Posts in Category "SSL"

Adobe Connect SSL guide

Here’s a new SSL configuration guide (PDF) aimed at Connect 9 and higher. It should help you get SSL working in most environments with and without Events module (CQ).

Connect SSL Guide

Please contact support via the usual channels should you feel you need additional help with SSL.

 

Connect on-premise: Event Emails may fail to be sent.

This is specific to Connect on-premise installations with Events and with SSL configured for the Event service.

 

When you create a new Event there are a bunch of different email notifications available, including confirmation of new registrations, event reminders, thank you notes etc.
These emails are created from email templates that the Connect application server needs to download from the CQ publish server before they’re sent out.

If you have the CQ service configured with SSL the Connect server needs to trust the certificates you configured on the remote CQ publish host, otherwise it will fail on the template download and you will get a log message as below written in the debug.log on your Connect server:

 
[…]
[03-21 08:37:52,983] cqEmailer0 (INFO) 1ms spid:197 fetch com.macromedia.breeze.model.CQTemplate(“84457”)
[03-21 08:37:52,990] cqEmailer0 (INFO) Error while fetching template from CQ: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[03-21 08:37:52,990] cqEmailer0 (ERROR) Exception thrown
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[…]

 
To fix this, import the SSL certificate of your CQ publish server to the Connect server keystore.

On the Connect server, open a command line and change to this directory:   <drive>:\Connect\9.x\jre\bin\

The command to import the certificate is as follows (of course replace c:\pathToCertFile\cert.crt with your own path and filename). Also, make sure the path to the keystore is correct for your environment and version of Connect.

keytool -importcert -trustcacerts -alias connectcerts -file c:\pathToCertFile\cert.crt -keystore c:\Connect\9.x\jre\lib\security\cacerts

 

(If you are using intermediate certificates, you can import the whole chain as one single .crt file).

 

 

 

New Adobe Connect Support Blog Subscription Option

Now you can stay on top of the new articles and posts by subscribing to the Adobe Connect Support Blog. Simply go to the Adobe Connect Support Blog home page and enter your email address and check off the categories about which you would like to be notified. Click “Subscribe me” and you will begin receiving  regular updates:

subscribe.fw

 

 

Event Template does not show data, blank white page appears

Problem:
Event template, Event catalog or Email template doesn’t load in iFrame rather gets displayed as blank white page.

Description:
When we click on Event Management -> Event Template or Event Catalog or Email Template, we get a white page in the area where the Event Template data should have been visible.

Reason:
This issue occurs if Adobe connect is running on SSL (HTTPS), however, CQ is not running on SSL. Hence the data coming from CQ is not secured. When secure and unsecure data is received by the browser over a secure connection, it is called Mixed content. Every browser has a setting where it usually blocks mixed content i.e. un-encrypted data coming from CQ gets blocked.

The page usually appears as shown below:

Event Template does not show any data

You may also get a prompt depending on the settings of Internet Explorer.

Internet Explorer 7 or earlier

Display Mixed content IE_Old

Internet Explorer 11

Prompt to display Mixed content

Prompt to display Mixed content at Bottom of Page

 

Solution:

It is possible to change this behavior of a browser where it allows mixed data and displays data sent without securing it over a connection which is secured using SSL.

Below steps allow us to modify this behavior:

Internet Explorer:
Internet Option -> Security -> Custom Level -> Display Mixed content -> Enable;

Enable Mixed Content in Internet Explorer

Google Chrome:
Click the shield icon on top right -> Click “Load unsafe scripts”;

Enable Mixed content in Google Chrome

 

Mozilla Firefox:
Click the shield icon on top left -> Under “Insecure content” -> “Disable protection for now” ;

Enable Mixed content in Mozilla Firefox

These are the basic steps to fix this problem. Depending on the permission on the account, you may or may not be able to make these changes.

 

Troubleshooting Verbose Meeting Addin Logging

On occasion it can be difficult to get verbose addin logging to work. The tech-note describing how to set it up is here: Enable logging | Meeting Add-in

The tech-note correctly describes where to place the customized mms.cfg file for use with both 64 bit and 32 bit Windows clients as well as for the Mac OS.

