Self-Signed Certificate for Avid MediaCentral Single Server

As noted during the installation process, you gave the MCS server a name (e.g. mcs-1) via the RHEL Network Configuration menu. However, the self-signed certificate created by Jetty was automatically generated prior to that stage, and contains a variation of “localhost” in the “issued to” field. As a result, most browsers will flag an SSL certificate name mismatch. This will happen even after you tell the browser to trust the self-signed certificate.

To eliminate the “name mismatch” error, you must first generate a new certificate containing the correct MCS server name. Once it is generated, you eliminate the “untrusted” warning by configuring the browsers to trust the self-signed certificate.

In this step, you take advantage of the following MediaCentral feature: if the avid-interplay-central service starts up and discovers there is no keystore, it creates one, automatically populating it with a self-signed certificate. (The keystore is the file where Jetty stores SSL certificates and the public-private key pairs used during the encryption process.) Since the MCS server is now named, the new certificate automatically picks up the new name (e.g. mcs-1 or mcs-1.mydomain.com).

Note 1: Jetty picks up the name from the DNS Search Path entry in the server’s Linux resolv.conf file. This value was set by you in “Configuring the Hostname and Static Network Route” - refer to the MediaCentral Installation and Configuration Guide.

Note 2: Once you generate the new certificate and install the certificate in the Trusted Certificate Store, users may need to enter the Fully Qualified Domain Name (FQDN) into the browser address bar to avoid name-mismatch warnings.

Note 3: The procedure in this section only applies to a single-server installation. If you have set up a cluster, refer to the instructions in the “Generating a Self-Signed Certificate for an Avid MediaCentral Server Cluster” document.
To generate a new self-signed certificate for a single server:

1. Log in to the MCS server as root and navigate to the directory containing the Jetty keystore:

    cd /opt/avid/etc/avid/avid-interplay-central/ssl

2. Verify the status of the avid-interplay-central service:

    service avid-interplay-central status

   The system responds that Avid MediaCentral is running.

3. Stop the service:

    service avid-interplay-central stop

   The system responds that Avid MediaCentral has been stopped.

4. Delete the Jetty keystore (which contains the current self-signed SSL certificate):

    rm -rf jetty.keystore

5. Start the avid-interplay-central service (which also restarts the Jetty web server):

    service avid-interplay-central start

   The system responds that the Avid MediaCentral process has been started. The new keystore and SSL certificate are created automatically by Jetty.

6. Verify the new Jetty keystore has been created:

    ls -l

   The system lists the contents of the directory, including the following file:

    jetty.keystore

Now that you have eliminated potential name-mismatch browser SSL warnings, you must configure each browser to trust the certificate. This is done by installing the certificate into the OS-level Trusted Root Certification Authorities store. Proceed to one of the following chapters:

- Configuring Google Chrome (Windows)
- Configuring Safari (Mac OS)

Configuring Google Chrome (Windows)

Trusting a self-signed certificate in Google Chrome is a two-step process. First, you export the certificate from the browser. Next, you import the certificate into the Trusted Root Certification Authorities store. Both procedures are performed via Chrome menus.

To export the certificate from the browser:

1. Launch Google Chrome and enter the URL of the MCS server or cluster in the address bar.
   - http://<FQDN>, where <FQDN> is the Fully Qualified Domain Name of the MCS server cluster
   - http://<hostname>, where <hostname> is the short name of the MCS server cluster

   What you enter in the address bar depends on the name you used to generate the self-signed certificate.

   Note: You are automatically redirected to the secure (SSL) connection.

2. Click on the “Advanced” link to expand this dialog.
3. Click the “Proceed to hostname (unsafe)” link to access the MediaCentral login.
4. Click on the padlock icon in the Chrome address bar. Details pertaining to the warning appear in a pop-up.
5. Click on the Certificate Information link. A dialog pertaining to the SSL certificate appears.
6. In the Certificate dialog, click on the Details tab, then the Copy to File… button. This starts the Certificate Export wizard.
7. Follow the prompts in the wizard to export the certificate from the browser, saving it in a convenient temporary location, such as the local desktop.

Once you have exported the certificate, you can use the browser to add it to the Trusted Root Certification Authorities store, as described below.

To add the certificate to the trusted certificates store:

1. Click the Google Chrome Customize icon on the right edge of the address bar and choose Settings. The Chrome Settings page appears.
2. Click on the “Show advanced settings” link. The page expands to show more settings.
3. Click on the Manage Certificates button in the HTTPS/SSL category. A Certificates dialog appears showing certificates arranged by category.
4. In the Certificates dialog, click the Import… button. The Windows Certificate Import Wizard appears.
5. Click Next to continue.
6. In the File to Import dialog, click the Browse button to locate your certificate, and click Next >.
7. In the dialog that appears, select “Place all certificates in the following store”.
8. Browse to the “Trusted Root Certification Authorities” store and click OK to select the store.
9. The storage location you selected appears in the wizard.

   Note: Be sure to place the certificate into the Trusted Root Certification Authorities store.

10. Click Next, then Finish. A final security warning dialog appears, asking you to confirm installation of the certificate.
11. Click Yes. A confirmation dialog appears indicating success.
12. Restart Chrome and enter the FQDN of the MCS server or cluster in the address bar. The browser loads MediaCentral without issuing certificate warnings.

Configuring Safari (Mac OS)

In Mac OS, you must add the self-signed certificate to the Mac OS system keychain. This is easily done via the Safari browser itself.

To add a certificate to the trusted certificates store:

1. Launch Safari and enter the URL of the MCS server or cluster in the address bar.

   - http://<FQDN>, where <FQDN> is the Fully Qualified Domain Name of the MCS server cluster
   - http://<hostname>, where <hostname> is the short name of the MCS server cluster

   What you enter in the address bar depends on the name you used to generate the self-signed certificate.

   Note that you are automatically redirected to the secure (SSL) connection. A warning appears indicating a problem with the SSL certificate.

2. Click the Show Certificate button to display details about the certificate.
3. Put a checkmark in the “Always trust” checkbox and click Continue.
4. Enter the Administrator password and click OK. The self-signed certificate is added to the Mac OS system keychain and the browser continues to the log-in page without further complaint.
5. To view the certificate, use the Mac OS Keychain Access utility.
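
After regenerating the keystore, and before trusting the certificate in any browser, it is worth confirming that the certificate the server now presents is issued to the name users will type. The script below is an added example, not part of the Avid documentation: it extracts the subject CN from `openssl x509 -noout -subject` output and compares it with the expected name. The function names and port 443 are assumptions, and the sample subject lines are constructed.

```shell
#!/bin/sh
# Added example (not Avid code): check that the certificate presented by the
# MCS server is issued to the name users will type in the address bar.

# Print the CN from an "openssl x509 -noout -subject" line read on stdin.
# Accepts the OpenSSL 1.0 form  (subject= /O=x/CN=name)
# and the OpenSSL 1.1+ form     (subject=O = x, CN = name).
subject_cn() {
    sed -n 's|^subject=.*CN *= *\([^,/]*\).*$|\1|p' | sed 's/ *$//'
}

# Succeed only when the subject CN equals the expected name.
# The comparison is case-insensitive, as DNS names are.
name_matches() {
    cn=$(printf '%s\n' "$1" | subject_cn | tr 'A-Z' 'a-z')
    want=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$want" ]
}

# Fetch the live certificate and report. Port 443 is an assumption.
check_server() {
    host=$1
    port=${2:-443}
    subj=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null)
    if name_matches "$subj" "$host"; then
        echo "OK: certificate is issued to $host"
    else
        echo "MISMATCH: got '$subj', expected CN=$host"
        return 1
    fi
}

if [ $# -gt 0 ]; then
    check_server "$@"
else
    # Constructed sample subject lines: before and after regeneration.
    for s in 'subject= /O=Example/CN=localhost.localdomain' \
             'subject=O = Example, CN = mcs-1.mydomain.com'; do
        if name_matches "$s" 'mcs-1.mydomain.com'; then
            echo "match:    $s"
        else
            echo "mismatch: $s"
        fi
    done
fi
```

Pass the exact name users will enter (short name or FQDN) as the first argument. A MISMATCH result means the browser will still report a name mismatch for that name, even once the certificate is trusted.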
© Copyright 2025