Platform Configuration

After you have finished installing the core components, you must implement some changes in the settings.

Configure TURN in Collaboration Application Server Settings

1. In the Collaboration Application Server, edit the following file:
   /opt/zenon/public_html/WEB-INF/infotypes_saypage.xml
2. Add the following to the <keyvalues> section, in order to allow the service to use your TURN server(s):

   <stun_turn>{"username": "mcu", "password": "mcupasswd", "uris": ["turn:ip-of-turnserver:14049", "turn:ip-of-turnserver:443?transport=tcp", "turn:ip-of-turnserver-2:14049", "turn:ip-of-turnserver-2:443?transport=tcp"]}</stun_turn>

In the above example, we assume two TURN servers are being used and each running both TCP and UDP listeners.

Update SSL Keystore for New Certificate

There are lots of different ways to set up SSL on a server; you may need to consult your network specialist on this step. The steps below are particular to .crt and .cer file extensions.

The file heller.keystore is installed (under /opt/zenon/zenonserver) with a default SSL key. In order to change it to a new domain certificate, follow these steps.

The keystore file can contain only one valid certificate at a time, so you must replace it with the new key. It's assumed that you have a .crt certificate from an authority like Verisign or GoDaddy.

Steps:

• cat www.yourdomain.crt gd_bundle.crt > yourdomain-chain.txt
• Now create a pkcs12 type key using:

openssl pkcs12 -export -inkey yourdomain.key -in yourdomain-chain.txt -out yourdomain.pkcs12

• Then we use java keytool to import the new key into the heller.keystore file making sure we replace the existing key as follows:

                                                                                               
/usr/share/jdk1.7.0_07/bin/keytool -importkeystore -srckeystore yourdomain.pkcs12 -srcstoretype PKCS12 -destkeystore /opt/zenon/zenonserver/heller.keystore

• If you are prompted for a password, use changeit in all instances.

Notes:

• The full certificate chain must be installed into the keystore when we cat to create yourdomain.txt.
• You can test the newly installed certificate using https://www.geocerts.com/ssl_checker which will show you the full chain and also print out the certificates that are missing in the chain.

If a .cer file is used (usually in der format), it can be converted to pem format, and then used to create a pkcs12 certificate as below:

openssl x509 -in rb.der -inform der -outform pem -out yourdomain.pem  
openssl pkcs12 -export -inkey rb.key -in rb.pem -out yourdomain.pkcs12

Configure Cross Origin Resource Sharing (CORS) in the AS

• For a GVG platform that has the client application installed on the same machine as the platform, the cross-origin filter in /opt/zenon/public_html/WEB-INF/default_pub.xml should have an empty value for the allowedOrigins parameter, instead of the current default value of '*'. This way, a request from any other origin will be failed by the browser with a CORS error.

• When the application/SDK is installed on separate Web Server(s), the allowedOrigins parameter should contain the HTTP Origin URLs of the systems hosting the application/SDK, delimited by a comma. Example value: https://appsvr.foo.com,https://sdksvr.foo.com

Configure Filter Against Cross-Site Scripting (XSS) in the AS

• Add the following filter in /opt/zenon/public_html/WEB-INF/default_pub.xml, just before the cross-origin filter:

    <filter>
        <filter-name>xss-filter</filter-name>
        <filter-class>com.saypage.xss.SecurityFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>xss-filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Notes:

• This XSS filter is applied to query strings/request parameters, request headers, and cookies.

• When this filter catches an XSS issue, instead of a 4XX response, it will return 200 OK with an error message that says FAIL Insecure Request.

• The file /opt/zenon/sys/content_filter.properties contains some relevant parameters and actions that can be changed. Many of the elements that are considered a security threat are already configured in this file.

• Make sure the configuration <DoXssValidation>true</DoXssValidation> is set in the following files under <keyvalues> section:
  • /opt/zenon/public_html/WEB-INF/infotypes_saypage.xml
  • /opt/zenon/public_html/WEB-INF/infotypes_zenon.xml

Configure External MCU

Genesys Video Gateway supports deploying the AS and the Collaboration MCU(s) on different machines for scalability. To do this:

1. On the machine where the AS will be running, install the Common, NS, and the AS package.
2. On the machine where the Collaboration MCU will be running, install the Common, NS and the Collaboration MCU package.
3. Install the certificate on each of the server(s), like this:

   /usr/share/jdk1.7.0_07/bin/keytool -importkeystore -srckeystore 1A_<hostname>_cert.pkcs12 -srcstoretype PKCS12 -destkeystore /opt/zenon/zenonserver/heller.keystore

   where 1A_<hostname>_cert.pkcs12 is the certificate in PKCS12 format.

