Using OpenMeetings with RTMPS and HTTPS
There are 3 ways the client communicates with the server:
- The flash-client uses RTMP protocol to transfer Audio/Video and to send and receive the user data (login et cetera) to the server and back
- The browser uses HTTP protocol to load the SWF and to upload and download the files (documents, pdfs, images) to the server and back.
- The screensharing client uses RTMP protocol to transfer screen data and remote control to the server and back
'Real' certificate
Prerequisites
- You need OpenMeetings 1.9.x or later for this, OpenMeetings 1.8.x does not have those options.
- Install OpenMeetings according to the install instructions and check that it runs without problems
- Rename the existing keystore file
red5/conf/keystore.jmx
tored5/conf/keystore.bak
- Rename the existing truststore file
red5/conf/truststore.jmx
tored5/conf/truststore.bak
Create Keystore from the scratch
- Create a new keystore and key, use the same password for both:
keytool -keysize 2048 -genkey -alias red5 -keyalg RSA -keystore red5/conf/keystore.jks Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: <your hostname, e.g demo.openmeetings.de> What is the name of your organizational unit? [Unknown]: Dev What is the name of your organization? [Unknown]: OpenMeetings What is the name of your City or Locality? [Unknown]: Henderson What is the name of your State or Province? [Unknown]: Nevada What is the two-letter country code for this unit? [Unknown]: US Is CN=demo.openmeetings.de, OU=Dev, O=OpenMeetings, L=Henderson, ST=Nevada, C=US correct? [no]: yes Enter key password for <red5>
- Generate a CSR:
keytool -certreq -keyalg RSA -alias red5 -file red5.csr -keystore red5/conf/keystore.jks
- Submit CSR to your CA of choice and receive a signed certificate
- Import your chosen CA's root certificate into the keystore (may need to download it from their site - make sure to get the root CA and not the intermediate one):
keytool -import -alias root -keystore red5/conf/keystore.jks -trustcacerts -file root.crt
- Import the intermediate certificate(s) you normally receive with the certificate:
keytool -import -alias intermed -keystore red5/conf/keystore.jks -trustcacerts -file intermediate.crt
- Import the certificate you received:
keytool -import -alias red5 -keystore red5/conf/keystore.jks -trustcacerts -file demo.openmeetings.de.crt
- Please NOTE according to this http://javarevisited.blogspot.com/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html guide you can split keystore and truststore (OPTIONAL you might just copy keystore to truststore)
- Create additional certificate as described above. Add this certificate to the following keystores:
red5/conf/keystore.screen
andred5/conf/keystore.jks
. (This step is required to be able to use screen-sharing web application, you can copy "main" keystore while testing)
Create Keystore using existing key-pair
Prerequisites
- Server key: red5.key
- Signed CSR: red5.crt
- CA's root certificate: root.crt
- ** Intermediate certificate(s): intermedXX.crt
Steps
- Export existing keys into PKCS12 format:
openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile root.crt -certfile intermedXX.crt Enter Export Password: password Verifying - Enter Export Password: password
- Import resulting red5.p12 into keystore:
keytool -importkeystore -srcstorepass password -srckeystore red5.p12 -srcstoretype PKCS12 -deststorepass password -destkeystore red5/conf/keystore.jks -alias red5
- Import your chosen CA's root certificate into the keystore (may need to download it from their site - make sure to get the root CA and not the intermediate one):
keytool -import -alias root -keystore red5/conf/keystore.jks -trustcacerts -file root.crt
- Import the intermediate certificate(s) you normally receive with the certificate:
keytool -import -alias intermed -keystore red5/conf/keystore.jks -trustcacerts -file intermedXX.crt
- Please NOTE according to this http://javarevisited.blogspot.com/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html guide you can split keystore and truststore (OPTIONAL you might just copy keystore to truststore)
- Create additional certificate as described above. Add this certificate to the following keystores:
red5/conf/keystore.screen
andred5/conf/keystore.jks
. (This step is required to be able to use screen-sharing web application, you can copy "main" keystore while testing)
Self-signed certificate
Prerequisites
- Create CA's root certificate: ca.crt
- Create self-signed server certificate: red5.crt
Common Name (CN) while creating certificate should be assign to FQDN of your site, for example - vkc.company.com
- Rename the existing keystore file
red5/conf/keystore.jmx
tored5/conf/keystore.bak
- Rename the existing truststore file
red5/conf/truststore.jmx
tored5/conf/truststore.bak
Steps for OM server
- Export existing keys into PKCS12 format:
cd _folder_with_certificates_ openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile ca.crt
- Import resulting red5.p12 into keystore:
keytool -importkeystore -srcstorepass changeit -srckeystore red5.p12 -srcstoretype PKCS12 -deststorepass changeit -destkeystore /opt/red5/conf/keystore.jks -alias red5
- Import your CA's root certificate into the keystore:
keytool -import -alias root -keystore /opt/red5/conf/keystore.jks -keystorepass changeit -trustcacerts -file ca.crt
- copy keystore to truststore
cp /opt/red5/conf/keystore.jks /opt/red5/conf/truststore.jks
- Change passwords in /opt/red5/conf/red5.properties
rtmps.keystorepass=changeit rtmps.truststorepass=changeit jmx.keystorepass=changeit
- Set up SSL according SSL for the web interface section.
