Using OpenMeetings with RTMPS and HTTPS
There are 3 ways the client communicates with the server:
- The flash-client uses RTMP protocol to transfer Audio/Video and
to send and receive the user data (login et cetera) to the server
and back
- The browser uses HTTP protocol to load the SWF and to upload and
download the files (documents, pdfs, images) to the server and
back.
- The screensharing client uses RTMP protocol to transfer screen
data and remote control to the server and back
Prerequisites
- You need OpenMeetings 1.9.x for this, OpenMeetings 1.8.x does
not
have those options.
- Install OpenMeetings according to the install instructions and
check that it runs without problems
- Rename the existing keystore file red5/conf/keystore to
keystore.bak
Configuring RTMPS for the Flash Client
-
Create a new keystore and key, use the same password for both:
keytool -keysize 2048 -genkey -alias red5 -keyalg RSA -keystore red5/conf/keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: <your hostname, e.g demo.openmeetings.de>
What is the name of your organizational unit?
[Unknown]: Dev
What is the name of your organization?
[Unknown]: OpenMeetings
What is the name of your City or Locality?
[Unknown]: Henderson
What is the name of your State or Province?
[Unknown]: Nevada
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=demo.openmeetings.de, OU=Dev, O=OpenMeetings, L=Henderson, ST=Nevada, C=US correct?
[no]: yes
Enter key password for <red5>
- Generate a CSR:
keytool -certreq -keyalg RSA -alias red5 -file red5.csr -keystore red5/conf/keystore
- Submit CSR to your CA of choice and receive a signed certificate
- Import your chosen CA's root certificate into the keystore (may
need to download it from their site - make sure to get the root CA and
not the intermediate one):
keytool -import -alias root -keystore red5/conf/keystore -trustcacerts -file root.crt
(note: you may receive a warning that the certificate already exists in the system wide keystore - import
anyway)
- Import the intermediate certificate(s) you normally receive with
the certificate:
keytool -import -alias intermed -keystore red5/conf/keystore -trustcacerts -file intermediate.crt
- Import the certificate you received:
keytool -import -alias red5 -keystore red5/conf/keystore -trustcacerts -file demo.openmeetings.de.crt
- Please NOTE according to this http://javarevisited.blogspot.com/2012/09/difference-between-truststore-vs-keyStore-Java-SSL.html
guide you can split keystore and truststore (OPTIONAL you might just copy keystore to truststore)
- Create additional certificate as described above.
Add this certificate to the following keystores: red5/conf/keystore.screen and red5/conf/keystore. (This step is required to be able to use
screen-sharing web application, you can copy "main" keystore while testing)
Set up RTMPS
-
Uncomment <!-- RTMPS --> section in red5/conf/red5-core.xml
- Default RTMPS port is 8443, you can change it by editing red5/conf/red5.properties and change the port here: rtmps.port=8443
Please set rtmps.keystorepass=password and rtmps.truststorepass=password
(password = password you set on your new keystore(s))
Additionally you need to set rtmps.screen.keystorepass=screenpassword (screenpassword = password you set on your keystore for screen-sharing application)
-
Edit red5/webapps/openmeetings/public/config.xml and set
<rtmpsslport>8443</rtmpsslport>,
<useSSL>yes</useSSL> and
<proxyType>best</proxyType>
- Please NOTE https port set in red5/conf/red5.properties should be in sync with the one set in
red5/webapps/openmeetings/public/config.xml
- Restart red5 and try to connect - your connection should now be
made via RTMPS (close port 1935 to be sure)
SSL for the web interface
If you want to use SSL for the web interface in addition to RTMPS,
you need to make some further modifications. This is mainly to secure
the server against MITM attacks, additionally some other features
like file uploads also use a plain HTTP connection if this is not
done. The following instructions assume that you have already set up
RTMPS successfully.
-
Edit red5/conf/jee-container.xml file:
Comment Tomcat without SSL enabled section
UNComment Tomcat with SSL enabled section
-
Edit red5/webapps/openmeetings/public/config.xml and set
<protocol>https</protocol>
-
Edit red5/webapps/openmeetings/public/config.xml and set
<red5httpport>5443</red5httpport> port
- In webapps/openmeetings/WEB-INF/conf/axis2.xml add (below the existing http transportReceiver (around line 225))
<transportReceiver name="https" class="org.apache.axis2.transport.http.AxisServletListener">
<parameter name="port">5443</parameter>
</transportReceiver>
- Please NOTE https port set in red5/conf/red5.properties should be in sync with the one set
in red5/webapps/openmeetings/public/config.xml and webapps/openmeetings/WEB-INF/conf/axis2.xml
-
Restart red5 and try to connect to
https://your.server:5443 - you should be redirected to the OpenMeetings
app and all access should be via HTTPS or RTMPS (close port 5080 to be sure).
Credits
Credits goto: Nexus and Holger Rabbach for their help and
contribution and configuration documention!