Securing Adobe Connect with the AEM-based Events Module
This article only pertains to on-premise Adobe Connect implementations running the Events Module.
Note: This article contains images. You may need to refresh the WordPress page in your browser to view them.
This supplemental article alongside the Adobe Connect Installation Guide and the SSL Configuration guides for software and hardware-based SSL options, will help expedite your SSL implementation of Connect with AEM-based Events.
1. It is prudent to begin with a fully functional installation of Adobe Connect and AEM-based Events before adding SSL; Do not attempt to secure a server or cluster that is not fully tested to run all features without SSL as it may cause a need for some rework on installation steps.
2. Decide whether to use hardware-based or software-based SSL and obtain appropriate public certificates and FQDN’s. If you are using software-based SSL, stunnel can either be installed locally or on a separate server. If you are using hardware-based SSL you will want to refer to the relevant third-party hardware accelerator documentation along with that provided by Adobe. Simplified diagrams of lab options follow:
The rest of this article and checklist summary will assume stunnel is being used, but the configuration variables will apply to hardware-based external SSL acceleration options as well and a casual glance back at these diagrams will help you infer the differences between the two options with reference to the configuration of the Events Module.
3. Six FQDN’s and certificates are required for a full lab, but we will focus here on the two for Adobe Connect Events Author and Publisher. This is how our full working example FQDN list might appear.
- 10.10.10.1 connect.adobe.com
- 10.10.10.2 meeting.adobe.com
- 10.10.10.3 acts.adobe.com
- 10.10.10.4 signal.adobe.com
- 10.10.10.5 author.domain.com
- 10.10.10.6 publisher.domain.com
4. Six certificates or a wildcard certificate is needed; here is the list of the certificates for SSL following our lab example:
- meeting.adobe.com
- connect.adobe.com
- acts.adobe.com
- signal.adobe.com
- author.adobe.com
- publisher.adobe.com
If using stunnel, follow the procedure documented in: Installing and Configuring stunnel with Adobe Connect Note the differentiating portion for securing Events is with the stunnel VIPs for Author and Publisher as they appear in the stunnel.conf file; see VIP examples here below:
; AEM author / HTTPS
[aemauthor-vip]
accept = 10.10.10.5:443
connect = 127.0.0.1:4502
cert = C:\Connect\stunnel\certs\aemauthor-cert.pem
key = C:\Connect\stunnel\certs\aemauthor-key.key
;configure ciphers as per your requirement and client support.
;this should work for most:
ciphers = TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES
; AEM publish / HTTPS
[aempublish-vip]
accept = 10.10.10.6:443
connect = 127.0.0.1:4503
cert = C:\Connect\stunnel\certs\aempublish-cert.pem
key = C:\Connect\stunnel\certs\aempublish-key.key
;configure ciphers as per your requirement and client support.
;this should work for most:
ciphers = TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES
6. Next backup and edit the custom.ini file: By default, the custom.ini will point to 4502 and 4503 for AEM Author and Publisher respectively; you must change the links to reflect https rather than http and also change the names to the correct FQDNs and also enable SSL for Connect with these following entries:
Note: CQ_AUTHOR_SERVER and CQ_PUBLISHER_SERVER entries are for customers who are using the classic, pre Connect 12.4, Event templates. The AEM_AUTHOR_SERVER and AEM_PUBLISHER_SERVER entries are for the new responsive Event Templates.
