Establishing a TLS Connection to Genesys Configuration Server
Performance Management Advisors supports an optional TLS connection to the Genesys Configuration Server. Both the Advisors Suite Server (the Platform server) and the Advisors Genesys Adapter (AGA) can establish individual TLS connections to the Configuration Server. CCAdv, WA, FA, and AA also have a secure connection to the Configuration Server if you enable a TLS connection on Advisors Platform.
If you plan to connect to the Configuration Server using TLS, you must first do the following:
- Create a TLS properties file, as explained in the TLS Properties File section below.
- Configure a secure port for Genesys Configuration Server. For more information, see Genesys Security Deployment Guide.
- Configure security certificates.
- Configure the security providers and issue security certificates. For more information, see Genesys Platform SDK Developer’s Guide.
- Assign a certificate to the Configuration Server host. For more information, see Genesys Security Deployment Guide.
You can use the same certificates for both AGA and Advisors Platform if you enable a TLS connection on both, because all the same components are involved in the subsequent interactions across the TLS connection.
To configure a TLS connection to the Configuration Server, you can select the option to do so on the installation screen when you deploy Advisors Platform and AGA, or you can enable TLS post-deployment using the properties files. If you have a backup Genesys Configuration Server and you enable a TLS connection to the primary Configuration Server when deploying AGA, AGA also connects to the backup Configuration Server using TLS.
If a TLS connection to Configuration Server cannot be established when you start the installed instance of Advisors Platform or AGA, error messages are logged in the log file. You can correct the TLS properties supplied during installation in the relevant property file post-installation.
The Advisors Platform properties file, <PLATFORM_INSTALL>/conf/GenesysConfig.properties, has the following TLS-related properties:
- genesys.configServer.tlsproperties.file
- genesys.configServer.tls.port
- genesys.configServer.tls.enabled
- genesys_connector.configServer.tls.enabled
- genesys_connector.configServer.tls.port
- genesys_connector.configServer.tlsproperties.file
Configure the port mode on the Configuration Server.
- Although there are three port modes for TLS configuration, only the upgrade port mode is supported for an Advisors TLS connection to Genesys Configuration Server.
Supported TLS Providers
Advisors supports the following security providers:
- PEM
- MSCAPI
- PKCS#11
The TLS properties file is not supplied with Advisors; it is unique to your enterprise.
The TLS configuration required to support each provider varies slightly, but each can be configured uniquely in a properties file. You can save the TLS properties file using any filename you choose.
The TLS properties file uses a simple key-value pair format. On each line of the file, a key is followed by an equals sign (=), which is followed by the value for that key. For example:
provider=PEM
certificate=C:/advisors/security/conf/client1-cert.pem
certificate-key=C:/advisors/security/conf/client1-key.pem
trusted-ca=C:/advisors/security/conf/ca.pem
tls-crl=C:/advisors/security/conf/crl.pem
tls-mutual=0
In the preceding example, the provider key has a value of PEM, identifying the security provider type. This provider requires additional security parameters (keys), which are included in the example. You must copy the certificate files to a folder on the local hard drive.
The TLS properties file path you enter during installation (or in the Advisors Platform or AGA properties file post-installation) points to those security files.
For information about supported TLS properties, see the relevant section in the Genesys Platform SDK Developer’s Guide.
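A pre-deployment check for a TLS properties file in the format described above, added here as an example; it is not part of the Genesys documentation or product, and its function names are hypothetical. It assumes blank lines and # comment lines can be skipped, checks only keys that are present, and treats the private-key permission test as a POSIX-only hardening check.

```python
import os
import tempfile

SUPPORTED_PROVIDERS = {"PEM", "MSCAPI", "PKCS#11"}  # providers listed on this page
PEM_FILE_KEYS = ("certificate", "certificate-key", "trusted-ca", "tls-crl")  # PEM example keys

def parse_tls_properties(text):
    """Parse key=value lines. Skipping blank and '#' lines is an assumption."""
    props = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {n}: expected key=value, got {raw!r}")
        props[key.strip()] = value.strip()
    return props

def check_tls_properties(props):
    """Return findings for a parsed file; an empty list means nothing was flagged."""
    findings = []
    provider = props.get("provider")
    if provider not in SUPPORTED_PROVIDERS:
        findings.append(f"provider: {provider!r} is not a supported provider")
    # Only the PEM example's keys are checked, and only when present in the file;
    # the page does not say which of them are mandatory.
    keys = PEM_FILE_KEYS if provider == "PEM" else ()
    for key in (k for k in keys if k in props):
        path = props[key]
        if not os.path.isfile(path):
            findings.append(f"{key}: file not found on local disk")
            continue
        with open(path, "rb") as fh:
            if not fh.read(64).lstrip().startswith(b"-----BEGIN "):
                findings.append(f"{key}: no PEM header at start of file")
        # Hardening check (POSIX only): the private key must not be open to group/other.
        if key == "certificate-key" and os.name == "posix" and os.stat(path).st_mode & 0o077:
            findings.append(f"{key}: private key is accessible to group/other")
    return findings

def demo():
    """Constructed sample: valid CA file, loosely permissioned key, missing certificate."""
    d = tempfile.mkdtemp()
    for name in ("ca.pem", "client1-key.pem"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")  # placeholder, not key material
        os.chmod(os.path.join(d, name), 0o644)
    text = (f"provider=PEM\ncertificate={d}/client1-cert.pem\n"
            f"certificate-key={d}/client1-key.pem\ntrusted-ca={d}/ca.pem\ntls-mutual=0\n")
    return check_tls_properties(parse_tls_properties(text))
```

Running the check before starting Advisors Platform or AGA surfaces a wrong path or an unsupported provider value without waiting for the connection errors in the log file.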
When Advisors Platform or AGA attempts to establish the TLS connection to Configuration Server, progress is written to the log file. You can ignore a warning message in the log file that indicates that no TLS configuration for Advisors was found in the Configuration Server. Advisors is not an application configured in Configuration Server, so an empty configuration is returned and the connection relies on the TLS configuration supplied by the connection properties.
For information about troubleshooting issues with TLS connections, see Genesys Security Deployment Guide.