Configuring Desktop Server for HTTPS
• About Configuring Desktop Server for HTTPS
• Configuring HTTPS for Cisco Unified Videoconferencing Manager
• Configuring a Desktop Server
• Configuring Windows Firewall
About Configuring Desktop Server for HTTPS
The information in this appendix applies to deployments in which Desktop Server and the Resource Manager component of the Cisco Unified Videoconferencing Manager are installed on the same server. This appendix is also relevant to the configuration of HTTPS on the Cisco Unified Videoconferencing Manager components for multiple-server installations.
If web pages must be accessed over HTTPS only, use the procedure in the "Configuring Windows Firewall" section.
Configuring HTTPS for Cisco Unified Videoconferencing Manager
Procedures in this section describe how to configure Cisco Unified Videoconferencing Manager for HTTPS access on an arbitrary port opened on the firewall. After the configuration is complete, use the following URL to access Cisco Unified Videoconferencing Manager: https://<server>:<port>/cuvcmrm.
Note: If Cisco Unified Videoconferencing Manager and Desktop Server are installed on separate servers, the standard HTTPS port number 443 might be used. In this case the URL to access Cisco Unified Videoconferencing Manager does not require the port designation. For example, https://<server>/cuvcmrm.
To perform the procedures described in this section you need keytool, a Java tool that is installed with either a JRE (Java Runtime Environment) or a JDK (Java Development Kit). Two methods of creating a new certificate for Cisco Unified Videoconferencing Manager are described:
• Sending a certificate request to a Certificate Authority (CA)
• Generating a self-signed certificate
Before You Begin
• Procedures mention the Desktop Server default installation location. If you used a customized location during Desktop Server installation, modify paths in procedures appropriately.
Procedure
Step 1: Generate a keystore file:
a. Open a Command Prompt on the Cisco Unified Videoconferencing Manager Server.
b. Enter the command:
    set path="<installDir>\cuvcmrm\jre\bin"
where <installDir> represents the actual installation path.
c. Enter the command:
    MKDIR C:\certificate
d. Enter the command:
    CD C:\certificate
e. Enter the following command:
    keytool -genkey -keyalg RSA -dname "cn=product,ou=users,ou=US,DC=Company,DC=com" -alias product -keypass passwd -keystore product.keystore -storepass passwd
Note: Do not press ENTER until the entire command is entered. Use a space before each hyphen.
Step 2: Generate a self-signed certificate:
a. Enter the following command:
    keytool -selfcert -alias product -keypass passwd -keystore product.keystore -storepass passwd
b. Continue with Step 6.
-or-
Step 3: Generate the certificate-signing request:
a. Enter the command:
    keytool -certreq -v -alias product -file product.csr -keypass passwd -keystore product.keystore -storepass passwd
b. Submit the content of the product.csr file to a CA for signing.
Step 4: After the signed certificate is returned by the CA, import this certificate into the keystore.
a. Verify that all relevant files are located in the folder you created while generating a keystore file. For example, c:\certificate.
b. Set the path for the keytool utility.
c. Enter the command:
    keytool -import -alias CARoot -file <rootCertFromCA>.cer -keystore product.keystore -storepass passwd
Step 5: Import the certificate response from the CA by entering the command:
    keytool -import -trustcacerts -alias product -file <signedCertFromCA>.cer -keystore product.keystore -storepass passwd
Step 6: Install the certificate:
a. Stop the service "Cisco Unified Videoconferencing Manager".
b. Using Microsoft Notepad or Microsoft Wordpad applications, open this file:
    <installDir>\cuvcmrm\jboss\server\default\deploy\jbossweb-tomcat55.sar\server.xml
where <installDir> represents the actual installation path.
c. Locate the section in which the connectors are defined.
d. Modify the following SSL/TLS connector parameters as described below. The necessary changes are marked in bold.
    <!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
    <Connector port="8444" address="${jboss.bind.address}"
        maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
        emptySessionPath="true"
        scheme="https" secure="true" clientAuth="false"
        keystoreFile="C://certificate/product.keystore"
        keystorePass="passwd" sslProtocol = "TLS" />
    <!-- -->
Note: To disable non-SSL connections (HTTP) to Cisco Unified Videoconferencing Manager on port 8080, configure Microsoft Windows Firewall to block this port from external access.
e. Disable the default connector on port 8443 by placing "<!--" at the beginning of the connector definition and "-->" at the end. The necessary changes are marked in bold.
    <!--
    <Connector port="8443" address="${jboss.bind.address}"
        maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
        scheme="https" secure="true" clientAuth="false"
        keystoreFile="${jboss.server.home.dir}/conf/CUVCMRMservice.keystore"
        keystorePass="<company>"
        truststoreFile="${jboss.server.home.dir}/conf/CUVCMRMservice.keystore"
        truststorePass="<company>"
        sslProtocol = "TLS" />
    -->
Step 7: Save the file and close Microsoft Notepad or Microsoft Wordpad.
Step 8: Start the "Cisco Unified Videoconferencing Manager" service.
Configuring a Desktop Server
It is not possible to configure Desktop web access to accept an SSL connection on the standard 443 port because that port is already used to accept tunnelled connections from the Desktop Client. This procedure explains how to configure Desktop Server to forward HTTPS requests to its web server.
Before You Begin
• Procedures mention the Desktop Server default installation location. If you used a customized location during Desktop Server installation, modify paths in procedures appropriately.
Procedure
Step 1: After Desktop Server is installed, stop the service "Cisco Unified Videoconferencing Desktop - Apache Tomcat".
Step 2: Stop the service "Cisco Unified Videoconferencing Desktop- Conference Server.7.7.100."
Step 3: Modify the server.xml file:
a. Using Microsoft Notepad or Microsoft Wordpad, open the following file:
    <installDir>\tomcat\conf\server.xml
where <installDir> represents the actual installation directory.
b. Locate the section in which the connectors are defined.
c. Add the following non-SSL connector:
    <!-- Define a non-SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
        proxyPort="443" maxThreads="150"
        minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="false"
        clientAuth="false" />
Note: To disable non-SSL connections (HTTP) to Desktop Server, comment out the connector on port 80 by surrounding it with "<!--" and "-->", as shown in the example below.
Example of disabled connector on port 80:
    <!--
    <Connector port="80" maxHttpHeaderSize="8192"
        maxThreads="130" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" redirectPort="8443"
        acceptCount="300"
        connectionTimeout="20000" disableUploadTimeout="true" />
    -->
Step 4: Save the file.
Step 5: Close the application you used for editing the file.
Step 6: Modify the ctmx.ini file:
a. Using Microsoft Notepad or Microsoft Wordpad, open the following file:
    <installDir>\tomcat\webapps\cuvm\WEB-INF\data\ctmx.ini
where <installDir> represents the actual installation directory.
b. Locate the section [icmcontrol].
c. Modify the line as shown below. The necessary changes are marked in bold:
    virtualroomurl=https://<address>:8444/icm/handovervirtualroom
Note: If you install the Resource Manager of the Cisco Unified Videoconferencing Manager on a separate server and configure the Resource Manager port as port 443, the port number above must be 443 or can be omitted.
d. Locate the section "[additional server commands]" and add the following lines at the end of the section.
    cmd7=https-forward-host 127.0.0.1:8443
    cmd8=https-forward-host on
Note: By default there are six commands in the [additional server commands] section. If the section has been previously modified, the number of commands might be different. Be sure to increment the command numbers sequentially.
Step 7: Save the file.
Step 8: Close the application you used for editing the file.
Step 9: Start the service "Cisco Unified Videoconferencing Desktop- Conference Server.7.7.100.".
Step 10: Start the service "Cisco Unified Videoconferencing Desktop - Apache Tomcat".
Step 11: Change the URLs in the Invitations section of the Desktop Server Administration web interface:
a. Log into the Desktop Server Administration web interface.
b. Click Settings on the sidebar.
c. Click the Invitations tab.
d. Modify all URLs in the Desktop Access section to use https instead of http.
Note: By default, there are two URLs present in this section.
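The connector edits made to both server.xml files in the procedures above can be checked after editing with a short script. The following Python is an added example, not part of the Cisco documentation; it assumes a connector terminates TLS only when it carries a keystoreFile attribute, and the finding names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMPLE_PASSWORDS = {"passwd"}              # sample value used in the keytool commands
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_connectors(server_xml):
    """Return sorted (port, finding) pairs for the active connectors in a server.xml."""
    findings = []
    # The XML parser drops comments, so commented-out connectors are skipped,
    # just as Tomcat skips them.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = int(conn.get("port", "0"))
        terminates_tls = conn.get("keystoreFile") is not None  # assumption, see lead-in
        if terminates_tls:
            if conn.get("keystorePass") in SAMPLE_PASSWORDS:
                findings.append((port, "sample-keystore-password"))
            if conn.get("secure") != "true" or conn.get("scheme") != "https":
                findings.append((port, "tls-connector-not-marked-secure"))
        elif conn.get("address") not in LOOPBACK:
            # No keystore: the listener speaks plaintext HTTP, whatever scheme= claims.
            findings.append((port, "plaintext-on-all-interfaces"))
    return sorted(findings)

# Constructed sample combining the connector states described in this appendix.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="sample">
    <Connector port="8444" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="C://certificate/product.keystore"
               keystorePass="passwd" sslProtocol="TLS" />
    <!--
    <Connector port="80" maxHttpHeaderSize="8192" redirectPort="8443" />
    -->
    <Connector port="8443" proxyPort="443" scheme="https" secure="false"
               clientAuth="false" />
    <Connector port="8080" address="${jboss.bind.address}" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

A plaintext-on-all-interfaces finding for port 8443 or 8080 identifies a listener whose exposure depends entirely on the Windows Firewall settings in the next section; sample-keystore-password means the keystore still uses the password shown in the example commands.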
Configuring Windows Firewall
Use the procedure described in this section to disable non-SSL access to Desktop Server and to enable secure connections to Desktop Server.
Note: If you install the Resource Manager component of the Cisco Unified Videoconferencing Manager on a separate server, you must modify Windows Firewall on both servers.
Before You Begin
• Procedures mention the Desktop Server default installation location. If you used a customized location during Desktop Server installation, modify paths in procedures appropriately.
Procedure
Step 1: Open Windows Firewall by clicking Start > Control Panel > Windows Firewall.
Step 2: Click On to turn on firewall protection.
Step 3: Click the Exceptions tab.
Step 4: Click the Add Port button.
Step 5: Enter "Cisco Unified Videoconferencing Manager connection from Desktop Server" in the Name field.
Step 6: Enter 8080 in the Port number field.
Step 7: Verify that the TCP option is selected.
Step 8: Click Change scope.
Step 9: Click Custom list.
Step 10: Enter "127.0.0.1,<D IP address>" in the field, where <D IP address> represents the actual address of the Desktop Server. For example, "127.0.0.1,192.168.112.9".
Step 11: Click OK.
Step 12: Click OK.
Step 13: Click the Advanced tab.
Step 14: Select Local Area Connection in the Network Connection Settings area, and then click Settings.
Step 15: Click Secure Web Server (HTTPS) to enable access to Desktop Server.
Step 16: Click Add.
Step 17: Define service settings:
a. Enter Secure Cisco Unified Videoconferencing Manager in the Description field.
b. Enter the name of the server in the Name or server address field.
c. Enter 8444 in the External port number and Internal port number fields.
d. Verify that TCP is selected.
e. Click OK to enable secure access to Cisco Unified Videoconferencing Manager.
Step 18: Click OK.
Step 19: Click OK.