If after following the instructions in the tech-note, you still do not see any verbose addin logs, one possible cause is that there may be an additional mms.cfg file in an alternate location on the client that is blocking the log creation process. To remedy this, add the customized debug mms.cfg to the following locations after renaming any existing mms.cfg files (to allow them to be restored after verbose logging or debugging is complete):

Here are the locations (more than in the tech-note):

  • Windows (32 bit) :

In: C:\Windows\System32\Macromed\Flash\mms.cfg
or C:\Windows\System32\mms.cfg

  • Windows 7 (64 bit):

In: c:\Windows\SysWOW64\Macromed\Flash\mms.cfg
or c:\Windows\SysWOW64\mms.cfg

After placing the mms.cfg in both folders, be sure to close all addin browsers and then to open the addin only in the one Meeting that you wish to troubleshoot.

Connect on-premise – SSL – Convert .pfx to .pem format

Connect can be configured with Stunnel to support HTTPS and RTMPS. Stunnel requires you to provide a private key and a public cert file in .pem format.

You probably run Stunnel as a service (you should) so you also need to save the private key without a passphrase.

If you have a .pfx file with your private key and public certificate, you need to extract the key and cert from the .pfx file and save them to individual .pem files.

Here’s how to do just that:

  1. Install OpenSSL from here: https://www.openssl.org/related/binaries.html
  2.  Open a command line window and change to the directory where you installed OpenSSL, i.e. c:\OpenSLL-Win64\bin\.
  3. Run the following command to extract the private key and save it to a new file:
    openssl pkcs12 -in yourpfxfile.pfx -nocerts -out privatekey.pem -nodes
  4. Now run the following command to also extract the public cert and save it to a new file:
    openssl pkcs12 -in yourpfxfile.pfx -nokeys -out publiccert.pem -nodes
  5. Now you can use the files in your Stunnel config.

You can find more on configuring SSL and a sample config for Stunnel here:

https://blogs.adobe.com/connectsupport/adobe-connect-ssl-guide/

https://blogs.adobe.com/connectsupport/ssl-configuration-checklist-for-connect-with-aem-based-events

 

 

Configuring Secure SQL with Connect

It may be prudent to secure the connection between the Adobe Connect application servers and the SQL database.

Begin with the SQL server and then move onto the Connect server(s); if your SQL server is shared then begin with a change request to the DBA who has charge over the shared SQL environment. If your SQL database is already secure, you may skip Part I.

Part I. Securing the MS SQL Database Server:

First open the Certificates snap-in:

1. Open the MMC console, click Start, and then click Run; In the Run dialog box type:  MMC
2. From the  File menu, click Add/Remove Snap-in….
3. Click Add, and then click Certificates. Click Add again.
4. You are prompted to open the snap-in for the current user account, the service account or for the computer account. Select the Computer Account.
5. Select Local Computer, and then click Finish.
6. Click Close in the Add Standalone Snap-in dialog box.
7. Click OK in the Add/Remove Snap-in dialog box. Your installed certificates are located in the Certificates folder in the Personal container.

Use the MMC snap-in to install the certificate on the server:

  1. Click to select the Personal folder in the left-hand pane.
  2. Right-click in the right-hand pane, point to All Tasks, and then click Request New Certificate….
  3. The Certificate Request Wizard dialog box opens. Click Next. Select Certificate type is “computer”.
  4. In the Friendly Name text box you can type a friendly name for the certificate or leave the text box blank, and then complete the wizard. After the wizard finishes, you will see the certificate in the folder with the fully qualified computer domain name.

You are done now with installation of certificate on the SQL server, next you will need to export the certificate so that the same can be imported in the Connect application server.

  1. Open MMC, and then locate your certificate in the Personal folder.
  2. Right-click the certificate name, and then click Open.
  3. Review the Certification Path tab. Note the top most item.
  4. Navigate to the Trusted Root Certification Authorities folder, and then locate the Certificate Authority noted in step 3..
  5. Right-click CA, point to All Tasks, and then click Export.
  6. Select all the defaults, and then save the exported file to a location where the Connect application server can gain access to it.

