Vanity URL

In Kaltura it is possible to have custom URL's added to Kaltura MediaSpace (KMS) and Kaltura Application Framework (KAF). This article describes how this is done on the NORDUnet instance.

Deciding a name

The first step is obvious, decide what the service should be called. For KMS instances this is usually done be the institution entirely, and everything goes, as long as the institution owns the domain. Vanity URL's can look like this:

• video.nordu.net
• we.couldnt.find.a.good.name.for.our.new.service.com
• videoservice.nu

For KAF's there may be a little more to it, and that is to do with the security features of modern browsers. Since the default way of embedding videos into a 3rd party site (LMS, CMS etc) is using the IFRAME html technology. Some browsers will deny content that is embedded from a domain name that is not obviously related to the domain of the origin. So if the system that needs to embed content from Kaltura is called "lms.example.com" it is properly a really good idea to use something like "kaf.lms.example.com" as the vanity name for the KAF.

Certificate

In the cryptography that is used in HTTPS there is some concepts that you should know of,

• Certificate Authority - An issuer of certificates, ex: DigiCert, AlphaSSL,  etc.
• Public Key - Cryptographic key that can only be used for encrypting data.
• Private Key -Cryptographic key that can only be used for decrypting and signing data.
• Certificate - A certificate signed by a Certificate Authority, it contains the Public Key, and can freely be distributed as it contains no secret data. It is automatically send to the client every time the client connects to a server that uses the certificate.
• Signing Request - A request to the Certificate Authority about getting a specific certificate

The two things that is needed on the server side is the Certificate it self, and the Private Key. The certificate in conjunction with the Private Key is what proves to the outside world that the server is actually allowed to use the domain name in question.

For security reasons the Private Key is never supposed to leave the server that it is used on, for that reason the Private Key is generated together with the Signing Request by NORDUnet (the Private Key is required to generate the Signing Request).

After the Signing Request is received by the institution, they can then pass it on to their preferred Certificate Authority who will issue the actual certificate. This certificate can then be send back to NORDUnet for installation on the Kaltura servers.

For NORDUnet to issue a Signing Request, please give the following information:

Security and renewing of certificates

Kaltura on NORDUnet no longer supports insecure connections, and all vanity URLs will require a certificate!

Certificates that are issued by a Certificate Authority is generally only valid for 1, 2 or 5 years at a time. So at some point the need for replacing an old certificate will arise. The process of replacing is almost the same as a new installation, except that the generation of a Signing Request is not needed if the institution still have the original one.

NORDUnet will periodically check the expiration of certificates on Kaltura, but it is the responsibility of the institution that the certificates are up to date, and valid!

DNS Setup

For this to actually work the DNS setup need to be correct this is done by having your DNS administrator create a CNAME-record for the desired domain name, this should point to the name originally given to you by the Kaltura administrator. ex: 141.kaltura.nordu.net or 141-canvas-kaf.kaltura.nordu.net or something like that.

Specific instructions will be given when Signing Request is requested.

It is possible to use other options like proxy-servers, but these setups are not supported by NORDUnet. If they suddenly break or act up in unpredictable ways, we will not be able to offer any support.