SSL/TLS support in Wowza Streaming Engine.

2022-11-24 12:28:00

SSL/TLS.

SSL and TLS are protocols for secure data transmission over an IP network. SSL is the obsolete predecessor of TLS; the name survives mainly in the phrase "SSL certificate", while the connections themselves should always be TLS. When a connection is established over SSL/TLS, authentication and encryption form a secure channel for the application protocols of network applications, in particular for the streaming protocols: HTTP (Apple HLS, MPEG-DASH), RTP and RTMP.

Why you need to use SSL/TLS in Wowza Streaming Engine.

Besides its main function, protecting the transmitted data, SSL/TLS on a Wowza Streaming Engine media server can be mandatory even when the data itself is not secret. An HTML5 player for Apple HLS/MPEG-DASH streams that is hosted on a website served over SSL/TLS cannot play a stream from a media server without SSL/TLS support: every browser blocks such mixed content (plain-http resources loaded into an https page). Likewise WebRTC, which is used to build interactive applications and to minimize video latency, does not work without SSL/TLS, because browsers only expose it to secure origins.

Types of SSL/TLS certificates in Wowza Streaming Engine.

Wowza Streaming Engine supports several ways of obtaining and installing SSL certificates. The simplest is the free StreamLock certificate offered by Wowza. The server does not even need its own domain name, because StreamLock also provides DNS hosting and registers your server under the streamlock.net domain. The certificate is issued immediately and installation is trivial: copy the resulting file and add a couple of configuration lines. The significant limitation is that a StreamLock certificate only works while the Wowza Maintenance and Support Agreement (Wowza M&S) is active.

A StreamLock certificate is not required, however. You can use a certificate issued by any certificate authority, paid or free. A wildcard certificate or a SAN certificate is convenient, because the same certificate can then be installed on both the web server and the Wowza Streaming Engine server. Preparing and configuring your own certificate takes a little more effort than a StreamLock certificate.

Preparing your own SSL certificate for installation in Wowza Streaming Engine.

The complication with your own certificate is that the .crt/.pem file you receive from the CA, an X.509 certificate, cannot be installed in Wowza as-is. Wowza, like other Java applications, reads certificates from a Java keystore (a .jks file). The X.509 certificate, its private key and the CA chain are first packed into PKCS12 format (a .pfx file), which is then imported into a .jks file. So besides your own certificate and key you need a .ca-bundle file containing the CA's intermediate and root certificates. Some CAs send a ready-made .ca-bundle; if the intermediate and root certificates came separately, create the bundle yourself in a text editor by concatenating the two files, intermediate certificate first, root certificate second. Keep the private key and the resulting keystore readable only by the Wowza service account: whoever holds the key can impersonate your server.

On Windows, copy [your domain].key to a second file named [your domain].ca-bundle.key (certutil -mergepfx looks for a .key file matching each .crt it merges), then run the two commands below (Win+R). The -deststoretype JKS option is explicit because keytool in Java 9 and later creates PKCS12 keystores by default:

cmd /C certutil -mergepfx [your domain].crt,[your domain].ca-bundle.crt [your domain].pfx
cmd /C "[Wowza Streaming Engine installation path]\jre\bin\keytool" -importkeystore -deststorepass [your pass] -deststoretype JKS -destkeystore [your domain].jks -srckeystore [your domain].pfx -srcstoretype PKCS12

On Linux, run two commands (again with -deststoretype JKS made explicit for Java 9 and later keytool; both commands prompt for the passwords they are not given):

openssl pkcs12 -export -chain -CAfile [your domain].ca-bundle -in [your domain].crt -inkey [your domain].key -name [your domain] -out [your domain].pfx
/usr/local/WowzaStreamingEngine/java/bin/keytool -importkeystore -deststorepass [your pass] -deststoretype JKS -destkeystore [your domain].jks -srckeystore [your domain].pfx -srcstoretype PKCS12
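The Linux procedure above as a script, added here as an example and not Wowza's own tooling. Before it builds the .pfx and the .jks it checks the two things that silently go wrong most often: that the private key really belongs to the certificate, and that the bundle actually completes the chain up to the root. To run offline it generates a throwaway root, intermediate and leaf with openssl; the domain stream.example.test and the password changeit are placeholders.

```shell
#!/bin/sh
# Added example, not Wowza's own tooling: the Linux procedure as a script that
# first checks what the text assumes (key belongs to the certificate, the bundle
# completes the chain) and then builds the .pfx and the .jks.
# It generates a throwaway root -> intermediate -> leaf chain so it runs
# offline; "stream.example.test" and the password "changeit" are placeholders.
set -eu

# CA bundle as described in the text: intermediate first, root second.
make_ca_bundle() {            # $1=intermediate.crt $2=root.crt $3=out .ca-bundle
    cat "$1" "$2" > "$3"
}

# Does the private key belong to this certificate? Compare the public keys.
key_matches_cert() {          # $1=cert.crt $2=cert.key
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Does the certificate chain up to the root using only the bundle?
verify_chain() {              # $1=cert.crt $2=ca-bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Same export as the page's openssl command, with the password given explicitly.
make_pfx() {                  # $1=alias $2=cert.crt $3=cert.key $4=ca-bundle $5=pass $6=out.pfx
    openssl pkcs12 -export -chain -CAfile "$4" -in "$2" -inkey "$3" \
        -name "$1" -passout "pass:$5" -out "$6"
}

# Same import as the page's keytool command. -deststoretype JKS is explicit
# because keytool from Java 9 onwards creates PKCS12 keystores by default.
make_jks() {                  # $1=in.pfx $2=pass $3=out.jks
    keytool -importkeystore -noprompt -srcstoretype PKCS12 \
        -srckeystore "$1" -srcstorepass "$2" \
        -deststoretype JKS -destkeystore "$3" -deststorepass "$2" >/dev/null 2>&1
}

# Constructed demo PKI (root -> intermediate -> leaf) standing in for a real CA.
build_demo_pki() {            # $1=work dir
    local d; d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:stream.example.test\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=stream.example.test" \
        -keyout "$d/stream.example.test.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -extfile "$d/leaf.ext" -out "$d/stream.example.test.crt" 2>/dev/null
}

# The whole procedure for one domain. Stops, with a reason, before producing a
# keystore that Wowza would load but browsers would reject.
prepare_wowza_keystore() {    # $1=dir with int.crt, root.crt, $dom.crt, $dom.key  $2=domain  $3=pass
    local d dom pass; d=$1; dom=$2; pass=$3
    make_ca_bundle "$d/int.crt" "$d/root.crt" "$d/$dom.ca-bundle"
    key_matches_cert "$d/$dom.crt" "$d/$dom.key" || { echo "$dom: key does not match certificate" >&2; return 1; }
    verify_chain "$d/$dom.crt" "$d/$dom.ca-bundle" || { echo "$dom: bundle does not complete the chain" >&2; return 1; }
    make_pfx "$dom" "$d/$dom.crt" "$d/$dom.key" "$d/$dom.ca-bundle" "$pass" "$d/$dom.pfx"
    # keytool ships with Wowza's bundled JRE; skip the JKS step where it is absent.
    if command -v keytool >/dev/null 2>&1; then
        make_jks "$d/$dom.pfx" "$pass" "$d/$dom.jks"
    fi
}

WORK=$(mktemp -d)
build_demo_pki "$WORK"
prepare_wowza_keystore "$WORK" stream.example.test changeit
echo "keystore material for stream.example.test written to $WORK"
```

With a real certificate, drop build_demo_pki and point prepare_wowza_keystore at the directory holding the CA's files. If the keytool bundled with an older Wowza release refuses a .pfx produced by OpenSSL 3 (which encrypts with AES and PBKDF2 by default), re-run the export with OpenSSL's -legacy option, which selects the older PKCS12 algorithms.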

The .jks obtained this way is then referenced from /usr/local/WowzaStreamingEngine/conf/VHost.xml, in the SSLConfig block of the HostPort that serves TLS, giving the path to the file, its name and its password:

<SSLConfig>
    <KeyStorePath>[path][your domain].jks</KeyStorePath>
    <KeyStorePassword>[your pass]</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
</SSLConfig>

Empty CipherSuites and Protocols elements mean that the defaults of the bundled Java runtime apply. Both accept a comma-separated list of JSSE names if you want to restrict what the server negotiates, for example to TLSv1.2 and TLSv1.3 only; check the list against the Wowza version you run before relying on it.

If there are several domains, each with its own SSL certificate, they can all be served on one TCP port: Wowza chooses the keystore by the hostname the client sends in the TLS handshake (SNI). The SSL configuration block in VHost.xml then changes to:

<SSLConfig>
    <DomainToKeyStoreMapPath>${com.wowza.wms.context.VHostConfigHome}/conf/DomainToKeyStoreMap.txt</DomainToKeyStoreMapPath>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
</SSLConfig>

In the [Wowza Streaming Engine installation path]/conf directory, create the file DomainToKeyStoreMap.txt and list every SSL certificate in it, one line per FQDN. The file holds the keystore passwords in clear text, so make it readable only by the account Wowza runs under:

[your server FQDN1]={"keyStorePath":"[path][your domain1.jks]", "keyStorePassword":"[your pass1]", "keyStoreType":"JKS"}
[your server FQDN2]={"keyStorePath":"[path][your domain2.jks]", "keyStorePassword":"[your pass2]", "keyStoreType":"JKS"}
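A pre-restart check for the map file, added here as an example and not part of Wowza. It parses each "fqdn={json}" line with sed (the values are plain strings, so no JSON parser is needed), verifies that every referenced keystore exists and has a non-empty password, and refuses a map file that other users can read, because it contains the keystore passwords in clear text. The file names in the test are placeholders.

```shell
#!/bin/sh
# Added example, not part of Wowza: sanity-checks a DomainToKeyStoreMap.txt
# before the server is restarted with it.
set -eu

# Extract one string field ("keyStorePath", "keyStorePassword", "keyStoreType")
# from a map line. Prints nothing if the field is absent.
map_field() {                 # $1=line $2=field name
    printf '%s\n' "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# The FQDN is everything before the first '='.
map_fqdn() {                  # $1=line
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\([^=[:space:]]*\)[[:space:]]*=.*/\1/p'
}

# Returns 0 if every entry is usable, 1 otherwise, printing each problem.
check_keystore_map() {        # $1=DomainToKeyStoreMap.txt
    local f rc line fqdn path pass; f=$1; rc=0
    # The map holds passwords: reject a world-readable file outright.
    if [ -n "$(find "$f" -prune -perm -004 2>/dev/null)" ]; then
        echo "$f is world-readable; restrict it to the Wowza account" >&2; rc=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        fqdn=$(map_fqdn "$line")
        path=$(map_field "$line" keyStorePath)
        pass=$(map_field "$line" keyStorePassword)
        [ -n "$fqdn" ] || { echo "no FQDN in line: $line" >&2; rc=1; continue; }
        [ -n "$path" ] && [ -f "$path" ] || { echo "$fqdn: keystore not found: $path" >&2; rc=1; }
        [ -n "$pass" ] || { echo "$fqdn: empty keyStorePassword" >&2; rc=1; }
    done < "$f"
    return $rc
}
```

Run it as check_keystore_map /usr/local/WowzaStreamingEngine/conf/DomainToKeyStoreMap.txt; a non-zero exit means the server would start with at least one domain lacking a usable certificate, which browsers report as a handshake failure for that hostname only.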