Posted to user@openmeetings.apache.org by Jason Romo <ja...@securityarsenal.com> on 2016/05/27 09:42:24 UTC

SOLVED: RTMPS with Openmeetings 3.1.1

Ok SSL with RTMPS works, but Screen Share is broken.  They are working on it, 3.1.2 is waiting for a resolution.  Thanks to Maxim for helping resolve the proxyType issue.  That was the one thing all docs missed; the other was ports.  I don’t think one document had a working config example for Openmeetings 3.1.1. Even the doc on RTMPS at the official website doesn’t work. This works!  So enjoy a stress-free install using SSL.

To get SSL working with RTMPS you need to do the following:

If you want to use LetsEncrypt Free SSL, use the following; or skip it and add your own valid cert from any location to the keystore.  I add the LetsEncrypt part because I couldn’t find a single source that had this correct either.  It took a bit to resolve.

Install LetsEncrypt; there are plenty of places that show you how to install it.  Then do a cert-only install.  You need to convert the cert to work with the keystore.

cd /etc/letsencrypt/live/yourdomain

# Java cacerts: you can add the x3-cross-sign.pem to it like this. You have to download the x3-cross-sign.pem from the letsencrypt website. The default Java cacerts password is: changeit
keytool -importcert -file /etc/letsencrypt/live/yourdomain/x3-cross-sign.pem -keystore cacerts

# Make new keystore
#keytool -keysize 2048 -genkey -alias key -keyalg RSA -keystore keystore.jks

# Make sure you append the x3-cross-sign.pem to the chain.pem or it will not work.
# -certfile embeds chain.pem in the .p12 (openssl only reads -CAfile when -chain is also given)
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile chain.pem -out cert_and_key.p12 -name red5

# Import keys (-srcstorepass is the export password you typed for the .p12;
# -deststorepass must match rtmps.keystorepass in red5.properties)
keytool -importkeystore -deststorepass password -destkeypass password -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass d4h3j9nq1 -alias red5

cp keystore.jks /opt/yourinstall/conf/keystore.jks
cp keystore.jks /opt/yourinstall/conf/keystore.screen
cp keystore.jks /opt/yourinstall/conf/truststore.jks



vi conf/red5.properties
https.port=443
rtmps.port=443
rtmps.keystorepass=yourpass
rtmps.keystorefile=conf/keystore.jks
rtmps.truststorepass=yourpass
rtmps.truststorefile=conf/truststore.jks

Make sure you set proxyType to none or it will not work.
vi webapps/openmeetings/public/config.xml
<rtmpport>1935</rtmpport>
<rtmpsslport>443</rtmpsslport>
<useSSL>yes</useSSL>
<protocol>https</protocol>
<!-- NOTE: don’t use best like other docs say.  It doesn’t work!! -->
<proxyType>none</proxyType>


Now enable SSL in the jee-container.xml.  I copy the file, appending .ssl and .html, to allow quick changes.
vi conf/jee-container.xml

 <!-- Tomcat without SSL enabled
    <bean id="tomcat.server" class="org.red5.server.tomcat.TomcatLoader" depends-on="context.loader" init-method="start" lazy-init="true">

        <property name="webappFolder" value="${red5.root}/webapps" />
        
        <property name="connectors">
            <list>
                <bean name="httpConnector" class="org.red5.server.tomcat.TomcatConnector">
                    <property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
                    <property name="address" value="${http.host}:${http.port}" />
                    <property name="redirectPort" value="${https.port}" />  
                </bean>     
            </list>
        </property>
        
        <property name="baseHost">
           <bean class="org.apache.catalina.core.StandardHost">
               <property name="name" value="${http.host}" />
           </bean>     
        </property>     

        <property name="valves">
            <list>
                <bean id="valve.access" class="org.apache.catalina.valves.AccessLogValve">
                    <property name="directory" value="log" />
                    <property name="prefix" value="${http.host}_access." />
                    <property name="suffix" value=".log" />
                    <property name="pattern" value="common" />
                    <property name="rotatable" value="true" />
                </bean>
            </list>
        </property>
        
    </bean>
-->
    <!-- Tomcat with SSL enabled -->
    <bean id="tomcat.server" class="org.red5.server.tomcat.TomcatLoader" depends-on="context.loader" init-method="start" lazy-init="true">

        <property name="webappFolder" value="${red5.root}/webapps" />
        
        <property name="connectors">
            <list>
                <bean name="httpConnector" class="org.red5.server.tomcat.TomcatConnector">
                    <property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
                    <property name="address" value="${http.host}:${http.port}" />
                    <property name="redirectPort" value="${https.port}" />  
                </bean>
                <bean name="httpsConnector" class="org.red5.server.tomcat.TomcatConnector">
                    <property name="secure" value="true" />
                    <property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
                    <property name="address" value="${http.host}:${https.port}" />
                    <property name="redirectPort" value="${http.port}" />  
                    <property name="connectionProperties">
                        <map>           
                            <entry key="port" value="${https.port}" />
                            <entry key="redirectPort" value="${http.port}" />
                            <entry key="SSLEnabled" value="true" />
                            <entry key="sslProtocol" value="TLS" />
                            <entry key="keystoreFile" value="${rtmps.keystorefile}" />
                            <entry key="keystorePass" value="${rtmps.keystorepass}" />
                            <entry key="keystoreType" value="JKS" />
                            <entry key="truststoreFile" value="${rtmps.truststorefile}" />
                            <entry key="truststorePass" value="${rtmps.truststorepass}" />
                            <entry key="clientAuth" value="false" />                             
                            <entry key="allowUnsafeLegacyRenegotiation" value="true" />                            
                            <entry key="maxKeepAliveRequests" value="${http.max_keep_alive_requests}"/>
                            <entry key="useExecutor" value="true"/>
                            <entry key="maxThreads" value="${http.max_threads}"/>
                            <entry key="acceptorThreadCount" value="${http.acceptor_thread_count}"/>
                            <entry key="processorCache" value="${http.processor_cache}"/>
                        </map>
                    </property> 
                </bean>             
            </list>
        </property>
                        
        <property name="baseHost">
            <bean class="org.apache.catalina.core.StandardHost">
                <property name="name" value="${http.host}" />
            </bean>     
        </property>
        
    </bean>


You can now start up red5 from init if you followed the install instructions.  You should be able to connect to https://yourdomain.com.  If it complains the cert is not valid then you missed something in the keystore process.  This is the script I use to build my keystore automatically from a cron job just before it expires, so it should work.

Good luck,
Jason
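
Jason mentions a cron script that rebuilds the keystore but did not post it. What follows is an added example written for this thread, not Jason's script and not part of OpenMeetings or red5: it runs the same conversion (Let's Encrypt PEM to PKCS#12 to JKS, then the three copies into conf/) as a POSIX shell script. The paths in LIVE_DIR, CROSS_SIGN_PEM and RED5_CONF and the P12_PASS/JKS_PASS environment variables are its own assumptions. Two details deliberately differ from the commands above: the cross-signed certificate is appended to a copy of chain.pem only if it is not already there (otherwise every cron run would grow the chain), and the intermediates are handed to openssl with -certfile, because -CAfile on its own has no effect without -chain.

```shell
#!/bin/sh
# build_red5_keystore.sh: rebuild the red5/OpenMeetings JKS keystore from a
# Let's Encrypt "live" directory. Added example for this thread, not Jason's
# own cron script; LIVE_DIR, CROSS_SIGN_PEM, RED5_CONF, P12_PASS and JKS_PASS
# are this script's assumptions.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/yourdomain}"
CROSS_SIGN_PEM="${CROSS_SIGN_PEM:-/etc/letsencrypt/x3-cross-sign.pem}"
RED5_CONF="${RED5_CONF:-/opt/yourinstall/conf}"
KEY_ALIAS="red5"   # the -name given to openssl and the alias inside the JKS

# count_pem_certs FILE: number of CERTIFICATE blocks in a PEM bundle
count_pem_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1") || n=0
    printf '%s\n' "$n"
}

# pem_cert_bodies FILE: one line per certificate, base64 body with whitespace
# removed, so two copies of one certificate compare equal whatever the wrapping
pem_cert_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { inblk = 0; print body; next }
         inblk { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# chain_has_cert CHAIN CERT: succeeds if the first certificate in CERT is in CHAIN
chain_has_cert() {
    want=$(pem_cert_bodies "$2" | head -n 1)
    [ -n "$want" ] || return 1
    pem_cert_bodies "$1" | grep -qxF -- "$want"
}

# build_chain LIVE_DIR CROSS_SIGN OUT: copy chain.pem and append the cross-signed
# certificate exactly once, so a cron re-run does not grow the chain; prints count
build_chain() {
    cp -- "$1/chain.pem" "$3"
    if ! chain_has_cert "$3" "$2"; then
        cat -- "$2" >> "$3"
    fi
    count_pem_certs "$3"
}

# build_keystore LIVE_DIR CHAIN OUT_JKS: PEM -> PKCS#12 -> JKS. Passwords come from
# the environment (P12_PASS, JKS_PASS) rather than the command line, so they do
# not show up in ps output or shell history.
build_keystore() {
    : "${P12_PASS:?set P12_PASS}" "${JKS_PASS:?set JKS_PASS}"
    p12=$(mktemp)
    # -certfile embeds the intermediates in the .p12 so the server presents the
    # full chain; -CAfile alone is only consulted when -chain is also given.
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/privkey.pem" \
        -certfile "$2" -name "$KEY_ALIAS" -out "$p12" -passout env:P12_PASS
    rm -f -- "$3"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
        -destkeystore "$3" -deststoretype JKS \
        -deststorepass:env JKS_PASS -destkeypass:env JKS_PASS -alias "$KEY_ALIAS"
    rm -f -- "$p12"
    chmod 0640 -- "$3"
}

# install_keystore JKS CONF_DIR: the three copies red5/OpenMeetings reads (as in the post)
install_keystore() {
    for f in keystore.jks keystore.screen truststore.jks; do
        install -m 0640 -- "$1" "$2/$f"
    done
}

main() {
    chain=$(mktemp)
    jks="$RED5_CONF/keystore.jks.new"
    echo "certificates in chain: $(build_chain "$LIVE_DIR" "$CROSS_SIGN_PEM" "$chain")"
    build_keystore "$LIVE_DIR" "$chain" "$jks"
    install_keystore "$jks" "$RED5_CONF"
    rm -f -- "$jks" "$chain"
    echo "keystore installed into $RED5_CONF; restart red5 to pick it up"
}

# Run the build only when asked, so the functions above can be sourced and tested.
case "${1:-}" in
    build) main ;;
    *) echo "usage: P12_PASS=... JKS_PASS=... $0 build" >&2 ;;
esac
```

Run it as `P12_PASS=... JKS_PASS=... ./build_red5_keystore.sh build` from the renewal hook or cron, then restart red5. If the browser still reports an invalid certificate, `keytool -list -v -keystore keystore.jks` should show the alias red5 with a certificate chain length greater than 1; a chain length of 1 means the intermediates were not embedded.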

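A second added example, again not from the post and not part of OpenMeetings: a small lint that cross-checks the values the three edited files must agree on, since mismatched ports and proxyType were the two things Jason found missing from every document. It uses sed, so it only understands the one-tag-per-line layout shown above, and the file paths are the post's defaults. The check on allowUnsafeLegacyRenegotiation goes beyond the post: the connector above sets it to true, which re-enables the insecure TLS renegotiation that current TLS stacks disable by default, so it is flagged for removal unless a known legacy client needs it.

```shell
#!/bin/sh
# check_om_rtmps.sh: cross-check red5.properties, public/config.xml and
# jee-container.xml before restarting red5. Added example for this thread,
# not part of OpenMeetings; assumes the single-line tag layout of the post.
set -eu

# prop FILE KEY: value of "KEY=value" in a Java .properties file
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# xml_text FILE TAG: text of the first <TAG>...</TAG> element (single-line tags only)
xml_text() {
    sed -n "s/.*<$2>\([^<]*\)<\/$2>.*/\1/p" "$1" | head -n 1
}

# connector_entry FILE KEY: value of <entry key="KEY" value="..."/> in jee-container.xml
connector_entry() {
    sed -n "s/.*<entry key=\"$2\" value=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_rtmps PROPS CONFIG_XML JEE_XML: prints one line per problem found
check_rtmps() {
    rtmps_port=$(prop "$1" rtmps.port)
    ssl_port=$(xml_text "$2" rtmpsslport)
    [ "$ssl_port" = "$rtmps_port" ] || \
        echo "port mismatch: config.xml rtmpsslport=$ssl_port, red5.properties rtmps.port=$rtmps_port"
    [ "$(xml_text "$2" useSSL)" = "yes" ] || echo "config.xml: useSSL must be yes"
    [ "$(xml_text "$2" protocol)" = "https" ] || echo "config.xml: protocol must be https"
    [ "$(xml_text "$2" proxyType)" = "none" ] || \
        echo "config.xml: proxyType must be none for RTMPS on 3.1.1 ('best' breaks it)"
    [ "$(connector_entry "$3" SSLEnabled)" = "true" ] || \
        echo "jee-container.xml: httpsConnector has no SSLEnabled=true entry"
    [ "$(connector_entry "$3" allowUnsafeLegacyRenegotiation)" != "true" ] || \
        echo "jee-container.xml: allowUnsafeLegacyRenegotiation=true re-enables insecure TLS renegotiation; drop it unless a legacy client needs it"
}

# finding_count PROPS CONFIG_XML JEE_XML: number of problems, for scripts and cron
finding_count() {
    check_rtmps "$@" | grep -c . || true
}

# usage: check_om_rtmps.sh conf/red5.properties webapps/openmeetings/public/config.xml conf/jee-container.xml
if [ $# -eq 3 ]; then
    check_rtmps "$@"
    echo "$(finding_count "$@") finding(s)"
fi
```

With the post's values the only finding is the legacy-renegotiation entry; with proxyType set to best or the two ports out of step, the lint names each mismatch so it can be fixed before the restart rather than debugged from a client that silently falls back.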
Re: SOLVED: RTMPS with Openmeetings 3.1.1

Posted by Jason Romo <ja...@securityarsenal.com>.
Thanks for the heads-up. 

Jason



On Jun 9, 2016, at 10:56 PM, Vasiliy Degtyarev <va...@unipro.ru> wrote:
>Hello Jason!
>
>Maxim is now out of office, he returns June 20
>so no updates on screen share for RTMPS.
>
>Thanks,
>Vasiliy
>
>On 10.06.2016 9:23, Jason Romo wrote:
>> Any update on getting RTMPS working with desktop share?
>>
>>
>>> On May 27, 2016, at 5:04 AM, Maxim Solodovnik <solomax666@gmail.com> wrote:
>>>
>>> Thanks for sharing this Jason,
>>>
>>> I'll update instructions with 3.1.2 release, currently trying to fix
>
>>> RTMPS screen-sharing
>>>
>>> -- 
>>> WBR
>>> Maxim aka solomax
>>

Re: SOLVED: RTMPS with Openmeetings 3.1.1

Posted by Vasiliy Degtyarev <va...@unipro.ru>.
Hello Jason!

Maxim is now out of office, he returns June 20
so no updates on screen share for RTMPS.

Thanks,
Vasiliy

On 10.06.2016 9:23, Jason Romo wrote:
> Any update on getting RTMPS working with desktop share?
>
>
>> On May 27, 2016, at 5:04 AM, Maxim Solodovnik <solomax666@gmail.com> wrote:
>>
>> Thanks for sharing this Jason,
>>
>> I'll update instructions with 3.1.2 release, currently trying to fix 
>> RTMPS screen-sharing
>>
>> -- 
>> WBR
>> Maxim aka solomax
>


Re: SOLVED: RTMPS with Openmeetings 3.1.1

Posted by Jason Romo <ja...@securityarsenal.com>.
Any update on getting RTMPS working with desktop share?


> On May 27, 2016, at 5:04 AM, Maxim Solodovnik <so...@gmail.com> wrote:
> 
> Thanks for sharing this Jason,
> 
> I'll update instructions with 3.1.2 release, currently trying to fix RTMPS screen-sharing
> 
> On Fri, May 27, 2016 at 3:42 PM, Jason Romo <jason@securityarsenal.com <ma...@securityarsenal.com>> wrote:
> Ok SSL with RTMPS works, but Screen Share is broken.  They are working on it , 3.1.2 is waiting for a resoution.  Thanks to Maxim for helping resolve the proxyType issue.  That was the one thing all docs missed the other was ports.  I don’t think one document had a working config example for Openmeetings 3.1.1. Even the doc on RTMPS at the official website doesn’t work. This works!  So enjoy stress free install using SSL.
> 
> To get SSL working with RTMPS you need to do the following:
> 
> If you want to use LetsEncrypt Free SSL do this use the following or skip and add your own valid cert from any location to the keystone.  I add the LetsEncrypt because I couldn’t find a single source that had this correct either.  It took a bit to resolve.
> 
> Install LetsEncrypt plenty of places to show you how to install.  Then do cert-only install.  You need to convert the cert to work with keystone.
> 
> cd /etc/letsencrypt/live/yourdomain
> 
> # Java cacerts you can add the x3-cross-sign.pem to it like this. You have to download the x3-cross-sign.pem from letsencrypt website. the default Java password is: changeit
> keytool -importcert -file /etc/letsencrypt/live/yourdomain/x3-cross-sign.pem -keystore cacerts
> 
> # Make new keystore
> #keytool -keysize 2048 -genkey -alias key -keyalg RSA -keystore keystore.jks
> 
> # Make sure you append the x3-cross-sign.pem to the chain.pem or it will not work.
> openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 -name red5 -CAfile chain.pem -caname root
> 
> # Import keys
> keytool -importkeystore -deststorepass password -destkeypass password -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass d4h3j9nq1 -alias red5
> 
> cp keystore.jks /opt/yourinstall/conf/keystore.jks
> cp keystore.jks /opt/yourinstall/conf/keystore.screen
> cp keystore.jks /opt/yourinstall/conf/truststore.jks
> 
> 
> 
> vi conf/red5.properties
> https.port=443
> rtmps.port=443
> rtmps.keystorepass=yourpass
> rtmps.keystorefile=conf/keystore.jks
> rtmps.truststorepass=yourpass
> rtmps.truststorefile=conf/truststore.jks
> 
> Make sure you set proxyType to none or it will not work.
> vi webapps/openmeetings/public/config.xml
> <rtmpport>1935</rtmpport>
> <rtmpsslport>443</rtmpsslport>
> <useSSL>yes</useSSL>
> <protocol>https</protocol>
> # NOTE: don’t use best like other docs say.  It doesn’t work!!
> <proxyType>none</proxyType>
> 
> 
> Now enable SSL in the jee-container.xml.  I copy the file appending .ssl and .html to allow quick changes.
> vi conf/jee-container.xml
> 
>  <!-- Tomcat without SSL enabled
>     <bean id="tomcat.server" class="org.red5.server.tomcat.TomcatLoader" depends-on="context.loader" init-method="start" lazy-init="true">
> 
>         <property name="webappFolder" value="${red5.root}/webapps" />
>         
>         <property name="connectors">
>             <list>
>                 <bean name="httpConnector" class="org.red5.server.tomcat.TomcatConnector">
> 					<property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
> 					<property name="address" value="${http.host}:${http.port}" />
>                     <property name="redirectPort" value="${https.port}" />  
>                 </bean>     
>             </list>
>         </property>
>         
>         <property name="baseHost">
>            <bean class="org.apache.catalina.core.StandardHost">
>                <property name="name" value="${http.host}" />
>            </bean>     
>         </property>     
> 
>         <property name="valves">
>             <list>
>                 <bean id="valve.access" class="org.apache.catalina.valves.AccessLogValve">
>                     <property name="directory" value="log" />
>                     <property name="prefix" value="${http.host}_access." />
>                     <property name="suffix" value=".log" />
>                     <property name="pattern" value="common" />
>                     <property name="rotatable" value="true" />
>                 </bean>
>             </list>
>         </property>
>         
>     </bean>
> -->
>     <!-- Tomcat with SSL enabled -->
>     <bean id="tomcat.server" class="org.red5.server.tomcat.TomcatLoader" depends-on="context.loader" init-method="start" lazy-init="true">
> 
>         <property name="webappFolder" value="${red5.root}/webapps" />
>         
>         <property name="connectors">
>             <list>
>                 <bean name="httpConnector" class="org.red5.server.tomcat.TomcatConnector">
>                     <property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
>                     <property name="address" value="${http.host}:${http.port}" />
>                     <property name="redirectPort" value="${https.port}" />  
>                 </bean>
>                 <bean name="httpsConnector" class="org.red5.server.tomcat.TomcatConnector">
>                     <property name="secure" value="true" />
>                     <property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
>                     <property name="address" value="${http.host}:${https.port}" />
>                     <property name="redirectPort" value="${http.port}" />  
>                     <property name="connectionProperties">
>                         <map>           
>                             <entry key="port" value="${https.port}" />
>                             <entry key="redirectPort" value="${http.port}" />
>                             <entry key="SSLEnabled" value="true" />
>                             <entry key="sslProtocol" value="TLS" />
>                             <entry key="keystoreFile" value="${rtmps.keystorefile}" />
>                             <entry key="keystorePass" value="${rtmps.keystorepass}" />
>                             <entry key="keystoreType" value="JKS" />
>                             <entry key="truststoreFile" value="${rtmps.truststorefile}" />
>                             <entry key="truststorePass" value="${rtmps.truststorepass}" />
>                             <entry key="clientAuth" value="false" />                            
>                             <entry key="allowUnsafeLegacyRenegotiation" value="true" />                             
>                             <entry key="maxKeepAliveRequests" value="${http.max_keep_alive_requests}"/>
>                             <entry key="useExecutor" value="true"/>
>                             <entry key="maxThreads" value="${http.max_threads}"/>
>                             <entry key="acceptorThreadCount" value="${http.acceptor_thread_count}"/>
>                             <entry key="processorCache" value="${http.processor_cache}"/>
>                         </map>
>                     </property> 
>                 </bean>             
>             </list>
>         </property>
>                         
>         <property name="baseHost">
>             <bean class="org.apache.catalina.core.StandardHost">
>                 <property name="name" value="${http.host}" />
>             </bean>     
>         </property>
>         
>     </bean>
> 
> 
> You can now start up red5 from init if you followed the install instructions.  You should be able to connect to https://yourdomain.com <https://yourdomain.com/>.  If it complains the cert is not valid then you missed something in the keystone process.  This is the script I use to build my keystone from a cron job just before it expires automatically so it should work.
> 
> Good luck,
> Jason
>
> -- 
> WBR
> Maxim aka solomax


Re: SOLVED: RTMPS with Openmeetings 3.1.1

Posted by Maxim Solodovnik <so...@gmail.com>.
Thanks for sharing this Jason,

I'll update instructions with 3.1.2 release, currently trying to fix RTMPS
screen-sharing

On Fri, May 27, 2016 at 3:42 PM, Jason Romo <ja...@securityarsenal.com>
wrote:

> Ok, SSL with RTMPS works, but Screen Share is broken.  They are working on
> it; 3.1.2 is waiting for a resolution.  Thanks to Maxim for helping resolve
> the proxyType issue.  That was the one thing all docs missed; the other was
> ports.  I don’t think one document had a working config example for
> Openmeetings 3.1.1. Even the doc on RTMPS at the official website doesn’t
> work. This works!  So enjoy a stress-free install using SSL.
>
> To get SSL working with RTMPS you need to do the following:
>
> If you want to use the free LetsEncrypt SSL, use the following; or skip it
> and add your own valid cert from any location to the keystore.  I add the
> LetsEncrypt steps because I couldn’t find a single source that had this
> correct either.  It took a bit to resolve.
>
> Install LetsEncrypt; plenty of places show you how to install it.  Then do a
> cert-only install.  You need to convert the cert to work with the keystore.
>
> cd /etc/letsencrypt/live/yourdomain
>
> # Java cacerts: you can add the x3-cross-sign.pem to it like this. You have
> # to download the x3-cross-sign.pem from the letsencrypt website. The default
> # Java password is: changeit. Point -keystore at the JVM's own cacerts file
> # (for Java 8 that is $JAVA_HOME/jre/lib/security/cacerts); a bare "cacerts"
> # here would create a new, empty store in the current directory instead.
> keytool -importcert -trustcacerts -alias letsencrypt-x3 \
>   -file /etc/letsencrypt/live/yourdomain/x3-cross-sign.pem \
>   -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit
>
> # Make new keystore (self-signed; only for testing without a real cert)
> #keytool -keysize 2048 -genkey -alias key -keyalg RSA -keystore keystore.jks
>
> # Make sure you append the x3-cross-sign.pem to the chain.pem or it will
> # not work. -certfile is what copies chain.pem into the PKCS12 bundle
> # (-CAfile on its own is only used by -chain and adds nothing to the output).
> # Use one password everywhere: it must match rtmps.keystorepass, and Tomcat
> # unlocks the key with keystorePass unless keyPass is set separately.
> STOREPASS=yourpass
> openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile chain.pem \
>   -name red5 -caname root -passout "pass:$STOREPASS" -out cert_and_key.p12
>
> # Import keys
> keytool -importkeystore -noprompt -alias red5 \
>   -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
>   -destkeystore keystore.jks -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
>
> # The same store is used as keystore, keystore.screen and truststore (the
> # truststore is only consulted when clientAuth is on). Every copy holds the
> # private key, so make them readable by the red5 user only.
> cp keystore.jks /opt/yourinstall/conf/keystore.jks
> cp keystore.jks /opt/yourinstall/conf/keystore.screen
> cp keystore.jks /opt/yourinstall/conf/truststore.jks
> chmod 600 /opt/yourinstall/conf/keystore.jks /opt/yourinstall/conf/keystore.screen /opt/yourinstall/conf/truststore.jks
>
>
>
> vi conf/red5.properties
> https.port=443
> rtmps.port=443
> rtmps.keystorepass=yourpass
> rtmps.keystorefile=conf/keystore.jks
> rtmps.truststorepass=yourpass
> rtmps.truststorefile=conf/truststore.jks
>
> Make sure you set proxyType to none or it will not work.
> vi webapps/openmeetings/public/config.xml
> <rtmpport>1935</rtmpport>
> <rtmpsslport>443</rtmpsslport>
> <useSSL>yes</useSSL>
> <protocol>https</protocol>
> <!-- NOTE: don’t use best like other docs say.  It doesn’t work!! -->
> <proxyType>none</proxyType>
>
>
> Now enable SSL in the jee-container.xml.  I copy the file appending .ssl
> and .html to allow quick changes.
> vi conf/jee-container.xml
>
>     <!-- Tomcat without SSL enabled
>     <bean id="tomcat.server" class="org.red5.server.tomcat.TomcatLoader" depends-on="context.loader" init-method="start" lazy-init="true">
>
>         <property name="webappFolder" value="${red5.root}/webapps" />
>
>         <property name="connectors">
>             <list>
>                 <bean name="httpConnector" class="org.red5.server.tomcat.TomcatConnector">
>                     <property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
>                     <property name="address" value="${http.host}:${http.port}" />
>                     <property name="redirectPort" value="${https.port}" />
>                 </bean>
>             </list>
>         </property>
>
>         <property name="baseHost">
>             <bean class="org.apache.catalina.core.StandardHost">
>                 <property name="name" value="${http.host}" />
>             </bean>
>         </property>
>
>         <property name="valves">
>             <list>
>                 <bean id="valve.access" class="org.apache.catalina.valves.AccessLogValve">
>                     <property name="directory" value="log" />
>                     <property name="prefix" value="${http.host}_access." />
>                     <property name="suffix" value=".log" />
>                     <property name="pattern" value="common" />
>                     <property name="rotatable" value="true" />
>                 </bean>
>             </list>
>         </property>
>
>     </bean>
>     -->
>     <!-- Tomcat with SSL enabled -->
>     <bean id="tomcat.server" class="org.red5.server.tomcat.TomcatLoader" depends-on="context.loader" init-method="start" lazy-init="true">
>
>         <property name="webappFolder" value="${red5.root}/webapps" />
>
>         <property name="connectors">
>             <list>
>                 <bean name="httpConnector" class="org.red5.server.tomcat.TomcatConnector">
>                     <property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
>                     <property name="address" value="${http.host}:${http.port}" />
>                     <property name="redirectPort" value="${https.port}" />
>                 </bean>
>                 <bean name="httpsConnector" class="org.red5.server.tomcat.TomcatConnector">
>                     <property name="secure" value="true" />
>                     <property name="protocol" value="org.apache.coyote.http11.Http11NioProtocol" />
>                     <property name="address" value="${http.host}:${https.port}" />
>                     <property name="redirectPort" value="${http.port}" />
>                     <property name="connectionProperties">
>                         <map>
>                             <entry key="port" value="${https.port}" />
>                             <entry key="redirectPort" value="${http.port}" />
>                             <entry key="SSLEnabled" value="true" />
>                             <entry key="sslProtocol" value="TLS" />
>                             <entry key="keystoreFile" value="${rtmps.keystorefile}" />
>                             <entry key="keystorePass" value="${rtmps.keystorepass}" />
>                             <entry key="keystoreType" value="JKS" />
>                             <entry key="truststoreFile" value="${rtmps.truststorefile}" />
>                             <entry key="truststorePass" value="${rtmps.truststorepass}" />
>                             <entry key="clientAuth" value="false" />
>                             <entry key="allowUnsafeLegacyRenegotiation" value="true" />
>                             <entry key="maxKeepAliveRequests" value="${http.max_keep_alive_requests}"/>
>                             <entry key="useExecutor" value="true"/>
>                             <entry key="maxThreads" value="${http.max_threads}"/>
>                             <entry key="acceptorThreadCount" value="${http.acceptor_thread_count}"/>
>                             <entry key="processorCache" value="${http.processor_cache}"/>
>                         </map>
>                     </property>
>                 </bean>
>             </list>
>         </property>
>
>         <property name="baseHost">
>             <bean class="org.apache.catalina.core.StandardHost">
>                 <property name="name" value="${http.host}" />
>             </bean>
>         </property>
>
>     </bean>
>
>
> You can now start up red5 from init if you followed the install
> instructions.  You should be able to connect to https://yourdomain.com.
> If it complains the cert is not valid then you missed something in the
> keystore process.  This is the script I use to build my keystore from a
> cron job just before it expires automatically so it should work.
>
> Good luck,
> Jason
>


-- 
WBR
Maxim aka solomax
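The conversion, the copy into conf/, the proxyType requirement and the "cert is not valid" check from the quoted procedure, written as one re-runnable script. This is an added example, not Jason's cron script and not code shipped by Red5 or OpenMeetings. It assumes certbot's layout under /etc/letsencrypt/live/yourdomain, a Red5 install at /opt/yourinstall running as a user named red5, the keystore password supplied in STOREPASS, and that keytool and openssl are on PATH; the function and variable names are all mine. Beyond the thread it also refuses to install a keystore whose private-key entry carries no intermediate, and probes the port with openssl s_client after a restart.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenMeetings/Red5 code): rebuild the
# JKS keystore Red5 uses for https/RTMPS from a Let's Encrypt live directory,
# verify the chain went in, sanity-check config.xml, and probe the TLS port.
# Every path and name below is an assumption; adjust to your install.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/yourdomain}"   # certbot live dir (assumed)
RED5_HOME="${RED5_HOME:-/opt/yourinstall}"                  # Red5 install (assumed)
RED5_USER="${RED5_USER:-red5}"                              # account Red5 runs as (assumed)
HTTPS_PORT="${HTTPS_PORT:-443}"                             # https.port / rtmps.port

# Number of PEM certificates in a file (0 when none; grep -c exits 1 on no match).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Value of "key=..." in a Java .properties file; the value may itself contain "=".
prop_value() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# Text of a simple <tag>value</tag> element in the Flash client's config.xml.
xml_value() {
    sed -n "s:.*<$2>\\(.*\\)</$2>.*:\\1:p" "$1" | head -n 1
}

# The thread's finding: RTMPS only works with proxyType=none (not "best") and useSSL=yes.
check_client_config() {
    [ "$(xml_value "$1" proxyType)" = none ] && [ "$(xml_value "$1" useSSL)" = yes ]
}

# Build $2/keystore.jks (plus keystore.screen and truststore.jks) from live dir $1.
build_keystore() {
    live=$1; conf=$2
    : "${STOREPASS:?set STOREPASS to the value of rtmps.keystorepass}"
    [ "$(count_pem_certs "$live/chain.pem")" -ge 1 ] || { echo "$live/chain.pem has no certificate" >&2; return 1; }
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    # -certfile puts the intermediate(s) into the PKCS#12 bag; -CAfile on its own is
    # only consulted by -chain, so a bag built with -CAfile alone has no chain in it.
    openssl pkcs12 -export -in "$live/cert.pem" -inkey "$live/privkey.pem" \
        -certfile "$live/chain.pem" -name red5 -passout "pass:$STOREPASS" \
        -out "$tmp/cert_and_key.p12"
    # One password for store and key: Tomcat uses keystorePass as keyPass unless told otherwise.
    keytool -importkeystore -noprompt -alias red5 \
        -srckeystore "$tmp/cert_and_key.p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -destkeystore "$tmp/keystore.jks" -deststoretype JKS \
        -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
    # A chain length of 1 means only the leaf was imported; browsers then call the cert invalid.
    keytool -list -v -keystore "$tmp/keystore.jks" -storepass "$STOREPASS" -alias red5 \
        | grep -q 'Certificate chain length: [2-9]' || { echo "intermediate missing from keystore" >&2; return 1; }
    # All three files hold the private key, so they belong to the Red5 account only.
    for f in keystore.jks keystore.screen truststore.jks; do
        install -o "$RED5_USER" -m 0600 "$tmp/keystore.jks" "$conf/$f"
    done
}

# After restarting Red5: does the port present a chain a normal client accepts,
# and does it negotiate TLS 1.2? Returns 0 on "Verify return code: 0 (ok)".
verify_endpoint() {
    host=$1; port=$2
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 </dev/null 2>&1 || true)
    printf '%s\n' "$out" | grep -E 'Protocol  *:|Verify return code' >&2 || true
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Cron / certbot deploy-hook entry point:
#   STOREPASS="$(prop_value /opt/yourinstall/conf/red5.properties rtmps.keystorepass)" ./rebuild-keystore.sh run
#   ./rebuild-keystore.sh verify yourdomain
case "${1:-}" in
    run)
        build_keystore "$LIVE_DIR" "$RED5_HOME/conf"
        check_client_config "$RED5_HOME/webapps/openmeetings/public/config.xml" \
            || { echo "config.xml: set <proxyType>none</proxyType> and <useSSL>yes</useSSL>" >&2; exit 1; }
        echo "keystore rebuilt; restart red5, then: $0 verify yourdomain" ;;
    verify)
        verify_endpoint "${2:?host}" "$HTTPS_PORT" ;;
esac
```

The script reads the password out of red5.properties rather than hard-coding it, builds the PKCS#12 with -certfile so the intermediate actually lands in the bag, and treats a keytool "Certificate chain length: 1" as a failure, since that is exactly the state that makes a browser report the certificate as invalid. The quoted connector also sets allowUnsafeLegacyRenegotiation=true; Tomcat defaults that attribute to false because it re-enables the renegotiation behaviour of CVE-2009-3555, so run the verify step once with that entry removed and only put it back if a client really fails to connect.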