ID: 6741


Enable SSL for Desktop Zoom Applications

To further fortify Zoom against security vulnerabilities, from Zoom 7.0 onward we support SSL for desktop Zoom applications such as Visual Asset Browser. This is in addition to the SSL support already available on Zoom Preview Server and Zoom Web Admin Server.

Before continuing, stop the Zoom services in this order: Curator, Preview, Zoom, HADR. After updating the files mentioned below, restart the services in this order: HADR, Zoom, Preview, Curator.

 

To enable SSL in Zoom desktop apps, do the following for each of the Zoom Server and Zoom Preview Server. Ignore the HADR peer section if HADR is not in use. If you have already enabled Zoom SSL support for Web Apps, some of the settings below may already be in effect.

On each Zoom Server

On the Zoom Server, navigate to the conf folder in Zoom Install directory (For Windows – [ZoomInstallDir]\conf and for Linux – [ZoomInstallDir]/conf).

Open server.xml and update the following tags:

  1. Under <networkspec>, set <securePortEnabled> tag as true
  2. Under <networkspec>, set <securePort> tag as 9880
    Sample Server.xml

     

  3. Under <webserverspec>, set <useSslForDesktopClient> tag as true
  4. Under <webserverspec>, check that the <sslPort> tag is 9443
  5. Under <webserverspec>, set <ssl> tag as true
    Sample Server.xml

     

  6. If an LDAP server is not in use, skip this step. If an LDAP server is in use, then under <authspec><ldapspec>, set <useSsl> tag as true

     

If any of the tags specified above are not found, please add the tag under that relevant section.

 

Save changes to the server.xml file.

 

On Zoom Preview Server

On the Zoom Preview Server, navigate to the conf folder in Zoom Install directory (For Windows – [ZoomInstallDir]\conf and for Linux – [ZoomInstallDir]/conf).

Open server.xml and update the following tags:

  1. Under <reviewserverspec><ServerConnection>, set <sslPort> tag as 8973
  2. Under <reviewserverspec><ServerConnection>, set <enableSsl> tag as true
  3. Under <reviewserverspec>, set <proxySslPort>  tag as 8874
  4. Under <reviewserverspec>, set <useSslForDesktopClient> tag as true

     

Save changes to the server.xml file.
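One way to confirm the edits before restarting the services, as an added example that is not part of the original page or the product: a small Python check that compares a server.xml against the values listed in the Zoom Server and Preview Server steps above. The role names, the `audit` and `find_ci` helpers and the sample document (including its root element) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Expected values from the numbered steps on this page, as paths below the root element.
EXPECTED = {
    "zoom-server": {
        "networkspec/securePortEnabled": "true",
        "networkspec/securePort": "9880",
        "webserverspec/useSslForDesktopClient": "true",
        "webserverspec/sslPort": "9443",
        "webserverspec/ssl": "true",
    },
    "preview-server": {
        "reviewserverspec/ServerConnection/sslPort": "8973",
        "reviewserverspec/ServerConnection/enableSsl": "true",
        "reviewserverspec/proxySslPort": "8874",
        "reviewserverspec/useSslForDesktopClient": "true",
    },
}

def find_ci(node, path):
    """Walk a tag path ignoring case, since the page mixes networkspec and networkSpec."""
    for part in path.split("/"):
        node = next((c for c in node if c.tag.lower() == part.lower()), None)
        if node is None:
            return None
    return node

def audit(xml_text, role):
    """Return (path, expected, found) for every tag that is missing or has another value."""
    root = ET.fromstring(xml_text)
    problems = []
    for path, expected in EXPECTED[role].items():
        node = find_ci(root, path)
        found = None if node is None else (node.text or "").strip()
        if found is None or found.lower() != expected:
            problems.append((path, expected, found))
    return problems

# Constructed sample: the root element name and layout are assumptions for illustration.
SAMPLE = """<server>
  <networkspec><securePortEnabled>true</securePortEnabled><securePort>9880</securePort></networkspec>
  <webserverspec><sslPort>9443</sslPort><ssl>false</ssl></webserverspec>
</server>"""

if __name__ == "__main__":
    for path, expected, found in audit(SAMPLE, "zoom-server"):
        print(f"{path}: expected {expected}, found {found}")
```

A missing tag is reported with `found` set to `None`, which matches the page's instruction to add any tag that is not present.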

 

Now, navigate to the conf folder in Zoom Install directory (For Windows – [ZoomInstallDir]\conf and for Linux – [ZoomInstallDir]/conf).

Open preview-server.xml and update the tag <ZoomServerHostPort> to use https (eg. <ZoomServerHostPort>https://[ZoomServerIP]:9880</ZoomServerHostPort>). Save changes.

 

On each Zoom HADR Peer

On each Zoom HADR Peer, navigate to the conf folder in Zoom Install directory (For Windows – [ZoomInstallDir]\conf and for Linux – [ZoomInstallDir]/conf).

Open server.xml and update the following tags:

  1. Under <hadrspec><hadrGroup><peer><networkSpec>, set <securePortEnabled> tag as true
  2. Under <hadrspec> <networkSpec>, set <securePort> tag as 9880
  3. Under <hadrspec><hadrGroup><peer><networkSpec>, set <hadrPortSecured> tag as true
  4. Under <hadrspec><hadrGroup><peer><networkSpec>, set <fileTransferProtocol> tag as https
    Sample Server.xml

     

Save changes to the server.xml file.

 

Again, on each Zoom HADR Peer, navigate to the conf folder in Zoom Install directory (For Windows – [ZoomInstallDir]\conf and for Linux – [ZoomInstallDir]/conf).

Open filetransfer-spec.xml and update the following tags:

  1. Set <sslPort> tag as 8874
  2. Set <ssl> tag as true

Save changes to filetransfer-spec.xml file.

 

 

Before setting up the SSL certificates on servers, stop services for Zoom in the order Curator, Preview, Zoom and HADR services. Restart services in the reverse order after the server side setup is complete.
Similarly, stop the Zoom Client Proxy processes on the client machine before setting up the SSL certificates (only for a self-signed certificate). Stop watchdog.exe and then zmclientproxy.exe, in that order. After the certificates are set up, start watchdog.exe and then zmclientproxy.exe, in that order.

 

With a commercial certificate

Copy the certificate file to the conf folder in Zoom Install directory (For Windows – [ZoomInstallDir]\conf and for Linux – [ZoomInstallDir]/conf) for each server machine.

Now, save the password provided with the SSL certificate in each of the Zoom modules as follows:

Zoom Server

  1. From the conf folder, open file wrapper.conf
  2. Set these two properties:

wrapper.java.additional.11=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>

Preview Server

  1. From the conf folder, open file preview-server.conf
  2. Set these two properties

wrapper.java.additional.11=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>

 

Curator Server

  1. From the conf folder, open file curator-server.conf
  2. Set these two properties

wrapper.java.additional.11=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>

 

File Transfer Server (HADR)

  1. From the conf folder, open file hadr-filetransfer.conf
  2. Set these two properties for the location

wrapper.java.additional.11=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>

Set these properties for each HADR peer.

 

Client Systems

No setup needed.

 

 

With a self-signed certificate

For each server (Zoom Server, Preview Server, HADR, Curator Server, etc.), set up the following on each machine:

Copy the certificate file to the conf folder in Zoom install directory (For Windows – [ZoomInstallDir]\conf and for Linux – [ZoomInstallDir]/conf).

 

The certificate information also needs to be set up in the zoom properties file for each server machine with Zoom.

  1. From the user folder (../users/$user/.zm/) open zoom.properties (make sure the hidden files are visible to view the .zm folder).
  2. Set these two properties

ZOOM_SSL_TRUSTSTORE_PATH=<SSL Certificate file's absolute location>

ZOOM_SSL_TRUSTSTORE_PASSWORD=<actual password>

 

Now, save the password provided with the SSL certificate in each of the Zoom modules as follows:

Zoom Server

  1. From the conf folder, open file wrapper.conf
  2. Set these two properties

wrapper.java.additional.11=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>

 

Preview Server

  1. From the conf folder, open file preview-server.conf
  2. Set these two properties

wrapper.java.additional.11=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>

 

Curator Server

  1. From the conf folder, open file curator-server.conf
  2. Set these two properties

wrapper.java.additional.11=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>

 

File Transfer Server (HADR)

  1. From the conf folder, open file hadr-filetransfer.conf
  2. Set these two properties

wrapper.java.additional.11=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>

Set these properties for each HADR peer.

 

Client Systems

The certificate information also needs to be set up in the zoom properties file for each client machine with Zoom.

  1. From the user folder (../users/$user/.zm/), open zoom.properties (make sure the hidden files are visible to view the .zm folder).
  2. Set these two properties

ZOOM_SSL_TRUSTSTORE_PATH=<SSL Certificate file's absolute location>

ZOOM_SSL_TRUSTSTORE_PASSWORD=<actual password>
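Both the commercial and the self-signed procedures above leave the keystore or truststore password in clear text in the wrapper-style .conf files and in zoom.properties. The following added example (not part of the original page or the product) checks one such file for an unfilled placeholder, a half-configured path/password pair, and, on POSIX hosts, file permissions that let other accounts read the password. The function name, the finding messages and the sample keystore name are assumptions.

```python
import os
import re
import stat
import tempfile

# Settings named on this page: JVM options in the wrapper-style .conf files
# and the truststore keys in zoom.properties.
SETTING = re.compile(
    r"^\s*(?:wrapper\.java\.additional\.\d+\s*=\s*-D)?"
    r"(zoom\.ssl\.keystore\.(?:path|pass)|ZOOM_SSL_TRUSTSTORE_(?:PATH|PASSWORD))\s*=(.*)$"
)
PAIRS = [("zoom.ssl.keystore.path", "zoom.ssl.keystore.pass"),
         ("ZOOM_SSL_TRUSTSTORE_PATH", "ZOOM_SSL_TRUSTSTORE_PASSWORD")]

def audit_file(path):
    """Return a list of findings for one .conf or zoom.properties file."""
    settings = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            m = SETTING.match(line.rstrip("\r\n"))
            if m:
                settings[m.group(1)] = m.group(2).strip()
    findings = []
    for path_key, pass_key in PAIRS:
        if (path_key in settings) != (pass_key in settings):
            findings.append(f"{path_key} and {pass_key} are not both set")
    for key, value in settings.items():
        if not value or (value.startswith("<") and value.endswith(">")):
            findings.append(f"{key} is empty or still the placeholder")
    # The password sits in the file in clear text, so on POSIX hosts only the
    # owning service account should have any access to it.
    has_secret = any(pass_key in settings for _, pass_key in PAIRS)
    if has_secret and os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"mode {mode:04o} lets other accounts reach the password")
    return findings

if __name__ == "__main__":
    # Constructed sample file; the keystore name is made up.
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "wrapper.conf")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write("wrapper.java.additional.11=-Dzoom.ssl.keystore.path=conf/example.p12\n"
                     "wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>\n")
        os.chmod(conf, 0o644)
        for finding in audit_file(conf):
            print(finding)
```

On Windows hosts the permission check is skipped; review the file's ACL there instead.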