Wowza Community

WSE and WSE Manager Locked Down to SSL Only

I am having some challenges getting WSE and WSE Manager to serve only over SSL. We are an enterprise environment where this is mandated. I’ve imported our own certificates, in JKS format, made sure they are readable and correct. Enabled StreamLock. Modified the tomcat.properties file. Modified the startmgr.sh file. By default WSE Manager serves on 8088, but even after making the above config changes, it still renders, kind of. AKA it renders but you cannot authenticate? Is this functioning as intended? Also, I am having issues getting SSL working on our other two implementations. Are there documented steps provided by Wowza that detail how to implement SSL across the board? For streaming we can force this via our ELB and/or F5, but I don't feel like we are doing it 100% correct. I don't fully understand how in the Host Ports section in WSE Manager, the out of the box ports are 1935 and 8086, when the Manager serves over 8088 out of the box, and then suggested to serve via 8090 once SSL enabled? Thanks in advance!

I can help you @Rich Sokol and it gets confusing for sure. Let me gather the info and be right back.

@Rich Sokol Your Manager UI port should be accessed over port 8088 for HTTP.

But with SSL and HTTPS connections, in order to secure your Manager UI port 8088, do make sure that you have a valid SSL keystore, and that you use the following guide:

https://www.wowza.com/docs/how-to-connect-to-wowza-streaming-engine-manager-over-https

The above document shares these very important steps:

To enable HTTPS connections to Wowza Streaming Engine Manager (version 4.7.3 and later), enable the following SSL parameters:

  • httpsPort
  • httpsKeyStore
  • httpsKeyStorePassword

Keep in mind we are referencing two things here: the Engine side and the Manager side.

On the Engine side, you need to set VHost ports that stream over SSL, which would be port 443 if you want the default SSL port.

On the Manager side, you need to set the SSL streaming port, so you can then access the manager via:

https://:8090/enginemanager

Once you have the port and the manager configured over SSL, sometimes an issue is that the REST API is not set over SSL. So, when you log in to the manager, you will see a +Server button at the bottom; it points to the Engine API URL (since the manager is using the API).

This is what it is set to by default:

When you access the manager UI over HTTPS, browsers restrict any page elements to also be over HTTPS, which means that the Engine URL should also be an HTTPS URL.

You can configure the REST API to go over HTTPS. You just have to change the following in your Server.xml, under the RESTInterface section:

<SSLConfig>
    <Enable>true</Enable>
    <KeyStorePath>your.jks</KeyStorePath>
    <KeyStorePassword>password</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
</SSLConfig>

Thank you @Rose Power-Wowza Community Manager we have made all of those configuration changes previously. We have the implementation streaming via SSL with the JKS we created, therefore we believe there are no issues with that. We are not able to get WSE Manager to serve via SSL, it is serving over port 8090 without issue. We altered both the tomcat.properties and startmgr.sh files with the required information to no avail. We even added the SSL info for the REST API to see if that made a difference. We need a new angle to resolve. Thanks in advance.

Hi @Rich Sokol. Ok, well I have spoken with tech support and they would like you to submit a support ticket so they can take a closer look and run tests if necessary.

Sometimes the only way for them to know is to have full access to your config and logs and try to replicate. Thank you and I’ll follow the ticket progress.

https://www.wowza.com/support/open-ticket

@Rich_Sokol what was the outcome of your troubleshooting? I am experiencing the same issue

Let me see if I can find the support ticket and get an update @Anton_Teterine

So it was a multipart solution. We had to configure the JKS file for the server, which we had already done as well as make changes in the tomcat.properties (WSE\manager\conf) file where you change the port to 8090 and add the references to the JKS file. That was the key. Does that help?

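The thread names two places that must both be set for an HTTPS-only Manager: the three `https*` parameters in tomcat.properties and the `SSLConfig` block under `RESTInterface` in Server.xml. The following is an added example, not part of the original posts and not Wowza's own tooling, that audits both files offline; it assumes tomcat.properties uses plain `key=value` lines with `#` comments, and the sample file contents and the `Root`/`Server` wrapper elements are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Parameters the thread lists for enabling HTTPS on the Manager.
REQUIRED = ("httpsPort", "httpsKeyStore", "httpsKeyStorePassword")

def parse_properties(text):
    """Return active key=value pairs; commented-out (#) lines do not count."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(tomcat_properties, server_xml):
    """Return findings; an empty list means Manager and REST API are both set for HTTPS."""
    findings = []
    props = parse_properties(tomcat_properties)
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"tomcat.properties: {key} is missing, empty or commented out")
    ssl = ET.fromstring(server_xml).find(".//RESTInterface/SSLConfig")
    def field(name):
        return (ssl.findtext(name) or "").strip() if ssl is not None else ""
    if field("Enable").lower() != "true":
        # An HTTPS Manager page calling an HTTP REST URL is blocked by the browser.
        findings.append("Server.xml: RESTInterface/SSLConfig/Enable is not true")
    else:
        for name in ("KeyStorePath", "KeyStorePassword"):
            if not field(name):
                findings.append(f"Server.xml: RESTInterface/SSLConfig/{name} is empty")
    return findings

# Constructed sample inputs (not real Wowza files; path and password are placeholders).
SAMPLE_PROPERTIES = """\
# constructed sample
#httpsPort=8090
httpsKeyStore=conf/example.jks
httpsKeyStorePassword=changeit
"""
SAMPLE_SERVER_XML = """<Root><Server><RESTInterface><SSLConfig>
<Enable>false</Enable><KeyStorePath>conf/example.jks</KeyStorePath>
<KeyStorePassword>changeit</KeyStorePassword>
</SSLConfig></RESTInterface></Server></Root>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_SERVER_XML):
        print(finding)
```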