<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<document xmlns="http://maven.apache.org/XDOC/2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd">
<properties>
<title>Using OpenMeetings with RTMPS and HTTPS</title>
<author email="dev@openmeetings.apache.org">Apache OpenMeetings Team</author>
</properties>
<body>
<section name="Using OpenMeetings with RTMPS and HTTPS">
<p>There are 3 ways the client communicates with the server: </p>
<ul>
<li>The flash-client uses RTMP protocol to transfer Audio/Video and
to send and receive the user data (login et cetera) to the server
and back
</li>
<li>The browser uses HTTP protocol to load the SWF and to upload and
download the files (documents, pdfs, images) to the server and
back.
</li>
<li>The screensharing client uses RTMP protocol to transfer screen
data and remote control to the server and back
</li>
</ul>
</section>
<section name="Prerequisites">
<ul>
<li>You need OpenMeetings 1.9.x or later for this; OpenMeetings 1.8.x does not have these options.</li>
<li>Install OpenMeetings according to the install instructions and check that it runs without problems</li>
<li>Rename the existing keystore file <tt>red5/conf/keystore.jmx</tt> to <tt>red5/conf/keystore.bak</tt></li>
<li>Rename the existing truststore file <tt>red5/conf/truststore.jmx</tt> to <tt>red5/conf/truststore.bak</tt></li>
</ul>
</section>
<section name="Create Keystore from the scratch (*)">
<ol>
<li>
Create a new keystore and key. Use the same password for the keystore and the key: Red5 is configured with a single password (<tt>rtmps.keystorepass</tt>) and uses it for both.<br/>
<br/><source><![CDATA[
keytool -keysize 2048 -genkey -alias red5 -keyalg RSA -keystore red5/conf/keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: <your hostname as clients will connect to it, e.g. demo.openmeetings.de>
What is the name of your organizational unit?
[Unknown]: Dev
What is the name of your organization?
[Unknown]: OpenMeetings
What is the name of your City or Locality?
[Unknown]: Henderson
What is the name of your State or Province?
[Unknown]: Nevada
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=demo.openmeetings.de, OU=Dev, O=OpenMeetings, L=Henderson, ST=Nevada, C=US correct?
[no]: yes
Enter key password for <red5>
]]></source>
</li>
<li>Generate a CSR: <source><![CDATA[keytool -certreq -keyalg RSA -alias red5 -file red5.csr -keystore red5/conf/keystore]]></source>
</li>
<li>Submit CSR to your CA of choice and receive a signed certificate
</li>
<li>Import your chosen CA's root certificate into the keystore (may
need to download it from their site - make sure to get the root CA and
not the intermediate one):
<source><![CDATA[keytool -import -alias root -keystore red5/conf/keystore -trustcacerts -file root.crt]]></source>
(note: you may receive a warning that the certificate already exists in the system wide keystore - import
anyway)
</li>
<li>Import the intermediate certificate(s) you normally receive with
the certificate:
<source><![CDATA[keytool -import -alias intermed -keystore red5/conf/keystore -trustcacerts -file intermediate.crt]]></source>
</li>
<li>Import the certificate you received, using the same alias as the key so that keytool attaches it (together with the CA certificates imported above) to that key:
<source><![CDATA[keytool -import -alias red5 -keystore red5/conf/keystore -trustcacerts -file demo.openmeetings.de.crt]]></source>
</li>
<li>Please NOTE: the keystore (the server's own key and certificate chain) and the truststore (the CA certificates the server trusts) can be kept as separate files, see <a href="http://javarevisited.blogspot.com/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html">http://javarevisited.blogspot.com/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html</a>.
This is OPTIONAL; you may simply copy the keystore to the truststore.
</li>
<li>Create an additional certificate for the screen-sharing application as described above and
add it to both <tt>red5/conf/keystore.screen</tt> and <tt>red5/conf/keystore</tt>. (This step is required to be able to use the
screen-sharing web application; while testing you can copy the "main" keystore to <tt>keystore.screen</tt> instead.)
</li>
</ol>
</section>
<section name="Create Keystore using existing key-pair (**)">
<p>Prerequisites:</p>
<ul>
<li>Server key: red5.key</li>
<li>Signed certificate returned by the CA for your CSR: red5.crt</li>
<li>CA's root certificate: root.crt</li>
<li>** Intermediate certificate(s): intermedXX.crt</li>
</ul>
<ol>
<li>
Export the existing key and certificate chain into PKCS12 format. <tt>openssl pkcs12</tt> only honours the last <tt>-certfile</tt> option given on the command line, so concatenate the intermediate(s) and the root into one chain file first (intermediates first, root last):<br/>
<br/><source><![CDATA[
cat intermedXX.crt root.crt > chain.crt
openssl pkcs12 -export -in red5.crt -inkey red5.key -out red5.p12 -name red5 -certfile chain.crt
Enter Export Password: password
Verifying - Enter Export Password: password
]]></source>
</li>
<li>Import the resulting red5.p12 into the keystore. <tt>keytool -importkeystore</tt> takes <tt>-srcalias</tt>/<tt>-destalias</tt> rather than <tt>-alias</tt>; the PKCS12 password becomes both the keystore and the key password, which is what Red5 expects: <source><![CDATA[
keytool -importkeystore -srckeystore red5.p12 -srcstoretype PKCS12 -srcstorepass password -srcalias red5 -destkeystore red5/conf/keystore -deststorepass password -destalias red5
]]></source>
Passwords given on the command line end up in the shell history and in the process list; leave the <tt>-srcstorepass</tt> and <tt>-deststorepass</tt> options out and keytool will prompt for them instead.
</li>
<li>Import your chosen CA's root certificate into the keystore (may
need to download it from their site - make sure to get the root CA and
not the intermediate one):
<source><![CDATA[keytool -import -alias root -keystore red5/conf/keystore -trustcacerts -file root.crt]]></source>
(note: you may receive a warning that the certificate already exists in the system wide keystore - import
anyway)
</li>
<li>Import the intermediate certificate(s) you normally receive with
the certificate:
<source><![CDATA[keytool -import -alias intermed -keystore red5/conf/keystore -trustcacerts -file intermedXX.crt]]></source>
</li>
<li>Please NOTE: the keystore (the server's own key and certificate chain) and the truststore (the CA certificates the server trusts) can be kept as separate files, see <a href="http://javarevisited.blogspot.com/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html">http://javarevisited.blogspot.com/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html</a>.
This is OPTIONAL; you may simply copy the keystore to the truststore.
</li>
<li>Create an additional certificate for the screen-sharing application as described above and
add it to both <tt>red5/conf/keystore.screen</tt> and <tt>red5/conf/keystore</tt>. (This step is required to be able to use the
screen-sharing web application; while testing you can copy the "main" keystore to <tt>keystore.screen</tt> instead.)
</li>
</ol>
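<p>The following script is added here as an example; it is not OpenMeetings or Red5 code. It carries the two keystore procedures above through to a verified PKCS12 bundle: it assembles the chain in the order keytool and openssl expect, checks with <tt>openssl verify</tt> that <tt>red5.crt</tt> really chains to <tt>root.crt</tt> through the intermediate before anything is imported, and then confirms that every certificate ended up in <tt>red5.p12</tt>. The function <tt>make_test_pki</tt> generates throw-away test material (a root, one intermediate and a certificate for demo.openmeetings.de) so the script runs offline; with a real key pair you skip it and point <tt>build_chain</tt> and <tt>export_p12</tt> at the directory holding your own <tt>red5.key</tt>, <tt>red5.crt</tt>, <tt>intermedXX.crt</tt> and <tt>root.crt</tt>. The function names, the test CA names and passing the export password through an environment variable are this example's own choices, not something the page or Red5 prescribes.</p>
<source><![CDATA[
```shell
#!/bin/sh
# Added example (not OpenMeetings/Red5 code): build red5.p12 with the full
# certificate chain and verify the chain before it is imported into
# red5/conf/keystore. Requires only openssl; keytool is not needed here.

# Constructed test PKI: self-signed root -> intermediate -> server certificate
# for demo.openmeetings.de (the hostname used on this page). Test material only.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # An intermediate is only accepted as an issuer if it is marked CA:TRUE.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Test Intermediate CA" \
    -keyout "$dir/intermed01.key" -out "$dir/intermed01.csr" 2>/dev/null
  openssl x509 -req -in "$dir/intermed01.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/intermed01.crt" 2>/dev/null
  # Server key and CSR (the page's red5.key / red5.csr), signed by the intermediate.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.openmeetings.de\n' \
    > "$dir/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=demo.openmeetings.de" \
    -keyout "$dir/red5.key" -out "$dir/red5.csr" 2>/dev/null
  openssl x509 -req -in "$dir/red5.csr" -CA "$dir/intermed01.crt" -CAkey "$dir/intermed01.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$dir/server.ext" -out "$dir/red5.crt" 2>/dev/null
}

# Concatenate the chain in the expected order: intermediate(s) first, root last.
# The leaf (red5.crt) is handed to openssl separately and is not part of chain.crt.
# Fails if red5.crt does not chain to root.crt, so nothing broken gets imported.
build_chain() {
  dir="$1"
  cat "$dir"/intermed*.crt "$dir/root.crt" > "$dir/chain.crt"
  openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/chain.crt" "$dir/red5.crt" >/dev/null
}

# Export key + leaf + chain into one PKCS12 bundle. openssl pkcs12 only honours
# the last -certfile option, which is why the chain is one concatenated file.
# The password is passed via the environment rather than on the command line,
# so it does not show up in the process list or shell history.
export_p12() {
  dir="$1"
  P12PASS="$2" openssl pkcs12 -export -in "$dir/red5.crt" -inkey "$dir/red5.key" -name red5 \
    -certfile "$dir/chain.crt" -out "$dir/red5.p12" -passout env:P12PASS
}

# Number of certificates carried by a bundle: leaf + intermediate + root = 3 here.
count_p12_certs() {
  P12PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:P12PASS 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Demo run on the constructed PKI. With real files, skip make_test_pki and call
# build_chain / export_p12 on the directory that holds red5.key, red5.crt,
# intermedXX.crt and root.crt.
main() {
  work=$(mktemp -d)
  make_test_pki "$work"
  build_chain "$work" && echo "chain verified for $work/red5.crt"
  export_p12 "$work" password
  echo "certificates in $work/red5.p12: $(count_p12_certs "$work/red5.p12" password)"
}
if [ "${1:-}" = "demo" ]; then main; fi
```
]]></source>
<p>Run it as <tt>sh build-red5-p12.sh demo</tt> (the file name is arbitrary). Once <tt>red5.p12</tt> reports three certificates, continue with the <tt>keytool -importkeystore</tt> step above; because the bundle already carries the whole chain, the separate root and intermediate imports only add the CA certificates as trusted entries.</p>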
</section>
<section name="SSL for the web interface">
<p>Perform the following steps if you want to serve the web interface over SSL.
This protects the browser session (login, file uploads and downloads) against interception and
tampering on the network; without it, file uploads and downloads use a plain HTTP connection even when
RTMPS is enabled. The following instructions assume that you have already set up
RTMPS successfully. </p>
<ol>
<li>
Edit <tt>red5/conf/jee-container.xml</tt> file:<br/>
Comment <tt>Tomcat without SSL enabled</tt> section<br/>
UNComment <tt>Tomcat with SSL enabled</tt> section
</li>
<li>
Edit <tt>red5/webapps/openmeetings/public/config.xml</tt> and set
<br/><source><![CDATA[
<protocol>https</protocol>
<red5httpport>5443</red5httpport>
]]></source>
</li>
<li>
Restart red5 and connect to
<u>https://your.server:5443</u> - you should be redirected to the OpenMeetings
app and all access should now go via HTTPS and/or RTMPS. Block port 5080 in the firewall to be sure
that nothing can still reach the server over plain HTTP.
</li>
</ol>
</section>
<section name="Set up RTMPS">
<h3>Tunneling RTMPS</h3>
<ol>
<li>HTTPS needs to be enabled, otherwise tunneling will not work (it can also be provided by a frontend nginx/apache)</li>
<li>
Edit <tt>red5/webapps/openmeetings/public/config.xml</tt> and set<br/>
<br/><source><![CDATA[
<rtmpsslport>5443</rtmpsslport>
<useSSL>yes</useSSL>
<proxyType>none</proxyType>
]]></source>
</li>
<li>Please NOTE <tt>rtmpsslport</tt> port set in <tt>red5/webapps/openmeetings/public/config.xml</tt> should match
<tt>https</tt> port set in <tt>red5/conf/red5.properties</tt>
</li>
<li>Restart red5 and try to connect - your connection should now be made via RTMPS. Block port 1935 in the firewall to be sure
that no client can fall back to unencrypted RTMP.
</li>
</ol>
<h3>Native RTMPS</h3>
<ol>
<li> The default RTMPS port is 8443; you can change it by editing <tt>red5/conf/red5.properties</tt>: <tt>rtmps.port=8443</tt><br/>
Set <tt>rtmps.keystorepass=password</tt> and <tt>rtmps.truststorepass=password</tt>
(password = the password you set on your new keystore(s))<br/>
Additionally set <tt>rtmps.screen.keystorepass=screenpassword</tt> (screenpassword = the password you set on the keystore for the screen-sharing application)<br/>
These passwords are stored in clear text, so make <tt>red5/conf</tt> readable only by the user Red5 runs as.
</li>
<li>
Edit <tt>red5/conf/red5-core.xml</tt> file:<br/>
UNComment <tt>RTMPS</tt> section
</li>
<li>
Edit <tt>red5/webapps/openmeetings/public/config.xml</tt> and set<br/>
<br/><source><![CDATA[
<rtmpsslport>8443</rtmpsslport>
<useSSL>yes</useSSL>
<proxyType>best</proxyType>
]]></source>
</li>
<li>Please NOTE <tt>rtmps</tt> port set in <tt>red5/conf/red5.properties</tt> should be in sync with the <tt>rtmpsslport</tt> set in
<tt>red5/webapps/openmeetings/public/config.xml</tt>
</li>
<li>Restart red5 and try to connect - your connection should now be made via RTMPS. Block port 1935 in the firewall to be sure
that no client can fall back to unencrypted RTMP.
</li>
</ol>
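<p>The "SSL for the web interface" and "Set up RTMPS" procedures both hinge on two files agreeing with each other: <tt>red5httpport</tt> and <tt>rtmpsslport</tt> in <tt>config.xml</tt> must match the connector ports in <tt>red5.properties</tt>, and which Red5 port <tt>rtmpsslport</tt> must match depends on whether you chose tunneled (<tt>proxyType</tt> none, port of the HTTPS connector) or native (<tt>proxyType</tt> best, <tt>rtmps.port</tt>) RTMPS. The script below is an added example, not part of OpenMeetings, that performs that cross-check before you restart red5. It assumes the property names <tt>https.port</tt> and <tt>rtmps.port</tt> in <tt>red5.properties</tt> and a <tt>&lt;config&gt;</tt> root element for the sample <tt>config.xml</tt>; the two sample files are constructed here so the check runs offline.</p>
<source><![CDATA[
```shell
#!/bin/sh
# Added example (not OpenMeetings code): check that the ports in
# red5/webapps/openmeetings/public/config.xml agree with red5/conf/red5.properties.
# Assumptions: property keys https.port / rtmps.port, <config> root in config.xml.

# xml_value FILE TAG: text of the first <TAG>...</TAG> in FILE (empty if absent).
xml_value() {
  sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1" | head -n 1
}

# prop_value FILE KEY: value of "KEY=value" in a Java properties file.
prop_value() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s|^[[:space:]]*$key[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# check_config CONFIG PROPS: return 0 when HTTPS and RTMPS settings are consistent,
# otherwise print every disagreement and return 1.
check_config() {
  config="$1"; props="$2"; rc=0
  # Web interface: with <protocol>https</protocol>, <red5httpport> must be the HTTPS connector.
  if [ "$(xml_value "$config" protocol)" = "https" ]; then
    httpport=$(xml_value "$config" red5httpport)
    httpsport=$(prop_value "$props" https.port)
    if [ "$httpport" != "$httpsport" ]; then
      echo "red5httpport=$httpport in config.xml but https.port=${httpsport:-unset}"; rc=1
    fi
  else
    echo "protocol is not https: uploads and downloads will use plain HTTP"; rc=1
  fi
  # RTMPS must be switched on, or the client silently uses plain RTMP on 1935.
  if [ "$(xml_value "$config" useSSL)" != "yes" ]; then
    echo "useSSL is not yes: client will connect via plain RTMP"; rc=1
  fi
  # Which Red5 port <rtmpsslport> must match depends on the mode this page describes.
  sslport=$(xml_value "$config" rtmpsslport)
  case "$(xml_value "$config" proxyType)" in
    none) key=https.port ;;   # tunneled RTMPS rides on the HTTPS connector
    best) key=rtmps.port ;;   # native RTMPS uses Red5's own RTMPS connector
    *) echo "unexpected proxyType in $config"; return 1 ;;
  esac
  expected=$(prop_value "$props" "$key")
  if [ -z "$expected" ] || [ "$sslport" != "$expected" ]; then
    echo "rtmpsslport=$sslport in config.xml but $key=${expected:-unset}"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "ok: $config agrees with $props"
  return "$rc"
}

# Constructed samples: the native-RTMPS setup as this page describes it
# (protocol https, red5httpport 5443, rtmpsslport 8443, proxyType best).
write_samples() {
  dir="$1"
  cat > "$dir/config.xml" <<'EOF'
<config>
  <protocol>https</protocol>
  <red5httpport>5443</red5httpport>
  <rtmpsslport>8443</rtmpsslport>
  <useSSL>yes</useSSL>
  <proxyType>best</proxyType>
</config>
EOF
  cat > "$dir/red5.properties" <<'EOF'
http.port=5080
https.port=5443
rtmp.port=1935
rtmps.port=8443
rtmps.keystorepass=password
EOF
}

# Demo on the samples; on a real install run:
#   check_config red5/webapps/openmeetings/public/config.xml red5/conf/red5.properties
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  write_samples "$d"
  check_config "$d/config.xml" "$d/red5.properties"
fi
```
]]></source>
<p>A non-zero exit means at least one of the pairs disagrees and the client will either fail to connect or, worse, connect over plain HTTP/RTMP; run the check after every edit of either file and before reopening the firewall.</p>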
</section>
<section name="Credits">
<p>Credits go to Nexus and Holger Rabbach for their help,
contribution and configuration documentation! </p>
</section>
</body>
</document>