Configure SSL encryption in the MS SQL instance:

1. On the SQL server start menu open Microsoft SQL Server>Configuration Tools> SQL Server Configuration Manager:

SQLsecure1.fw

2. Expand SQL Server Network Configuration, then right-click Protocols for MSSQLSERVER, and choose Properties. Select the Flags tab and change the Force Encryption setting to Yes.

sqlserverencryptionstep2

3. Under the Certificate tab, choose the certificate created earlier from the drop down list:

SQLsecure4

The database is now ready for secure connection with the Connect application server.

Part II. Configure the Connect application server to support a secure SQL connection:

Importing the certificate onto the Connect application server

  1. Copy the certificate from MS SQL Database server to the Connect application server(s) or to an accessible share.
  2. Navigate the Connect application sever by using the MMC snap-in, and then browse to the Trusted Root Certification Authorities folder.
  3. Right-click the Trusted Root Certification Authorities folder, point to All Tasks, and then click Import.
  4. Browse, and then select the certificate (.cer file) that you copied in step 1. Select the defaults to complete the remaining part of the wizard.

Create a Trust Store

1.  Be sure to have java installed on your Connect application server; at the command prompt, navigate to the bin directory of your JRE, and execute the following command:

keytool -import -file  <certificate file path> -alias firstCA -keystore <any name for trust store>
Note: This step will queue for a password, create and record a password for future reference.

2. In the ConnectProSvc.conf in the appserv\conf directory, add the following entries in the list of JAVA arguments:

wrapper.java.additional.28=-Djavax.net.ssl.trustStore= <path of Trust Store file created in step 1>
wrapper.java.additional.29=-Djavax.net.ssl.trustStorePassword=<password you created in step 1>

Configure the secure connection in Connect:

1. In custom.ini file under the root Connect installation directory, add the following entries:

DB_ENCRYPTION_METHOD=SSL
DB_VALIDATE_SERVER_CERTIFICATE=true

2. Cycle the services or reboot the server:

Adobe Connect Service
Flash Media Service

Note: For secure LDAP or LDAPS with Connect and for additional granularity around the paths and keystore see the following tech-note: Configure Connect Directory Services to use LDAPS

SSL Configuration Checklist for Connect with AEM-based Events

This supplemental checklist alongside the  Adobe Connect installation guide and the SSL Configuration guide, will help expedite your SSL implementation of Connect with AEM-Events:

1. Always begin with a fully functional installation of Connect and AEM-based Events before adding SSL; Do not attempt to secure a server that is not fully tested to run all features without SSL: A server running all features in the clear with no problems manifested is the only place to begin.

2. Decide whether to use hardware-based or software-based SSL and obtain appropriate public certificates and FQDN’s. If needed, see Mohit’s excellent instructions to generate CSRs. If you are using software-based SSL, stunnel can either be installed locally or on a separate server. If you are using hardware-based SSL you will want to refer to the relevant third-party documentation along with that provided by Adobe. For F5 BIG-IP LTM, the following articles along with this blog article and the resources aforementioned will help:

For information about stunnel installation options with Connect 9, see Jim’s blog post on Adobe Connect 9.0.0.1 and 9.1 stunnel installation options. Within the 9.0.0.1 installation folder, under  \Adobe Connect 9.0.0.1\Adobe Connect\Merge_Modules, we provide the installer for  stunnel-4.53.  From there, you can install Stunnel 4.53 for your SSL deployment. Adobe QE has tested stunnel version 4.56 collocated with Connect – installed within the Connect installation directory. These days it is arguably prudent to use the latest security option tested. Depending on the version of Connect you are running, if you wish to use stunnel locally, then you would create and/or populate the stunnel directory under the root install directory: Connect\9.1.2\stunnel.

Click on this thumbnail diagram below to see what it would look like with a hardware-based SSL accelerator:

C9SSLAEMSingle

Click on this thumbnail diagram below to see what it would look like with stunnel collocated with Connect:

C9SSLAEMStunnel

The rest of this checklist & summary will assume stunnel is being used collocated with Connect, but the configuration variables will apply to hardware-based external SSL acceleration options as well and even a casual glance back at these diagrams will help you infer the differences.

