When using the exacqVision Mobile app with exacqVision Server 24.09 or higher, the exacqVision Mobile app connects directly to the exacqVision Server service rather than requiring the intermediary exacqVision Web Service.
By default, the service listens for incoming mobile app connections on port 8443. The system administrator may change this port manually to accommodate network requirements.
Product
exacqVision Server, version 24.09 and above
exacqVision Mobile, version 24.09 and above
Steps
Log into the system running the exacqVision Server instance with administrative privileges.
After logging into your Illustra camera for the first time, accepting the End User License Agreement, and creating a Host ID, you will be asked to select a security mode.
Enhanced is selected by default. As the message indicates, Enhanced automatically selects several advanced security options, such as additional authentication requirements (for example, forcing the creation of a non-default username) and requiring HTTPS. Regardless of the selection chosen during initial setup, individual settings can always be changed later by navigating to Security Status, under the Security menu.
Selecting ‘Enhanced’ Security performs the following:
Requires authentication to the RTSP video stream
Changes Authentication from Basic to Digest
Disables HTTP, requiring HTTPS connections for the camera GUI and Video
Disables UPnP, which hides the device from device discovery.
Changing any of the security settings only requires you to click the Edit link beside the listed option. Some settings offer the ability to change port numbers and some offer additional setting fields to configure.
Notice that Onvif Discovery may be individually disabled on this page as well. Clicking the Edit link for Onvif Discovery redirects to the Remote Access options page. This permits you to disable Onvif Discovery, or require Onvif User Authentication.
The Users configuration page permits additional user accounts to be created, in which a user role is assigned. Enabling Onvif User Authentication directs the camera to only accept commands from authenticated users.
For instructions on exacqVision Enterprise Manager version 22.03 or older, see Knowledge Base Article #12724.
The following document details how to enable HTTPS connections to exacqVision Enterprise System Manager from update 22.06 and later.
For a trusted certificate, it is recommended that you purchase a third-party intermediate certificate from one of many online providers. If you are using a third-party certificate you may skip ahead to the section titled, “Obtaining a Third-Party Certificate”.
These steps will detail how to create a self-signed certificate, but be aware that web browsers will warn users that the certificate is untrusted if you are using a self-signed certificate or one from a private/internal certificate authority.
CREATING A SELF-SIGNED SSL CERTIFICATE
Windows
1) Click on the Windows Start button and type ‘CMD’. Right-click on the CMD icon and choose ‘Run as Administrator’.
2) Set the environmental variable that will be used by OpenSSL later by typing:
set OPENSSL_CONF=C:\Program Files\exacqVision\EnterpriseManager\apache\conf\openssl.cnf
Press Enter.
3) Change your working directory by typing:
cd "C:\Program Files\exacqVision\EnterpriseManager\apache\bin\"
You will be prompted to enter a PEM pass phrase. Enter anything you like, but you will need to re-enter it in the following steps.
PEM pass phrase:
5) You will be prompted with several questions for the certificate; answer these according to your needs. COMMON NAME should be the IP address or FQDN that users will use to reach the ESM web site (e.g. www.domain.com or esmserver.domain.com).
You will be prompted with a series of questions:
– Use data specific to your site.
– Items can be left blank with the exception of Common Name.
– Common Name (e.g. server FQDN or YOUR name) should be the IP address of the EM Server.
Verify that the MD5 hashes match; if they do NOT, see the troubleshooting section below before proceeding.
Step 3 Edit Apache Configuration
cd /usr/local/exacq/esm/apache/conf/extra
sudo gedit httpd-ssl.conf
Make the following changes, save the file and then close gedit.
Step 4 Restart the enterprise-webservice
sudo service enterprise-webservice stop
sudo service enterprise-webservice start
OBTAINING A THIRD-PARTY CERTIFICATE
If you are planning to acquire a third-party certificate from a trusted provider, you may need to provide them with a Certificate Signing Request (CSR) file.
Enter all the fields and click on the ‘Submit’ button to download the ZIP file. Inside this ZIP file are the CSR file and the RSA key to give to your certificate provider.
If you purchased a chained certificate, be sure to download the appropriate intermediate bundle.
Once you have downloaded the files from your provider:
Rename the .crt file to ‘server.crt’.
Rename the .key file to ‘server.key’.
If you have a chained certificate, rename the chain file to ‘server-ca.crt’.
Place the renamed files from your Certificate Authority (CA) into the following directory:
When purchasing an SSL certificate, many providers offer an Intermediate Bundle, or additional certificates that must be present to link your certificate to a root certification authority. Usually the provider will have documentation on how to accomplish this with Apache, but it is a good idea to ask them before or during the purchasing process. Exacq is not responsible for making your certificates capable of working with Apache.
It is possible to combine all the intermediate certificates that a provider may give you into one file. Consult your provider for more information.
ENABLING SSL FOR HTTPS CONNECTIONS
Be sure that you have followed the steps above to place the certificate files necessary for either a third-party certificate or a self-signed certificate into the correct directory before continuing with the following steps.
Windows
1) Click on the Windows Start menu and find the Windows Notepad program. Right-click on this and choose to ‘Run as Administrator’. If you do not run Notepad as an administrator you will be unable to save your changes.
2) With Notepad open, click on the ‘File’ menu and choose ‘Open’ or press CTRL-O on the keyboard.
In the Open browser, change the drop-down menu for File Type from ‘Text Documents (*.txt)’ to ‘All Files (*.*)’.
Use the Open browser to open the C:\Program Files\exacqVision\EnterpriseManager\apache\conf directory and highlight the file titled ‘httpd.conf’ then click ‘Open’.
3) Find the following line:
LoadModule ssl_module modules/mod_ssl.so
Remove any pound (#) sign in front of this line if there is one.
Now, find the following line:
Include conf/extra/httpd-ssl.conf
Remove any pound (#) sign in front of this line if there is one.
Save the file.
4) Still using Notepad, open the file titled ‘httpd-ssl.conf’ located in C:\Program Files\exacqVision\EnterpriseManager\apache\conf\extra
Find the following line:
ServerName www.example.com:443
Change the ‘www.example.com’ portion of this line to ‘localhost’.
Save the file and close the window.
5) Restart the solrApache or exacqVision Enterprise Manager Apache in Windows services (services.msc).
Linux
1) Open a Terminal prompt.
2) Change your working directory by typing:
cd /usr/local/exacq/esm/apache/conf
Press Enter.
3) You may use any editor you feel comfortable with, such as vi or nano, but if you are more inclined to use a graphical interface you may use a program called ‘gedit’ to make the following changes.
In the Terminal, type:
sudo gedit httpd.conf
Press Enter.
4) Find the following line:
LoadModule ssl_module modules/mod_ssl.so
Remove any pound (#) sign in front of the line if there is one.
Now, find the following line:
Include conf/extra/httpd-ssl.conf
Remove any pound (#) sign in front of the line if there is one.
Save the file and close the ‘gedit’ editor window to return to the Terminal prompt.
5) In the Terminal, type:
sudo gedit extra/httpd-ssl.conf
Press Enter.
Find the following line:
ServerName www.example.com:443
Change the ‘www.example.com’ portion of this line to ‘localhost’.
Save the file and close the window to return to the Terminal prompt.
6) Restart the service in the Terminal by typing:
sudo service ESMWebservice restart
FORCED REDIRECT FROM HTTP TO HTTPS
If you want to force users who try to access the site on port 80, using HTTP, to use the secure HTTPS connection you will need to enable a redirection.
Windows
1) Click on the Windows Start menu and find the Windows Notepad program. Right-click on this and choose to ‘Run as Administrator’. If you do not run Notepad as an administrator you will be unable to save your changes.
2) With Notepad open, click on the ‘File’ menu and choose ‘Open’ or press CTRL-O on the keyboard.
In the Open browser, change the drop-down menu for File Type from ‘Text Documents (*.txt)’ to ‘All Files (*.*)’.
Use the Open browser to open the C:\Program Files\exacqVision\EnterpriseManager\apache\conf directory and highlight the file titled ‘httpd.conf’ then click ‘Open’.
Remove the pound (#) signs in front of these two lines.
Save the file.
4) Restart the solrApache or exacqVision Enterprise Manager Apache service in Windows services (services.msc).
Linux
1) You may use any editor you feel comfortable with, such as vi or nano, but if you are more inclined to use a graphical interface you may use a program called ‘gedit’ to make the following changes.
Remove the pound (#) signs in front of these two lines.
Save the file and close the ‘gedit’ window to return to the Terminal prompt.
3) Restart the service in Terminal by typing:
sudo service ESMWebservice restart
or:
sudo service enterprise-webservice restart
TROUBLESHOOTING
1) Some versions of Internet Explorer do not easily work with services running locally or may display pages incorrectly. If this happens, try clearing the browser’s cache by pressing CTRL-F5 on the keyboard. If the problem is persistent try installing another web browser, such as Chrome.
2) If the solrApache service fails to start after configuring it for SSL, look for the following log entry:
[Wed Mar 04 09:08:54.512004 2017] [ssl:emerg] [pid 19116] AH02565: Certificate and private key www.example.com:443:0 from server.crt and server.key do not match AH00016: Configuration Failed
If you see this log entry, complete the following steps:
1) Change your working directory to the location of openssl.exe.
Windows (CMD): cd "C:\Program Files\exacqVision\EnterpriseManager\apache\bin"
3) Compare the values output by each of the preceding commands. The two strings should be identical. If the values do not match, confer with the certificate authority that issued the certificate.
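The self-signed certificate step above (whose openssl command is not shown), the PEM pass phrase prompt, and this troubleshooting section's MD5 modulus comparison, as an added example that is not part of the exacqVision article: it drives the OpenSSL command-line tool from Python. It assumes `openssl` is on PATH (on the Windows install, set OPENSSL_BIN to the openssl.exe in the apache\bin directory named above); the function names and the Common Names used are my own.

```python
import hashlib
import os
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Optional

# Assumption: the OpenSSL CLI is reachable as "openssl" (or via OPENSSL_BIN); on the
# ESM Windows install the article uses the copy in ...\EnterpriseManager\apache\bin.
OPENSSL = os.environ.get("OPENSSL_BIN", "openssl")


def _run(*args: str) -> str:
    """Run one openssl subcommand and return its stdout; raise if it fails."""
    proc = subprocess.run([OPENSSL, *args], check=True, capture_output=True, text=True)
    return proc.stdout


@dataclass
class CertPair:
    cert: str  # server.crt, PEM
    key: str   # server.key, PEM, pass phrase removed


def make_self_signed(common_name: str, out_dir: str,
                     passphrase: str = "changeit", days: int = 365) -> CertPair:
    """Create server.crt/server.key in out_dir for the given Common Name.

    The key is first written encrypted with `passphrase` (the PEM pass phrase the
    article prompts for), then re-written without it so Apache can start unattended;
    this is also how a password-protected key becomes a non-password-protected one.
    """
    enc_key = os.path.join(out_dir, "server.key.enc")
    key = os.path.join(out_dir, "server.key")
    cert = os.path.join(out_dir, "server.crt")
    _run("genrsa", "-aes256", "-passout", f"pass:{passphrase}", "-out", enc_key, "2048")
    # -subj answers the certificate questions non-interactively; only CN is required,
    # and it must be the IP address or FQDN users type to reach the ESM site.
    _run("req", "-new", "-x509", "-key", enc_key, "-passin", f"pass:{passphrase}",
         "-days", str(days), "-subj", f"/CN={common_name}", "-out", cert)
    _run("rsa", "-in", enc_key, "-passin", f"pass:{passphrase}", "-out", key)
    os.chmod(key, 0o600)  # private key readable by the service account only
    return CertPair(cert=cert, key=key)


def modulus_md5(path: str, kind: str) -> str:
    """md5 of 'openssl x509|rsa -noout -modulus -in <path>' output, the same value
    piping that output into 'openssl md5' prints (the hashes the article compares)."""
    sub = "x509" if kind == "cert" else "rsa"
    return hashlib.md5(_run(sub, "-noout", "-modulus", "-in", path).encode()).hexdigest()


def cert_key_match(cert: str, key: str) -> bool:
    """True when server.crt and server.key share an RSA modulus; a mismatch is what
    Apache's AH02565 'do not match' startup error reports."""
    return modulus_md5(cert, "cert") == modulus_md5(key, "key")


def subject_of(cert: str) -> str:
    """Subject line of a certificate, e.g. 'subject=CN = esmserver.example.com'."""
    return _run("x509", "-noout", "-subject", "-in", cert).strip()


def demo(out_dir: Optional[str] = None) -> dict:
    """Build a good pair plus a key from a second pair and run the checks on both."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="esm-ssl-")
    good = make_self_signed("esmserver.example.com", out_dir)  # constructed CN
    other_dir = os.path.join(out_dir, "other")
    os.makedirs(other_dir, exist_ok=True)
    other = make_self_signed("localhost", other_dir)
    return {
        "subject": subject_of(good.cert),
        "match": cert_key_match(good.cert, good.key),      # True
        "mismatch": cert_key_match(good.cert, other.key),  # False: wrong key
    }


if __name__ == "__main__":
    print(demo())
```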
IMPORTANT: For instructions on current versions of exacqVision Enterprise Manager (22.06 or higher), see Knowledge Base Article #12804.
This document details how to enable HTTPS connections to exacqVision Enterprise System Manager on versions 22.03 or lower.
For a trusted certificate, it is recommended that you purchase a third-party intermediate certificate from one of many online providers. If you are using a third-party certificate you may skip ahead to the section titled, “Obtaining a Third-Party Certificate”.
These steps will detail how to create a self-signed certificate, but be aware that web browsers will warn users that the certificate is untrusted if you are using a self-signed certificate or one from a private/internal certificate authority.
CREATING A SELF-SIGNED SSL CERTIFICATE
Windows
1) Click on the Windows Start button and type ‘CMD’. Right-click on the CMD icon and choose ‘Run as Administrator’.
2) Set the environmental variable that will be used by OpenSSL later by typing:
set OPENSSL_CONF=C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\openssl.cnf
Press Enter.
3) Change your working directory by typing:
cd "C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\bin"
You will be prompted to enter a PEM pass phrase. Enter anything you like, but you will need to re-enter it in the following steps.
PEM pass phrase:
5) You will be prompted with several questions for the certificate; answer these according to your needs. COMMON NAME should be the IP address or FQDN that users will use to reach the ESM web site (e.g. www.domain.com or esmserver.domain.com).
You will be prompted with a series of questions:
– Use data specific to your site.
– Items can be left blank with the exception of Common Name.
– Common Name (e.g. server FQDN or YOUR name) should be the IP address of the EM Server.
Verify that the MD5 hashes match; if they do NOT, see the troubleshooting section below before proceeding.
Step 3 Edit Apache Configuration
cd /usr/local/exacq/esm/apache_solr/apache2/conf/extra
sudo gedit httpd-ssl.conf
Make the following changes, save the file and then close gedit.
Step 4 Restart the enterprise-webservice
sudo service enterprise-webservice stop
sudo service enterprise-webservice start
OBTAINING A THIRD-PARTY CERTIFICATE
If you are planning to acquire a third-party certificate from a trusted provider, you may need to provide them with a Certificate Signing Request (CSR) file.
Enter all the fields and click on the ‘Submit’ button to download the ZIP file. Inside this ZIP file are the CSR file and the RSA key to give to your certificate provider.
If you purchased a chained certificate, be sure to download the appropriate intermediate bundle.
Once you have downloaded the files from your provider:
Rename the .crt file to ‘server.crt’.
Rename the .key file to ‘server.key’.
If you have a chained certificate, rename the chain file to ‘server-ca.crt’.
Place the renamed files from your Certificate Authority (CA) into the following directory:
When purchasing an SSL certificate, many providers offer an Intermediate Bundle, or additional certificates that must be present to link your certificate to a root certification authority. Usually the provider will have documentation on how to accomplish this with Apache, but it is a good idea to ask them before or during the purchasing process. Exacq is not responsible for making your certificates capable of working with Apache.
It is possible to combine all the intermediate certificates that a provider may give you into one file. Consult your provider for more information.
ENABLING SSL FOR HTTPS CONNECTIONS
Be sure that you have followed the steps above to place the certificate files necessary for either a third-party certificate or a self-signed certificate into the correct directory before continuing with the following steps.
Windows
1) Click on the Windows Start menu and find the Windows Notepad program. Right-click on this and choose to ‘Run as Administrator’. If you do not run Notepad as an administrator you will be unable to save your changes.
2) With Notepad open, click on the ‘File’ menu and choose ‘Open’ or press CTRL-O on the keyboard.
In the Open browser, change the drop-down menu for File Type from ‘Text Documents (*.txt)’ to ‘All Files (*.*)’.
Use the Open browser to open the C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf directory and highlight the file titled ‘httpd.conf’ then click ‘Open’.
3) Find the following line:
LoadModule ssl_module modules/mod_ssl.so
Remove any pound (#) sign in front of this line if there is one.
Now, find the following line:
Include conf/extra/httpd-ssl.conf
Remove any pound (#) sign in front of this line if there is one.
Save the file.
4) Still using Notepad, open the file titled ‘httpd-ssl.conf’ located in C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\extra
Find the following line:
ServerName www.example.com:443
Change the ‘www.example.com’ portion of this line to ‘localhost’.
Save the file and close the window.
5) Restart the solrApache service in Windows services (services.msc).
Linux
1) Open a Terminal prompt.
2) Change your working directory by typing:
cd /usr/local/exacq/esm/apache_solr/apache2/conf
Press Enter.
3) You may use any editor you feel comfortable with, such as vi or nano, but if you are more inclined to use a graphical interface you may use a program called ‘gedit’ to make the following changes.
In the Terminal, type:
sudo gedit httpd.conf
Press Enter.
4) Find the following line:
LoadModule ssl_module modules/mod_ssl.so
Remove any pound (#) sign in front of the line if there is one.
Now, find the following line:
Include conf/extra/httpd-ssl.conf
Remove any pound (#) sign in front of the line if there is one.
Save the file and close the ‘gedit’ editor window to return to the Terminal prompt.
5) In the Terminal, type:
sudo gedit extra/httpd-ssl.conf
Press Enter.
Find the following line:
ServerName www.example.com:443
Change the ‘www.example.com’ portion of this line to ‘localhost’.
Save the file and close the window to return to the Terminal prompt.
6) Restart the service in the Terminal by typing:
sudo service ESMWebservice restart
FORCED REDIRECT FROM HTTP TO HTTPS
If you want to force users who try to access the site on port 80, using HTTP, to use the secure HTTPS connection you will need to enable a redirection.
Windows
1) Click on the Windows Start menu and find the Windows Notepad program. Right-click on this and choose to ‘Run as Administrator’. If you do not run Notepad as an administrator you will be unable to save your changes.
2) With Notepad open, click on the ‘File’ menu and choose ‘Open’ or press CTRL-O on the keyboard.
In the Open browser, change the drop-down menu for File Type from ‘Text Documents (*.txt)’ to ‘All Files (*.*)’.
Use the Open browser to open the C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf directory and highlight the file titled ‘httpd.conf’ then click ‘Open’.
Remove the pound (#) signs in front of these two lines.
Save the file.
4) Restart the solrApache service in Windows services (services.msc).
Linux
1) You may use any editor you feel comfortable with, such as vi or nano, but if you are more inclined to use a graphical interface you may use a program called ‘gedit’ to make the following changes.
Remove the pound (#) signs in front of these two lines.
Save the file and close the ‘gedit’ window to return to the Terminal prompt.
3) Restart the service in Terminal by typing:
sudo service ESMWebservice restart
or:
sudo service enterprise-webservice restart
TROUBLESHOOTING
1) Some versions of Internet Explorer do not easily work with services running locally or may display pages incorrectly. If this happens, try clearing the browser’s cache by pressing CTRL-F5 on the keyboard. If the problem is persistent try installing another web browser, such as Chrome.
2) If the solrApache service fails to start after configuring it for SSL, look for the following log entry:
[Wed Mar 04 09:08:54.512004 2017] [ssl:emerg] [pid 19116] AH02565: Certificate and private key www.example.com:443:0 from server.crt and server.key do not match AH00016: Configuration Failed
If you see this log entry, complete the following steps:
1) Change your working directory to the location of openssl.exe.
Windows (CMD): cd "C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\bin"
3) Compare the values output by each of the preceding commands. The two strings should be identical. If the values do not match, confer with the certificate authority that issued the certificate.
Axis cameras running firmware 9.0 and above fail to connect and stream video when configured to use a hostname instead of an IP address and the protocol in the exacqVision Client has been set to HTTPS Required.
Product
Axis Firmware 9.0 and above
exacqVision Server 22.06
Steps to Reproduce
Make sure the camera has a self-signed certificate and that the network and the server are set up accordingly. This requires a DNS pointer to be created.
Log into the camera’s web interface and navigate to the certificate section.
Choose the appropriate certificate action.
Navigate to the HTTP/HTTPS menu.
Verify the Allow access through option is set to ‘HTTP and HTTPS’.
In the exacqVision Client:
Go to Add IP Cameras.
In the Hostname/IP Address field, enter the hostname of the camera instead of the camera’s IP address.
In the Protocol drop down box, select ‘HTTPS Required’.
Expected Results
The camera should connect and stream video.
Actual Results
The camera fails to connect.
The Status shows “Device not Streaming” and the Troubleshooting Steps are “Device not streaming. The device is connected but video hasn’t been received in the last 10 seconds.”
Solution
Within the Add IP Cameras page of the client:
Disable the camera.
Append #transport=tcp to the hostname already listed.
Example: “axis-b8a44f307314” would become “axis-b8a44f307314#transport=tcp”
The HTTP to HTTPS redirect implementation is broken and always supplies an internal IP address for the redirect, causing every redirect from outside the local network to fail.
Product
exacqVision Web Server 22.03
Steps to Reproduce
Configure HTTPS on the web service, either external or ACME
A green icon indicates that a secure (HTTPS) connection is being used for the configuration connection to the device, for the video stream, or for both.
Product
exacqVision Client
Solution
The green lock and gear icons are visual indicators of the connection protocol being used by the camera. They can be found on the Cameras configuration page, the Add IP Cameras page and the Camera Recordings page.
No Icon indicates standard connections are being used.
Green gear indicates that the device is secure, but the video stream is standard.
Green lock indicates that both the device and video stream are secure.
Currently, password-protected HTTPS certificates are not supported in the exacqVision Web Service. They fail to load when saved on the web service.
Solution
Because password-protected HTTPS certificates are not supported in the web service, the customer can either request a non-password-protected certificate from the provider or, if the password is known, remove the password and create a non-password-protected certificate.
Illustra cameras may be showing a status of “Motion not Supported” or motion is not being detected.
As part of cyber security compliance, Illustra camera firmware now defaults to ‘Enhanced’ rather than ‘Standard’ security, which results in the camera sending metadata over HTTPS instead of HTTP.
Resolution
Select one of the following options:
Update the Server version to 22.12.5 or higher. Exacq’s ability to accept metadata over HTTPS was enhanced in version 22.12.5. If your SSA does not permit you to update the ExacqVision Server version to 22.12.5 or higher, you will need to choose from the remaining options below.
Factory default the camera and choose Standard instead of Enhanced security. See Article 14441 on the differences between Standard and Enhanced security modes.
Alternatively, if the camera is using Enhanced security, enable ‘Video over HTTP’ in the camera’s GUI:
To change this setting, navigate to the Security page in the Illustra camera web interface.
Click the ‘Edit’ link beside ‘Video over HTTP’.
Place a check mark in the box adjacent to ‘Video over HTTP’.
Return to the ‘Add IP Cameras’ page in the ExacqVision Client.
Disable then re-enable the camera to pull the new camera settings.
This example uses Let’s Encrypt SSL certificates. The web service is behind HAProxy, and I was not able to configure HAProxy to update the Let’s Encrypt certificates over HTTP. Therefore, I manually updated the certificate: /etc/webservice/tls/server.crt -> /etc/letsencrypt/live/site.com/cert.pem
After updating the certificates, I linked the originals to the new certificates in the Let’s Encrypt folder. When I try to connect to the web service, I get this error message: ‘sent an invalid response. ERR_SSL_PROTOCOL_ERROR’.
The destination of the symlink, not the symlink itself, needs to be readable by the nvrweb user. In this example, the directory containing the symlink’s target did not have permissions that allowed the link to work correctly.
The best way to be sure is to run sudo -i in a terminal to become root, then run su nvrweb -s /bin/bash and try to view the files (for example, cat each path listed in the config file). This should produce output.
We also need to make sure nvrweb can read the certificate files /etc/webservice/tls/server.crt and /etc/webservice/tls/server.key. If it can, the output shows the certificates:
nvrweb@sunstone:/root$ cd /etc/webservice
nvrweb@sunstone:/etc/webservice$ cat tls/server.crt
-----BEGIN CERTIFICATE-----
(Contents of the certificate will be displayed here.)
-----END CERTIFICATE-----
nvrweb@sunstone:/etc/webservice$ cat tls/server.key
-----BEGIN PRIVATE KEY-----
(Contents of the key will be displayed here.)
-----END PRIVATE KEY-----
These certificates were in the tls directory and linked to the Let’s Encrypt folder, which we found had permission issues.
To check, try the same thing with su to nvrweb and see whether nvrweb can access the certificates in the Let’s Encrypt folder before changing the web service configuration. It is important to note that not just the permissions of the target file matter, but those of every directory in between. In this case the target file was fine, but the letsencrypt directory did not have the required permissions. Since the link points to another file, that file must be accessible to nvrweb.
Run ls -ld for each directory: /etc/letsencrypt, /etc/letsencrypt/live, /etc/letsencrypt/site.com
Without -d, ls shows the contents of the directory; to look at the directory entry itself, such as /etc/letsencrypt, use ls -ld /etc/letsencrypt.
The site.com directory is fine. We need to check the live and letsencrypt directories. The letsencrypt live directory’s permissions are rwx------, which means only root can enter or read the directory.
In the photo above we can see that permission is denied for the letsencrypt/live folder.
Configuring it this way is not the normal process, and it is possible that the next time I run letsencrypt to update the certificates it might error due to permissions or reset them. The process might need to be repeated each time.
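The permission walk described above (every directory between the web service's symlink and the Let's Encrypt target must be searchable by nvrweb, not just the target file), as an added example that is not part of the exacqVision article. It evaluates mode bits for a chosen uid/gid instead of calling access(), so it gives the right answer even when run as root; the function names and the temporary demo layout are my own, and the check is Unix-only.

```python
import os
import pwd
import stat
import tempfile
from typing import List, Optional, Tuple

_READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
_SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def _has(st: os.stat_result, uid: int, gid: int, bits) -> bool:
    """Plain Unix mode-bit check for uid/gid (ignores root's bypass and POSIX ACLs)."""
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid == gid:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])


def _chain(path: str) -> List[str]:
    """'/', '/etc', '/etc/letsencrypt', ... down to the path itself."""
    path = os.path.abspath(path)
    parts = [path]
    while os.path.dirname(path) != path:
        path = os.path.dirname(path)
        parts.append(path)
    return parts[::-1]


def unreadable_for(path: str, uid: int, gid: int) -> List[Tuple[str, str, str]]:
    """Return (path, ls -ld style mode, problem) for every component that stops
    uid/gid from reading `path`. Each directory on the way needs search (x) and the
    final file needs read (r). A symlink's own bits never matter, but the chain of
    its resolved target is checked as well, which is where the article's case failed."""
    problems, seen = [], set()
    for start in (path, os.path.realpath(path)):
        chain = _chain(start)
        for i, comp in enumerate(chain):
            try:
                st = os.lstat(comp)
            except FileNotFoundError:
                problems.append((comp, "?", "does not exist"))
                break
            if (st.st_dev, st.st_ino) in seen or stat.S_ISLNK(st.st_mode):
                continue
            seen.add((st.st_dev, st.st_ino))
            is_last = i == len(chain) - 1
            bits = _SEARCH if (stat.S_ISDIR(st.st_mode) or not is_last) else _READ
            if not _has(st, uid, gid, bits):
                what = "no search (x)" if bits is _SEARCH else "no read (r)"
                problems.append((comp, stat.filemode(st.st_mode), what))
    return problems


def unreadable_for_user(path: str, user: str = "nvrweb") -> List[Tuple[str, str, str]]:
    """Same check by account name, e.g. the exacqVision Web Service's nvrweb user."""
    pw = pwd.getpwnam(user)
    return unreadable_for(path, pw.pw_uid, pw.pw_gid)


def build_demo_layout(root: Optional[str] = None) -> dict:
    """Constructed stand-in for the article's layout: <root>/webservice/tls/server.crt
    -> <root>/letsencrypt/live/site.com/cert.pem, with live/ locked down to 0700."""
    root = root or tempfile.mkdtemp(prefix="ws-perm-")
    live = os.path.join(root, "letsencrypt", "live")
    site = os.path.join(live, "site.com")
    tls = os.path.join(root, "webservice", "tls")
    os.makedirs(site)
    os.makedirs(tls)
    target = os.path.join(site, "cert.pem")
    with open(target, "w") as f:  # placeholder body, not a real certificate
        f.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    os.chmod(target, 0o644)
    os.chmod(live, 0o700)  # the rwx------ the article found on letsencrypt/live
    link = os.path.join(tls, "server.crt")
    os.symlink(target, link)
    # A uid/gid that does not own these files stands in for the nvrweb account.
    return {"link": link, "live": live, "uid": os.getuid() + 1, "gid": os.getgid() + 1}


if __name__ == "__main__":
    layout = build_demo_layout()
    for comp, mode, what in unreadable_for(layout["link"], layout["uid"], layout["gid"]):
        print(f"{mode}  {comp}: {what}")
```

For the real system, call unreadable_for_user("/etc/webservice/tls/server.crt") and fix each directory it lists before touching the web service configuration.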