Design Guide for the Cisco Unified Videoconferencing Solution Using Desktop Component Release 5.5
Configuring Desktop Server for HTTPS

Table Of Contents

Configuring Desktop Server for HTTPS

About Configuring Desktop Server for HTTPS

Configuring HTTPS for Cisco Unified Videoconferencing Manager

Configuring a Desktop Server

Configuring Windows Firewall


Configuring Desktop Server for HTTPS


About Configuring Desktop Server for HTTPS

Information provided in this appendix suits deployments in which Desktop Server and the Resource Manager component of the Cisco Unified Videoconferencing Manager are installed on the same server. This appendix is also relevant to the configuration of HTTPS on the Cisco Unified Videoconferencing Manager components for multiple-server installations.

If only HTTPS may be used to access web pages, see the "Configuring Windows Firewall" section.

Configuring HTTPS for Cisco Unified Videoconferencing Manager

Procedures in this section describe how to configure Cisco Unified Videoconferencing Manager for HTTPS access on an arbitrary port opened on the firewall. After the configuration is complete, use the following URL to access Cisco Unified Videoconferencing Manager: https://<server>:<port>/cuvcmrm.


Note If Cisco Unified Videoconferencing Manager and Desktop Server are installed on separate servers, the standard HTTPS port number 443 can be used. In this case the URL to access Cisco Unified Videoconferencing Manager does not require the port designation. For example, https://<server>/cuvcmrm.


To perform the procedures in this section you need keytool, a Java utility that is installed with either a JRE (Java Runtime Environment) or a JDK (Java Development Kit). Two methods of creating a new certificate for Cisco Unified Videoconferencing Manager are described:

Sending a certificate request to a Certificate Authority (CA)

Generating a self-signed certificate

Before You Begin

Procedures mention the Desktop Server default installation location. If you used a customized location during Desktop Server installation, modify paths in procedures appropriately.

Procedure


Step 1 Generate a keystore file:

a. Open a Command Prompt on the Cisco Unified Videoconferencing Manager Server.

b. Enter the command:

set path="<installDir>\cuvcmrm\jre\bin"

where <installDir> represents the actual installation path.

c. Enter the command:

MKDIR C:\certificate

d. Enter the command:

CD C:\certificate

e. Enter the following command on a single line:

keytool -genkey -keyalg RSA -dname "cn=product,ou=users,ou=US,DC=Company,DC=com" -alias product -keypass passwd -keystore product.keystore -storepass passwd


Note Do not press ENTER until the entire command is entered. Use a space before each hyphen.


Step 2 Generate a self-signed certificate:

a. Enter the following command on a single line:

keytool -selfcert -alias product -keypass passwd -keystore product.keystore -storepass passwd

b. Continue with Step 6.

-or-

Step 3 Generate the certificate-signing request:

a. Enter the command (the keystore is the product.keystore file created in Step 1):

keytool -certreq -v -alias product -file product.csr -keypass passwd -keystore product.keystore -storepass passwd

b. Submit the content of the product.csr file to a CA for signing.

Step 4 After the signed certificate is returned by the CA, import this certificate into the keystore.

a. Verify that all relevant files are located in the folder you created while generating a keystore file. For example, c:\certificate.

b. Set the path for the keytool utility.

c. Enter the command:

keytool -import -alias CARoot -file <rootCertFromCA>.cer -keystore product.keystore -storepass passwd

Step 5 Import the certificate response from the CA by entering the following command on a single line:

keytool -import -trustcacerts -alias product -file <signedCertFromCA>.cer -keystore product.keystore -storepass passwd

Step 6 Install the certificate:

a. Stop the service "Cisco Unified Videoconferencing Manager".

b. Using Microsoft Notepad or Microsoft WordPad, open the file <installDir>\cuvcmrm\jboss\server\default\deploy\jbossweb-tomcat55.sar\server.xml, where <installDir> represents the actual installation path.

c. Locate the section in which the connectors are defined.

d. Modify the SSL/TLS connector so that it listens on port 8444 and uses the keystore created in Step 1, as shown below. The keystorePass value must match the -storepass value given to keytool in Step 1.

    <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
    <Connector port="8444" address="${jboss.bind.address}"
               maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
               emptySessionPath="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="C:/certificate/product.keystore"
               keystorePass="passwd" sslProtocol="TLS" />


Note To disable non-SSL connections (HTTP) to Cisco Unified Videoconferencing Manager on port 8080, configure Microsoft Windows Firewall to block this port from external access.


e. Disable the default connector on port 8443 by placing "<!--" at the beginning of the connector definition and "-->" at the end, as shown below:

    <!--
    <Connector port="8443" address="${jboss.bind.address}"
               maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="${jboss.server.home.dir}/conf/CUVCMRMservice.keystore"
               keystorePass="<company>"
               truststoreFile="${jboss.server.home.dir}/conf/CUVCMRMservice.keystore"
               truststorePass="<company>"
               sslProtocol="TLS" />
    -->

Step 7 Save the file and close Microsoft Notepad or Microsoft Wordpad.

Step 8 Start the "Cisco Unified Videoconferencing Manager" service.
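A check for the result of Step 6, added here as an example and not part of the Cisco guide: it parses the connector section of the Manager's server.xml and confirms that the TLS connector is active on 8444 with the product keystore, that the default 8443 connector has really been commented out (XML comments disappear when parsed, which is exactly the behaviour JBoss relies on), and lists the connectors that still speak plain HTTP and therefore need the Windows Firewall restriction. The XML is a constructed sample built from the snippets in Step 6; the 8080 connector is abbreviated and the default keystore password is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the connector section of <installDir>\cuvcmrm\jboss\...\jbossweb-tomcat55.sar\server.xml.
# The 8080 connector is abbreviated; the 8444 and 8443 connectors follow Step 6.
DEFAULT_8443 = """    <Connector port="8443" address="${jboss.bind.address}"
               maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="${jboss.server.home.dir}/conf/CUVCMRMservice.keystore"
               keystorePass="PLACEHOLDER" sslProtocol = "TLS" />"""

TEMPLATE = """<Server><Service name="jboss.web">
    <Connector port="8080" address="${jboss.bind.address}" redirectPort="8443" />
    <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
    <Connector port="8444" address="${jboss.bind.address}"
               maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
               emptySessionPath="true" scheme="https" secure="true" clientAuth="false"
               keystoreFile="C:/certificate/product.keystore"
               keystorePass="passwd" sslProtocol = "TLS" />
@@DEFAULT_8443@@
</Service></Server>"""

# After Step 6e the default connector sits inside a comment; before it, it is live.
EDITED_XML = TEMPLATE.replace("@@DEFAULT_8443@@", "    <!--\n" + DEFAULT_8443 + "\n    -->")
UNEDITED_XML = TEMPLATE.replace("@@DEFAULT_8443@@", DEFAULT_8443)


def check_connectors(xml_text, tls_port="8444", keystore="C:/certificate/product.keystore"):
    """Return deviations from Step 6 as a list of strings; an empty list means it matches."""
    root = ET.fromstring(xml_text)  # comments are dropped, so a commented-out connector vanishes
    by_port = {c.get("port"): c for c in root.iter("Connector")}
    findings = []
    tls = by_port.get(tls_port)
    if tls is None:
        findings.append(f"no active connector on port {tls_port}")
    else:
        if (tls.get("scheme"), tls.get("secure")) != ("https", "true"):
            findings.append(f"port {tls_port} is not scheme=https secure=true")
        if tls.get("keystoreFile") != keystore:
            findings.append(f"port {tls_port} keystoreFile is {tls.get('keystoreFile')!r}")
        if tls.get("sslProtocol") != "TLS":
            findings.append(f"port {tls_port} sslProtocol is {tls.get('sslProtocol')!r}")
    if "8443" in by_port:
        findings.append("default connector on port 8443 is still active; comment it out")
    return findings

def plain_http_ports(xml_text):
    """Ports still accepting plain HTTP; the guide blocks these externally with Windows Firewall."""
    root = ET.fromstring(xml_text)
    return sorted(c.get("port") for c in root.iter("Connector") if c.get("secure") != "true")
```

Run `check_connectors` against the real file after editing it; a non-empty list means the service should not be restarted yet.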


Configuring a Desktop Server

It is not possible to configure Desktop web access to accept an SSL connection on the standard 443 port because that port is already used to accept tunnelled connections from the Desktop Client. This procedure explains how to configure Desktop Server to forward HTTPS requests to its web server.

Before You Begin

Procedures mention the Desktop Server default installation location. If you used a customized location during Desktop Server installation, modify paths in procedures appropriately.

Procedure


Step 1 After Desktop Server is installed, stop the service "Cisco Unified Videoconferencing Desktop - Apache Tomcat".

Step 2 Stop the service "Cisco Unified Videoconferencing Desktop - Conference Server.7.7.100".

Step 3 Modify the server.xml file:

a. Using Microsoft Notepad or Microsoft Wordpad, open the following file:

<installDir>\tomcat\conf\server.xml,

where <installDir> represents the actual installation directory.

b. Locate the section in which the connectors are defined.

c. Add the following non-SSL connector. It accepts plain HTTP on port 8443 from the Conference Server, which terminates TLS on port 443 and forwards the requests locally; scheme="https" and proxyPort="443" make Tomcat build its redirects and absolute URLs for the external HTTPS address.

    <!-- Define a non-SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               proxyPort="443" maxThreads="150"
               minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="false"
               clientAuth="false" />


Note To disable non-SSL connections (HTTP) to Desktop Server, comment out the connector on port 80 by surrounding it with "<!--" and "-->", as shown in the example below.


Example of the disabled connector on port 80:

    <!--
    <Connector port="80" maxHttpHeaderSize="8192"
               maxThreads="130" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443"
               acceptCount="300"
               connectionTimeout="20000" disableUploadTimeout="true" />
    -->

Step 4 Save the file.

Step 5 Close the application you used for editing the file.

Step 6 Modify the ctmx.ini file:

a. Using Microsoft Notepad or Microsoft Wordpad, open the following file:

<installDir>\tomcat\webapps\cuvm\WEB-INF\data\ctmx.ini,

where <installDir> represents the actual installation directory.

b. Locate the section [icmcontrol].

c. Modify the virtualroomurl line so that it uses HTTPS and the port of the Manager's TLS connector, as shown below:

virtualroomurl=https://<address>:8444/icm/handovervirtualroom


Note If you install the Resource Manager of the Cisco Unified Videoconferencing Manager on a separate server and configure the Resource Manager port as port 443, the port number above must be 443 or can be omitted.


d. Locate the section "[additional server commands]" and add the following lines at the end of the section:

cmd7=https-forward-host 127.0.0.1:8443
cmd8=https-forward-host on


Note By default there are six commands in the [additional server commands] section. If the section has been previously modified, the number of commands might be different. Be sure to increment the command numbers sequentially.


Step 7 Save the file.

Step 8 Close the application you used for editing the file.

Step 9 Start the service "Cisco Unified Videoconferencing Desktop - Conference Server.7.7.100".

Step 10 Start the service "Cisco Unified Videoconferencing Desktop - Apache Tomcat".
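The ctmx.ini edit of Step 6 as an added, scriptable example (not part of the Cisco guide): it rewrites virtualroomurl in [icmcontrol] to the HTTPS form (omitting the port when the Resource Manager listens on 443, as the Note allows) and appends the two https-forward-host commands to [additional server commands], numbering them after the highest existing cmdN rather than assuming the default six. The INI text, host 10.0.0.5 and the placeholder command values are constructed; the file path in the comment is the one the procedure names.

```python
import re

# Constructed sample of the two ctmx.ini sections the procedure touches
# (<installDir>\tomcat\webapps\cuvm\WEB-INF\data\ctmx.ini); the six default commands are placeholders.
SAMPLE_CTMX_INI = """[icmcontrol]
virtualroomurl=http://10.0.0.5:8080/icm/handovervirtualroom

[additional server commands]
cmd1=placeholder-command-1
cmd2=placeholder-command-2
cmd3=placeholder-command-3
cmd4=placeholder-command-4
cmd5=placeholder-command-5
cmd6=placeholder-command-6

[other]
"""


def section_body(lines, name):
    """Return (start, end) indexes of the lines under [name], end exclusive."""
    for i, line in enumerate(lines):
        if line.strip() == f"[{name}]":
            end = i + 1
            while end < len(lines) and not lines[end].startswith("["):
                end += 1
            return i + 1, end
    raise ValueError(f"section [{name}] not found")


def configure_https_forwarding(ini_text, manager_host, manager_port=8444, forward_to="127.0.0.1:8443"):
    """Apply Step 6c and 6d to ctmx.ini text and return the edited text."""
    lines = ini_text.splitlines()
    # Step 6c: virtualroomurl must use https; the port is omitted when the Manager listens on 443
    host = manager_host if manager_port == 443 else f"{manager_host}:{manager_port}"
    start, end = section_body(lines, "icmcontrol")
    for i in range(start, end):
        if lines[i].split("=", 1)[0].strip() == "virtualroomurl":
            lines[i] = f"virtualroomurl=https://{host}/icm/handovervirtualroom"
    # Step 6d: number the new commands after the highest existing cmdN, whatever that is
    start, end = section_body(lines, "additional server commands")
    nums = [int(m.group(1)) for m in (re.match(r"\s*cmd(\d+)\s*=", l) for l in lines[start:end]) if m]
    n = max(nums, default=0) + 1
    while end > start and not lines[end - 1].strip():  # keep the blank separator after the section
        end -= 1
    lines[end:end] = [f"cmd{n}=https-forward-host {forward_to}", f"cmd{n + 1}=https-forward-host on"]
    return "\n".join(lines) + "\n"
```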


Configuring Windows Firewall

Use the procedure described in this section to disable non-SSL access to Desktop Server and to enable secure connections to Desktop Server.


Note If you install the Resource Manager component of the Cisco Unified Videoconferencing Manager on a separate server, you must modify Windows Firewall on both servers.


Before You Begin

Procedures mention the Desktop Server default installation location. If you used a customized location during Desktop Server installation, modify paths in procedures appropriately.

Procedure


Step 1 Open Windows Firewall by clicking Start > Control Panel > Windows Firewall.

Step 2 Click On to turn on firewall protection.

Step 3 Click the Exceptions tab.

Step 4 Click the Add Port button.

Step 5 Enter Resource Manager connections from Desktop in the Name field.

Step 6 Enter 8080 in the Port number field.

Step 7 Verify that the TCP option is selected.

Step 8 Click Change scope.

Step 9 Click Custom list.

Step 10 Enter "127.0.0.1,<D IP address>" in the field, where <D IP address> represents the actual address of the Desktop Server. For example, "127.0.0.1,192.168.112.9".

Step 11 Click OK.

Step 12 Click OK.

Step 13 Click the Advanced tab.

Step 14 In the Network Connection Settings area, choose Local Area Connection, and then click Settings.

Step 15 Click Secure Web Server (HTTPS) to enable access to Desktop Server.

Step 16 Click Add.

Step 17 Define service settings:

a. In the Description field, enter Secure Cisco Unified Videoconferencing Manager.

b. In the Name or server address field, enter the name of the server.

c. In the External port number and Internal port number fields, enter 8444.

d. Verify that TCP is chosen.

e. Click OK to enable secure access to Cisco Unified Videoconferencing Manager.

Step 18 Click OK.

Step 19 Click OK.