Enable SSL for Zoom Web Clients & Web APIs

Zoom MAM Server and Preview Server support communication using TLS/SSL. Typically, Zoom users access these servers through the following:
 
– Browsers, to view the Web Management console or to open Zoom Web Client Apps 
– Desktop Asset Browser, Zoom Client Proxy, Zoom Preview Server, to execute Web APIs
 
For enabling SSL support for desktop apps, please refer to the article here. The steps to set up SSL support for Web Apps are as follows:
 
  1. Import a valid SSL certificate

    It is strongly recommended to use a certificate signed by a trusted Certification Authority (CA). The certificate needs to be imported into a Java Key Store (JKS file).

    Use OpenSSL, for example, on a Linux server:

    openssl pkcs12 -export -chain -CAfile gd_bundle-g2-g1.crt -in 8f27f367f76229a2.crt -inkey demo.evolphin.com.key \
                    -out demo.evolphin.com.jks -name <alias of your domain> -passout pass:<password>

    Import a root or intermediate CA certificate to an existing Java keystore using Java keytool:

    keytool -import -trustcacerts -alias root -file Thawte.crt -keystore demo.evolphin.com.jks

    Import a signed primary certificate to an existing Java keystore using Java keytool:

    keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore demo.evolphin.com.jks

    The above commands are for illustration only; please consult the standard Java documentation on importing your certificate format into a JKS.

  2. Configure Zoom to use the generated SSL certificate in your Java Key Store (JKS) file

    Add the following properties to wrapper.conf & preview-server.conf located under <ZoomInstallDir>/conf (Linux) or <ZoomInstallDir>\DAM\conf (Windows) directory.

    -Dzoom.ssl.keystore.path=conf/demo.evolphin.com.jks  # this is relative to the zoom install directory
    -Dzoom.ssl.keystore.pass=<password>

    The first property specifies the path of your Java key store file, and the second supplies the password that was set when the key store was generated (the -passout value in the OpenSSL example above). You can use the same SSL certificate for both Zoom MAM Server and Preview Server or generate separate ones.

  3. Verify the imported certificate:

    Run this command and verify the results in result.txt:

    keytool -list -v -keystore demo.evolphin.com.jks > result.txt

  4. Stop all the Zoom services. Enable SSL through the server.xml in <zoomInstallDir>/conf modifying the sections highlighted below.
  5. Curator-Zoom Server connection will still be on the non-SSL port. Ensure that server.xml has the following settings.

  6. Zoom-Preview Server SSL connection:

  7. Web APIs and Zoom MAM Server SSL connection:

  8. Save the changes made in server.xml.
  9. Start the Zoom Server, Curator/Solr Server, and Preview Server services.
  10. Block non-SSL ports (8443, 8873) and open the SSL ports (9443, 8973) in the firewall. Also, make sure 8983 is open. Save changes and restart the firewall service.

    Example: sudo iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j REJECT

  11. Try connecting to the Web Management Console through a browser using “https://zm-server:9443/”. If your SSL certificate is self-signed, then you will be prompted with a security alert. Accept and proceed with the connection. 
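
For step 3, an added example (not part of the original article or of the Zoom product) that reads the `keytool -list -v` output saved in result.txt and reports, per alias, whether the entry holds a private key, its chain length and the leaf certificate's expiry. The function names and the sample listing are constructed for illustration.

```shell
# Summarise `keytool -list -v` output read from stdin (e.g. result.txt).
# Prints alias|entry type|chain length|leaf expiry|verdict per entry and
# returns non-zero when no entry holds a private key.
check_keystore_listing() {
    awk '
        function report() {
            if (alias == "") return
            if (type == "PrivateKeyEntry") {
                keys++
                verdict = (chain >= 2) ? "OK" : "WARN no CA chain"
            } else {
                verdict = "INFO certificate only, no private key"
            }
            printf "%s|%s|chain=%d|until=%s|%s\n", alias, type, chain, until, verdict
        }
        /^Alias name: /                { report(); alias = substr($0, 13); type = ""; chain = 0; until = "" }
        /^Entry type: /                { type = substr($0, 13) }
        /^Certificate chain length: /  { chain = $4 + 0 }
        /^Valid from: / && until == "" { until = $0; sub(/.*until: /, "", until) }
        END {
            report()
            if (keys == 0) { print "FAIL no PrivateKeyEntry in keystore"; exit 1 }
        }
    '
}

# Constructed, trimmed sample of keytool output (not from a real keystore).
sample_listing() {
    cat <<'EOF'
Your keystore contains 2 entries
Alias name: demo
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=demo.example.test
Valid from: Tue Jan 01 00:00:00 UTC 2030 until: Wed Jan 01 00:00:00 UTC 2031
Certificate[2]:
Owner: CN=Example Issuing CA
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Sun Jan 01 00:00:00 UTC 2040
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Issuing CA
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Sun Jan 01 00:00:00 UTC 2040
EOF
}

sample_listing | check_keystore_listing
```

Against a real keystore, run `check_keystore_listing < result.txt`. A keystore whose entries are all `trustedCertEntry` gives the server no key to present, and a `PrivateKeyEntry` with chain length 1 is a self-signed or chain-less certificate that browsers will flag as described in step 11.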
 