The sample file editing offered herein will be based on the single server stunnel example depicted in the diagram above.

3. Four FQDN’s are required: This is how our working example FQDN list would appear in a host file.

  • 192.167.21.176  connectmtg.domain.com
  • 192.167.21.175 connect.domain.com
  • 192.167.21.174  cqauthor.domain.com
  • 192.167.21.173  cqpublisher.domain.com

4. Four certificates (or a wildcard certificate) is needed; here is the list of certificates for SSL following our example:

  • connectmtg.domain.com
  • connect.domain.com
  • cqauthor.domain.com
  • cqpublisher.domain.com

Note: These are depicted in our working example as a wildcard certificate: domain.com. If the certificates are not trusted public certificates, then meeting rooms will not open; self-signed certificates will not work with meeting unless they are installed on all clients. Place the certificates into the stunnel installation directory: \Connect\9.1.2\stunnel\

5. Backup and edit the stunnel.conf file: in the \Connect\9.1.2\stunnel\ directory to set up the four VIPs and pools:

stunnel.conf for four servers on one
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
TIMEOUTclose=0
options = DONT_INSERT_EMPTY_FRAGMENTS
; Service-level configuration
[https-vip]
; incoming vip for https (to secure Connect Application Traffic)
; ip address of the server with stunnel on it
; listens on port 443
accept =192.167.21.175:443
; ip of the connect server
; send the unecrypted request to port 8443
connect =127.0.0.1:8443
; Certificate info for Connect cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem
[rtmps-vip]
; incoming vip for fms (to secure Connect Meeting Traffic)
accept = 192.167.21.176:443
; ip of the fms server
; Send unencrypted request to 1935
connect = 127.0.0.1:1935
; Certificate info for Connect meeting cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem
[CQ_Author-vip]
; incoming vip for CQ-Author (to secure AEM-based Events Authoring)
accept = 192.167.21.174:443
; ip of the CQ Author server
; Send unencrypted request to 4502
connect = 127.0.0.1:4502
; Certificate info for CQ Author cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem
[CQ_Publisher-vip]
; incoming vip for CQ-Publisher (to secure AEM-based Events Publishing)
accept = 192.167.21.173:443
; ip of the CQ Publisher server
; Send unencrypted request to 4503
connect = 127.0.0.1:4503
; Certificate info for CQ Publisher cert key in stunnel root
cert = domain.com.cert.pem
key = domain.com.key.pem

6. Next backup and edit the custom.ini file: By default, the custom.ini will point to 4502 and 4502 for CQ Author and Publisher respectively; you must change the links to reflect https rather than http and also change the  names to the correct FQDNs and also enable SSL for Connect with these following entries:

CQ_AUTHOR_SERVER=https://author.adobeconnect.com
CQ_PUBLISH_SERVER=https://publisher.adobeconnect.com
DOMAIN_COOKIE=adobeconnect.com
ADMIN_PROTOCOL=https://
SSL_ONLY=yes
RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/

7. Next backup and edit the server.xml file; in the \appserv\conf\ directory; uncomment two sections depicted here to enable SSL:

<Executor name=”httpsThreadPool”
namePrefix=”https-8443-”
maxThreads=”350″
minSpareThreads=”25″/>

<Connector port=”8443″ protocol=”HTTP/1.1″
executor=”httpsThreadPool”
enableLookups=”false”
acceptCount=”250″
connectionTimeout=”20000″
SSLEnabled=”false”
scheme=”https”
secure=”true”
proxyPort=”443″
URIEncoding=”utf-8″/>

Note: Be sure to test the server.xml file for correct editing by opening it in a browser and viewing any syntax errors.

8. After configuring the stunnel.conf, the custom.ini and the server.xml file for all four server instances, stop all five the services in the following order:

  • Adobe Connect CQ Author
  • Adobe Connect CQ Publisher
  • Adobe Connect Server
  • Adobe Flash Media Server
  • stunnel

9. After all services are completely stopped, start all five services in reverse order; do not cheat and just restart each one successively.

