do not launch
  • Also: MeetingOne telephony profiles associated with rooms are found disabled.

We are investigating aggressively and will follow up shortly.

** Update ** – The cluster is stable now. We’re not seeing any further connectivity issues.

Note: The telephony profile issue is still being investigated as a separate incident. More updates to follow shortly.

** New Update ** – All issues, including the MeetingOne telephony profiles, have been resolved now!

On-premise Connect Installation Hangs Connecting to the Database

Symptoms: When installing on clean server images with the appropriate local Administrator permissions, the Connect installation appears to succeed, but upon clicking “Done” it hangs indefinitely. Restarting the services does not help, and the Connect Configuration Console on the local Connect server will not come up. Rebooting the VM does not bring Connect up either. The error.log reads:

“Start up error: java.lang.Exception: invalid backup folder: \\connectsharedstorage\connect.” START_UP    START_UP_ERROR….

Note: replace connectsharedstorage\connect with your UNC path to shared storage.

Solution: This error indicates that the database expects shared storage that is not configured on the Connect server. This is easily overlooked during an upgrade when a new server (perhaps with a new OS) replaces an older one: the fresh Connect installation is pointed at an existing, already-upgraded database (updated by script, or by the older server image) that expects shared storage to be in place, but shared storage is not yet configured on the new Connect server. To get past this, edit the Shared Storage entry in the PPS_Config table of the Connect database to “NULL” and restart the services.

CSO NA11 – DATE (14 May 2015)

The application VIP NA11 is currently down. It may not affect ongoing meetings, but currently the web app VIP is being redirected to the status page. We are investigating aggressively and will follow up shortly.

** UPDATE ** – Issue has been repaired at 10:58 AM PST.

Offline FLV Archives Fast-forward during Playback

With Flash Player version 17.0.0.169, the Nellymoser audio codec used within Connect offline FLV Meeting archives played automatically in fast forward. This issue is resolved in the latest Flash Player.

The solution is to install Flash Player version 17.0.0.188 (or later, depending on when you run into this issue); all affected Connect FLV meeting archives will then play normally.

https://get.adobe.com/flashplayer/

The begin screen-sharing button in Connect is obscured by the task-bar when resolution on a laptop screen is set to 1366×768

You will see this happen if you use a laptop with a 1366×768 screen resolution and attempt to share your screen in Connect. The effect is that the start screen-sharing button is hidden behind the Windows task bar at the bottom of the screen:

[Screenshot: Small Res - High DPI]

The expected behavior is for the start screen share button to be accessible.

The workaround options are to either move the task-bar or change the screen resolution in order to expose the button. However, since the start screen-sharing button is already highlighted (in focus, albeit unseen), simply pressing the Enter key will begin screen-sharing. Keep in mind that 1366×768 is the default screen resolution for some laptops.

Note: This is only reproducible in high DPI mode, and it is not limited to the Connect screen-sharing dialog. The basic operating system “Save As” dialog exhibits similar behavior at the same resolution:

[Screenshot: Small Res - High DPI Windows Dialog]

Configuring Secure SQL with Connect

It may be prudent to secure the connection between the Adobe Connect application servers and the SQL database.

Begin with the SQL server and then move on to the Connect server(s); if your SQL server is shared, begin with a change request to the DBA who has charge over the shared SQL environment. If your SQL database is already secured, you may skip Part I.

Part I. Securing the MS SQL Database Server:

First open the Certificates snap-in:

1. Open the MMC console: click Start, then click Run; in the Run dialog box type: MMC
2. From the File menu, click Add/Remove Snap-in….
3. Click Add, and then click Certificates. Click Add again.
4. You are prompted to open the snap-in for the current user account, the service account, or the computer account. Select Computer Account.
5. Select Local Computer, and then click Finish.
6. Click Close in the Add Standalone Snap-in dialog box.
7. Click OK in the Add/Remove Snap-in dialog box. Your installed certificates are located in the Certificates folder in the Personal container.

Use the MMC snap-in to install the certificate on the server:

  1. Click to select the Personal folder in the left-hand pane.
  2. Right-click in the right-hand pane, point to All Tasks, and then click Request New Certificate….
  3. The Certificate Request Wizard dialog box opens. Click Next. Select “Computer” as the certificate type.
  4. In the Friendly Name text box you can type a friendly name for the certificate or leave the text box blank, and then complete the wizard. After the wizard finishes, you will see the certificate in the folder with the fully qualified computer domain name.

You are now done with installing the certificate on the SQL server; next you need to export the certificate so that it can be imported on the Connect application server.

  1. Open MMC, and then locate your certificate in the Personal folder.
  2. Right-click the certificate name, and then click Open.
  3. Review the Certification Path tab. Note the topmost item.
  4. Navigate to the Trusted Root Certification Authorities folder, and then locate the Certificate Authority noted in step 3.
  5. Right-click the CA, point to All Tasks, and then click Export.
  6. Select all the defaults, and then save the exported file to a location where the Connect application server can gain access to it.

Configure SSL encryption in the MS SQL instance:

1. On the SQL server Start menu, open Microsoft SQL Server > Configuration Tools > SQL Server Configuration Manager:

[Screenshot: SQLsecure1.fw]

2. Expand SQL Server Network Configuration, then right-click Protocols for MSSQLSERVER, and choose Properties. Select the Flags tab and change the Force Encryption setting to Yes.

[Screenshot: sqlserverencryptionstep2]

3. Under the Certificate tab, choose the certificate created earlier from the drop-down list:

[Screenshot: SQLsecure4]

The database is now ready for secure connection with the Connect application server.

Part II. Configure the Connect application server to support a secure SQL connection:

Importing the certificate onto the Connect application server

  1. Copy the certificate from MS SQL Database server to the Connect application server(s) or to an accessible share.
  2. On the Connect application server, open the MMC Certificates snap-in and browse to the Trusted Root Certification Authorities folder.
  3. Right-click the Trusted Root Certification Authorities folder, point to All Tasks, and then click Import.
  4. Browse, and then select the certificate (.cer file) that you copied in step 1. Select the defaults to complete the remaining part of the wizard.

Create a Trust Store

1. Be sure to have Java installed on your Connect application server; at the command prompt, navigate to the bin directory of your JRE and execute the following command:

keytool -import -file <certificate file path> -alias firstCA -keystore <any name for trust store>

Note: This step prompts for a password; create one and record it for future reference.

2. In ConnectProSvc.conf in the appserv\conf directory, add the following entries to the list of Java arguments:

wrapper.java.additional.28=-Djavax.net.ssl.trustStore=<path of Trust Store file created in step 1>
wrapper.java.additional.29=-Djavax.net.ssl.trustStorePassword=<password you created in step 1>

Configure the secure connection in Connect:

1. In the custom.ini file under the root Connect installation directory, add the following entries:

DB_ENCRYPTION_METHOD=SSL
DB_VALIDATE_SERVER_CERTIFICATE=true

2. Cycle the services or reboot the server:

Adobe Connect Service
Flash Media Service
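As an added example (not Adobe's code), a POSIX shell check of the Part II settings that a practitioner can run before cycling the services: it parses custom.ini and ConnectProSvc.conf for the entries above, confirms the trust store file exists and its password is set, and flags a reused wrapper.java.additional index. The sample files it writes are constructed (the trust store is an empty placeholder, the password "changeit" is made up), and the file names custom.ini and ConnectProSvc.conf are the ones named in the post.

```shell
#!/bin/sh
# Added example, not Adobe's code: sanity-check the Part II settings on a
# Connect application server. Sample files written by write_demo_files are
# constructed for the demo; real files live under the Connect install root.

# 0 when custom.ini $1 both turns on SSL to SQL and validates the server cert.
# DB_ENCRYPTION_METHOD=SSL alone encrypts the link but accepts any certificate,
# so a missing or false DB_VALIDATE_SERVER_CERTIFICATE counts as misconfigured.
# [[:space:]]*$ tolerates the CR of a Windows (CRLF) file.
check_custom_ini() {
  grep -Eq '^DB_ENCRYPTION_METHOD=SSL[[:space:]]*$' "$1" &&
    grep -Eq '^DB_VALIDATE_SERVER_CERTIFICATE=true[[:space:]]*$' "$1"
}

# 0 when ConnectProSvc.conf $1 names a trust store that exists on disk, gives
# its password, and never reuses a wrapper.java.additional.N index (a duplicate
# index means one entry shadows the other). The path is compared verbatim, so a
# stray space after "trustStore=" (easy to paste from docs) fails the check.
check_wrapper_conf() {
  conf=$1
  store=$(sed -n 's/^wrapper\.java\.additional\.[0-9]*=-Djavax\.net\.ssl\.trustStore=//p' "$conf" | tr -d '\r' | head -n 1)
  [ -n "$store" ] && [ -f "$store" ] || return 1
  grep -Eq '^wrapper\.java\.additional\.[0-9]+=-Djavax\.net\.ssl\.trustStorePassword=[^[:space:]]+' "$conf" || return 1
  dups=$(sed -n 's/^\(wrapper\.java\.additional\.[0-9]*\)=.*/\1/p' "$conf" | sort | uniq -d)
  [ -z "$dups" ]
}

# Constructed sample files in $1: a correct pair, and a pair with the typical
# mistakes (validation left off; space after "trustStore="; index 28 reused).
write_demo_files() {
  d=$1; mkdir -p "$d" || return 1
  : > "$d/connect.jks"        # empty stand-in for the trust store from step 1
  printf 'DB_ENCRYPTION_METHOD=SSL\nDB_VALIDATE_SERVER_CERTIFICATE=true\n' > "$d/good.ini"
  printf 'DB_ENCRYPTION_METHOD=SSL\nDB_VALIDATE_SERVER_CERTIFICATE=false\n' > "$d/bad.ini"
  printf 'wrapper.java.additional.28=-Djavax.net.ssl.trustStore=%s\nwrapper.java.additional.29=-Djavax.net.ssl.trustStorePassword=changeit\n' "$d/connect.jks" > "$d/good.conf"
  printf 'wrapper.java.additional.28=-Xmx1024m\nwrapper.java.additional.28=-Djavax.net.ssl.trustStore= %s\nwrapper.java.additional.29=-Djavax.net.ssl.trustStorePassword=changeit\n' "$d/connect.jks" > "$d/bad.conf"
}
```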

Note: For secure LDAP or LDAPS with Connect and for additional granularity around the paths and keystore see the following tech-note: Configure Connect Directory Services to use LDAPS

Security scans flag FMS used in Adobe Connect

Multiple Adobe Connect on-premise customers have informed us that some of their security scans are reporting that the version of FMS used in Adobe Connect is unsupported. There are no known open security issues in the version of FMS used in Connect today. The FMS components that are embedded in Adobe Connect on-premise deployments are fully supported under the maintenance and support agreements for Adobe Connect.  If any vulnerabilities are discovered in these components of Adobe Connect, they will be addressed per the guidelines of those support agreements.

Reducing the Number of Ports Listening on an Adobe Connect Server

Some ports that are not being used can be shut off:

Port 1111 is listening as part of the Flash Media Administration Service. It does not serve any needed function and may be shut off as part of hardening, or simply to conserve resources.

Note: Do not confuse the Flash Media Administration Service with the Flash Media Server (FMS): while the former is unneeded, the latter runs the Meeting server.

Port 2222 may also be closed. The Flash Media Gateway (FMG) service may be listening on that port if it was installed with Connect. If you are not using FMG for Unified Voice telephony, you may shut off that service as well.

Shut off and set to Manual, or disable, either or both under the Services MMC:

[Screenshot: fig04]

You can also use commands to stop the services so the ports stop listening immediately; open a command prompt with elevated permissions:

  • Run net stop fmsadmin (or sc stop fmsadmin)
  • Run net stop fmg (or sc stop fmg)
  • Run netstat -an|find "1111" or netstat -an|find "2222" to make sure they are down (or sc query fmsadmin or sc query fmg)