ID: 4251

Enable SSL for Zoom Web/VAB

Description

 
Zoom’s Web-Admin Server and Preview Server now support communication over SSL. Zoom users typically access these servers through the following:
- Browsers, to view the web-admin console or to open Visual Asset Browser (Web VAB).
- Desktop Visual Asset Browser, Zoom Client Proxy, Zoom Preview Server, to execute certain operations through JSPs.
 
Given here are the steps to set up SSL support:
 
1. Generation of SSL certificate
An SSL certificate can be generated using keytool or openssl. Here is a sample command using keytool:
—————– SSL certificate generation using keytool—————-
$ keytool -genkey -alias zoom-webmin-key -keyalg RSA -keystore webmin.jks -keysize 2048 -validity 6000
Enter keystore password:  13r0ul~al~a
Re-enter new password: 13r0ul~al~a
What is your first and last name?
  [Unknown]:  zm-server
What is the name of your organizational unit?
  [Unknown]:  Product Development
What is the name of your organization?
  [Unknown]:  Evolphin
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=zm-server, OU=Product Development, O=Evolphin, L=Unknown, ST=Unknown, C=US correct?
  [no]:  yes
 
Enter key password for <zoom-webmin-key>
        (RETURN if same as keystore password):
——————————————————————
 
Note that the entry you supply for “first and last name” actually identifies the host for which this SSL certificate will be used. So if you are deploying the Zoom server on a machine with host name “myzoomserver”, supply that name here and access the webmin server as “https://myzoomserver:8443” from your browser. You can also specify an IP address here.
 
2. Configure Zoom to use the generated SSL certificate by adding the following properties to wrapper.conf and preview-server.conf, located under <ZoomInstallDir>/conf (Linux) or <ZoomInstallDir>\dam\conf (Windows).
For Zoom to know which SSL certificate to use, the following two parameters must be set:
-Dzoom.ssl.keystore.path=conf/webmin.jks # this is with respect to root dir set in properties
-Dzoom.ssl.keystore.pass=13r0ul~al~a
The first property gives the path of the keystore file, and the second supplies the password used while generating this key. 
 
These three properties must also be added to wrapper.conf and preview-server.conf:
 
wrapper.java.additional.20=-Djavax.net.ssl.keyStore=conf/webmin.jks
wrapper.java.additional.21=-Djavax.net.ssl.keyStorePassword=13r0ul~al~a
wrapper.java.additional.22=-Djavax.net.ssl.trustStore=conf/webmin.jks
 
The numbers 20, 21 and 22 might be different for you. If they are, continue numbering from the last value already used in the file. Lines starting with # are comments in conf files; you can ignore their numbers.
You can use the same SSL certificate for both the Web-Admin Server and the Preview Server, or generate a separate one for each.
 
It is strongly recommended that you keep the keystore file in Zoom’s DAM/conf folder.
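
The numbering rule above, as an added example (not part of the original article and not Evolphin's code): a shell helper that finds the highest uncommented wrapper.java.additional.N index and appends the three javax.net.ssl properties after it. The function names, the sample conf lines and the CHANGE_ME password are constructed for illustration, and the chmod step assumes the Zoom services run as the file's owner.

```shell
#!/bin/sh
# Added example, not Evolphin's code. Sample values are constructed.

# Print the index after the highest uncommented wrapper.java.additional.N
# line in conf file $1. Lines starting with # are ignored.
next_wrapper_index() {
    awk -F'[.=]' '
        /^[ \t]*#/ { next }
        /^[ \t]*wrapper\.java\.additional\.[0-9]+=/ {
            if ($4 + 0 > max) max = $4 + 0
        }
        END { print max + 1 }
    ' "$1"
}

# Append the three javax.net.ssl properties to conf file $1.
# $2 = keystore path, $3 = keystore password.
append_ssl_props() {
    conf=$1; ks=$2; pass=$3
    # Refuse to add a second set if the properties are already active.
    if grep -Eq '^[[:space:]]*wrapper\.java\.additional\.[0-9]+=-Djavax\.net\.ssl\.' "$conf"; then
        echo "javax.net.ssl properties already set in $conf" >&2
        return 1
    fi
    n=$(next_wrapper_index "$conf")
    {
        printf 'wrapper.java.additional.%d=-Djavax.net.ssl.keyStore=%s\n' "$n" "$ks"
        printf 'wrapper.java.additional.%d=-Djavax.net.ssl.keyStorePassword=%s\n' "$((n + 1))" "$pass"
        printf 'wrapper.java.additional.%d=-Djavax.net.ssl.trustStore=%s\n' "$((n + 2))" "$ks"
    } >> "$conf"
    # The file now holds the keystore password in clear text, so limit it
    # to its owner (assumption: the Zoom services run as that user).
    chmod 600 "$conf"
}

# Run both functions on a constructed conf file and print the result.
demo() {
    f=$(mktemp)
    printf '%s\n' '#wrapper.java.additional.40=-Dold=1' \
        'wrapper.java.additional.18=-Dexample.a=1' \
        'wrapper.java.additional.19=-Dexample.b=2' > "$f"
    append_ssl_props "$f" conf/webmin.jks 'CHANGE_ME' && cat "$f"
    rm -f "$f"
}
```

Back up wrapper.conf and preview-server.conf before running append_ssl_props against them; the function only appends and does not renumber existing lines.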
 
3. Stop the Zoom Server service. Enable SSL in server.xml under <zoomInstallDir>/conf by modifying the sections highlighted below:
 
[Three screenshots of the highlighted server.xml sections]
 
4. Save the changes made in server.xml
 
5. Start the Zoom Server and Preview Server services
 
6. Block non-SSL ports (8443, 8873, 8983) and open the SSL ports (9443, 8973, 8984). Save changes and restart the firewall service.
 
Example: sudo iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j REJECT
 
7. Try connecting to the Web Management Console through a browser using “https://zm-server:9443/”. If your SSL certificate is self-signed, then you will be prompted with a security alert. Accept and proceed with the connection.