Posts in Category "Install"

SSL Configuration Checklist for Connect with AEM-based Events

This supplemental checklist, used alongside the Adobe Connect installation guide and the SSL Configuration guide, will help expedite your SSL implementation of Connect with AEM-Events:

1. Always begin with a fully functional installation of Connect and AEM-based Events before adding SSL. Do not attempt to secure a server that has not been fully tested to run all features without SSL: a server running all features in the clear with no problems is the only place to begin.

2. Decide whether to use hardware-based or software-based SSL and obtain the appropriate public certificates and FQDNs. If needed, see Mohit’s excellent instructions to generate CSRs. If you are using software-based SSL, stunnel can be installed either locally or on a separate server. If you are using hardware-based SSL, you will want to refer to the relevant third-party documentation along with that provided by Adobe. For F5 BIG-IP LTM, the following articles along with this blog article and the resources aforementioned will help:

For information about stunnel installation options with Connect 9, see Jim’s blog post on Adobe Connect 9.0.0.1 and 9.1 stunnel installation options. Within the 9.0.0.1 installation folder, under \Adobe Connect 9.0.0.1\Adobe Connect\Merge_Modules, we provide the installer for stunnel-4.53. From there, you can install Stunnel 4.53 for your SSL deployment. Adobe QE has tested stunnel version 4.56 collocated with Connect, installed within the Connect installation directory. These days it is arguably prudent to use the latest security option tested. Depending on the version of Connect you are running, if you wish to use stunnel locally, you would create and/or populate the stunnel directory under the root install directory: Connect\9.1.2\stunnel.

Click on this thumbnail diagram below to see what it would look like with a hardware-based SSL accelerator:

C9SSLAEMSingle

Click on this thumbnail diagram below to see what it would look like with stunnel collocated with Connect:

C9SSLAEMStunnel

The rest of this checklist & summary will assume stunnel is being used collocated with Connect, but the configuration variables will apply to hardware-based external SSL acceleration options as well and even a casual glance back at these diagrams will help you infer the differences.

The sample file editing offered herein will be based on the single server stunnel example depicted in the diagram above.

3. Four FQDNs are required. This is how our working example FQDN list would appear in a host file:

  • 192.167.21.176  connectmtg.domain.com
  • 192.167.21.175 connect.domain.com
  • 192.167.21.174:443  cqauthor.domain.com
  • 192.167.21.173:443  cqpublisher.domain.com

4. Four certificates (or a wildcard certificate) are needed; here is the list of certificates for SSL following our example:

  • connectmtg.domain.com
  • connect.domain.com
  • cqauthor.domain.com
  • cqpublisher.domain.com

Note: These are depicted in our working example as a wildcard certificate: domain.com. If the certificates are not trusted public certificates, then meeting rooms will not open; self-signed certificates will not work with meeting unless they are installed on all clients. Place the certificates into the stunnel installation directory: \Connect\9.1.2\stunnel\

5. Back up and edit the stunnel.conf file in the \Connect\9.1.2\stunnel\ directory to set up the four VIPs and pools:

stunnel.conf for four servers on one
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
TIMEOUTclose=0
options = DONT_INSERT_EMPTY_FRAGMENTS
; Service-level configuration
[https-vip]
; incoming vip for https (to secure Connect Application Traffic)
; ip address of the server with stunnel on it
; listens on port 443
accept = 192.167.21.175:443
; ip of the connect server
; send the unencrypted request to port 8443
connect = 127.0.0.1:8443
; Certificate info for Connect cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem
[rtmps-vip]
; incoming vip for fms (to secure Connect Meeting Traffic)
accept = 192.167.21.176:443
; ip of the fms server
; Send unencrypted request to 1935
connect = 127.0.0.1:1935
; Certificate info for Connect meeting cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem
[CQ_Author-vip]
; incoming vip for CQ-Author (to secure AEM-based Events Authoring)
accept = 192.167.21.174:443
; ip of the CQ Author server
; Send unencrypted request to 4502
connect = 127.0.0.1:4502
; Certificate info for CQ Author cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem
[CQ_Publisher-vip]
; incoming vip for CQ-Publisher (to secure AEM-based Events Publishing)
accept = 192.167.21.173:443
; ip of the CQ Publisher server
; Send unencrypted request to 4503
connect = 127.0.0.1:4503
; Certificate info for CQ Publisher cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem

6. Next, back up and edit the custom.ini file. By default, the custom.ini will point to 4502 and 4503 for CQ Author and Publisher respectively; you must change the links to reflect https rather than http, change the names to the correct FQDNs, and enable SSL for Connect with the following entries:

CQ_AUTHOR_SERVER=https://author.adobeconnect.com
CQ_PUBLISH_SERVER=https://publisher.adobeconnect.com
DOMAIN_COOKIE=adobeconnect.com
ADMIN_PROTOCOL=https://
SSL_ONLY=yes
RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/

7. Next, back up and edit the server.xml file in the \appserv\conf\ directory; uncomment the two sections depicted here to enable SSL:

<Executor name="httpsThreadPool"
namePrefix="https-8443-"
maxThreads="350"
minSpareThreads="25"/>

<Connector port="8443" protocol="HTTP/1.1"
executor="httpsThreadPool"
enableLookups="false"
acceptCount="250"
connectionTimeout="20000"
SSLEnabled="false"
scheme="https"
secure="true"
proxyPort="443"
URIEncoding="utf-8"/>

Note: Be sure to test the server.xml file for correct editing by opening it in a browser and viewing any syntax errors.
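A pre-flight check for the files edited in steps 5 and 7, to run before the services are stopped in step 8. This is an added example, not Adobe's code or part of the original post. It reports stunnel.conf lines that are not valid syntax, services missing accept/connect/cert, reused VIP addresses, connect targets that carry decrypted traffic off the host, and sslVersion = all without NO_SSLv2/NO_SSLv3; for server.xml it checks well-formedness, pasted typographic quotes, and that the 8443 connector is active. The function names, the sample configs and the 10.0.0.5 address are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED = ("accept", "connect", "cert")
SMART_QUOTES = "\u201c\u201d\u2033"  # curly quotes / double prime picked up by copy-paste

def parse_stunnel(text):
    """Parse stunnel.conf text into (globals, services, syntax_errors)."""
    glob, services, errors = {}, {}, []
    cur = glob
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            cur = services.setdefault(section.group(1), {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            cur.setdefault(key.lower(), []).append(value)  # options may repeat
        else:
            errors.append(f"stunnel.conf line {no}: not a comment, section or option")
    return glob, services, errors

def audit_stunnel(text):
    """Findings for step 5's layout: one VIP per service, plaintext kept on loopback."""
    glob, services, findings = parse_stunnel(text)
    seen = {}
    for name, opts in services.items():
        findings += [f"[{name}] missing '{k}'" for k in REQUIRED
                     if k not in opts and k not in glob]
        for addr in opts.get("accept", []):
            if addr in seen:
                findings.append(f"[{name}] accept {addr} already used by [{seen[addr]}]")
            seen.setdefault(addr, name)
        for target in opts.get("connect", []):
            if target.rsplit(":", 1)[0] not in ("127.0.0.1", "localhost"):
                findings.append(f"[{name}] connect {target}: decrypted traffic leaves this host")
    if "all" in (v.lower() for v in glob.get("sslversion", [])):
        enabled = {o.upper() for o in glob.get("options", [])}
        findings += [f"sslVersion = all without options = {flag}"
                     for flag in ("NO_SSLv2", "NO_SSLv3") if flag.upper() not in enabled]
    return findings

def audit_server_xml(text, port="8443"):
    """Findings for step 7's Connector: Tomcat stays plaintext behind the TLS proxy."""
    findings = [f"server.xml line {no}: typographic quote"
                for no, line in enumerate(text.splitlines(), 1)
                if any(ch in line for ch in SMART_QUOTES)]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return findings + [f"server.xml not well-formed: {exc}"]
    conn = next((c for c in root.iter("Connector") if c.get("port") == port), None)
    if conn is None:
        return findings + [f"no active Connector on port {port} (still commented out?)"]
    expected = {"SSLEnabled": "false", "scheme": "https", "secure": "true", "proxyPort": "443"}
    findings += [f"Connector {port}: {a}={conn.get(a)!r}, expected {w!r}"
                 for a, w in expected.items() if conn.get(a) != w]
    if conn.get("executor") not in {e.get("name") for e in root.iter("Executor")}:
        findings.append(f"Connector {port}: executor {conn.get('executor')!r} not defined")
    return findings

# Constructed samples; 10.0.0.5 is a made-up backend address, not from the page.
SAMPLE_STUNNEL = """\
stunnel.conf for four servers on one
sslVersion = all
[https-vip]
accept = 192.167.21.175:443
connect = 127.0.0.1:8443
cert = domain.com.cert.pem
key = domain.com.key.pem
[rtmps-vip]
accept = 192.167.21.175:443
connect = 10.0.0.5:1935
"""
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Executor name="httpsThreadPool" namePrefix="https-8443-" maxThreads="350" minSpareThreads="25"/>
<Connector port="8443" protocol="HTTP/1.1" executor="httpsThreadPool" SSLEnabled="false"
           scheme="https" secure="true" proxyPort="443" URIEncoding="utf-8"/>
</Service></Server>"""

if __name__ == "__main__":
    print("\n".join(audit_stunnel(SAMPLE_STUNNEL) + audit_server_xml(SAMPLE_SERVER_XML)))
```

An empty result from both functions means the files match the layout in this checklist; it does not replace the functional test in step 15.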

8. After configuring the stunnel.conf, the custom.ini and the server.xml file for all four server instances, stop all five services in the following order:

  • Adobe Connect CQ Author
  • Adobe Connect CQ Publisher
  • Adobe Connect Server
  • Adobe Flash Media Server
  • stunnel

9. After all services are completely stopped, start all five services in reverse order; do not cheat and just restart each one successively.

  • stunnel
  • Adobe Flash Media Server
  • Adobe Connect Server
  • Adobe Connect CQ Publisher
  • Adobe Connect CQ Author

10. Open a browser on the Connect server; go to localhost:4502 and log into CQ5 Author as an administrator and edit the URL

  • Select CRXDE Lite on the menu list on the right side of the screen
  • Go to: content>connect>c1>jcr:content
  • Scroll to the serverURL line
    • Edit the URL for https
    • https://connect.domain.com

11. Open a browser on the Connect server and go to localhost:4503 and log into CQ5 Publisher as an administrator and edit the URL

  • Select CRXDE Lite on the right menu list
  • Go to content>connect>c1>jcr content
  • Scroll to the serverURL line
    • Edit the URL for https
    • https://connect.domain.com

12. Open a browser on the Connect server and go to localhost:4502/system/console/configmgr and log in as an administrator and edit the author externalizer name and statistics URL

  • Scroll to and edit the Day CQ Link Externalizer and edit the hostname value to reflect the FQDN of the Author server
  • cqauthor.domain.com
  • Scroll to and edit the Day CQ WCM Page Statistics and edit the localhost:4502 URL to reflect the FQDN of the Author server and HTTPS
  • https://cqauthor.domain.com/libs/wcm/stats/tracker

13. Open a browser on the Connect server and go to localhost:4503/system/console/configmgr and log in as an administrator and edit the publisher externalizer name and statistics URL

  • Scroll to and edit the Day CQ Link Externalizer and edit the hostname value to reflect the FQDN of the Publisher server
  • cqpublisher.domain.com
  • Scroll to and edit the Day CQ WCM Page Statistics and edit the localhost:4503 URL to reflect the FQDN of the Author server and HTTPS
  • https://cqpublisher.domain.com/libs/wcm/stats/tracker

14. Stop all services and restart as shown in steps 8 & 9, or reboot the server.

15. Log into Connect and test all features including the Events module.

Troubleshooting appendix:

  • Check to make sure all five  services are running and start any that are not running.
  • Once all the services are up, click on the stunnel.exe icon in the stunnel directory and ensure that stunnel runs without errors
    • If stunnel.exe throws an error then examine the stunnel.conf for syntax problems
    • If stunnel.exe starts successfully then look elsewhere for problems
  • If Firefox browsers fail to connect when stunnel is used to secure Adobe Connect, then double check to be sure that the following are set in stunnel.conf:
    • sslVersion = all
    • fips = no
  • To make certain the help files are served via SSL, follow the instructions in Jim’s blog article: Changing the Help Links to use HTTPS://
  • Make sure there is not a passphrase on stunnel: see Jim’s blog article Adobe Connect Stunnel prompting for passphrase when server/services restarts
  • If stunnel does not start with Connect upon reboot, this technique will help: Stunnel does not Startup with Connect
  • Depending on the version of Connect you are running, you may need to add the certificate to the java CA certificates in Connect in order to allow images in the AEM-based Events module to appear in Connect. Ignore this step unless you are running Connect 9.0.0.1 and even then, if at all possible, simply use a later version of Connect instead as this issue has been fixed and this workaround is made superfluous for later versions:
    • For 9.0.0.1, export and then import the SSL certificate: Log into Connect and click on the lock in the URL line to the left of HTTPS and click the button in the pop-up: More Information>View Certificates>Details>Export to export the SSL certificate. Save the certificate in the jre\bin directory in the root install directory for Connect: Connect\9.0.0.1\jre\bin
    • Use the command prompt to complete the importation: F:\Connect\9.0.0.1\jre\bin> keytool -import -trustcacerts -alias connect -file certificate-name -keystore cacerts
      • The default password is changeit.
      • Overwrite any existing certificate.
      • The italicized alias connect is a variable
      • The italicized certificate-name must match the name of the certificate
      • When importing the cert to cacerts, you need to specify the path to the correct cacerts location.
        • Otherwise you just end up with the cacerts file in the same location from which you launched the keytool
        • In Connect <install-drive>:\Connect\9.0.0.1\jre\lib\security\cacerts
        • Note: the -import command works, but isn’t listed under keytool -help; it should be -importcert

Connect on-premise server: Warning messages in Event viewer, registry connection rejected

On some installations of Connect on-premise in combination with FMG you might observe a large number of regular warning messages for the FMS Edge process in the Windows Event viewer as well as the server’s edge.log file.

The message in \Connect\logs\support\diagnostic\edge.00.log would look like this:

Connection rejected by server. Reason : [ Server.Reject ] : Registry connection rejected, this adaptor is _defaultRoot_ and the registry only accepts connections on originhost -

In the Event Viewer you would see this in regular intervals:

event_viewer_registryConnectionRejected

 

If you see these in the logs on your Connect server machine and FMG is hosted on the same machine, do the following:

1. Browse to: C:\Connect\9.1.1\Flash Media Gateway\2.0.1.19_8x8\conf\

or, if you run 9.0.x, browse to: C:\Connect\Flash Media Gateway\2.0.1.15\conf\

2. Take a backup copy of the rtmp.xml

3. Open the file rtmp.xml in an XML friendly editor like Notepad++ or Textpad.

4. Locate this section at the top:

<Registrations>
<LegService>
<!-- List of FMS & service names for LegService registry connnections                    -->
<!-- Format is <Server host = "Flash Media server IP/hostname">servicename</Server>        -->
<!-- Please refer to documentations for applicable restriction on the values            -->
<Server host = "localhost">telephony</Server>
</LegService>
<ControlService>
<!-- List of FMS & service names for ControlService registry connections    -->
<!-- Format is <Server host = "server IP/hostname">servicename</Server>        -->
<!-- Sample entry:                                                            -->
<Server host = "localhost">telephony_control</Server>
</ControlService>
</Registrations>

5.  In the above section, modify these two lines:

<Server host = "localhost">telephony</Server>

<Server host = "localhost">telephony_control</Server>

to include a port number:

<Server host = "localhost:8506">telephony</Server>

<Server host = "localhost:8506">telephony_control</Server>

6. Save the changes and restart the FMG service.

 

 

 

Adobe Connect 9.1.2 Licensed (On Prem) Updates Now Available

We have released the 9.1.2 Licensed updates for Adobe Connect.  They can be downloaded directly from:

http://helpx.adobe.com/adobe-connect/kb/connect-90-patches.html

Along with the 9.1.2 update are two additional patches:  9.1.2a and 9.1.2b.

9.1.2a and 9.1.2b should be put on top of 9.1.2 immediately after updating your system to 9.1.2.

9.1.2 needs to be put on top of a system running 9.1 (9.1.1).  Then, once 9.1.2 is applied, proceed with 9.1.2a and 9.1.2b in that order.

9.1.2a resolves the issue in bug 3670250, which is an issue creating meetings when a user’s profile is something other than German, English, Japanese, Korean, Portuguese or Chinese.

9.1.2b resolves the issue in bug 3653594, which is an issue with non-required fields being inadvertently required when creating new users.

 

 

Adobe Connect Server Licensing for Disaster Recovery

This question is commonly asked: Does my license for On-Premise Adobe Connect allow me to install Adobe Connect servers for disaster recovery purposes?

First let’s define the terms: Disaster Recovery Environment refers to your technical environment designed solely to allow you to respond to an interruption in service due to an event beyond your control that creates an inability on your part to provide critical business functions for a material period of time. That is to say, it refers to a secondary site that would not be utilized in production unless the primary site went offline due to a natural or human-inflicted disaster that is beyond your control. Use of Adobe Connect servers in Disaster Recovery Environments is within the scope of your license and no additional fees are due to Adobe Systems Incorporated. For example, for the architecture depicted here, you would need four Adobe Connect server licenses. 

 

Connect_DR_cluster

 

However, adding one or more Adobe Connect servers to a local cluster is outside the scope of your license, and you will need to purchase additional licenses from Adobe Systems Incorporated to accomplish this.  Additional licenses are needed when adding any Adobe Connect servers that increase scalability in the form of:

  • Availability — What percentage of time is Connect available to geographically distributed users?
  • Reliability — How often does Connect experience problems that affect availability?
  • Performance — How fast does Connect consistently and qualitatively respond to user requests?
  • Concurrency – How many users can a Connect deployment handle concurrently?

Information around cluster expansion is here: Adobe® Connect™ server pools/clusters and hardware-based load-balancing devices with SSL acceleration

If you were to geographically distribute an active Connect cluster by placing Adobe Connect servers into two separate data centers, that would also require additional licensing. Connect servers in a cluster cannot have more than 2-3ms of latency between and among Connect servers. Generally you would not geographically distribute Adobe Connect servers into different data centers; however, there is a chapter in the aforementioned clustering article on the topic. With that said, the architecture depicted below is an example of a distributed active Adobe Connect cluster that is spread between two local data-centers with nominal latency between those data-centers (less than 3ms of latency). All four servers are in production and all are actively hosting meetings and serving on-demand content. The Connect architecture example depicted in the diagram below requires a four-server Connect cluster license:

 

Cross-DC-CLUSTER

 

Adobe Connect Meeting Add-in for 9.1.2 is Now Available

The new Adobe Connect Meeting Add-in is now available.  This latest version of Adobe Connect Add-in is 11.2.392.0 for both Windows and Mac platforms.  Please see the following knowledge base article below for the latest information including the list of issues that have been fixed in this release as well as the links to download both the Windows and Mac versions of the Add-in.

http://helpx.adobe.com/adobe-connect/kb/latest-connect-91-addin.html

7.x Recordings Not Playing after Upgrading to 9.1.1

If you have recently upgraded an Adobe Connect on premise deployment from version 7.x to 9.1.1 (with various 8.x steps possibly in-between), you may encounter an issue where older recordings no longer launch. However, newly created recordings open and play back without issue.

If this is the case, please check the following directories…

First check:

[Root Connect Install]\9.1.1\appserv\common\meeting\shell

This directory should contain the following SWF files:

  • BreezeUIComponents.swf
  • CorePodCollection.swf
  • meeting.swf
  • meeting_sgn.swf
  • shell.swf
  • shell_sgn.swf
  • StamperSymbols.swf

If they do NOT exist in that directory (and only the ‘breezeLive’ folder and XML files are present), please download the files from here and place them into the directory.

Then check:

[Root Connect Install]\9.1.1\appserv\common\meeting\launcher

This directory should contain the following SWF files:

  • listener.swf
  • openmeeting.swf
  • openmeetingversioncheck.swf

If they do NOT exist in that directory, please download the files from here and place them into the directory.

After confirming these files are now in those directories, retry launching an older Connect recording.  No restart is required.

Upgrade to Adobe Connect 9.1 causes Avaya Adaptor to be broken

Problem :

If you’ve upgraded your Adobe Connect server to version 9.1 and you already have Avaya adaptor configured, you might find it broken after the upgrade.

You might also run into this issue if you have a fresh installation of 9.1 and you are configuring Avaya adaptor for the first time

Reason :

The adaptor path is incorrect in the telephony configuration files in version 9.1

Environments Affected : Connect 9.1.1 Licensed

Solution :

  • Locate the following folder on your Adobe Connect 9.1.1 root installation : {Connect-Root}\9.1.1\TelephonyService\conf
  • Create a backup copy of  telephony-settings.xml file
  • Open the file in a text editor and locate the following line for the Avaya adaptor: <telephony-adaptor class-name="com.macromedia.breeze_ext.telephony.AvayaAdaptor" enabled="true" id="avaya-adaptor">
  • Replace the line with the following: <telephony-adaptor class-name="com.macromedia.breeze_ext.telephony.Avaya.AvayaAdaptor" enabled="true" id="avaya-adaptor">
  • Save the file and reopen the file with IE to make sure there are no errors.
  • Next, create a backup copy of the telephony-capabilities.xml file
  • Open the file in a text editor and locate the following line for the Avaya adaptor: <telephony-adaptor class-name="com.macromedia.breeze_ext.telephony.AvayaAdaptor" enabled="true" id="avaya-adaptor">
  • Replace the line with the following: <telephony-adaptor class-name="com.macromedia.breeze_ext.telephony.Avaya.AvayaAdaptor" enabled="true" id="avaya-adaptor">
  • Save the file and reopen the file with IE to make sure there are no errors.
  • Restart the Adobe Connect & Telephony services.

 

Connect on VMWare – some deployment tips

Issue: VMWare is ubiquitous in the enterprise and while it opens up huge potential for management of the Connect infrastructure, it must be planned and executed with an eye toward robustness.

This advice is gleaned from conversations with senior persons on our operations team as well as from support cases generated by various customers with on-premise VMWare deployments of Connect.

One of the most important and often overlooked variables about virtualization is to make certain that  VMware is compatible with all the underlying components of the server and network architecture. The infrastructure supporting VMWare must be verified by VMware under their Hardware Certification Program or Partner Verified and Supported Products (PSVP) program; be sure to use certified hardware.

Here is the link to the compatibility reference:  http://www.vmware.com/resources/compatibility

With Connect you must consider both Tomcat and FMS; the former can run on most anything, while the latter is a bit more demanding: RTMP can be acutely affected by latency and packet transmission issues. If you notice unpredicted latency or a surprise crash of FMS with Connect 9.1, a good test would be to check the network components: sniff for packet transmission issues and have the vNIC of the guest VMs configured to use VMXNET3; this is a good place to start.

With reference to recommendations and best practices, it really depends on the VMware infrastructure adopted. The following references serve as a guide for an enhanced environment:

Enterprise Java Applications on VMware – Best Practices Guide: http://www.vmware.com/resources/techresources/1087

Best Practices for Performance Tuning of Latency-Sensitive Workloads in vSphere VMs: https://www.vmware.com/resources/techresources/10220

Performance Best Practices for VMware vSphere 5.1: https://www.vmware.com/resources/techresources/10329

The key with Network Storage is speed. If you lose connectivity to the shared storage then only what is cached on the origins will be available.

Shared storage requirements

  • Disk specs: 10,000–15,000 RPM — Fibre Channel preferred
  • Network link: TCP/IP — 1GB I/O throughput or better
  • Controller: Dual controllers with Active/Active multipath capability
  • Protocol: CIFS or equivalent

Avoid virtualizing the Connect database if possible.

I have seen in some customer-based VMWare environments that are overtaxed that latency among the servers on 8507 (and 8506) can cause problems. Intra-cluster latency (server to server communication) should never exceed 2-3ms. When it does, we see intermittent crashes. I had one customer who had a particularly weak infrastructure and whose crashes I could predict; he was doing back-ups and running other tasks at a certain time weekly that would tax and hamper network connectivity for about an hour; these tasks were so all-consuming on the network that they turned every cluster resource into an individual asset on its own island. The log traces bore this out and we knew with precision what was going on. He knew he needed to upgrade his infrastructure and in the meantime we worked out a reaction plan to deal with the issue; it included:

  1. Place a higher than normal percentage of cache on each server to limit invoking shared storage
  2. Set the JDBC driver reconnection string for Database connectivity
  3. Plan Connect usage around these maintenance activities and when possible, do Connect maintenance activities at the same time as well – not very difficult as these were after hours, but being a  global operation, still not a given.

Presenter 9.0.2 Now Available

Presenter 9.0.2 is now available as an updater here:

http://www.adobe.com/support/downloads/product.jsp?product=153&platform=Windows

This is the update for existing Presenter 9.0 customers.

The full installer for Adobe Presenter 9.0.2 will be made live on November 18th – which means the existing build of Presenter 9.0 will be replaced on the Adobe online store, trial downloads, our Licensing system, and DVDs, with Presenter (9.0 + 9.0.2) consolidated installer.

The normal Presenter release notes have therefore been updated to include Presenter 9.0 PLUS Presenter 9.0.2 features and are live now. View the release notes here.

Release notes specific to Presenter 9.0.2 are found here and point out Presenter 9.0.2 details separately.

You can also download and install the update directly from inside of Adobe Presenter 9 by going to the Adobe Presenter > Help > Updates menu (pictured below).

 

presenter902

 

 

In the end (after updating), you should see the following version when going to: Adobe Presenter > Help > About Adobe Presenter…

presenter902a

 

 

Issue with upgrading CQ (Events) on standalone server

Note:

This article is for On-Premise (Licensed) Adobe Connect customers with the Events module who may be thinking of upgrading to 9.1.

This only applies to customers who meet ALL of the following criteria:

  • Customers who have installed CQ at the Adobe Connect 9.0 level (officially 9.0.0.1) and who are upgrading to 9.1 (officially 9.1.1)
  • Customers who have installed CQ on a standalone machine (so not on the same server or servers as Adobe Connect)
  • Customers who have installed CQ on a drive other than C:/.  

We have uncovered an issue with upgrading CQ (Events Module) from 9.0 version to 9.1 version on a standalone server where you would have installed CQ on a drive other than the C:/ drive.

With Adobe Connect 9.0.0.1 (the full 9.0 installer’s actual version), we introduced Adobe CQ as the backend for the Events module in Adobe Connect. This required you to install CQ on either the same server as Adobe Connect, or on its own dedicated (preferred) server or servers (if in a cluster). A typical workflow would have been to install the CQ application for both the Author and the Publisher instances of CQ on a drive other than the C:/ drive on the server (or servers). The full installation of the original 9.0 version of CQ would have given you the option of installing CQ wherever you wanted (say for this example, the ‘E:/’ drive).

With the latest (as of October, 2013) version of Adobe Connect and CQ (9.1.1 officially), we introduced a new version of CQ. So customers who already installed CQ at version 9.0 would have already had CQ on a machine and would be upgrading CQ by running the new 9.1.1 Adobe Connect installer on that server. This is where the problem is. The installer, for an upgrade to CQ, will not give you the option to choose the installation folder/location. It just goes through and installs in the C:/ drive, which is obviously not correct if you installed in another location.

There is a workaround for this.

For now, you can work around this problem by adding a property value, USER_INSTALL_DIR=<old Installation directory>, to the file <INSTALLER_ROOT>\Standard_DVD\Connect\9.1.1\Disk1\InstData\VM\cps.properties. Any valid installation path can be provided, but the format of the old installation path has to be either E:/Connect or E:\\CONNECT (or whatever drive letter you are using).

Note: Again, the full installation of 9.1 will allow you to choose the installation directory. The issue detailed above is only for upgrades from 9.0 to 9.1 CQ.

This issue with the installer will be addressed in Adobe Connect 9.2, which will be coming in Q1 of 2014.