Appendix A: Administrating AirFlow
This Appendix describes granting user access to AirFlow, the requirements for remote access in AirFlow, and how to rebrand AirFlow to match your corporate identity. These procedures should be performed by network administrators only. See the following topics:
• "Administration Tasks" on page 55
• "Remote Access" on page 58
• "Branding" on page 60
• "Troubleshooting for Administrators" on page 62
Administration Tasks
See the following topics:
• "AirFlow Service" on page 55
• "Controlling User Access" on page 55
• "Host Names" on page 56
• "SSL Certificates" on page 56
AirFlow Service
To check that the AirFlow service is running:
TASK
1. Start Flow Control (Administrator-level access required) and click on the Network tab.
2. Scroll down the list of servers and look for AirFlow. The server status displays as ‘Running’ or ‘Stopped’.
3. Click the button to start or stop the server as required.
Controlling User Access
Access to AirFlow’s features is granted on a user-by-user basis in Flow Control. The permissions relevant to AirFlow that can be set in Flow Control are as follows:
• Login to AirFlow
• Create Projects (also applies the setting in Flow Browse)
• Download media files
See the Flow Administrator’s Guide, Chapter 2, for instructions on how to use Flow Control to change user access in AirFlow.
TP-00264-05 55
Host Names
You may also configure your facility's DNS settings to reference AirFlow by domain name rather than IP address, allowing users to connect to AirFlow using an easy-to-remember name. To do this, you must allocate AirFlow a unique and complete host name, for example:
airflow.mydomain.com.
Mapping AirFlow to a directory off a domain name such as:
mydomain.com/Airflow
will not work.
SSL Certificates
To improve security and avoid browser warnings, EditShare recommends you obtain a trusted SSL certificate and install it on the AirFlow server.
Be aware of the following:
• Use SHA-2 certificates only (SHA-256 or stronger). DO NOT use SHA-1 certificates. Serious vulnerabilities have been found in the SHA-1 algorithm, and web browsers will start issuing security warnings for these certificates soon.
• Certificates usually need to be renewed every 1-3 years.
• The private key file should be kept safe and not shared with anybody.
You will need two files from the Certification Authority (CA):
• Private key file
• Certificate file
Some CA companies offer SSL certificates free of charge. The certificate should be assigned to a DNS hostname of the public server running AirFlow (for example, airflow.mydomain.com). This is also known as the Common Name (CN). Certification Authorities do not accept IP Addresses for CNs.
Refer to the Certificate Authority’s documentation before purchasing and installing certificates.
See the following topics:
• "Installing SSL Certificates" on page 57
• "Intermediate (Chain) Certificates" on page 58
Installing SSL Certificates
To install your SSL certificate:
TASK
1. On the EditShare server running AirFlow, navigate to the folder /etc/flow/{companyname} (where {companyname} is the name of your company or organization). If the folder does not exist, create it using the mkdir command.
2. Upload the certificate and the private key files to the /etc/flow/{companyname} folder.
3. Open the file /etc/flow/FlowGatewayServer.conf with a text editor such as vi. If the file does not exist, create it. Add the following contents:
   [ssl]
   key=/etc/flow/{companyname}/certificate.key
   cert=/etc/flow/{companyname}/certificate.crt
   disable_http_server=true
4. Save the file.
5. Choose a time when user activity is low:
   a) Inform users that the Flow server is about to be restarted, and that they should save their work and log out.
   b) Make sure that there are no ingest or transcode jobs in progress. Check the jobs running in Flow Automation.
6. Restart the Flow Server. Either:
• In Flow Control, select the Network tab, click Stop Server. When the server has stopped, click Start Server.
• In the EditShare Manager, start the Control Panel and click on ‘Stop Flow Daemon’. When the server has stopped, click on ‘Start Flow Daemon’.
7. Verify that the certificate installed correctly. Navigate to the AirFlow login page (for example https://airflow.mydomain.com:8005) and confirm that:
a) A green or blue padlock icon displays in the browser's address bar.
Blue = Standard certificate, Green = Extended Validation.
b) No browser security warnings display.
Intermediate (Chain) Certificates
Your Certificate Authority may provide intermediate certificates which are required to provide a link, or ‘chain’, between the End User Certificate (issued by your Certificate Authority) and the Root Certificate in users’ web browsers.
Customers running their own PKI infrastructure are advised to point both 'cert' and 'chain' at a full-chain certificate bundle (the server certificate, any intermediate certificates, and the root CA certificate). The order of the certificates in the full-chain bundle matters: the server certificate must come first.
You can add Intermediate Certificates after making the following change to the /etc/flow/FlowGatewayServer.conf configuration file:
TASK
1. Open the file /etc/flow/FlowGatewayServer.conf as described in "Installing SSL Certificates" on page 57.
2. Add the following line under the [ssl] header:
   chain=/etc/flow/{companyname}/ssl/chain.crt
   where {companyname} is the name of your company or organization.
3. Save the file.
Certificate chains can be verified by doing one of the following:
• Navigate to https://ssllabs.com
• At the command line prompt, type: openssl s_client -connect SERVER_HOST:PORT -showcerts
Confirm that ‘Verify return code: 0 (ok)’ is displayed at the end of the response. Any other code means the browser will not be able to build a trusted chain to the server certificate.
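The script below is an added example and is not part of the EditShare manual. It automates the command-line check above and the points raised under "SSL Certificates": the chain must verify, the certificate must match the host name (CN/SAN), the signature must not be SHA-1, and renewal should be scheduled before expiry. It assumes the openssl CLI is installed; the host name and port 8005 are placeholders for your own AirFlow gateway.

```shell
#!/usr/bin/env bash
# Added example (not from the EditShare manual). Checks a live AirFlow gateway's
# certificate as this appendix recommends. Requires the openssl CLI.

# Extract N from the "Verify return code: N (...)" line of s_client output.
# Prints 99 if no such line is present (for example, the connection failed).
verify_code() {
    local code
    code=$(printf '%s\n' "$1" | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${code:-99}"
}

# Number of PEM certificates in -showcerts output; 1 means no chain was sent.
cert_count() {
    printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Succeeds unless the signature algorithm string refers to SHA-1.
sig_alg_ok() {
    case "$1" in
        *sha1*|*SHA1*|*[sS][hH][aA]-1*) return 1 ;;
    esac
    return 0
}

# Connect and run every check; returns non-zero if any check fails.
check_airflow_tls() {
    local host="$1" port="${2:-8005}" out leaf alg rc=0
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -showcerts </dev/null 2>/dev/null)
    # openssl x509 reads the first PEM block on stdin, i.e. the server certificate.
    leaf=$(printf '%s\n' "$out" | openssl x509 2>/dev/null)
    if [ "$(verify_code "$out")" != "0" ]; then
        echo "FAIL: chain did not verify ($(cert_count "$out") certificate(s) sent)"; rc=1
    fi
    printf '%s\n' "$leaf" | openssl x509 -noout -checkhost "$host" | grep -q 'does match' \
        || { echo "FAIL: certificate does not match host name $host"; rc=1; }
    alg=$(printf '%s\n' "$leaf" | openssl x509 -noout -text | sed -n 's/ *Signature Algorithm: //p' | head -n 1)
    sig_alg_ok "$alg" || { echo "FAIL: SHA-1 signature ($alg)"; rc=1; }
    # Flag certificates with fewer than 30 days left so renewal can be planned for a quiet period.
    printf '%s\n' "$leaf" | openssl x509 -noout -checkend $((30 * 86400)) >/dev/null \
        || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $host:$port passed all checks"
    return "$rc"
}

# Usage (placeholder host): check_airflow_tls airflow.mydomain.com 8005
```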
Remote Access
The Airflow Gateway server provides the interface between the internal Flow database communication protocol and the AirFlow web clients. It accesses proxy files and clip metadata directly from the Flow Database and presents this information to the AirFlow web clients in a dynamic web page.
AirFlow connects to your local area network just as any other Flow server does, receiving Flow broadcasts over any single LAN interface and communicating with the Flow Database. It listens on port 8005 over all interfaces for HTTPS connections from AirFlow clients. Therefore, within the local network, users will always be able to access the AirFlow web interface at https://{server_name}:8005 where {server_name} is the host name of the Airflow gateway server.
Additionally, in order to access Airflow from the internet, the Network Administrator must also configure the router/firewall device to forward a port from the facility's public IP (WAN) address to port 8005 of the AirFlow server.
Therefore, the AirFlow server can be configured in one of two network topologies:
• "Single Homed Server in Unified Network" on page 59
• "Dual Homed Server in Isolated Network" on page 59
Single Homed Server in Unified Network
In situations where a facility's Flow/editing network also has access to the internet router/firewall, the Airflow gateway should be configured with a single IP address and network connection. That one interface will be used for both local Flow broadcast traffic as well as Airflow HTTPS traffic. If internet access is desired for AirFlow clients, the network administrator should forward a port from the router/firewall to port 8005 on the single configured IP address on the AirFlow server.
(Figure: Single Homed Server in Unified Network. Components shown: EditShare Storage, Flow Database, AirFlow Clients.)
Dual Homed Server in Isolated Network
In situations where the Flow editing network is isolated from the internet and/or the larger corporate network, the Airflow server may be dual-homed. One connection on the AirFlow server should be configured on the editing network for communication with the Flow Database server. The second network connection on the AirFlow server should be configured to have access to the facility's router/firewall. The network administrator should forward a port from the router/firewall to port 8005 on the AirFlow gateway, using the IP address of the second connection.
(Figure: Dual Homed Server in Isolated Network. Components shown: EditShare Storage, Flow Database and Flow / NLE Clients on the isolated editing network; AirFlow Gateway; Intranet Router / Firewall; Internet (WAN); AirFlow Clients.)
For security reasons, the AirFlow server must NEVER be fully exposed to the internet by giving it a public IP address, or placing it in a Demilitarized Zone (DMZ).
Always protect the AirFlow server behind an appropriate router and firewall, forwarding only the necessary single port for AirFlow HTTPS access.