Posts in Category "Administration"

Editing Connect On-premise Email Send Source Options

Adobe Connect hosted customers have long enjoyed the option of having their Connect account administrative email sent out to users on behalf of a specified email source rather than the system email parameter configured during installation of the Connect server. In order to exploit this option for on-premise Connect deployments, you first need to apply the following SQL statement, which adds a row to the pps_account_features table:

insert into PPS_ACCOUNT_FEATURES
(ACCOUNT_ID, FEATURE_ID, DATE_BEGIN, DATE_END)
values (7, 71, '2014-02-20 00:00:00.000', '3000-01-01 00:00:00.000')

After adding this row, check the system email settings with the SQL statement below to make sure it is correctly configured:

select * from PPS_CONFIG
where name like '%email%'

The results of the query above should correspond with the settings prescribed on local port 8510 on the Connect server settings page in the Connect server configuration wizard.

SECTION              NAME    VALUE   COMMON_NAME
hosted   validation-emaillist                         NULL
main      config-bcc-email              NULL     NULL
main      config-support-email      admin@connectaccount.com         NULL
main      config-system-email        admin@connectaccount.com        NULL

After making the prescribed database changes, they will either take effect immediately after you cycle the Adobe Connect and Flash Media services or after 10 minutes. You do not need to cycle the services unless the change must be immediate.

With the above settings in place, if you create a user in Connect with the email address joe@connectaccount.com and then you add Joe to the Meeting Hosts group, the admin designated in the system-email parameter on the server settings page will send email on Joe's behalf.

To prove this, simply log in as Joe, create a meeting, add the user with email admin@connectaccount.com (or anyone you choose) as a meeting participant, and send that person a meeting invitation. It should read: admin@connectaccount.com; on behalf of; joe@connectaccount.com:

The meeting invitation will look something like this:

From: admin@connectaccount.com [mailto:admin@connectaccount.com] On Behalf Of Joe
Sent: Sunday, February 23, 2014 5:30 PM
To: WhoeverIChoose@wherever.com; WhoeverIChoose
Subject: Adobe Connect – Meeting Invitation to “My most excellent meeting”
When: February 23, 2014 5:30 PM-6:30 PM (UTC-05:00) Eastern Time (US & Canada).
Where: http://meeting.connectaccount.com/meeting/

Please join me in an Adobe Connect Meeting.

Meeting Name:  The Only Meeting <snip>

Note: This will not affect password reset email messages.

How to stop Event pages (CQ) from being indexed

This article (and link below) is intended for Licensed (On-Premise) customers who have a standalone instance or cluster of CQ servers to serve up the Events Management piece of the Adobe Connect platform.  If you would like to stop event pages from being indexed in search engines like Google, you can follow this quick article below on adding robots.txt to the root of the CQ instances.

http://crxdelight.com/2012/02/04/how-to-protect-your-cq-instances-from-google-searches/

Event Template Account Logo will not Publish

Issue: The Connect Events template account logo in AEM does not change when you attempt to publish a new template logo.

Solution: To change the account logo on Event templates, you need to change the account logo of the Connect account from within Connect Central:

Click on the thumbnail image to see the Customization page in Connect Central: Administration > Customization > Customize Central

Event-logo-CC.fw

 

For more information on Connect Central customization options see the following help link: Customize the Adobe Connect Central user interface

For more customization options see the following resource: Extensions : Solution extensions

For more information on Events Templates see the following tutorials:

Creating and Editing Event Templates

Resetting the Default Event Templates in Adobe Connect

Creating a Two Person Event Template with Adobe Connect

Event Administration in Adobe Connect 9

Adobe Connect 9: Event Migration Guide

SSL Configuration Checklist for Connect with AEM-based Events

This supplemental checklist, alongside the Adobe Connect installation guide and the SSL Configuration guide, will help expedite your SSL implementation of Connect with AEM-Events:

1. Always begin with a fully functional installation of Connect and AEM-based Events before adding SSL; do not attempt to secure a server that is not fully tested to run all features without SSL. A server running all features in the clear with no problems manifested is the only place to begin.

2. Decide whether to use hardware-based or software-based SSL and obtain appropriate public certificates and FQDN’s. If needed, see Mohit’s excellent instructions to generate CSRs. If you are using software-based SSL, stunnel can either be installed locally or on a separate server. If you are using hardware-based SSL you will want to refer to the relevant third-party documentation along with that provided by Adobe. For F5 BIG-IP LTM, the following articles along with this blog article and the resources aforementioned will help:

For information about stunnel installation options with Connect 9, see Jim's blog post on Adobe Connect 9.0.0.1 and 9.1 stunnel installation options. Within the 9.0.0.1 installation folder, under \Adobe Connect 9.0.0.1\Adobe Connect\Merge_Modules, we provide the installer for stunnel-4.53. From there, you can install Stunnel 4.53 for your SSL deployment. Adobe QE has tested stunnel version 4.56 collocated with Connect, installed within the Connect installation directory. These days it is arguably prudent to use the latest security option tested. Depending on the version of Connect you are running, if you wish to use stunnel locally, then you would create and/or populate the stunnel directory under the root install directory: Connect\9.1.2\stunnel.

Click on this thumbnail diagram below to see what it would look like with a hardware-based SSL accelerator:

C9SSLAEMSingle

Click on this thumbnail diagram below to see what it would look like with stunnel collocated with Connect:

C9SSLAEMStunnel

The rest of this checklist & summary will assume stunnel is being used collocated with Connect, but the configuration variables will apply to hardware-based external SSL acceleration options as well and even a casual glance back at these diagrams will help you infer the differences.

The sample file editing offered herein will be based on the single server stunnel example depicted in the diagram above.

3. Four FQDN’s are required: This is how our working example FQDN list would appear in a host file.

  • 192.167.21.176  connectmtg.domain.com
  • 192.167.21.175 connect.domain.com
  • 192.167.21.174:443  cqauthor.domain.com
  • 192.167.21.173:443  cqpublisher.domain.com

4. Four certificates (or a wildcard certificate) are needed; here is the list of certificates for SSL following our example:

  • connectmtg.domain.com
  • connect.domain.com
  • cqauthor.domain.com
  • cqpublisher.domain.com

Note: These are depicted in our working example as a wildcard certificate: domain.com. If the certificates are not trusted public certificates, then meeting rooms will not open; self-signed certificates will not work with meeting unless they are installed on all clients. Place the certificates into the stunnel installation directory: \Connect\9.1.2\stunnel\

5. Back up and edit the stunnel.conf file in the \Connect\9.1.2\stunnel\ directory to set up the four VIPs and pools:

stunnel.conf for four servers on one
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
TIMEOUTclose=0
options = DONT_INSERT_EMPTY_FRAGMENTS
; Service-level configuration
[https-vip]
; incoming vip for https (to secure Connect Application Traffic)
; ip address of the server with stunnel on it
; listens on port 443
accept =192.167.21.175:443
; ip of the connect server
; send the unencrypted request to port 8443
connect =127.0.0.1:8443
; Certificate info for Connect cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem
[rtmps-vip]
; incoming vip for fms (to secure Connect Meeting Traffic)
accept = 192.167.21.176:443
; ip of the fms server
; Send unencrypted request to 1935
connect = 127.0.0.1:1935
; Certificate info for Connect meeting cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem
[CQ_Author-vip]
; incoming vip for CQ-Author (to secure AEM-based Events Authoring)
accept = 192.167.21.174:443
; ip of the CQ Author server
; Send unencrypted request to 4502
connect = 127.0.0.1:4502
; Certificate info for CQ Author cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem
[CQ_Publisher-vip]
; incoming vip for CQ-Publisher (to secure AEM-based Events Publishing)
accept = 192.167.21.173:443
; ip of the CQ Publisher server
; Send unencrypted request to 4503
connect = 127.0.0.1:4503
; Certificate info for CQ Publisher cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem

6. Next, back up and edit the custom.ini file: By default, the custom.ini will point to 4502 and 4503 for CQ Author and Publisher respectively; you must change the links to reflect https rather than http, change the names to the correct FQDNs, and enable SSL for Connect with the following entries:

CQ_AUTHOR_SERVER=https://author.adobeconnect.com
CQ_PUBLISH_SERVER=https://publisher.adobeconnect.com
DOMAIN_COOKIE=adobeconnect.com
ADMIN_PROTOCOL=https://
SSL_ONLY=yes
RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/

7. Next, back up and edit the server.xml file in the \appserv\conf\ directory; uncomment the two sections depicted here to enable SSL:

<Executor name="httpsThreadPool"
namePrefix="https-8443-"
maxThreads="350"
minSpareThreads="25"/>

<Connector port="8443" protocol="HTTP/1.1"
executor="httpsThreadPool"
enableLookups="false"
acceptCount="250"
connectionTimeout="20000"
SSLEnabled="false"
scheme="https"
secure="true"
proxyPort="443"
URIEncoding="utf-8"/>

Note: Be sure to test the server.xml file for correct editing by opening it in a browser and viewing any syntax errors.

8. After configuring the stunnel.conf, the custom.ini and the server.xml file for all four server instances, stop all five services in the following order:

  • Adobe Connect CQ Author
  • Adobe Connect CQ Publisher
  • Adobe Connect Server
  • Adobe Flash Media Server
  • stunnel

9. After all services are completely stopped, start all five services in reverse order; do not cheat and just restart each one successively.

  • stunnel
  • Adobe Flash Media Server
  • Adobe Connect Server
  • Adobe Connect CQ Publisher
  • Adobe Connect CQ Author

10. Open a browser on the Connect server; go to localhost:4502 and log into CQ5 Author as an administrator and edit the URL

  • Select CRXDE Lite on the menu list on the right side of the screen
  • Go to: content>connect>c1>jcr:content
  • Scroll to the serverURL line
    • Edit the URL for https
    • https://cqauthor.domain.com

11. Open a browser on the Connect server and go to localhost:4503 and log into CQ5 Publisher as an administrator and edit the URL

  • Select CRXDE Lite on the right menu list
  • Go to: content>connect>c1>jcr:content
  • Scroll to the serverURL line
    • Edit the URL for https
    • https://cqpublisher.domain.com

12. Open a browser on the Connect server and go to localhost:4502/system/console/configmgr and log in as an administrator and edit the author externalizer name and statistics URL

  • Scroll to and edit the Day CQ Link Externalizer and edit the hostname value to reflect the FQDN of the Author server
  • cqauthor.domain.com
  • Scroll to and edit the Day CQ WCM Page Statistics and edit the localhost:4502 URL to reflect the FQDN of the Author server and HTTPS
  • https://cqauthor.domain.com/libs/wcm/stats/tracker

13. Open a browser on the Connect server and go to localhost:4503/system/console/configmgr and log in as an administrator and edit the publisher externalizer name and statistics URL

  • Scroll to and edit the Day CQ Link Externalizer and edit the hostname value to reflect the FQDN of the Publisher server
  • cqpublisher.domain.com
  • Scroll to and edit the Day CQ WCM Page Statistics and edit the localhost:4503 URL to reflect the FQDN of the Publisher server and HTTPS
  • https://cqpublisher.domain.com/libs/wcm/stats/tracker

14. Stop all services and restart as shown in steps 8 & 9, or reboot the server.

15. Log into Connect and test all features including the Events module.

Troubleshooting appendix:

  • Check to make sure all five services are running and start any that are not running.
  • Once all the services are up, click on the stunnel.exe icon in the stunnel directory and ensure that stunnel runs without errors
    • If stunnel.exe throws an error then examine the stunnel.conf for syntax problems
    • If stunnel.exe starts successfully then look elsewhere for problems
  • If Firefox browsers fail to connect when stunnel is used to secure Adobe Connect, then double check to be sure that the
    • sslVersion = all
    • fips = no
  • To make certain the help files are served via SSL, follow the instructions in Jim’s blog article: Changing the Help Links to use HTTPS://
  • Make sure there is not a passphrase on stunnel: see Jim’s blog article Adobe Connect Stunnel prompting for passphrase when server/services restarts
  • If stunnel does not start with Connect upon reboot, this technique will help: Stunnel does not Startup with Connect
  • Depending on the version of Connect you are running, you may need to add the certificate to the java CA certificates in Connect in order to allow images in the AEM-based Events module to appear in Connect. Ignore this step unless you are running Connect 9.0.0.1 and even then, if at all possible, simply use a later version of Connect instead as this issue has been fixed and this workaround is made superfluous for later versions:
    • For 9.0.0.1, export and then import the SSL certificate: Log into Connect and click on the lock in the URL line to the left of HTTPS and click the button in the pop-up: More Information>View Certificates>Details>Export to export the SSL certificate. Save the certificate in the jre\bin directory in the root install directory for Connect: Connect\9.1.2\jre\bin
    • Use the command prompt to complete the importation: F:\Connect\9.1.2\jre\bin> keytool -import -trustcacerts -alias connect -file certificate-name -keystore cacerts
      • The default password is changeit.
      • Overwrite any existing certificate.
      • The italicized alias connect is a variable
      • The italicized certificate-name must match the name of the certificate
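
A way to review a stunnel.conf like the one in step 5 before the services are restarted, as an added example (not Adobe's or the author's code). It flags services where sslVersion = all is not paired with options = NO_SSLv2 and options = NO_SSLv3, services missing accept, connect or cert, and connect targets that leave the local host, where the decrypted traffic would cross the network; the sample file, the 10.0.0.12 address and the finding names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the style of the step 5 file; 10.0.0.12 is a made-up
# address standing in for a CQ Author instance on a separate host.
SAMPLE_CONF = """\
sslVersion = all
options = DONT_INSERT_EMPTY_FRAGMENTS
[https-vip]
accept = 192.167.21.175:443
connect = 127.0.0.1:8443
cert = domain.com.cert.pem
key = domain.com.key.pem
[CQ_Author-vip]
accept = 192.167.21.174:443
connect = 10.0.0.12:4502
cert = domain.com.cert.pem
key = domain.com.key.pem
"""


def parse_stunnel_conf(text):
    """Split a stunnel.conf into (defaults, services).

    Values are lists because keys such as 'options' and 'socket' repeat.
    Lines before the first [section] act as defaults for every service.
    """
    defaults, services = {}, {}
    current = defaults
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return defaults, services


def is_loopback(target):
    """True when a 'connect' target stays on the local host."""
    host = target.rsplit(":", 1)[0] if ":" in target else "localhost"
    host = host.strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname; cannot be classified offline


def audit(text):
    """Return sorted (service, finding) pairs for the checks described above."""
    defaults, services = parse_stunnel_conf(text)
    findings = set()
    for name, svc in services.items():
        def setting(key):
            return svc.get(key) or defaults.get(key, [])

        # Simplification: a service's options are its own plus the defaults.
        opts = {o.upper() for o in defaults.get("options", []) + svc.get("options", [])}
        version = setting("sslversion")
        if version:
            v = version[-1].lower()
            if v in ("sslv2", "sslv3") or (
                v == "all" and not {"NO_SSLV2", "NO_SSLV3"} <= opts
            ):
                findings.add((name, "legacy-protocols"))
        for key in ("accept", "connect", "cert"):
            if not setting(key):
                findings.add((name, "missing-" + key))
        if any(not is_loopback(t) for t in svc.get("connect", [])):
            findings.add((name, "cleartext-hop"))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit(SAMPLE_CONF):
        print(service, finding)
```

Keeping sslVersion = all, as the Firefox troubleshooting item asks, and adding the two NO_SSLv2 / NO_SSLv3 option lines clears the legacy-protocols finding.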

Adobe Connect 9.2 Announced

Last week (12/10) Adobe announced Adobe Connect 9.2, which is due in early 2014.  This release will bring several key enhancements to Adobe Connect including a new filmstrip mode for the video pod, a redesigned workflow for new users, and the ability to register and login to events using your social media profiles.

The Connect blog post around the release is live here. 

The Featured Topic on the Connectusers homepage is now set to reflect the 9.2 announcement. Included on connectusers are the following:

– Video tutorial on the integration with social profiles

– Tutorial on using the new video pod

– What’s New with Adobe Connect 9.2  (overview document)

 

Public MP4 is redirecting to login page on Android and iOS devices

Currently as of Adobe Connect (hosted) 9.1.2, there is an issue with accessing public MP4 recordings on Android and iOS devices.  By design, the public content should not present a login screen to the user.  However, users are getting the login page on those devices when they try to access these public MP4 recordings.  The fix for this has been identified and it is slated to be rolled out in the 9.2 upgrade of the Adobe Connect hosted system.  Until then, the following workaround below should be followed.

The ‘workability’ of it depends on how you provide your users with the link to the MP4s.  iOS users in particular, are most likely not getting these links from the web app (Connect Central) but are instead getting them from an email or other portal that is provided to them.  If that is the case (for either iOS or Android), then you would just need to update the URLs (as indicated below) until we release 9.2 and provide a resolution.  Here is the workaround:

  1. Locate the MP4 in the Content Library.
  2. Click to view the ‘Edit Information’ page for the recording.
  3. Click the ‘Download Content’ link.
  4. Under ‘Download output file(s)’ there is a link to download the file. Copy this URL
  5. Paste the URL to a notepad or document.
  6. You will have a URL that looks something like this example: https://myCompany.adobeconnect.com/localmp4/output/Local-z1.mp4?download=Local-z1.mp4
  7. Remove everything after the ‘?’ and your URL will be something like this example: https://myCompany.adobeconnect.com/localmp4/output/Local-z1.mp4
  8. You can provide the modified URL to your users, and the recording will stream without stopping them to ask for permissions, though it will honor any permissions settings you have on content that is not public.

 Again, this issue is resolved in the upcoming 9.2 Adobe Connect release.

Using the XML API with Enhanced Security

With the release of Adobe Connect 9.0.4 and beyond (view KB here), we have introduced the Enhanced Security feature (documentation) and it is ON by default on our hosted system.  If you are an Adobe Connect Hosted customer, you can toggle the Enhanced Security feature on or off (if you are an Administrator) by logging into your Adobe Connect Hosted account and navigating to: Administration > More Settings.  You will see the following Security Settings:

es

 

If you have ‘Enable Enhanced Security’ checked (and you save the settings), your account will now issue TWO session cookies to a user when they authenticate.  This is crucial to understand and plan for if you are using the XML API to integrate with another system.  Also, if you are a partner or developer who has built an application that integrates with Adobe Connect, you will need to rework your application to account for the possibility of this feature being ON or OFF.

From my experience, it is best to simply code the application to look for the second session cookie all the time (after initially authenticating the user) rather than try to check for the feature being on or off.

Typically in Adobe Connect Hosted accounts before this feature was implemented (and with this setting OFF), your application would first make a ‘common-info’ call as below, to obtain a session cookie before logging a user in:

https://myaccountURL/api/xml?action=common-info

<results>
<status code="ok"/>
<common locale="en" time-zone-id="35" time-zone-java-id="US/Eastern">
<cookie>naXbreezecookie123456789</cookie>
<date>2013-12-02T19:50:38.983-05:00</date>
<host>https://myaccountURL</host>
<local-host>connecthost01</local-host>
<admin-host>naXcps.adobeconnect.com</admin-host>
<url>/api/xml?action=common-info</url>
<version>9.1.2</version>
<tos-version>7.5</tos-version>
<product-notification>true</product-notification>
<account account-id="12345678"/>
<user user-id="45678901" type="user">
<name>Jim Johnson</name>
<login>Jim</login>
</user>
<user-agent>
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36
</user-agent>
<mobile-app-package>air.com.adobe.connectpro</mobile-app-package>
</common>
<reg-user>
<is-reg-user>false</is-reg-user>
</reg-user>
</results>

Then you would log the user in:

https://myaccountURL/api/xml?action=login&login=Jim&password=XXXXXXX&session=naXbreezecookie123456789

<results>
<status code="ok"/>
</results>

That would normally be it.

Then, all subsequent calls, you would normally just append that same session cookie as the ‘session’ parameter and you’d be all set.  However, with Enhanced Security ON, that session cookie you obtained from the first common-info call will NOT work in calls after the login call authenticates the user.  Once the login API is called, you MUST call common-info one more time immediately after the OK response comes back from the login call.  When you run common-info again, you will notice you will get a DIFFERENT session cookie value.  That second cookie value is the session you need to include in your subsequent calls going forward.  If you do not use that second value in your API call, and instead include the value from the first common-info call result, you will get the following error response:

<results>
<status code="no-access" subcode="no-login"/>
</results>

So in summary:

Before Enhanced Security the workflow was:

1) common-info API to get cookie session value
2) login API using the cookie session value
3) continue on making API calls with that same session cookie throughout the user session

After Enhanced Security (post 9.0.4):

1) common-info API to get cookie session value
2) login API using the cookie session value
3) common-info API again a second time to get the final cookie session value to use going forward in all other calls
4) continue on making API calls with that NEW session cookie throughout the user session

Again, it is best to code your application to always look for a session cookie again AFTER logging a user in.  That way, even if you are still using the same session (say if the account had Enhanced Security set to OFF), your application will still work fine and in the cases where the account does have Enhanced Security turned ON, it will still continue to work as expected.
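
The four-step workflow above as client code that always re-reads the cookie after login, added here as an example (not Adobe's code or the author's application). FakeConnect is a constructed in-memory stand-in for /api/xml so the rotation can be seen offline; it assumes every call shares one HTTP cookie jar, which is how the second common-info call sees the rotated session, and its cookie values, password and failed-login status are made up.

```python
import itertools
import xml.etree.ElementTree as ET


class ApiError(Exception):
    """Raised when the API answers with a status other than ok."""


class FakeConnect:
    """Constructed stand-in for /api/xml; models only the cookie behaviour."""

    def __init__(self, enhanced_security):
        self.enhanced = enhanced_security
        self.jar = None        # cookie an HTTP client would carry between calls
        self.authed = set()    # sessions that are logged in
        self._ids = itertools.count(1)

    def _new_cookie(self):
        return "constructedcookie%03d" % next(self._ids)

    def __call__(self, action, **params):
        if action == "common-info":
            if self.jar is None:
                self.jar = self._new_cookie()
            return ('<results><status code="ok"/><common><cookie>%s</cookie>'
                    '</common></results>' % self.jar)
        session = params.get("session")
        if action == "login":
            if session != self.jar or params.get("password") != "correct-horse":
                return '<results><status code="no-data"/></results>'  # constructed
            if self.enhanced:
                self.jar = self._new_cookie()  # the pre-login cookie is retired
            self.authed = {self.jar}
            return '<results><status code="ok"/></results>'
        if session in self.authed:
            return '<results><status code="ok"/></results>'
        return '<results><status code="no-access" subcode="no-login"/></results>'


def status_of(xml_text):
    status = ET.fromstring(xml_text).find("status")
    return status.get("code"), status.get("subcode")


def cookie_of(xml_text):
    node = ET.fromstring(xml_text).find("common/cookie")
    if node is None or not node.text:
        raise ApiError("common-info returned no cookie")
    return node.text.strip()


def open_session(fetch, login, password):
    """Steps 1-3: common-info, login, common-info again.

    Returns (pre_login_cookie, session_to_use); the two are equal when
    Enhanced Security is off, so callers never need to test for the feature.
    """
    pre = cookie_of(fetch("common-info"))
    code, _ = status_of(fetch("login", login=login, password=password, session=pre))
    if code != "ok":
        raise ApiError("login failed: %s" % code)
    return pre, cookie_of(fetch("common-info"))


def call(fetch, session, action, **params):
    """Step 4: any later call, with the post-login cookie as 'session'."""
    code, subcode = status_of(fetch(action, session=session, **params))
    if code != "ok":
        raise ApiError("%s/%s" % (code, subcode))
    return True


if __name__ == "__main__":
    server = FakeConnect(enhanced_security=True)
    old, new = open_session(server, "Jim", "correct-horse")
    print(old != new, call(server, new, "meeting-feature-info"))
```

Against a real account, fetch would be an HTTPS request to /api/xml that keeps cookies between calls.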

Adobe Connect Server Licensing for Disaster Recovery

This question is commonly asked: Does my license for On-Premise Adobe Connect allow me to install Adobe Connect servers for disaster recovery purposes?

First let’s define the terms: Disaster Recovery Environment refers to your technical environment designed solely to allow you to respond to an interruption in service due to an event beyond your control that creates an inability on your part to provide critical business functions for a material period of time. That is to say, it refers to a secondary site that would not be utilized in production unless the primary site went offline due to a natural or human-inflicted disaster that is beyond your control. Use of Adobe Connect servers in Disaster Recovery Environments is within the scope of your license and no additional fees are due to Adobe Systems Incorporated. For example, for the architecture depicted here, you would need four Adobe Connect server licenses. 

 

Connect_DR_cluster

 

However, adding one or more Adobe Connect servers to a local cluster is outside the scope of your license, and you will need to purchase additional licenses from Adobe Systems Incorporated to accomplish this.  Additional licenses are needed when adding any Adobe Connect servers that increase scalability in the form of:

  • Availability — What percentage of time is Connect available to geographically distributed users?
  • Reliability — How often does Connect experience problems that affect availability?
  • Performance — How fast does Connect consistently and qualitatively respond to user requests?
  • Concurrency – How many users can a Connect deployment handle concurrently?

Information around cluster expansion is here: Adobe® Connect™ server pools/clusters and hardware-based load-balancing devices with SSL acceleration

If you were to geographically distribute an active Connect cluster by placing Adobe Connect servers into two separate data centers, that would also require additional licensing. Connect servers in a cluster cannot have more than 2-3ms of latency between and among Connect servers. Generally you would not geographically distribute Adobe Connect servers into different data centers; however, there is a chapter in the aforementioned clustering article on the topic. With that said, the architecture depicted below is an example of a distributed active Adobe Connect cluster that is spread between two local data-centers with nominal latency between those data-centers (less than 3ms of latency). All four servers are in production and all are actively hosting meetings and serving on-demand content. This Connect architecture example depicted in the diagram below requires a four-server Connect cluster license:

 

Cross-DC-CLUSTER

 

Adding the Passcode Feature for Connect Meetings

You may add a passcode feature as an additional security option for Connect Meeting room access in Connect versions 8 and 9. Each Meeting room can have its own passcode.  The parameter will appear under the Edit Information tab of the Connect Meeting:

pc2.fw

This is a great option. For example, it allows you to pop up a fast ad hoc meeting with full guest access while requiring guests to apply a pass-code to enter:

pc.fw

It also allows an additional layer of security for registered users as well; they also would need to enter a passcode in addition to any permissions (even host-level) granted to the room.

pc1.fw

Once applied, when a user hits the Meeting URL they will be presented with the passcode field:

pc3.fw

To add this feature, simply log on to your on-premise Adobe Connect server as a Connect Administrator and enter the following into the URL line in Connect Central:

http://YOURDOMAINNAME/api/xml?action=meeting-feature-update&account-id=7&feature-id=fid-meeting-passcode-notallowed&enable=false

Where “YOURDOMAINNAME” is actually your domain name.

If this executes correctly, you will see the following output when you follow-up by entering this command into the same URL line in Connect Central:

http://YOURDOMAINNAME/api/xml?action=meeting-feature-info&account-id=7

Output: feature-id=fid-meeting-passcode-notallowed

Alternatively you could simply check and see if the feature is available under the Edit Information tab of any Meeting.

Note: Your Meeting passcode can be up to 16 letters or numbers; keep in mind that it is a convenient supplementary security mechanism rather than a primary means. You will see this warning if your passcode is not supported or goes over that length: Your passcode must be between 1 and 16 characters long (letters or numbers, no spaces).

In adding this feature you have invoked the Web Services API in Connect. If you are not familiar with the API see the following document; it is rich with options: http://help.adobe.com/en_US/connect/9.0/webservices/connect_9_webservices.pdf

Note also that with Connect 9.2, in Connect Central under Administration > Users and Groups > Edit Login and Password Policies, there are two relevant check boxes, one to enable and the other one to force the use of the passcode:

passcode.fw

Setting Email Sender for all messages to a generic address

This is a way to work around a mail server blocking emails where the sender and mail server domain do not match.

Before you do this, make sure you have a working backup copy of your database!
First step: make sure the admin email address is set to the generic address you want to use.

You can do this on the database by running this SQL update query:
update PPS_CONFIG set VALUE = 'genericaddress@mailserverdomain.com' where NAME = 'config-system-email';

Next switch on the feature to send emails from this address:
insert into PPS_ACCOUNT_FEATURES (ACCOUNT_ID, FEATURE_ID, DATE_BEGIN, DATE_END, RECORDCREATED)
values (7, 84, GETUTCDATE(), '3000-01-01 00:00:00.000', GETUTCDATE());

After setting this, emails should be sent in the format:

“genericaddress@mailserverdomain.com on behalf of user@othermailserver.com”