  • stunnel
  • Adobe Flash Media Server
  • Adobe Connect Server
  • Adobe Connect CQ Publisher
  • Adobe Connect CQ Author

10. Open a browser on the Connect server; go to localhost:4502 and log into CQ5 Author as an administrator and edit the URL

  • Select CRXDE Lite on the menu list on the right side of the screen
  • Go to: content>connect>c1>jcr:content
  • Scroll to the serverURL line
    • Edit the URL for https
    • https://connect.domain.com

11. Open a browser on the Connect server and go to localhost:4503 and log into CQ5 Publisher as an administrator and edit the URL

  • Select CRXDE Lite on the right menu list
  • Go to content>connect>c1>jcr content
  • Scroll to the serverURL line
    • Edit the URL for https
    • https://connect.domain.com

12. Open a browser on the Connect server and go to localhost:4502/system/console/configmgr and log in as an administrator and edit the author externalizer name and statistics URL

  • Scroll to and edit the Day CQ Link Externalizer and edit the hostname value to reflect the FQDN of the Author server
  • cqauthor.domain.com
  • Scroll to and edit the Day CQ WCM Page Statistics and edit the localhost:4502 URL to reflect the FQDN of the Author server and HTTPS
  • https://cqauthor.domain.com/libs/wcm/stats/tracker

13. Open a browser on the Connect server and go to localhost:4503/system/console/configmgr and log in as an administrator and edit the publisher externalizer name and statistics URL

  • Scroll to and edit the Day CQ Link Externalizer and edit the hostname value to reflect the FQDN of the Publisher server
  • cqpublisher.domain.com
  • Scroll to and edit the Day CQ WCM Page Statistics and edit the localhost:4503 URL to reflect the FQDN of the Author server and HTTPS
  • https://cqpublisher.domain.com/libs/wcm/stats/tracker

14. Stop all services and and restart as shown in steps 8 & 9 or reboot the server

15. Log into Connect and test all features including the Events module.

Troubleshooting appendix:

  • Check to make sure all five  services are running and start any that are not running.
  • Once all the services are up, click on the stunnel.exe icon in the stunnel directory and insure that stunnel runs without errors
    • If stunnel.exe throws an error then examine the stunnel.conf for syntax problems
    • If stunnel.exe starts successfully then look elsewhere for problems
  • If  Firefox browsers Fail to Connect when stunnel is used to secure Adobe Connect, then double check to be sure that the
    • sslVersion = all
    • fips = no
  • To make certain the help files are served via SSL, follow the instructions in Jim’s blog article: Changing the Help Links to use HTTPS://
  • Make sure there is not a passphrase on stunnel: see Jim’s blog article Adobe Connect Stunnel prompting for passphrase when server/services restarts
  • If stunnel does not start with Connect upon reboot, this technique will help: Stunnel does not Startup with Connect
  • Depending on the version of Connect you are running, you may need to add the certificate to the java CA certificates in Connect in order to allow images in the AEM-based Events module to appear in Connect. Ignore this step unless you are running Connect 9.0.0.1 and even then, if at all possible, simply use a later version of Connect instead as this issue has been fixed and this workaround is made superfluous for later versions:
    • For 9.0.0.1, export and then import the SSL certificate: Log into Connect and click on the lock in the URL line to the left of HTTPS and click the button in the pop-up: More Information>View Certificates>Details>Export to export the SSL certificate. Save the certificate in the jre\bin directory in the root install directory for Connect: Connect\9.0.0.1\jre\bin
    • Use the command prompt to complete the importation: F:\Connect\9.0.0.1\jre\bin> keytool -import -trustcacerts -alias connect -file certificate-name -keystore cacerts
      • The default password is changeit.
      • Overwrite any existing certificate.
      • The italicized alias connect is a variable
      • The italicized certificate-name must match the name of the certificate
      • When importing the cert to cacerts, you need to specify the path to the correct cacerts location.
        • Otherwise you just end up with the cacerts file in the same location from which you launched the keytool
        • In Connect <install-drive>:\Connect\9.0.0.1\jre\lib\security\cacerts
        • Note: –import command works, but isn’t listed under keytool –help; it should be –importcert