CQ_AUTHOR_SERVER=https://author.adobe.com
CQ_PUBLISH_SERVER=https://publisher.adobe.com
AEM_AUTHOR_SERVER=https://author.adobe.com
AEM_PUBLISH_SERVER=https://publisher.adobe.com
DOMAIN_COOKIE=adobe.com
ADMIN_PROTOCOL=https://
SSL_ONLY=yes
RTMP_SEQUENCE=rtmps://external-host:443/?rtmp://localhost:8506/
7. Next backup and edit the server.xml file; in the \appserv\conf\ directory; uncomment two sections depicted here to enable SSL:
Note: A simple way to edit server.xml is to simply search for the word uncomment to find the relevant sections to edit
<Executor name=”httpsThreadPool”
namePrefix=”https-8443-”
maxThreads=”350″
minSpareThreads=”25″/>
<Connector port=”8443″ protocol=”HTTP/1.1″
executor=”httpsThreadPool”
enableLookups=”false”
acceptCount=”250″
connectionTimeout=”20000″
SSLEnabled=”false”
scheme=”https”
secure=”true”
proxyPort=”443″
URIEncoding=”utf-8″/>
Note: Be sure to test the server.xml file for correct editing by opening it in a browser and viewing any syntax errors.
8. After configuring the stunnel.conf, the custom.ini and the server.xml file for all server instances, stop all services in the following order:
- Adobe Connect AEM Author
- Adobe Connect AEM Publisher
- Adobe Connect Transmuxing Server
- Adobe Connect Server
- Adobe Media Server
- stunnel
9. After all services are completely stopped, start all services in reverse order; do not cheat and just restart each one successively.
- stunnel
- Adobe Media Server
- Adobe Connect Server
- Adobe Connect Transmuxing Server
- Adobe Connect AEM Publisher
- Adobe Connect AEM Author
10. Open a browser on the server hosting Events Author; go to localhost:4502 and log into Author as an administrator and edit the URL
- Select CRXDE Lite on the menu list on the right side of the screen
- Go to: content>connect>c1>jcr:content
- Scroll to the serverURL line
- Edit the URL for https
- https://connect.adobe.com
11. Open a browser on the Connect server and go to localhost:4503 and log into Publisher as an administrator and edit the URL
- Select CRXDE Lite on the right menu list
- Go to content>connect>c1>jcr content
- Scroll to the serverURL line
- Edit the URL for https
- https://connect.adobe.com
12. Open a browser on the server hosting Events Producer and go to localhost:4502/system/console/configmgr and log in as an administrator and edit the author externalizer name and statistics URL
- Scroll to and edit the Day CQ Link Externalizer and edit the hostname value to reflect the FQDN of the Author server
- author.adobe.com
- Scroll to and edit the Day CQ WCM Page Statistics and edit the localhost:4502 URL to reflect the FQDN of the Author server and HTTPS
- https://author.adobe.com/libs/wcm/stats/tracker
13. Open a browser on the Connect server and go to localhost:4503/system/console/configmgr and log in as an administrator and edit the publisher externalizer name and statistics URL
- Scroll to and edit the Day CQ Link Externalizer and edit the hostname value to reflect the FQDN of the Publisher server
- publisher.adobe.com
- Scroll to and edit the Day CQ WCM Page Statistics and edit the localhost:4503 URL to reflect the FQDN of the Author server and HTTPS
- https://publisher.adobe.com/libs/wcm/stats/tracker
For more details on externalizing URLs see: Externalizing URLs
14. Restart all services and as shown in steps 8 & 9 or reboot
15. Log into Connect and test the Events module.
Troubleshooting appendix:
- Check to make sure services are running and start any that are not running.
- Once all the services are up, click on the stunnel.exe icon in the stunnel directory and insure that stunnel runs without errors
- If stunnel.exe throws an error then examine the stunnel.conf for syntax problems
- If stunnel.exe starts successfully then look elsewhere for problems
- To make certain the help files are served via SSL, follow the instructions here: Changing the Help Links to use HTTPS://
Note: if running SSO, with the Author Instance, SSO is not needed as it is logged in through the the Adobe Connect Server. For the Publisher Instance:
- In Publish eventlogin/eventRegistration page, when the event page is rendered. It calls the API to the CPS fetch the event metadata like (eventName, date-begin etc)
- In the same API, it fetched the information that SSO is enabled and for which domain.
- When user type the email address in the event page, it matched the sso domain if matched , redirect to IDP page else not redirect.