Adobe Connect User Community

#1 2020-06-12 10:44:50

Farhad

ACTS over SSL problem

Hello,
I've installed 2 Adobe Connect servers, one SQL server and a separate ACTS server. They worked without any problem until I configured SSL for communications. I configured SSL for HTTPS and RTMPS step by step following this guide:
https://blogs.adobe.com/connectsupport/files/2016/04/Connect-SSL-Guide.pdf
After that, HTTPS and RTMPS work without any problem and I can connect to a meeting with the Adobe Connect Client, but when I try to connect to an HTML5 meeting, it is stuck at preparing the room and after some minutes it shows a connection error. I'm sure the cause of this issue is the SSL configuration of the ACTS server. I tried to configure SSL for the ACTS server as in this link:
https://blogs.adobe.com/connectsupport/adobe-connect-10-1-switch-the-default-acts-service-protocol-from-ws-to-wss/
But I have some questions about the certificates that I must use. This document mentions two certificates:
public_certificate_acts-server.pem & private_key_meeting-server.key.pem.
I don't know how to generate these certificates. Please tell me how I can generate this kind of certificate.
Thanks in advance.


#2 2020-06-12 12:15:34

Jorma_at_CoSo

Re: ACTS over SSL problem

You should have generated those certificates for the application and media servers that are now using SSL. The ACTS server just needs a third set of certificates, unless you were using wild card certificates for the other servers.

Since the ACTS servers should be on a unique FQDN, they will need their own SSL certificates and encrypting/decrypting application like Stunnel if you are having the SSL encrypting/decrypting done on the servers.

It's also worth noting you can't have RTMPS and WS or RTMP and WSS. Both the AMS and ACTS servers need to have the same level of security or you will see exactly the behavior that your deployment is showing. More FYI than anything.


#3 2020-06-12 13:26:55

Farhad

Re: ACTS over SSL problem

Thank you, dear Jorma.
I want to test it in my lab. Is it possible to use self-signed certificates?
I've generated certificates for HTTPS and RTMPS separately (for RTMPS SSL I added a second network card and assigned a second IP address). I've installed ACTS on a separate server, it has an FQDN, and I also installed stunnel on it. I replaced stunnel.conf with the configuration mentioned in this link:

https://blogs.adobe.com/connectsupport/adobe-connect-10-1-switch-the-default-acts-service-protocol-from-ws-to-wss/

It seems the ACTS server certificates are different from the other SSL ones (like HTTPS, RTMPS) because it needs the private key of the meeting server, and the two certificates must be in PEM format. Can you tell me how I can create those certificates with the openssl command in Linux?
Best regards and thanks a lot.


#4 2020-06-12 14:26:10

Jorma_at_CoSo

Re: ACTS over SSL problem

Self signed certs should be fine.

The ACTS SSL configuration information isn't different than the AMS (RTMPS) configuration. All require the cert and the key.

In the documents referenced, here are the configurations given for the stunnel.conf file:

Application and Meeting (HTTPS and RTMPS):

; Protocol version (all, SSLv2, SSLv3, TLSv1)
; we want TLS1, TLS1.1 and TLS1.2 active, so set =all and then say "not SSLv2, SSLv3"
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = DONT_INSERT_EMPTY_FRAGMENTS
options = CIPHER_SERVER_PREFERENCE
renegotiation=no
fips = no
;Some performance tunings:
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
TIMEOUTclose=0
; application server SSL / HTTPS
[https-vip]
accept = 10.1.1.1:443
connect = 127.0.0.1:8443
cert = C:\Connect\stunnel\certs\public_certificate_app-server.pem
key = C:\Connect\stunnel\certs\private_key_app-server.key

;configure ciphers as per your requirement and client support.
;this should work for most:
ciphers = TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES
; meeting SSL / RTMPS
[rtmps-vip]
accept = 10.1.1.2:443
connect = 127.0.0.1:1935
cert = C:\Connect\stunnel\certs\public_certificate_meeting-server.pem
key = C:\Connect\stunnel\certs\private_key_meeting-server.key

;configure ciphers as per your requirement and client support.
;this should work for most:
ciphers = TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES

ACTS (WSS):

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
fips = no


; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
TIMEOUTclose=0
options = DONT_INSERT_EMPTY_FRAGMENTS

[acts]
; accept = ACTS IP:443
accept = 10.1.1.3:443

; When stunnel is on the same box, simply leave the below IP address as 127.0.0.1
connect = 127.0.0.1:9002

; Certificate information for Connect Meetings.
; This assumes you put the cert and key in the root folder of stunnel
;cert = CertificateNameHere.pem
;key = CerificateKeyNameHere.pem
cert = C:\Connect\stunnel\certs\public_certificate_acts-server.pem
key = C:\Connect\stunnel\certs\private_key_acts-server.key.pem

; ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
ciphers = ALL:!AECDH:!ADH:!LOW:!EXP:!MD5:@STRENGTH


#5 2020-06-13 03:12:19

Farhad

Re: ACTS over SSL problem

Thanks. My problem is exactly this part of the configuration:
Cert= C:\Connect\stunnel\certs\public_certificate_acts-server.pem
key = C:\Connect\stunnel\certs\private_key_meeting-server.key.pem
I generated a certificate for the ACTS server (example: public key: acts.pem, private key: acts.key.pem) and put it in the Cert variable (C:\Connect\stunnel\certs\acts.pem). Then in the key variable I put my meeting server private key (key = C:\Connect\stunnel\certs\meeting.key.pem), but stunnel cannot start because of a public key and private key mismatch. I don't know how to resolve this issue; I've tried many times but the problem is not resolved.


#6 2020-06-15 11:09:40

Jorma_at_CoSo

Re: ACTS over SSL problem

Ah, I see the typo in Adobe's documentation. I updated my post, as the cert and the key should be for the ACTS server. I'll let Adobe know so they can update the article.


#7 2020-06-17 21:23:20

Farhad

Re: ACTS over SSL problem

Thanks a lot, dear Jorma :) ;)


#8 2020-06-21 13:03:24

Farhad

Re: ACTS over SSL problem

Is it possible to use self-signed SSL for the Adobe Connect components (HTTPS, RTMPS, ACTS)? [I want to deploy it in a lab]
I've done what you said but HTML5 does not open and is stuck on preparing the room.


#9 2020-06-22 11:13:43

Jorma_at_CoSo

Re: ACTS over SSL problem

Yes, you should be able to use a self signed cert. Keep in mind you'll need at least 3 certs or a wildcard cert that covers the FQDNs.


#10 2020-06-22 13:19:46

Farhad

Re: ACTS over SSL problem

Thank you. May I ask you to share with me the openssl command for creating certificates that Adobe Connect accepts?


#11 2020-06-22 15:36:43

Jorma_at_CoSo

Re: ACTS over SSL problem

I believe you can create a self-signed key and certificate with the following command in OpenSSL:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Then answer the questions asked and you should end up with both files. Your CN should be your FQDN or IP for the server.
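
The key mismatch from post #5 and the certificate generation from post #11, as an added example that is not part of the thread: it creates a lab self-signed pair per FQDN, then checks that a certificate and key belong together and that every cert/key pair named in a stunnel.conf matches. The function names, the host name acts.lab.example and the need for OpenSSL 1.1.1 or later are assumptions, and the check must run where the configured paths resolve.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative;
# host names such as acts.lab.example are lab placeholders.

# Lab-only self-signed cert with CN and SAN set to the FQDN.
# usage: make_selfsigned <fqdn> <cert.pem> <key.pem>  (OpenSSL 1.1.1+ for -addext)
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -out "$2" -keyout "$3" 2>/dev/null
}

# True when certificate and private key carry the same public key.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the certificate is valid for the host name clients connect to.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Check the cert/key pair of every [service] section in a stunnel.conf.
# Prints one line per section; returns non-zero if any pair mismatches.
check_stunnel_conf() {
    bad=0
    pairs=$(awk -F'[ \t]*=[ \t]*' '
        { sub(/\r$/, "") }                 # tolerate Windows line endings
        /^[ \t]*;/ { next }                # skip comment lines
        /^\[/      { if (s) print s "|" c "|" k; s = $0; c = ""; k = ""; next }
        tolower($1) == "cert" { c = $2 }
        tolower($1) == "key"  { k = $2 }
        END        { if (s) print s "|" c "|" k }' "$1")
    while IFS='|' read -r sec cert key; do
        [ -n "$sec" ] || continue
        if pair_matches "$cert" "$key"; then
            echo "OK       $sec"
        else
            echo "MISMATCH $sec ($cert / $key)"; bad=1
        fi
    done <<EOF
$pairs
EOF
    return "$bad"
}
```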


#12 2020-06-23 04:30:32

Farhad

Re: ACTS over SSL problem

I've created three certificates and configured stunnel.conf as you said, but when I access an HTML5 session stunnel shows "certificate unknown" and HTML5 is stuck at preparing the room: (Link edited)
https://ibb.co/NNGhnH5


Last edited by Farhad (2020-06-24 00:25:57)


#13 2020-06-23 09:48:09

Jorma_at_CoSo

Re: ACTS over SSL problem

I'd recommend you reach out to Adobe Support directly. You should have a contact path to Platinum Support, being on-premise, but can also leverage your reseller. I believe this is getting to the point that Adobe needs to be involved to help with your deployment.

I can't read your image, it's too small. But my first shot in the dark would be to verify that Stunnel started up and is running.


#14 2020-06-24 00:30:35

Farhad

Re: ACTS over SSL problem

I've uploaded a screenshot with better quality.


#15 2020-08-06 08:43:06

fbconnect

Re: ACTS over SSL problem

Same issue, going on close to 6 months.
Adobe Connect support has been no help, reseller no help.


#16 2020-08-27 09:18:35

Nasser

Re: ACTS over SSL problem

I really enjoyed your posts. I have a question. It might sound silly to you gigs but let me ask.
I have a wildcard SSL.
Do I have to buy two other certificates to have my Adobe Connect server run on HTML5, or does it suffice for the scenario?
BTW,
how many IPs do I need?
I just want to have Adobe Connect 9.8 run from a browser and PC application without installing Adobe Flash.

Last edited by Nasser (2020-08-27 09:19:06)


#17 2020-08-27 15:41:12

Jorma_at_CoSo

Re: ACTS over SSL problem

Nasser,

The point of a wildcard cert is that you can use it on any subdomain on that domain. So if you were to go to Connect 10/11 and add the ACTS servers then you would need new IPs and FQDNs for those servers, but the wildcard cert could be used for SSL on those servers. The number of IPs required would be tied to the number of servers deployed in your solution.

For Connect 9.8, there is no browser solution that isn't Flash. The Connect App has a sandboxed version of Flash that doesn't rely on Flash in the browser. Realistically, the version you'd want to move to if non-Flash, browser-based meetings are important would be Connect 11.


#18 2020-10-10 06:41:19

payman

Re: ACTS over SSL problem

Hi,
I think one thing was missed, if the ACTS server is installed on the same server: changing the ACTS server FQDN.
In the PPS_SERVICE_HOSTS table the ACTS server is specified with type=9. Its external name must be changed to the FQDN defined for the 10.1.1.3 IP.

And if it is on another server then "connect = 127.0.0.1:9002" is not correct.

Last edited by payman1 (2020-10-10 07:32:24)


#19 2021-09-12 00:57:55

hsa

Re: ACTS over SSL problem

Jorma_at_CoSo wrote:

Self signed certs should be fine.

The ACTS SSL configuration information isn't different than the AMS (RTMPS) configuration. All require the cert and the key.

In the documents referenced, here are the configurations given for the stunnel.conf file:

Application and Meeting (HTTPS and RTMPS):

; Protocol version (all, SSLv2, SSLv3, TLSv1)
; we want TLS1, TLS1.1 and TLS1.2 active, so set =all and then say "not SSLv2, SSLv3"
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = DONT_INSERT_EMPTY_FRAGMENTS
options = CIPHER_SERVER_PREFERENCE
renegotiation=no
fips = no
;Some performance tunings:
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
TIMEOUTclose=0
; application server SSL / HTTPS
[https-vip]
accept = 10.1.1.1:443
connect = 127.0.0.1:8443
cert = C:\Connect\stunnel\certs\public_certificate_app-server.pem
key = C:\Connect\stunnel\certs\private_key_app-server.key

;configure ciphers as per your requirement and client support.
;this should work for most:
ciphers = TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES
; meeting SSL / RTMPS
[rtmps-vip]
accept = 10.1.1.2:443
connect = 127.0.0.1:1935
cert = C:\Connect\stunnel\certs\public_certificate_meeting-server.pem
key = C:\Connect\stunnel\certs\private_key_meeting-server.key

;configure ciphers as per your requirement and client support.
;this should work for most:
ciphers = TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES

ACTS (WSS):

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
fips = no


; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
TIMEOUTclose=0
options = DONT_INSERT_EMPTY_FRAGMENTS

[acts]
; accept = ACTS IP:443
accept = 10.1.1.3:443

; When stunnel is on the same box, simply leave the below IP address as 127.0.0.1
connect = 127.0.0.1:9002

; Certificate information for Connect Meetings.
; This assumes you put the cert and key in the root folder of stunnel
;cert = CertificateNameHere.pem
;key = CerificateKeyNameHere.pem
cert = C:\Connect\stunnel\certs\public_certificate_acts-server.pem
key = C:\Connect\stunnel\certs\private_key_acts-server.key.pem

; ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
ciphers = ALL:!AECDH:!ADH:!LOW:!EXP:!MD5:@STRENGTH

Hi,
Do you mean we must have 3 IPs?
We have 2 servers: one with Adobe Connect 11.8 installed and another with ACTS.


#20 2021-09-13 13:09:17

Jorma_at_CoSo

Re: ACTS over SSL problem

If everything is SSL encrypted, yes.

