
You are viewing documentation for IMS v6. If you are using Chorus, please switch to: https://www.thirdlight.com/docs/display/CDD/

SSL is the security system used to encrypt and authenticate web browser requests made via the HTTPS protocol. This is a large topic in its own right and users are advised to seek qualified assistance if unfamiliar with the deployment of SSL certificates.

Customers hosting their IMS system on the Third Light network will receive Third Light's SSL Certificate Management Service at no extra charge.

For customers that host their own server, we can purchase the certificate on your behalf and take care of initial setup and future renewals for an additional charge. Please contact [email protected] for more information. The information below is aimed at self-hosted customers who do not use Third Light's certificate management service.

The Configuration > System Administration > SSL page is used to configure self-signed certificates, update or renew existing certificates and apply commercially signed certificates. The following features are used in conjunction with the SSL option provided during the installation of IMS from the CD-ROM boot image.


Enable HTTPS

If you have the IMS Premium Edition please ask [email protected] to perform the command line steps for you.

You can enable HTTPS after having installed IMS if required. This option is provided by executing dpkg-reconfigure ims6 at the command line as root.

  1. Enter the hostname of your server at the "IMS Secure Server name" prompt, e.g. secure.domainname.com. This must exist in your DNS servers.
  2. Answer 'yes' to the question "Force clients to connect over https?".
  3. For all other questions, just press <return> to keep the previously chosen value.

These options will reconfigure your IMS server to use HTTPS, and to redirect all attempts to use HTTP to the secure site on port 443 instead.

Standard SSL Configuration

Activate SSL features on your server as follows.

  1. Select Configuration > System Administration > SSL from the main menu
  2. Click the Create a new certificate request option to generate a Certificate Request form. Complete the form to include the relevant details for your organisation. Note that the Common Name (CN) is the address of your server, usually in the form secure.domainname.com. Take care to enter the correct ISO country code and do not select the option to self-sign the request.
  3. Click Create certificate request. Your IMS server will display the certificate request, also known as a Certificate Signing Request (CSR). Cut and paste this text to your clipboard and use it in the next step.
  4. Obtain a signed copy of the certificate from a Certification Authority (Verisign, Thawte, GeoTrust, InstantSSL or other). If asked for server architecture, use Apache 2.2 (OpenSSL), which will use PEM format. If this will only take a short while, don't close the popup and go to the next step. (Otherwise, click Cancel to close the popup window. The request is saved under the Certificate Name you entered and listed together with any others at the bottom of the SSL page, so you can return and open it again by clicking Replace certificate.)
  5. At the end of your order your CA will give you a signed certificate as a text file. The text file will begin with the string BEGIN CERTIFICATE. This is a file in 'PEM' format.
  6. In the popup window, click the Replace Certificate button. A new popup window opens in editable format - paste in the content of the text file from the string BEGIN CERTIFICATE and click Replace Certificate (again). Provided the certificate is valid and there are no mismatches in the data in your certificate, this completes the installation of the SSL certificate.
  7. If you have not already done so, use dpkg-reconfigure ims6 at the command line as root to change the name your server responds to so that it matches the value you entered for the CN at step 2. Press return for any screen that does not relate to the site's URL as this will retain the existing values.
  8. Click the Activate button corresponding to the certificate you wish to use.

Renew an existing SSL Certificate

  1. Select Configuration > System Administration > SSL from the main menu
  2. Locate the certificate indicated as Active (toward the bottom of the page)
  3. Click the corresponding Replace Certificate button. The initial screen displays the Certificate Signing Request (CSR). Copy and paste the CSR to your clipboard. Click Cancel to close the popup window.
  4. Send the CSR text from your clipboard to your certificate authority, or paste it into the appropriate form on their website, and they will issue you with a new certificate. If they ask you which webserver you use, please choose 'Apache'.
  5. Return to the SSL page, click the Replace Certificate button beside the Active certificate to open the Certificate Request popup. Click the Next button to skip the CSR screen that has already been used.
  6. Paste in the new Certificate text and, under that, an intermediate certificate if required.
  7. Click Replace Certificate for the final time to save the new certificate.



Advanced SSL Configuration

The following instructions are for advanced users and should not normally be required.

Updating the Secure Site URL

The secure site URL of your site must match the certificate name (CN) exactly. If required, use dpkg-reconfigure ims6 at the command line as root to adjust the secure site URL of your IMS server. Whatever hostname is used, it must also function in the DNS servers for the domain.

Intermediate Certification Authority Files

After adding a certificate you may see a warning about an incomplete certificate chain. A browser will display this message if it does not recognise all the certs in the hierarchy of trust.

To resolve this, extra intermediate certificates need to be installed and these can be obtained from your Certificate Authority. Please note that CAs may not always provide you with intermediate certificates when they issue your other certs and you may need to retrieve them separately from your CA's web site.

To add an intermediate certificate (obtained from your Certificate Authority), concatenate the intermediate certificate to the site certificate:

  1. Go to the Configuration > System Administration > SSL page
  2. Click 'Replace certificate' and a screen referring to creating a CSR will be displayed. You can skip that stage and just click 'Next'.
  3. A text box similar to the below will then appear, allowing you to paste in the two portions:


    Try to avoid introducing extra newline characters when copying and pasting text

  4. Save and an 'Activate' button will appear which you can then click to finish the process.
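
The checks this section relies on (site certificate first, intermediate under it, CN matching the secure site URL) can be run on the bundle before it is pasted. The script below is an added example, not part of IMS or Third Light's tooling; the function names, the hostname secure.example.test and the throwaway CA are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a certificate bundle before pasting it into the SSL page.

# split_bundle BUNDLE DIR: write each PEM certificate to DIR/cert-N.pem and print
# how many were found. Blank lines and stray text between blocks are dropped.
split_bundle() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d "/cert-" n ".pem") }
        /-----END CERTIFICATE-----/ { on = 0 }
        END { print n + 0 }' "$1"
}

# check_bundle BUNDLE HOSTNAME: succeed only if the first certificate names
# HOSTNAME and every certificate's issuer is the subject of the one under it.
# This compares names only; it does not verify signatures or expiry.
check_bundle() {
    dir=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$dir")
    rc=0
    [ "$count" -ge 1 ] || { echo "no certificate found"; rm -rf "$dir"; return 1; }
    openssl x509 -in "$dir/cert-1.pem" -noout -checkhost "$2" |
        grep -q 'does match certificate' || { echo "first certificate is not for $2"; rc=1; }
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject_hash)
        [ "$issuer" = "$subject" ] || { echo "certificate $i is not issued by certificate $((i + 1))"; rc=1; }
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Constructed sample data: a throwaway CA standing in for the intermediate, and a
# site certificate for the assumed hostname secure.example.test.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Intermediate CA" \
    -keyout "$demo/ca.key" -out "$demo/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=secure.example.test" \
    -keyout "$demo/site.key" -out "$demo/site.csr" 2>/dev/null
openssl x509 -req -in "$demo/site.csr" -CA "$demo/ca.pem" -CAkey "$demo/ca.key" \
    -CAcreateserial -days 2 -out "$demo/site.pem" 2>/dev/null
{ cat "$demo/site.pem"; echo; cat "$demo/ca.pem"; } > "$demo/good.pem"   # site first, extra blank line
cat "$demo/ca.pem" "$demo/site.pem" > "$demo/wrong.pem"                  # intermediate pasted first
check_bundle "$demo/good.pem" secure.example.test && echo "good.pem: ready to paste"
check_bundle "$demo/wrong.pem" secure.example.test || echo "wrong.pem: rejected"
```

For a real bundle, call check_bundle with the file holding the two pasted portions and the hostname set through dpkg-reconfigure ims6.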


Creating A Self-Signed Certificate

Self-Signed Certificates should be used for internal testing purposes only.

When using self-signed certificates, most browsers will display a warning message which must be acknowledged before the IMS site will load. This is overcome by using a signed certificate, either commercially available or using your own internal certification authority. If using an internal certification authority, add a trusted certificate to IMS.

To create a self-signed certificate (providing encryption but not authentication):

  1. Select Configuration > System Administration > SSL from the main menu
  2. Click the Create a new certificate request option to generate a Certificate Request form.
  3. Complete the form and select the box labelled Self-sign the request to sign the certificate.
  4. Click Create certificate Request. This closes the form.
  5. On the SSL page, click the Activate button corresponding to the certificate.

Extracting the contents of pfx files

If you are importing certificates that have been created in pfx format, it will be necessary to unpack their contents before importing them into IMS.

pfx is a container format used by Microsoft's IIS webserver, but the IMS system uses the Apache webserver and requires certificates in PEM format.

The contents of pfx files can be extracted by using a tool such as OpenSSL. OpenSSL is installed on the IMS server but implementations for Windows also exist: http://www.openssl.org/community/binaries.html

To export the private key from the pfx file:

openssl pkcs12 -in win_cert.pfx -nocerts -out key.pem

To export the certificate from the pfx file:

openssl pkcs12 -in win_cert.pfx -clcerts -nokeys -out cert.pem

Remove the key password:

openssl rsa -in key.pem -out key_with_no_pw.key
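
After extraction it is worth confirming that the key and certificate actually belong together, and keeping the password-free key readable by its owner only. The script below is an added example, not part of IMS: it runs the three commands above non-interactively against a constructed pfx file; the key_matches_cert function, the password and the hostname are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: extract key and certificate from a pfx, then confirm they are a pair.
umask 077   # key files, including the password-free one, are created owner-only

# key_matches_cert CERT KEY: succeed only if KEY can be read without its password
# and its public half equals the public key in CERT. A dummy passphrase is passed
# so that an encrypted key fails instead of prompting.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass:unused-dummy 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

work=$(mktemp -d)
cd "$work" || exit 1
pw=constructed-demo-password   # constructed; a real pfx has its own export password

# Constructed stand-in for an IIS export: a throwaway key and certificate packed as pfx.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=secure.example.test" \
    -keyout src.key -out src.pem 2>/dev/null
openssl pkcs12 -export -in src.pem -inkey src.key -out win_cert.pfx -passout "pass:$pw"
rm -f src.key src.pem

# The page's commands, with -passin/-passout added so they run without prompts.
openssl pkcs12 -in win_cert.pfx -nocerts -out key.pem \
    -passin "pass:$pw" -passout "pass:$pw" 2>/dev/null
openssl pkcs12 -in win_cert.pfx -clcerts -nokeys -out cert.pem -passin "pass:$pw" 2>/dev/null
openssl rsa -in key.pem -out key_with_no_pw.key -passin "pass:$pw" 2>/dev/null

# An unrelated key, to show the mismatch case.
openssl genrsa -out other.key 2048 2>/dev/null

key_matches_cert cert.pem key_with_no_pw.key && echo "pair: ok"
key_matches_cert cert.pem other.key || echo "other.key: does not belong to cert.pem"
key_matches_cert cert.pem key.pem || echo "key.pem: still password-protected"
```

cert.pem may begin with "Bag Attributes" lines; only the text from BEGIN CERTIFICATE onward is the certificate. Delete key_with_no_pw.key from any working directory once it has been imported.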