
Enable SSL for Desktop Zoom Applications

To further harden Zoom against security vulnerabilities, Zoom 7.0 onward supports SSL for desktop Zoom applications such as the Visual Asset Browser. This is in addition to the SSL support already available on the Zoom Preview Server and the Zoom Web Admin Server.

 

From Zoom 7.1 onwards, additional security measures have been added to the way SSL is set up: during the SSL handshake, the client now also checks that the server's hostname matches the certificate. Commercial SSL setups need no change for this.

However, additional setup is needed for self-signed certificates. You have two options here:

  • Either create a new self-signed certificate that has all needed hostnames defined in it (see the linked example of creating a new self-signed certificate to accommodate these changes).
  • Or bypass the hostname check altogether. This method is described in the Certificate Setup below.

 

Stop services for Zoom in the order Curator, Preview, Zoom and HADR services before continuing. Restart services for HADR, Zoom, Preview and Curator services in that order after completing the steps mentioned below.

 

To enable SSL in the Zoom desktop apps, do the following on each Zoom Server and on the Zoom Preview Server. Ignore the HADR peer section if HADR is not in use. If you have already enabled Zoom SSL support for Web Apps, some of the settings below may already be in effect.

On each Zoom Server

  1. On the Zoom Server, navigate to the conf folder in the Zoom install directory (Windows: [ZoomInstallDir]\conf; Linux: [ZoomInstallDir]/conf).
  2. Open server.xml and update the following tags:
    1. Under <networkspec>, set the <securePortEnabled> tag to true.
    2. Under <networkspec>, set the <securePort> tag to 9880.
      Sample Server.xml
    3. Under <webserverspec>, set the <useSslForDesktopClient> tag to true.
    4. Under <webserverspec>, check that the <sslPort> tag is 9443.
    5. Under <webserverspec>, set the <ssl> tag to true.
      Sample Server.xml
    6. If no LDAP server is in use, skip this step. If an LDAP server is in use, then under <authspec><ldapspec>, set the <useSsl> tag to true.
      If any of the tags specified above are not found, add the tag under the relevant section.
  3. Save changes to the server.xml file.

 

On Zoom Preview Server

  1. On the Zoom Preview Server, navigate to the conf folder in the Zoom install directory (Windows: [ZoomInstallDir]\conf; Linux: [ZoomInstallDir]/conf).
  2. Open server.xml and update the following tags:
    1. Under <reviewserverspec><ServerConnection>, set the <sslPort> tag to 8973.
    2. Under <reviewserverspec><ServerConnection>, set the <enableSsl> tag to true.
    3. Under <reviewserverspec>, set the <proxySslPort> tag to 8874.
    4. Under <reviewserverspec>, set the <useSslForDesktopClient> tag to true.
  3. Save changes to the server.xml file.
  4. Now, navigate to the conf folder in the Zoom install directory (Windows: [ZoomInstallDir]\conf; Linux: [ZoomInstallDir]/conf).
  5. Open preview-server.xml and update the <ZoomServerHostPort> tag to use https (e.g. <ZoomServerHostPort>https://[ZoomServerIP]:9880</ZoomServerHostPort>). Save changes.

 

On each Zoom HADR Peer

  1. On each Zoom HADR Peer, navigate to the conf folder in the Zoom install directory (Windows: [ZoomInstallDir]\conf; Linux: [ZoomInstallDir]/conf).
  2. Open server.xml and update the following tags:
    1. Under <hadrspec><hadrGroup><peer><networkSpec>, set the <securePortEnabled> tag to true.
    2. Under <hadrspec> <networkSpec>, set the <securePort> tag to 9880.
    3. Under <hadrspec><hadrGroup><peer><networkSpec>, set the <hadrPortSecured> tag to true.
    4. Under <hadrspec><hadrGroup><peer><networkSpec>, set the <fileTransferProtocol> tag to https.
      Sample Server.xml
  3. Save changes to the server.xml file.
  4. Again, on each Zoom HADR Peer, navigate to the conf folder in the Zoom install directory (Windows: [ZoomInstallDir]\conf; Linux: [ZoomInstallDir]/conf).
  5. Open filetransfer-spec.xml and update the following tags:
    1. Set the <sslPort> tag to 8874.
    2. Set the <ssl> tag to true.
  6. Save changes to the filetransfer-spec.xml file.
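A quick way to confirm that the server.xml edits above took effect on every machine, before the services are restarted, is to audit each file against the tag values this guide lists. The script below is an added example, not Evolphin's code: the sample XML it carries is constructed from the tag paths named in the three sections above (a real server.xml has far more content), and it assumes that each HADR <peer> carries its own <networkSpec>. An empty result means the file matches the guide.

```python
# Added example (not Evolphin's code): audits a server.xml against the tag values
# this guide prescribes for each server role. The sample XML layout is constructed
# from the tag paths the guide names; a real server.xml has more content.
import xml.etree.ElementTree as ET

# Expected values per role, keyed by path relative to the document root.
CHECKS = {
    "zoom": {
        "./networkspec/securePortEnabled": "true",
        "./networkspec/securePort": "9880",
        "./webserverspec/useSslForDesktopClient": "true",
        "./webserverspec/sslPort": "9443",
        "./webserverspec/ssl": "true",
    },
    "zoom-ldap": {"./authspec/ldapspec/useSsl": "true"},   # only when LDAP is in use
    "preview": {
        "./reviewserverspec/ServerConnection/sslPort": "8973",
        "./reviewserverspec/ServerConnection/enableSsl": "true",
        "./reviewserverspec/proxySslPort": "8874",
        "./reviewserverspec/useSslForDesktopClient": "true",
    },
}
# HADR values are checked relative to every <peer> (assumption: each peer has its own networkSpec).
HADR_PEER_CHECKS = {
    "./networkSpec/securePortEnabled": "true",
    "./networkSpec/securePort": "9880",
    "./networkSpec/hadrPortSecured": "true",
    "./networkSpec/fileTransferProtocol": "https",
}


def _check(node, expectations, prefix=""):
    """Compare each expected tag under node; report missing tags and differing values."""
    findings = []
    for path, want in expectations.items():
        el = node.find(path)
        if el is None:
            findings.append(f"{prefix}missing tag {path}")
        elif (el.text or "").strip().lower() != want:
            findings.append(f"{prefix}{path} is {el.text!r}, expected {want!r}")
    return findings


def audit_server_xml(xml_text, role, ldap_in_use=False):
    """Return findings for a server.xml; an empty list means it matches the guide."""
    root = ET.fromstring(xml_text)
    if role == "hadr":
        peers = root.findall("./hadrspec/hadrGroup/peer")
        if not peers:
            return ["no <peer> found under <hadrspec><hadrGroup>"]
        findings = []
        for i, peer in enumerate(peers):
            findings += _check(peer, HADR_PEER_CHECKS, prefix=f"peer[{i}]: ")
        return findings
    findings = _check(root, CHECKS[role])
    if role == "zoom" and ldap_in_use:
        findings += _check(root, CHECKS["zoom-ldap"])
    return findings


# Constructed samples: a Zoom Server file before and after the change, and an HADR file
# in which the second peer still transfers files over plain http.
WEAK_ZOOM_XML = """<server>
  <networkspec><securePortEnabled>false</securePortEnabled><securePort>9880</securePort></networkspec>
  <webserverspec><sslPort>9443</sslPort><ssl>true</ssl></webserverspec>
  <authspec><ldapspec><useSsl>false</useSsl></ldapspec></authspec>
</server>"""
HARDENED_ZOOM_XML = """<server>
  <networkspec><securePortEnabled>true</securePortEnabled><securePort>9880</securePort></networkspec>
  <webserverspec><useSslForDesktopClient>true</useSslForDesktopClient><sslPort>9443</sslPort><ssl>true</ssl></webserverspec>
  <authspec><ldapspec><useSsl>true</useSsl></ldapspec></authspec>
</server>"""
HADR_XML = """<server><hadrspec><hadrGroup>
  <peer><networkSpec><securePortEnabled>true</securePortEnabled><securePort>9880</securePort>
    <hadrPortSecured>true</hadrPortSecured><fileTransferProtocol>https</fileTransferProtocol></networkSpec></peer>
  <peer><networkSpec><securePortEnabled>true</securePortEnabled><securePort>9880</securePort>
    <hadrPortSecured>true</hadrPortSecured><fileTransferProtocol>http</fileTransferProtocol></networkSpec></peer>
</hadrGroup></hadrspec></server>"""

if __name__ == "__main__":
    for name, xml, role in [("weak", WEAK_ZOOM_XML, "zoom"),
                            ("hardened", HARDENED_ZOOM_XML, "zoom"),
                            ("hadr", HADR_XML, "hadr")]:
        print(name, audit_server_xml(xml, role, ldap_in_use=True) or "OK")
```

Run it against each machine's conf/server.xml with the matching role ("zoom", "preview" or "hadr"); pass ldap_in_use=True on Zoom Servers that authenticate against LDAP so the <useSsl> tag is checked as well. Values are compared case-insensitively, so "True" and "true" both pass.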

 

Before setting up the SSL certificates on servers, stop services for Zoom in the order Curator, Preview, Zoom and HADR services. Restart services in the reverse order after the server side setup is complete. Similarly, stop the Zoom Client Proxy processes on the client machine before setting up the SSL certificates (only for self-signed certificate). Stop watchdog.exe and then zmclientproxy.exe in that order. After the certificates are set up, start watchdog.exe and then zmclientproxy.exe in that order.
For any serious deployment, consider setting up commercial certificates signed by valid certificate authorities; this ensures you do not have to set up certificates on each client workstation.

 

With a commercial certificate

Copy the certificate file to the conf folder in Zoom Install directory (For Windows – [ZoomInstallDir]\conf and for Linux – [ZoomInstallDir]/conf) for each server machine.

Now, save the password provided with the SSL certificate in each of the Zoom modules as follows:

The number at the end of the java parameter may be different in your file. Do not change this number; only look for the property name. For example, in wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>, look for the property name zoom.ssl.keystore.pass (the -D prefix is the JVM system-property switch).

 

Zoom Server

  1. From the conf folder, open file wrapper.conf
  2. Set these two properties:

    wrapper.java.additional.12=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

    wrapper.java.additional.13=-Dzoom.ssl.keystore.pass=<actual password>

  3. Save and close the file.

 

Preview Server

  1. From the conf folder, open file preview-server.conf
  2. Set these two properties:

    wrapper.java.additional.12=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

    wrapper.java.additional.13=-Dzoom.ssl.keystore.pass=<actual password>

  3. Save and close the file.

 

Curator Server

  1. From the conf folder, open file curator-server.conf
  2. Set these two properties:

    wrapper.java.additional.12=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

    wrapper.java.additional.13=-Dzoom.ssl.keystore.pass=<actual password>

  3. Save and close the file.

 

File Transfer Server (HADR)

  1. From the conf folder, open file hadr-filetransfer.conf
  2. Set these two properties:

    wrapper.java.additional.12=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

    wrapper.java.additional.13=-Dzoom.ssl.keystore.pass=<actual password>

    Set these properties for each HADR peer.
  3. Save and close the file.
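Because the wrapper.java.additional.N index differs from file to file (12/13 in the commercial section, 11/12 in the self-signed section), editing these files by index is error-prone; matching on the property name, as the note above says, is the safe approach. The helper below is an added example, not Evolphin's tooling: it rewrites the value of a -D property in a wrapper-style .conf by name, keeps the existing index, and only if the property is absent appends it with the next index after the highest one present (an assumption about how new entries should be numbered; the guide does not say). The sample .conf content is constructed.

```python
# Added example (not Evolphin's code): set a -Dzoom.ssl.* property in wrapper.conf,
# preview-server.conf, curator-server.conf or hadr-filetransfer.conf by property name,
# leaving the wrapper.java.additional.N index exactly as it is in the file.
import re

# Matches "wrapper.java.additional.<N>=-D<name>=<value>"; N varies per file.
_LINE_RE = re.compile(r"^(wrapper\.java\.additional\.(\d+))=-D([^=]+)=(.*)$")


def get_java_property(conf_text, name):
    """Return the value of -D<name>, or None if the property is not present."""
    for line in conf_text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m and m.group(3) == name:
            return m.group(4)
    return None


def set_java_property(conf_text, name, value):
    """Return conf_text with -D<name> set to value.

    An existing property keeps its index and only its value changes. A property
    that is absent is appended using the next index after the highest one found
    (assumption: that is how a new entry should be numbered).
    """
    lines = conf_text.splitlines()
    used = []
    for i, line in enumerate(lines):
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        used.append(int(m.group(2)))
        if m.group(3) == name:
            lines[i] = f"{m.group(1)}=-D{name}={value}"
            return "\n".join(lines) + "\n"
    next_idx = max(used, default=0) + 1
    lines.append(f"wrapper.java.additional.{next_idx}=-D{name}={value}")
    return "\n".join(lines) + "\n"


# Constructed sample: the keystore properties sit at indices 12 and 13 here, but the
# same code works unchanged for a file where they sit at 11 and 12.
SAMPLE_CONF = (
    "wrapper.java.command=java\n"
    "wrapper.java.additional.12=-Dzoom.ssl.keystore.path=conf/zoom-keystore.jks\n"
    "wrapper.java.additional.13=-Dzoom.ssl.keystore.pass=OLD-PLACEHOLDER\n"
)

if __name__ == "__main__":
    updated = set_java_property(SAMPLE_CONF, "zoom.ssl.keystore.pass", "NEW-PLACEHOLDER")
    print(updated)
```

Apply it to each .conf listed above and write the result back to the same path. The keystore password is stored in clear text in these files, so restrict their read permission to the service account that runs the Zoom modules.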

 

Client Systems

No setup needed.

 

 

With a self-signed certificate (not recommended)

For each server in your Zoom setup (Zoom MAM Server, Preview Server, all HADR peers, Ingest Server, Transcoders etc.), set up the following on each machine:

  1. Copy the certificate file to the conf folder in Zoom install directory (For Windows – [ZoomInstallDir]\conf and for Linux – [ZoomInstallDir]/conf).
  2. The certificate information also needs to be set up in the zoom.properties file for each of these machines:
    1. From the user folder (../users/$user/.zm/) open zoom.properties (make sure the hidden files are visible to view the .zm folder).
    2. Set these two properties:

      ZOOM_SSL_TRUSTSTORE_PATH=<SSL Certificate file's absolute location>

      ZOOM_SSL_TRUSTSTORE_PASSWORD=<actual password>

    3. Save and close the file.

 

Now, save the location of the certificate file and its keystore password for each of the Zoom machines as shown below:

Zoom Server

  1. From the conf folder, open file wrapper.conf
  2. Set these two properties:

    wrapper.java.additional.11=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

    wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>

  3. Save and close the file.

 

Preview Server

  1. From the conf folder, open file preview-server.conf
  2. Set these two properties:

    wrapper.java.additional.11=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

    wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>

  3. Save and close the file.

 

Curator Server

  1. From the conf folder, open file curator-server.conf
  2. Set these two properties:

    wrapper.java.additional.11=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

    wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>

  3. Save and close the file.

 

File Transfer Server (HADR)

  1. From the conf folder, open file hadr-filetransfer.conf
  2. Set these two properties:

    wrapper.java.additional.11=-Dzoom.ssl.keystore.path=<SSL Certificate file location relative to the Zoom Install directory>

    wrapper.java.additional.12=-Dzoom.ssl.keystore.pass=<actual password>

    Set these properties for each HADR peer.
  3. Save and close the file.

 

Client Systems

The certificate information needs to be set up in the zoom.properties file for each client machine in your Zoom setup.

  1. From the user folder (../users/$user/.zm/), open zoom.properties (make sure the hidden files are visible to view the .zm folder).
  2. Set these two properties:

    ZOOM_SSL_TRUSTSTORE_PATH=<SSL Certificate file's absolute location>

    ZOOM_SSL_TRUSTSTORE_PASSWORD=<actual password>

  3. For Zoom 7.1 onwards, if you are not setting up a new SSL certificate with hostnames, then add a new property:

    DISABLE_SECURE_HOSTNAME_VERIFIER=true

    From Zoom 7.1 onwards, it is recommended to generate a new self-signed certificate that also has hostname definitions. You do not need to follow step 3 in this case.

    If you proceed without hostname definitions, the hostname check must be skipped on each Zoom Client, which is what step 3 above does.

  4. Save and close the file.
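To see what the Zoom 7.1 hostname check accepts, and therefore why a self-signed certificate issued without hostnames fails against the https://[ZoomServerIP]:9880 URL in preview-server.xml, the following added example (not Evolphin's code) models the check on a constructed client. It assumes the check behaves like standard HTTPS hostname verification (RFC 6125 style, exact DNS names, single-label wildcards, IP literals matched only against IP entries in the subject alternative name); Zoom's exact verifier is not described on this page. The zoom.properties content and certificate names are constructed.

```python
# Added example (not Evolphin's code): models the Zoom 7.1 client hostname check on a
# client's zoom.properties plus the server URL and the certificate's SAN entries.
# Assumption: the check works like standard HTTPS hostname verification (RFC 6125 style).
import ipaddress
from urllib.parse import urlparse


def hostname_matches(san_entries, host):
    """True if host (a DNS name or an IP literal) matches one SAN entry.

    san_entries: list of ("DNS", name) / ("IP", address) tuples as a parsed
    certificate would provide them. A wildcard only covers one leftmost label,
    and an IP literal is compared only against IP entries, never against names.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    host = host.lower().rstrip(".")
    for kind, value in san_entries:
        if kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
        if kind == "DNS" and ip is None:
            pattern = value.lower().rstrip(".")
            if pattern == host:
                return True
            if pattern.startswith("*.") and host.count(".") == pattern.count("."):
                if host.split(".", 1)[1] == pattern[2:]:
                    return True
    return False


def parse_properties(text):
    """Minimal KEY=value parser for zoom.properties (constructed format)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def client_handshake_outcome(zoom_properties_text, zoom_server_url, san_entries):
    """Return 'ok', 'hostname-mismatch' or 'check-bypassed' for one client."""
    props = parse_properties(zoom_properties_text)
    if props.get("DISABLE_SECURE_HOSTNAME_VERIFIER", "").lower() == "true":
        return "check-bypassed"          # the 7.1 hostname check is skipped entirely
    host = urlparse(zoom_server_url).hostname
    return "ok" if hostname_matches(san_entries, host) else "hostname-mismatch"


# Constructed inputs: a certificate issued with the server's name and IP, one issued
# with the name only, and a client with and without the bypass property.
SAN_WITH_IP = [("DNS", "zoom.corp.example"), ("IP", "10.0.0.5")]
SAN_NAME_ONLY = [("DNS", "zoom.corp.example")]
PROPS_STRICT = (
    "ZOOM_SSL_TRUSTSTORE_PATH=/opt/zoom/conf/zoom-selfsigned.jks\n"
    "ZOOM_SSL_TRUSTSTORE_PASSWORD=PLACEHOLDER\n"
)
PROPS_BYPASS = PROPS_STRICT + "DISABLE_SECURE_HOSTNAME_VERIFIER=true\n"
SERVER_URL = "https://10.0.0.5:9880"     # the IP form used in preview-server.xml

if __name__ == "__main__":
    print(client_handshake_outcome(PROPS_STRICT, SERVER_URL, SAN_WITH_IP))   # ok
    print(client_handshake_outcome(PROPS_STRICT, SERVER_URL, SAN_NAME_ONLY))  # hostname-mismatch
    print(client_handshake_outcome(PROPS_BYPASS, SERVER_URL, SAN_NAME_ONLY))  # check-bypassed
```

The middle case is the failure this guide's step 3 works around: the client connects to an IP literal, so a certificate that names the server only by DNS name cannot match. Re-issuing the certificate with both the DNS name and the IP (the recommended option) makes the check pass, after which DISABLE_SECURE_HOSTNAME_VERIFIER can be removed from every client's zoom.properties; the parse_properties helper also gives you a simple way to inventory which workstations still carry the bypass.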