Disclaimer: We are using the opencast-docker images: admin, worker and presentation
Note: This value will be written to all generated media packages and thus cannot be changed easily for already processed media, at least not without extra work involving modifications to the database. That is why you should think about this setting carefully.
This is naturally not only relevant to domain changes but also to scheme/protocol or port changes, including upgrading from HTTP to HTTPS after media packages have been processed.
Your site visitors' privacy. While ISPs, public hotspot operators and anyone sniffing unencrypted WiFi traffic may be able to see your visitors connecting to your site, they cannot see which video is watched when HTTPS is enabled. Think of a lecture about the human rights situation in China and a visitor from there watching the video. Or think of someone wanting to gain access by stealing your users' session cookies or credentials.
This is the "easy" part. Either install a proxy, or use the org.ops4j.pax.web.cfg file in opencast/etc/ for configuration:
# ...
# Whether Opencast itself should handle HTTPS traffic.
# Even if you set this to 'false', you can still use an HTTP proxy to handle SSL.
org.osgi.service.http.secure.enabled=true
# The secure server port to use if running Opencast with HTTPS (as opposed to
# a proxy handling HTTPS).
# Note that we use the Docker port mapping to expose port 8443 inside the
# container as port 443 on the host. Binding port 443 directly would require
# running Opencast with root privileges, which is a security issue, so don't.
org.osgi.service.http.port.secure=8443
# Path to the keystore file.
# Use the Java `keytool` to generate this file.
# Example:
# keytool -genkey -keyalg RSA -validity 365 -alias serverkey \
# -keypass password -storepass password -keystore keystore.jks
org.ops4j.pax.web.ssl.keystore=<path_to_keystore>
# Password used for the keystore integrity check.
org.ops4j.pax.web.ssl.password=<the_keystore_password>
# Password used for the key inside the keystore.
org.ops4j.pax.web.ssl.keypassword=<the_key_password>
What you need is the TLS private key and the certificate, including the whole chain: the root certificate, all intermediates and the server certificate itself.
If you only have the key and the certificate, I recommend certificatechain.io or cert-chain-resolver. The latter can be used as follows:
# Obtain the chain for cert.pem and save it at opencast.chain.pem.tmp
# The -s command switch includes the root certificate; this is not
# mandatory and might add some overhead
cert-chain-resolver -s -o "opencast.chain.pem.tmp" "cert.pem"
# Verify the certificate using the chain
openssl verify -crl_download -crl_check -untrusted "opencast.chain.pem.tmp" "cert.pem"
If the private key (assumed to be key.pem) is encrypted (password protected), issue the following command. Note that there are safer ways of supplying the key's password to OpenSSL.
openssl pkcs12 \
-export \
-inkey "key.pem" \
-passin "pass:<the_keys_password>" \
-in "opencast.chain.pem.tmp" \
-name "serverkey" \
-out "opencast.p12" \
-passout "pass:<the_keystore_password>"
In case the private key is not protected by password:
openssl pkcs12 \
-export \
-inkey "key.pem" \
-in "opencast.chain.pem.tmp" \
-name "serverkey" \
-out "opencast.p12" \
-passout "pass:<the_keystore_password>"
# Import the PKCS#12 file into a Java keystore (JKS) for Opencast
keytool \
-importkeystore \
-srckeystore "opencast.p12" \
-srcstoretype "pkcs12" \
-srcstorepass "<the_keystore_password>" \
-destkeystore "keystore.jks" \
-storepass "<the_keystore_password>"
# print out details about the JKS built
# (`keytool -list` selects an entry with -alias; -destalias only exists for -importkeystore)
keytool \
-keystore "keystore.jks" \
-list \
-alias serverkey \
-storepass "<the_keystore_password>"
After reading that, you may find this shell script useful.
- Back up your database, and the Solr and AdminUI indices.
- Tell your other Opencast systems to use HTTPS when talking to each other, or at least when talking to the system delivering the videos to visitors and creating the search indices.
- Put all your nodes into maintenance mode, or at least do not process any videos.
- Update the media packages:
find . -type f -name "*.xml" -exec sed -i 's/http\:\/\/presentation\.opencast\.example\.com\:80/https:\/\/presentation.opencast.example.com/g' {} +
- Update two database tables:
UPDATE opencast.mh_archive_episode
SET mediapackage_xml =
REPLACE( mediapackage_xml,
'http://presentation.opencast.example.com:80',
'https://presentation.opencast.example.com')
WHERE INSTR( mediapackage_xml,
'http://presentation.opencast.example.com:80') > 0;
UPDATE opencast.mh_search
SET mediapackage_xml =
REPLACE( mediapackage_xml,
'http://presentation.opencast.example.com:80',
'https://presentation.opencast.example.com')
WHERE INSTR( mediapackage_xml,
'http://presentation.opencast.example.com:80') > 0;
- Rebuild the AdminUI (Lucene?) indices. Visit your REST API and push the button: https://admin.opencast.example.com/docs.html?path=/admin-ng/index
- Move the old Solr search indices away. There might be a directory named solr-indexes/search, but its location really depends on org.opencastproject.solr.dir, or, if set in custom.properties, org.opencastproject.search.solr.dir.
- Rebuild the Solr indices. For this to work, make sure a service serving media packages is running (e.g. a presentation node). Start another node whose task is to re-index episodes (e.g. a second presentation node). Ensure the JVM of the indexing service has sufficient virtual memory.
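As an added example that is not part of the original post, here is a shell version of the media package rewrite from the steps above, together with a post-migration check. It uses the same constructed hostnames as the text; the functions rewrite_base_url, count_remaining and escape_dots are this example's own, not Opencast's. The point it adds is the boundary after the old base URL: a plain replacement of "...:80" would also hit any URL on port ":8080" (turning http://host:8080/x into https://host80/x), so the pattern requires the base to be followed by "/", a quote or "<", as it always is inside media package XML.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the base URL in every
# media package XML under a directory, then check that no reference to the
# old base remains. Hostnames mirror the text; all functions are mine.

OLD_BASE='http://presentation.opencast.example.com:80'
NEW_BASE='https://presentation.opencast.example.com'

# escape_dots STRING
# Escape '.' so the URL is matched literally by sed/grep basic regexes.
escape_dots() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# rewrite_base_url DIR OLD NEW
# '|' is used as the sed delimiter so the slashes in URLs need no escaping.
# The captured character after OLD must be '/', '"' or '<', so that ':80'
# is never matched as the prefix of ':8080'.
rewrite_base_url() {
  dir=$1; old=$(escape_dots "$2"); new=$3
  find "$dir" -type f -name '*.xml' -exec \
    sed -i "s|${old}\([/\"<]\)|${new}\1|g" {} +
}

# count_remaining DIR OLD
# Prints the number of XML files under DIR that still contain OLD with the
# same boundary rule. 0 is the expected state after the migration.
count_remaining() {
  pat=$(escape_dots "$2")
  find "$1" -type f -name '*.xml' -exec grep -l -- "${pat}[/\"<]" {} + \
    | wc -l | tr -d ' '
}

# Stand-alone run (sh this_script.sh --demo): rewrite a constructed sample
# tree and report the result.
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  cat > "$demo/episode.xml" <<'EOF'
<mediapackage>
  <url>http://presentation.opencast.example.com:80/static/episode/track.mp4</url>
  <url>http://presentation.opencast.example.com:8080/engage/ui/</url>
</mediapackage>
EOF
  echo "before: $(count_remaining "$demo" "$OLD_BASE") file(s) reference the old base"
  rewrite_base_url "$demo" "$OLD_BASE" "$NEW_BASE"
  cat "$demo/episode.xml"
  echo "after: $(count_remaining "$demo" "$OLD_BASE") file(s) reference the old base"
  rm -r "$demo"
fi
```

Run count_remaining once more after the database UPDATEs and the re-index, pointing it at the archive directory; any file it still reports needs a look, since the sed only touches XML files and only URLs that end at the exact base.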
This document is licensed CC-0. I am the author.