Stunnel Support with Adobe Connect 9.x

Up until Adobe Connect 9.0.0.1 (full installer) for on-premise (licensed) deployments, Adobe packaged Stunnel with the Connect application to handle the software SSL.  With the release of 9.0.0.1 of Adobe Connect, we included Stunnel 4.53 but do not unpack and install it with the installer (as we previously had done with Connect 8.x).  If you install (or are running) 9.0.0.1 and are looking for the Stunnel package, you need to navigate into the unpacked Adobe Connect 9.0.0.1 installer folder ({unpacked folder}\Adobe Connect 9.0.0.1\Adobe Connect\Merge_Modules) and look for the stunnel-4.53.zip file.  From there, you can install Stunnel 4.53 for your SSL deployment.

With the release of Adobe Connect 9.1.1, we no longer even ship the Connect installer with the Stunnel bits.  So you will need to obtain the Stunnel installer from either Stunnel’s website or from a 9.0.0.1 installer of Adobe Connect.  The last shipped version of Stunnel (with Connect 9.0.0.1) was 4.53, but again it was not ‘unpacked and installed’ as of 9.0.0.1.

The latest build of Stunnel that Adobe QE has tested with is version 4.56, which at the time of this article, is the latest production Stunnel build.

 

 

 

Connect on VMWare – some deployment tips

Issue: VMWare is ubiquitous in the enterprise and while it opens up huge potential for management of the Connect infrastructure, it must be planned and executed with an eye toward robustness.

This advice is gleaned from conversations with senior persons on our operations team as well as from support cases generated by various customers with on-premise VMWare deployments of Connect.

One of the most important and often overlooked variables about virtualization is to make certain that  VMware is compatible with all the underlying components of the server and network architecture. The infrastructure supporting VMWare must be verified by VMware under their Hardware Certification Program or Partner Verified and Supported Products (PSVP) program; be sure to use certified hardware.

Here is the link to the compatibility reference:  http://www.vmware.com/resources/compatibility

With Connect you must consider both Tomcat and  FMS; the former can run on most anything, while the latter is a bit more demanding; RTMP can be acutely;y affected by latency and packet transmissions. If you notice unpredicted latency or a surprise crash of FMS with Connect 9.1, a good test would be to check the network components; sniff for packet transmission issues – have the vNIC of the guest VMs configured to use VMXNET3; this is a good place to start.

With reference to recommendations and best practices, it really depends on the VMware infrastructure adopted. The following references serve as a guide for an enhanced environment:

Enterprise Java Applications on VMware – Best Practices Guide: http://www.vmware.com/resources/techresources/1087

Best Practices for Performance Tuning of Latency-Sensitive Workloads in vSphere VMs: https://www.vmware.com/resources/techresources/10220

Performance Best Practices for VMware vSphere 5.1: https://www.vmware.com/resources/techresources/10329

The key with Network Storage is speed. If you lose connectivity to the shared storage then only what is cached on the origins will be available.

Shared storage requirements

  • Disk specs: 10,000–15,000 RPM — Fibre Channel preferred
  • Network link: TCP/IP — 1GB I/O throughput or better
  • Controller: Dual controllers with Active/Active multipatch capability
  • Protocol: CIFS or equivalent

Avoid, virtualizing the Connect database if possible.

I have seen that in some customer-based VMWare environments that are overtaxed, that latency among the servers on 8507 (and 8506), can cause problems. Intra-cluster latency (server to server communication) should never exceed 2-3ms. When it does we see intermittent crashes. I had one customer who had a particularly weak infrastructure and for whom I could predict his crashes; he was doing back-ups and running other tasks at a certain time weekly that would tax and hamper network connectivity for about an hour; these tasks were so all-consuming on the network, they turned every cluster resource into an individual asset on its own island. The log traces bore this out and we knew with precision what was going on. He knew he needed to upgrade his infrastructure and in the meantime we worked out a reaction plan to deal with the issue; it included:

  1. Place a higher than normal percentage of cache on each server to limit invoking shared storage
  2. Set the JDBC driver reconnection string for Database connectivity
  3. Plan Connect usage around these maintenance activities and when possible, do Connect maintenance activities at the same time as well – not very difficult as these were after hours, but being a  global operation, still not a given.