Configure software-based SSL

When you configure software-based SSL, you can secure network connections to the web application server (HTTPS protocol), the meeting server (RTMPS protocol), or both. No matter which configuration you choose, you must create DNS records for your Connect servers first.

HTTP is the protocol with which the Adobe Connect application server is accessed. This includes the Connect Central administration pages for managing your Connect instance, Connect user login, and the Connect web services. Securing the application server by using HTTPS is important to prevent unauthorized access to your Connect service.

RTMP is the protocol that the Adobe Connect meeting server uses. RTMP connections contain media data such as video and audio streams from your Connect meetings, as well as data from the meeting rooms such as participant names and chat text. Securing the meeting server is important if sensitive information is exchanged in your Connect meetings.

Configure the DNS server

Create DNS entries that define addresses for the Fully Qualified Domain Name (FQDN) of each secured service. If you intend to secure traffic for both the application server and the meeting server, you must have a separate IP address for each service.

The domain name for the Central application server is the address with which your end users access Adobe Connect. Enter this domain name as the Connect Host value on the Server Settings page in the Application Management Console. For example, a good value is connect.yourcompany.com.

End users do not see the FQDN(s) for the meeting server(s). However, you must define a unique domain name for each meeting server if you want to conduct meetings over a secure connection. Enter this FQDN in the External Name box on the Server Settings page in the Application Management Console. For example, a good value is fms.yourcompany.com.
Note: In a cluster of servers, all the application servers can share an SSL certificate, but each meeting server must have its own SSL certificate.

On a single server, to secure both the HTTP (application server) and RTMP (meeting server) connections, you must have a total of two IP addresses, two FQDNs and two SSL certificates (one for each protocol). (You may also get a single wildcard SSL certificate that can be used for multiple hosts in the same subdomain, e.g. *.yourcompany.com. This is simpler to manage, but typically costs more than a single domain name certificate.)

Secure communications for both the application server and the meeting server (HTTP and RTMP)

1 Locate your installation media for Adobe Connect 9 and browse to \Connect\9.0.0.1\Merge_Modules\stunnel-4.53.zip
2 Extract the stunnel-4.5.3.zip file to a new folder named stunnel under your Adobe Connect installation folder, as follows: [root_install_dir]\stunnel
3 Under the newly-created stunnel folder, open stunnel.conf and replace the following code (replace the code in italic with your own values):

    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslversion = all
    fips = no
    ; Some performance tunings
    socket = l:tcp_nodelay=1
    socket = r:tcp_nodelay=1
    TIMEOUTclose=0
    options = DONT_INSERT_EMPTY_FRAGMENTS

    [https vip]
    ; incoming vip for https (This is to secure Web)
    ; ip address that resolves to the ConnectProHost (Web App FQDN).
    ; listens on port 443
    accept = 123.123.123.1:443
    ; When stunnel is on the same box, leave the below IP address as 127.0.0.1
    ; send the unencrypted request to port 8443
    connect = 127.0.0.1:8443
    ; Certificate information for Connect.
    cert = AppServer CertificateNameHere.pem
    key = AppServer CertificateKeyNameHere.pem

    [rtmps vip]
    ; incoming vip for fms (This is to secure Meeting)
    ; IP address that resolves to meeting FQDN
    accept = 123.123.123.2:443
    ; When stunnel is on the same box, leave the IP address as 127.0.0.1
    ; Send unencrypted request to 1935
    connect = 127.0.0.1:1935
    ; Certificate information for Connect Meetings.
    cert = Meeting Server CertificateNameHere.pem
    key = Meeting Server CertificateKeyNameHere.pem

You must have two certificate files for each secure connection: one for the public SSL certificate and one for the private key belonging to the certificate. Specify the location of the public SSL certificate in the cert property. Specify the location of the private key in the key property. The server sends the public SSL certificate to clients. The private key remains on the server.

4 Open the custom.ini file located in the root installation directory and save a backup copy to another location.
5 Insert the following code in the custom.ini file without replacing or deleting any existing text:

    ADMIN_PROTOCOL=https://
    SSL_ONLY=yes
    RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/

Note: The custom.ini file is case sensitive. Use capital letters for parameter names and lowercase letters for values.
6 Save the custom.ini file.
7 Open /appserv/conf/server.xml and uncomment the following section:

    <Connector port="8443" protocol="HTTP/1.1" executor="httpsthreadpool"
               enableLookups="false" acceptCount="250" connectionTimeout="20000"
               SSLEnabled="false" scheme="https" secure="true" proxyPort="443"
               URIEncoding="utf-8"/>

8 Restart Adobe Connect Server:
   a) Choose Start > Programs > Adobe Connect Server > Stop Adobe Connect Application Server
   b) Choose Start > Programs > Adobe Connect Server > Stop Adobe Connect Meeting Server
   c) Choose Start > Programs > Adobe Connect Server > Start Adobe Connect Meeting Server
   d) Choose Start > Programs > Adobe Connect Server > Start Adobe Connect Application Server
   e) Start stunnel.exe from [root_install_directory]\stunnel
9 Open the Application Management Console (http://localhost:8510/console or Start > Programs > Adobe Connect Server > Configure Connect Server).
10 On the Application Settings screen, select Server Settings and do the following:
   a) Enter the FQDN for your Adobe Connect account in the Connect Host box. This FQDN is the URL end users use to connect to Adobe Connect.
   b) Enter the FQDN for the Connect meeting server in the Host Mappings External Name box. The server uses this value internally.

Secure the web application server (HTTP) only

1 Locate your installation media for Adobe Connect 9 and browse to \Connect\9.0.0.1\Merge_Modules\stunnel-4.53.zip
2 Extract the stunnel-4.5.3.zip file to a new folder named stunnel under your Adobe Connect installation folder, as follows: [root_install_dir]\stunnel
3 Under the newly-created stunnel folder, open stunnel.conf and replace the following code (replace the code in italic with your own values):

    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslversion = all
    fips = no
    ; Some performance tunings
    socket = l:tcp_nodelay=1
    socket = r:tcp_nodelay=1
    TIMEOUTclose=0
    options = DONT_INSERT_EMPTY_FRAGMENTS

    [https vip]
    ; incoming vip for https (This is to secure Web)
    ; ip address that resolves to the ConnectProHost (Web App FQDN).
    ; listens on port 443
    accept = 123.123.123.1:443
    ; When stunnel is on the same box, simply leave the below IP address as 127.0.0.1
    ; send the unencrypted request to port 8443
    connect = 127.0.0.1:8443
    ; Certificate information for Connect.
    cert = AppServer CertificateNameHere.pem
    key = AppServer CertificateKeyNameHere.pem

You must have two certificate files for each secure connection: one for the public SSL certificate and one for the private key belonging to the certificate. Specify the location of the public SSL certificate in the cert property. Specify the location of the private key in the key property. The server sends the public SSL certificate to clients. The private key remains on the server.

4 Open the custom.ini file located in the root installation directory (c:\connect, by default) and save a backup copy to another location.
5 Insert the following code in the custom.ini file without replacing or deleting any existing text:

    ADMIN_PROTOCOL=https://
    SSL_ONLY=yes

Note: The custom.ini file is case sensitive. Use capital letters for parameter names and lowercase letters for values.

6 Save the custom.ini file.
7 Open /appserv/conf/server.xml and uncomment the following section:

    <Connector port="8443" protocol="HTTP/1.1" executor="httpsthreadpool"
               enableLookups="false" acceptCount="250" connectionTimeout="20000"
               SSLEnabled="false" scheme="https" secure="true" proxyPort="443"
               URIEncoding="utf-8"/>

8 Restart Adobe Connect Server:
   a) Choose Start > Programs > Adobe Connect Server > Stop Adobe Connect Application Server.
   b) Choose Start > Programs > Adobe Connect Server > Start Adobe Connect Application Server.
   c) Start stunnel.exe from [root_install_directory]\stunnel
9 Open the Application Management Console (http://localhost:8510/console or Start > Programs > Adobe Connect Server > Configure Connect Server).
10 On the Application Settings screen, select Server Settings and do the following:
   a) Enter the fully qualified domain name for your Adobe Connect account in the Connect Host box. This is the domain name end users use to connect to Adobe Connect.

Secure the meeting server (RTMP) only

1 Locate your installation media for Adobe Connect 9 and browse to \Connect\9.0.0.1\Merge_Modules\stunnel-4.53.zip
2 Extract the stunnel-4.5.3.zip file to a new folder named stunnel under your Adobe Connect installation folder, as follows: [root_install_dir]\stunnel
3 Under the newly-created stunnel folder, open stunnel.conf and replace the following code (replace the code in italic with your own values):

    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslversion = all
    fips = no
    ; Some performance tunings
    socket = l:tcp_nodelay=1
    socket = r:tcp_nodelay=1
    TIMEOUTclose=0
    options = DONT_INSERT_EMPTY_FRAGMENTS

    [rtmps vip]
    ; incoming vip for fms (This is to secure Meeting)
    ; IP address that resolves to meeting FQDN
    accept = 123.123.123.2:443
    ; When stunnel is on the same box, simply leave the below IP address as 127.0.0.1
    ; Send unencrypted request to 1935
    connect = 127.0.0.1:1935
    ; Certificate information for Connect Meetings.
    cert = MeetingServer CertificateNameHere.pem
    key = Meeting Server CertificateKeyNameHere.pem

You must have two certificate files for each secure connection: one for the public SSL certificate and one for the private key belonging to the certificate. Specify the location of the public SSL certificate in the cert property. Specify the location of the private key in the key property. The server sends the public SSL certificate to clients. The private key remains on the server.

4 Open the custom.ini file located in the root installation directory (c:\connect, by default) and save a backup copy to another location.
5 Insert the following code in the custom.ini file without replacing or deleting any existing text:

    RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/

Note: The custom.ini file is case sensitive. Use capital letters for parameter names and lowercase letters for values.

6 Save the custom.ini file.
7 Restart Adobe Connect Server:
   a) Choose Start > Programs > Adobe Connect Server > Stop Adobe Connect Meeting Server
   b) Choose Start > Programs > Adobe Connect Server > Start Adobe Connect Meeting Server
   c) Start stunnel.exe from [root_install_directory]\stunnel
8 Open the Application Management Console (http://localhost:8510/console or Start > Programs > Adobe Connect Server > Configure Connect Server).
9 On the Application Settings screen, select Server Settings and do the following:
   a) Enter the fully qualified domain name for your Adobe Connect account in the Connect Host box. This is the domain name end users use to connect to Adobe Connect.
   b) Enter the fully qualified domain name for the Connect meeting server in the Host Mappings External Name box. The server uses this value internally.

Secure communications for the Adobe Connect Edge Server

This section describes how to configure software SSL with the optional Adobe Connect Edge Server product. It assumes that you have already configured your Adobe Connect server for SSL. It also assumes that you have purchased and installed the Adobe Connect Edge Server product and are now prepared to secure it with software SSL.

The supported Adobe Connect software SSL solution, STunnel, does not come packaged as part of the Adobe Connect Edge Server installer. First you will need to get a copy of the supported version of STunnel and install it on the server which hosts your Edge Server.

1 Locate your installation media for Adobe Connect 9 and browse to \Connect\9.0.0.1\Merge_Modules\stunnel-4.53.zip
2 Extract the stunnel-4.5.3.zip file to a new folder named stunnel under your Adobe Connect installation folder, as follows: [root_install_dir]\stunnel
3 Under the newly-created stunnel folder, open stunnel.conf and replace the following code (replace the code in italic with your own values):

    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslversion = all
    ; Some performance tunings
    socket = l:tcp_nodelay=1
    socket = r:tcp_nodelay=1
    TIMEOUTclose=0
    options = DONT_INSERT_EMPTY_FRAGMENTS

    [https vip]
    ; incoming vip for https (This is to secure Web)
    ; ip address that resolves to the ConnectProHost (Web App FQDN).
    ; listens on port 443
    accept = 123.123.123.1:443
    ; When stunnel is on the same box, leave the below IP address as 127.0.0.1
    ; send the unencrypted request to port 8443
    connect = 127.0.0.1:8443
    ; Certificate information for Connect.
    cert = AppServer CertificateNameHere.pem
    key = AppServer CertificateKeyNameHere.pem

    [rtmps vip]
    ; incoming vip for fms (This is to secure Meeting)
    ; IP address that resolves to meeting FQDN
    accept = 123.123.123.2:443
    ; When stunnel is on the same box, leave the IP address as 127.0.0.1
    ; Send unencrypted request to 1935
    connect = 127.0.0.1:1935
    ; Certificate information for Connect Meetings.
    cert = Meeting Server CertificateNameHere.pem
    key = Meeting Server CertificateKeyNameHere.pem

You must have two certificate files for each secure connection: one for the public SSL certificate and one for the private key belonging to the certificate. Specify the location of the public SSL certificate in the cert property. Specify the location of the private key in the key property. The server sends the public SSL certificate to clients. The private key remains on the server.

4 Change the DNS entry you are using to redirect Connect traffic to the Edge server to use the IP address of the https vip from the STunnel configuration file.
5 Open the custom.ini file located in the Adobe Connect root installation directory (c:\connect, by default) and save a backup copy to another location.
6 Configure the edge server to point to your main Connect server by inserting the following code in the custom.ini file:

    FCS_EDGE_REGISTER_HOST=connect.yourdomain.com:8443
    FCS.HTTPCACHE_BREEZE_SERVER_SECURE_PORT=connect.yourdomain.com:443

Note: The custom.ini file is case sensitive. Use capital letters for parameter names and lowercase letters for values.

7 Save the custom.ini file.
8 Open breeze\edgeserver\win32\conf\httpcache.xml. Edit the HostName tag and enter the FQDN for the FMS VIP of the Edge Server:

    <HostName>edge-fms.yourdomain.com</HostName>

9 Restart Adobe Connect Edge Server:
   a) Choose Start > Programs > Adobe Connect Edge Server > Stop Connect Edge Server.
   b) Choose Start > Programs > Adobe Connect Edge Server > Start Connect Edge Server.
10 Restart the STunnel service.
11 Go to your Adobe Connect server and open the Application Management Console (http://localhost:8510/console or Start > Programs > Adobe Connect Server > Configure Connect Server).
12 On the Application Settings screen, select Server Settings and verify that your edge server now appears listed under the Host Mappings heading.

Test the configuration

1 If you secured the application server, log in to Adobe Connect Central. You see a lock in your browser.
2 If you secured the meeting server, enter an Adobe Connect meeting room. You see a lock in the connection light.
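
The lock icon shows that a handshake succeeded, not what was negotiated or how long the certificate remains valid. As an added example (not part of Adobe's documentation), this Python script handshakes with each secured FQDN on port 443 and reports the protocol version plus certificate findings, and its covers() helper shows which hosts a wildcard certificate such as *.yourcompany.com actually covers. The host names are the page's own examples; the function names, the constructed certificate data and the 30-day renewal window are assumptions.

```python
import socket
import ssl
import time

# FQDNs are the page's own examples; replace them with your DNS names.
SERVICES = {"connect.yourcompany.com": "application server (HTTPS)",
            "fms.yourcompany.com": "meeting server (RTMPS)"}
# Constructed certificate data in getpeercert() form, for an offline check.
WILDCARD = {"subjectAltName": (("DNS", "*.yourcompany.com"),),
            "notAfter": "Jan  1 00:00:00 2030 GMT"}

def covers(pattern, host):
    """True if a certificate DNS name covers host; '*' stands for one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def check_cert(cert, host, now=None, warn_days=30):
    """Check a dict shaped like SSLSocket.getpeercert() for one service FQDN."""
    now = time.time() if now is None else now
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    findings = []
    if not any(covers(name, host) for name in names):
        findings.append(f"{host}: not covered by {names}")
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < warn_days:
        findings.append(f"{host}: certificate expires in {days_left} days")
    return findings

def probe(host, port=443, timeout=5):
    """TLS handshake with the stunnel listener; raises ssl.SSLError when the chain,
    host name or offered protocol versions are rejected by the local TLS library."""
    context = ssl.create_default_context()  # verifies chain, validity dates and host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), check_cert(tls.getpeercert(), host)

if __name__ == "__main__":
    for fqdn, role in SERVICES.items():
        print(role, fqdn, "offline check:", check_cert(WILDCARD, fqdn))
        try:
            print(role, fqdn, *probe(fqdn))
        except OSError as exc:  # ssl.SSLError and connection errors
            print(role, fqdn, "FAILED:", exc)
```

Both services can be probed the same way because stunnel terminates TLS on port 443 for the RTMPS listener as well as the HTTPS one.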
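
An added example, not Adobe's tooling: a small Python linter for the stunnel.conf layouts used in the procedures on this page. It flags a service section without all four of accept, connect, cert and key, two services sharing one accept address (the page requires a separate IP address per service), a connect target that is not on 127.0.0.1, and an sslversion that is not pinned to TLSv1, the newest protocol the file's own comment lists (SSLv2 and SSLv3 are obsolete). The sample file, its certificate file names and the function names are constructed for illustration.

```python
import re

# Constructed sample: the page's two-service layout with three deliberate mistakes.
SAMPLE = """\
sslversion = all
[https vip]
accept = 123.123.123.1:443
connect = 127.0.0.1:8443
cert = app-cert.pem
key = app-key.pem
[rtmps vip]
accept = 123.123.123.1:443
connect = 127.0.0.1:1935
cert = meeting-cert.pem
"""

def parse(text):
    """Split stunnel.conf text into global options and per-service options."""
    glob, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = services.setdefault(header.group(1), {})
            continue
        key, _, value = line.partition("=")
        (glob if current is None else current)[key.strip().lower()] = value.strip()
    return glob, services

def lint(text):
    """Return findings where the file departs from the page's requirements."""
    glob, services = parse(text)
    findings, listeners = [], {}
    if not glob.get("sslversion", "").lower().startswith("tlsv1"):
        findings.append("global: sslversion is not pinned to TLSv1")
    for name, opts in services.items():
        findings += [f"[{name}]: {k} is missing"
                     for k in ("accept", "connect", "cert", "key") if k not in opts]
        accept = opts.get("accept")
        if accept and listeners.setdefault(accept, name) != name:
            findings.append(f"[{name}]: accept {accept} already used by [{listeners[accept]}]")
        if not opts.get("connect", "127.0.0.1:").startswith("127.0.0.1:"):
            findings.append(f"[{name}]: connect target is not on this host")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

To check a real deployment, pass the text of [root_install_dir]\stunnel\stunnel.conf to lint() before starting stunnel.exe.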