- Set up RTMPS according Tunneling RTMPS or Native RTMPS sections.
- Restart OM service or whole OM server. Now OM server is ready to accept SSL-connections.
Steps for client machines
Windows specific steps are marked with (**)
- (**)Add the ca.crt certificate as trusted into the CA's list on all windows PC at the system level (certmgr.msc applet)
- Add the ca.crt certificate as trusted into Chrome/Firefox if it used
- Add the ca.crt certificate into ${JAVA_HOME}/lib/security/cacerts with keytool utility on a PC that organizes screensharing
(**)
For example, Java Version 8 Update 144 has been installed on Windows machine by default location path.
Copy ca.crt to a folder : c:\ca.crt
Start command line interface as administrator:
runas /user:AdminAccount cmd.exe
Enter admin password
Enter to bin directory of java:
cd "c:\Program Files\Java\jre1.8.0_144\bin"
Import ca.crt into keystore:
keytool -import -alias root -keystore ..\lib\security\cacerts -file c:\ca.crt
Enter the password to keystore: changeit
SSL for the web interface
Please perform following steps if you want to use SSL for the web interface. This is mainly to secure the server against MITM attacks, additionally some other features like file uploads also use a plain HTTP connection if this is not done. The following instructions assume that you have already set up RTMPS successfully.
- Edit
red5/conf/jee-container.xml
file:
CommentTomcat without SSL enabled
section
UNCommentTomcat with SSL enabled
section - Restart red5 and try to connect to https://your.server:5443 - you should be redirected to the OpenMeetings app and all access should be via HTTPS and/or RTMPS (close port 5080 to be sure).
Set up RTMPS
Tunneling RTMPS
- HTTPS need to be enabled otherwise tunneling will not work (it can be set up using frontend nginx/apache as well)
- In Administration->Configuration set
flash.secure = true flash.secure.proxy = none
- Restart red5 and try to connect - your connection should now be made via RTMPS (close port 1935 to be sure)
Native RTMPS
- Default RTMPS port is 8443, you can change it by editing
red5/conf/red5.properties
and change the port here:rtmps.port=8443
Please setrtmps.keystorepass=password
andrtmps.truststorepass=password
(password = password you set on your new keystore(s))
Additionally you need to setrtmps.screen.keystorepass=screenpassword
(screenpassword = password you set on your keystore for screen-sharing application) - Edit
red5/conf/red5-core.xml
file:
UNCommentRTMPS
section - In Administration->Configuration set
flash.secure = true flash.secure.proxy = best
- Restart red5 and try to connect - your connection should now be made via RTMPS (close port 1935 to be sure)
Setting up different set of allowed cithers
- Open
conf/jee-container.xml
using your favorite text editor - Go to
"Tomcat with SSL enabled" -> "tomcat.server" -> "connectors" -> "httpsConnector" -> "connectionProperties"
- Add following entry
<entry key="ciphers" value="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA" />
Credits
Thanks to Nexus, Holger Rabbach and Yakovlev Nick for their help and contribution to configuration and documentation!