   Enter changeit when prompted.

4. On the Collaboration MCU host, update the /opt/zenon/zenonserver/zs.properties file with the following:
   1. Make sure the line with cls.jetty.xml is commented, like this: #cls.jetty.xml=jetty-zenon.xml
   2. Make sure the line with cls.root.dir is commented, like this: #cls.root.dir=/opt/zenon/public_html
   3. Change login url with the public domain name (or hostname) of the application server host:

      #login url
      login.url.1=http://<AppServer_FQDN>/servlet/com.requestec.smg.servlets.Brora
      login.url.2=http://<AppServer_FQDN>/servlet/com.requestec.smg.servlets.Brora

      where <AppServer_FQDN> = FQDN

   4. Make sure the line with mcu.url is uncommented, like this:

      #To have ZS report CPU and MCU status to remoteCLS uncomment and set correctly
      mcu.url=localhost:2131

5. Update /opt/zenon/share/config/saypage/saypage_2130.cfg, and change CentralLoginServer with the FQDN of the AS host:

   CentralLoginServer=http://<AppServer_FQDN>/

6. Update /opt/zenon/share/config/zenon/zenon_2100.cfg, and change CentralLoginServer with the FQDN of the AS host:

   CentralLoginServer=http://<AppServer_FQDN>/

7. On the AS server:
   1. Add the rows that point to the new Collaboration MCU host(s) in the MySQL database’s vidi_service table, and delete existing rows that contain localhost or 127.0.0.1 entries, which would look like the following (replace IP 135.17.37.94 with the IP address of the Collaboration MCU host):

      mysql> select * from vidi_service;
      +---------+---------+-------------------+----------+----------+
      | name    | version | endpoint          | openfire | priority |
      +---------+---------+-------------------+----------+----------+
      | saypage |         | 135.17.37.94:2130 |          |        0 |
      | zenon   |         | 135.17.37.94:2100 |          |        0 |
      +---------+---------+-------------------+----------+----------+
      4 rows in set (0.00 sec)
      

      Note: If you get an error message that looks like this:

      ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '* from vidi_service' at line 1

      You can workaround this by first issuing SET SQL_SAFE_UPDATES=0; from the MySQL prompt.

      • Issue SET SQL_SAFE_UPDATES=0;
      • Issue delete from vidi_service;
      • Issue INSERT INTO vidi_service (name, endpoint, priority) VALUES ('zenon', '135.17.37.94:2100', 0);
      • Issue INSERT INTO vidi_service (name, endpoint, priority) VALUES ('saypage', '135.17.37.94:2130', 0);
   2. Update /opt/zenon/public_html/WEB-INF/infotypes_saypage.xml to include the new Collaboration MCU host’s IP, like this:

      <IP_Map_To_Public_135.17.37.94>[mcu-public-domain]</
      IP_Map_To_Public_135.17.37.94>

      (Where 135.17.37.94 is the public IP address of the Collaboration MCU host.) Remove the existing <IP_Map_To_Public_127.0.0.1>...</IP_Map_To_Public_127.0.0.1> if there is no Collaboration MCU installed on the Application Server machine.

   3. Also update /opt/zenon/public_html/WEB-INF/infotypes_saypage.xml to make sure the DoLastCpuUpdateCheck is set to true, like this:

      <DoLastCpuUpdateCheck>true</DoLastCpuUpdateCheck>

8. Restart the components by running the following commands:
   1. /opt/zenon/sh/monitor_zenon.sh &> /dev/null
   2. ps -elf | grep -i zs.prop
   3. kill the process from the above
   4. /opt/zenon/sh/reset_zenon_2100.sh &> /opt/zenon/logs/mcu_zenon.log
   5. /opt/zenon/sh/reset_saypage_2130.sh &> /opt/zenon/logs/mcu_saypage.log

Next Steps

• If you are using your own TURN server, you must perform a few configuration tasks.
• If you are using the Genesys Collaboration TURN server, you must install and configure it.