Running OpenSSL with NLB-clustered Connect Pro Server
Frank S. DeRienzo & Nick Calenda, Adobe Systems
April 2009
Expertise Level: Administrator
This article is intended as a supplement to the Clustering Connect Pro Servers with Microsoft Network Load Balancing tutorial and the Network Load Balancing (NLB) documentation provided by Microsoft; this article is not exhaustive and does not serve as a replacement for NLB documentation. For details on NLB see Windows Server 2003 Network Load Balancing (NLB) Technical Library. This article is also a supplement to the Migrating, Installing, and Configuring Adobe Acrobat Connect Pro Server 7 documentation and as such does not provide all the information needed to fully install and configure a Connect Pro Server. This article also assumes that you will run each of your Connect Pro applications, including Adobe Presenter, Connect Pro Meeting, Connect Pro Training, and Connect Pro Events, using the built-in OpenSSL option.
Requirements
Prerequisite knowledge: Basic networking skills, familiarity with OpenSSL and the Windows Server IP stack and NLB, skill with DNS name resolution, masochistic tendencies disguised under a veneer of congeniality.
Table of contents
Placing SSL certificates on each Connect Pro Server
Editing the custom.ini file on each Connect Pro server
Editing the Adaptor.xml file on each Connect Pro server
Editing the vhosts file on each Connect Pro server
Testing Connect Pro Server with NLB and OpenSSL
Optional Step
Placing SSL certificates on each Connect Pro Server
The configuration of NLB is described in the Clustering Connect Pro Servers with Microsoft Network Load Balancing tutorial. This article serves as an appendix or part two to the article on NLB. If you do not want to set up a cluster, but only want to set up a single Connect Pro server with OpenSSL, then ignore the NLB portion of the article and use a single server with a single network interface card (or with two on the same subnet) and two IP addresses: one for your Connect Pro Server and one for your Connect Pro Meeting server. Figure 1 illustrates a single server configuration that corresponds with the clustered OpenSSL/NLB example used in the article. The FQDNs in red require SSL certificates.

Figure 1. Single server names
To use this article as a guide to configure OpenSSL on a single server without NLB, simply follow these instructions for one of the servers instead of both, and wherever the shared NLB FQDN (connect.enterprisecluster.com) is referenced, treat it as the FQDN of the single server.
Following the example in Clustering Connect Pro Servers with Microsoft Network Load Balancing, we will begin in our lab environment where you will gain familiarity with the clustered OpenSSL configuration. Table 1 lists the relevant DNS or host file entries.
Table 1. Host file entries
| IP | Host |
| --- | --- |
| 10.10.10.1 | criseyde.enterprisecluster.com |
| 10.10.10.4 | troilus.enterprisecluster.com |
| 10.10.10.2 | connectappc.enterprisecluster.com |
| 10.10.10.5 | connectappt.enterprisecluster.com |
| 10.10.10.3 | connectprofc.enterprisecluster.com |
| 10.10.10.6 | connectproft.enterprisecluster.com |
| 10.10.10.7 | connect.enterprisecluster.com |
Note: The FQDNs in red require SSL certificates.

Figure 2. OpenSSL Connect Pro Server NLB-NIC configuration
Of the FQDNs listed in Table 1, you will need SSL certificates for the last three: one SSL certificate for each Connect Pro server and an SSL certificate for the shared host name that maps to the shared NLB IP address. Even though you are beginning in a lab environment, you will want to run your tests with valid SSL certificates. If you generate your own internal test certificates locally, you will need to install a client-side certificate into the browser of test clients so that they recognize and trust the internal certificates. This could generate faulty results as many different browsers negotiate the public certificates differently; Adobe recommends testing the production configuration with public certificates for more accurate results.
Copy the certificates to the root Connect Pro installation directory of each Connect Pro server (our example uses c:\connect\). Since the FQDN connect.enterprisecluster.com is shared via NLB, you will want to place that certificate on each server. When creating the certificates you may wish to give them file names that are easily recognized by making the names correspond to their appropriate FQDNs. Beware when naming the certificate (PEM) files: you must not use characters that will prevent the Adaptor.xml file from parsing the certificate. For example, the filename connectprofc-enterprisecluster.pem will work but the filename connectprofc_enterprisecluster.pem will not work; the underscore will affect the Adaptor.xml file.
Be careful when generating requests for the certificates; both the private key files and the public certificates are needed, as the Adaptor.xml file on the Connect Pro server(s) will point to both. In our example, each PEM file contains both the private key and the public certificate.
Copy connectprofc-enterprisecluster.pem and connect-enterprisecluster.pem to the Connect installation directory on the server with the administrative name criseyde.enterprisecluster.com. Copy connectproft-enterprisecluster.pem and connect-enterprisecluster.pem to the Connect installation directory on the server with the administrative name troilus.enterprisecluster.com.
Editing the custom.ini file on each Connect Pro server
The custom.ini file on each server must have the following entries added to enable SSL for all Connect Pro applications running on Connect Pro Server:
#Beginning of SSL CONFIG
HTTPS_PORT=8443
ADMIN_PROTOCOL=https://
SSL_ONLY=yes
RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/
# End of SSL configuration
After adding these lines to each custom.ini file, be certain to save the custom.ini files. If you have not already, now is a good time to stop the Connect Services on each server; be sure to include the FMS service (see Figure 3).

Figure 3. Connect Pro Service
Stop the Connect Enterprise service first, and then stop the Flash Media Server service last. Stopping the Flash Media Server service first may cause the Connect Enterprise Service to hang.
Editing the Adaptor.xml file on each Connect Pro server
You must edit the Adaptor.xml file; prior to editing this file, make a backup copy of it. You may simply use Notepad to edit the Adaptor.xml file, and you may cut and paste the text from this article into your Adaptor.xml files. The server-specific portions of each entry are highlighted in red. You will notice that each name in red corresponds to the appropriate certificate file for Connect Pro FQDNs. Go to:
\connect\comserv\win32\conf\_defaultRoot_\Adaptor.xml
Add the following lines to the Adaptor.xml file near the beginning of the file after the <Adaptor> tag on the server with the administrative FQDN criseyde.enterprisecluster.com:
<SSL>
  <Edge name="meeting">
    <SSLServerCtx>
      <SSLCertificateFile>c:\connect\connectprofc-enterprisecluster.pem</SSLCertificateFile>
      <SSLCertificateKeyFile type="PEM">c:\connect\connectprofc-enterprisecluster.pem</SSLCertificateKeyFile>
      <SSLPassPhrase>tigerc</SSLPassPhrase>
      <SSLCipherSuite>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</SSLCipherSuite>
      <SSLSessionTimeout>5</SSLSessionTimeout>
    </SSLServerCtx>
  </Edge>
  <Edge name="webapp">
    <SSLServerCtx>
      <SSLCertificateFile>c:\connect\connect-enterprisecluster.pem</SSLCertificateFile>
      <SSLCertificateKeyFile type="PEM">c:\connect\connect-enterprisecluster.pem</SSLCertificateKeyFile>
      <SSLPassPhrase>tiger</SSLPassPhrase>
      <SSLCipherSuite>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</SSLCipherSuite>
      <SSLSessionTimeout>5</SSLSessionTimeout>
    </SSLServerCtx>
  </Edge>
</SSL>
Similarly, on the server with the administrative FQDN troilus.enterprisecluster.com, add the following lines to the Adaptor.xml file near the beginning of the file after the <Adaptor> tag:
<SSL>
  <Edge name="meeting">
    <SSLServerCtx>
      <SSLCertificateFile>c:\connect\connectproft-enterprisecluster.pem</SSLCertificateFile>
      <SSLCertificateKeyFile type="PEM">c:\connect\connectproft-enterprisecluster.pem</SSLCertificateKeyFile>
      <SSLPassPhrase>tigert</SSLPassPhrase>
      <SSLCipherSuite>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</SSLCipherSuite>
      <SSLSessionTimeout>5</SSLSessionTimeout>
    </SSLServerCtx>
  </Edge>
  <Edge name="webapp">
    <SSLServerCtx>
      <SSLCertificateFile>c:\connect\connect-enterprisecluster.pem</SSLCertificateFile>
      <SSLCertificateKeyFile type="PEM">c:\connect\connect-enterprisecluster.pem</SSLCertificateKeyFile>
      <SSLPassPhrase>tiger</SSLPassPhrase>
      <SSLCipherSuite>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</SSLCipherSuite>
      <SSLSessionTimeout>5</SSLSessionTimeout>
    </SSLServerCtx>
  </Edge>
</SSL>
On each of the two servers, delete the following line from the Adaptor.xml file:
<HostPort name="edge1">${DEFAULT_FCS_HOSTPORT}</HostPort>
In place of what you just deleted, add the following lines on the server with the administrative FQDN criseyde.enterprisecluster.com:
<HostPort name="meeting" ctl_channel=":19350">10.10.10.3:-443</HostPort>
<HostPort name="webapp" ctl_channel=":19351">10.10.10.7:-443</HostPort>
Add the following lines on the server with the administrative FQDN troilus.enterprisecluster.com:
<HostPort name="meeting" ctl_channel=":19350">10.10.10.6:-443</HostPort>
<HostPort name="webapp" ctl_channel=":19351">10.10.10.7:-443</HostPort>
Note: You have designated the Connect Pro Meeting IP address for connectproft.enterprisecluster.com and the shared NLB address for connect.enterprisecluster.com. The latter is the only URL that the end users will actually see in the browser.
Editing the vhosts file on each Connect Pro server
Make a backup copy of the vhosts file in the following location; be careful to edit the correct vhosts file; there are three of them and you only want to edit the one in the remote directory:
\connect\comserv\win32\conf\_defaultRoot_\remote\Vhost.xml
Remove this line:
<RouteEntry></RouteEntry>
Replace it with this line:
<RouteEntry protocol="rtmp">*:*;*:${ORIGIN_PORT}</RouteEntry>
Note: If you are only setting up a single server and not a cluster, then you could use this line incorporating the loopback address instead:
<RouteEntry protocol="rtmp">*:*;127.0.0.1:${ORIGIN_PORT}</RouteEntry>
Check both the Adaptor.xml and the Vhost.xml files by opening them in a browser; fix any configuration errors that the browser reveals.
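Opening the file in a browser only catches malformed XML. The following Python check is an added example, not part of the original article or of Adobe's tooling; it also tests the Adaptor.xml rules this article states: no underscore in PEM file names, the default edge1 HostPort removed, and a HostPort in the :-443 form for every Edge. The names lint_adaptor and SAMPLE are hypothetical, and SAMPLE is a constructed fragment with deliberate mistakes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the article's criseyde fragment in a minimal <Adaptor>
# root, with an underscore file name, a leftover edge1 line, and no webapp HostPort.
SAMPLE = r"""<Adaptor>
<SSL>
<Edge name="meeting"><SSLServerCtx>
<SSLCertificateFile>c:\connect\connectprofc_enterprisecluster.pem</SSLCertificateFile>
<SSLCertificateKeyFile type="PEM">c:\connect\connectprofc_enterprisecluster.pem</SSLCertificateKeyFile>
</SSLServerCtx></Edge>
<Edge name="webapp"><SSLServerCtx>
<SSLCertificateFile>c:\connect\connect-enterprisecluster.pem</SSLCertificateFile>
<SSLCertificateKeyFile type="PEM">c:\connect\connect-enterprisecluster.pem</SSLCertificateKeyFile>
</SSLServerCtx></Edge>
</SSL>
<HostPort name="meeting" ctl_channel=":19350">10.10.10.3:-443</HostPort>
<HostPort name="edge1">${DEFAULT_FCS_HOSTPORT}</HostPort>
</Adaptor>"""

def lint_adaptor(xml_text):
    """Return a list of problems found in an Adaptor.xml SSL configuration."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # the same class of error a browser reports
        return [f"not well-formed XML: {exc}"]
    problems = []
    hostports = {hp.get("name"): (hp.text or "").strip()
                 for hp in root.iter("HostPort")}
    if "edge1" in hostports:
        problems.append("default HostPort 'edge1' is still present")
    for edge in root.iter("Edge"):
        name = edge.get("name")
        for tag in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            path = (edge.findtext(f"SSLServerCtx/{tag}") or "").strip()
            if not path:
                problems.append(f"{name}: {tag} is missing")
            elif "_" in re.split(r"[\\/]", path)[-1]:  # check the file name only
                problems.append(f"{name}: {tag} file name contains an underscore")
        if not hostports.get(name, "").endswith(":-443"):
            problems.append(f"{name}: no HostPort ending in :-443")
    return problems
```

To lint a real file, pass its contents, for example lint_adaptor(open(path, encoding="utf-8").read()); an empty list means none of these checks failed.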
Testing Your Connect Pro Server with NLB and OpenSSL
Now it is time to test your OpenSSL/NLB cluster; if you already tested your Connect Pro Server with NLB, now you will test Connect Pro Server with NLB and OpenSSL. At this point you may either start the Connect and FMS services or reboot both Connect Pro servers. If the FMS service fails to start, or starts then terminates, the most likely cause is that something is improperly configured in the Adaptor.xml file. A quick way to troubleshoot the Adaptor.xml file is simply to open it in a browser window and examine any error messages that may appear. A stray space or a simple typo in that file will be problematic. Edit the Adaptor.xml file as needed.
After the Connect Pro services (including FMS) have started and remained running, you will want to test connectivity, file uploading, and failover as follows:
- Log in to connect.enterprisecluster.com from a client, and upload content (JPG is fine) to the Content Library. (You will need author permission.) Make sure it can be viewed.
- Create a meeting room and upload content into the room; make sure it can be viewed. Check for a lock icon in the upper right corner of the meeting room.
- Pull content into the meeting room from the content library, and make sure it can be viewed.
- While in a meeting room, click the Help tab and, holding down the Shift key, scroll to and click About Connect Pro Meeting.
- Determine from the RTMP path whether you are on Troilus or Criseyde; the second named parameter presented in the string shows which platform is hosting the meeting room, while the first server displayed shows the path to the meeting room.
- Shut down the Connect Pro server that is hosting your meeting (Troilus or Criseyde).
If your session goes from green to grey and back to green, you have witnessed the failover of a Connect Pro meeting room. Seamless Connect Pro meeting failover works with NLB if both Connect Pro servers are running when the meeting is initialized; when the server on which a meeting is hosted shuts down, the meeting will be reestablished on the remaining server in a matter of about 10 seconds. In the rare case that only one server is running when a meeting room is opened and subsequently a second server is brought online, if the server hosting the meeting shuts down, the session will have to be reestablished manually.
At this stage you have a cluster of Connect Pro servers running both NLB and OpenSSL. If you followed the model we set out in this article and in Clustering Connect Pro Servers with Microsoft Network Load Balancing, then your cluster is represented by the diagram in Figure 4.

Figure 4. Microsoft NLB and OpenSSL Connect Enterprise clustering test lab
You can gain access to the server settings tab of the application console by selecting Start > Programs > Adobe Acrobat Connect Pro Server 7 > Configure Connect Pro Server 7 (this takes you to port 8510 on the localhost in a browser). You will notice that the server is configured to allow incoming traffic on port 80; this traffic will be redirected to 443. If you wish to restrict all traffic inbound on port 80, change the HTTP Port setting to 8080 under the Server Settings tab.
Optional Step
As an added step, you may want to send out new user account information that contains HTTPS links rather than HTTP links; the Connect Pro Server needs a file edited to generate HTTPS URLs for new users. To change that link, you must go to the en.xml file and carefully edit it after you back up the original. As with the Adaptor.xml and Vhost.xml files, this file is easily corrupted. Make sure you make a backup copy, and make sure that the Connect services are shut off when you open it. It is best to use Dreamweaver to edit this file because you must save it in UTF-8 format. If you save it as a regular ASCII file, you will corrupt it.
Within the en.xml file, you will find the URL parameter; add the letter s after http. The en.xml file is in the following location:
\connect\appserv\apps\lang
The portion to edit is under the heading "To start using your Adobe Acrobat Connect Pro account, use the following link:"
http://{account-url}/common/help/en/support/startmain{if-not:{match:{account-features},Presenter presentation},_live}.htm
Change the link to read https:
https://{account-url}/common/help/en/support/startmain{if-not:{match:{account-features},Presenter presentation},_live}.htm
Where to go from here
As mentioned in the introduction, software-based SSL and software-based load balancing can be combined to provide an inexpensive means of securing a mission-critical application without incurring the expense of purchasing a hardware-based load balancing and SSL termination solution. Watch for future ConnectUsers.com tutorials describing best practice procedures for configuring Connect Pro Edge servers with OpenSSL to secure aggregated traffic to the Connect Pro server(s). In the meantime, enjoy the savings commensurate with employing this software-based solution.
About the authors
Before joining BrightTiger/Allaire/Macromedia/Adobe in June 1997, Frank S. DeRienzo had a distinguished military career with the U.S. Army Rangers and Special Forces. He is a graduate of Gordon College and holds an MBA from the University of Massachusetts. During his tenure with Adobe (and Macromedia before), he has focused on high availability and scalability through website clustering and web server integration with various hardware load-balancing and content-management platforms. Currently he is part of the Adobe Professional Services team, where his primary focus is on Adobe Acrobat Connect Professional Server implementation and training.
Nick Calenda is a senior Product Support Engineer working on the Connect Pro Escalations team at Adobe with over eight years of experience with developing, maintaining, and configuring web-based applications. Nick has been working with ColdFusion for over six years, four years with J2EE applications and four years with Adobe Acrobat Connect Professional (formerly Macromedia Breeze Meeting) and Adobe Acrobat Connect Professional solutions and Adobe Connect Enterprise Server.