Encrypting and Provisioning Certificates

2048 bit RSA (or higher; please align encryption strength requirements with your IT Security)
x509 certificate
PEM format
The certificate must be signed by a trusted third-party CA, self signed or signed by your own private CA
If using a third-party CA, the certificate signing request provided to the third-party CA must contain the Subject Name, Serial Number, Subject DN, and Issuer DN. You might be contacted by the third-party CA who might ask for additional information
The certificate validity period of the certificate determines when the next certificate needs to be generated for renewal

The following OpenSSL command to generate certificate signing request and private key is an example:

openssl req -nodes -newkey rsa:2048 -keyout private_key.pem -out cert.req -days <validity period>

The system prompts for DN fields to be filled in. Please fill in all of them. See the table below for the details.

DN Field	Explanation	Example
Common Name	Name of your Recording Solution	Interaction Recording
Organization	The exact legal name of your organization. Do not abbreviate your organization name.	Monster & Sons, Inc.
Organization Unit	Section of the organization.	Robot Repairs
City or Locality	The city where your organization is legally located.	Pleasant Hill
State or Province	Full state or province where your organization is legally located.	California
Country	The two-letter ISO abbreviation for your country.	US

The files will have the following:

private_key.pem— the private key that is used to decrypt the recordings. It must be kept safe and should not be shared.
cert.req— the certificate signing request for the third-party CA that signs the request and provides the public key certificate to be used to encrypt the recordings.

Chained Certificates

Genesys recommends that the recording certificate that you want to use for Genesys Interaction Recording encryption be signed by a single trusted third-party CA.

Important

Chained certificates are certificates where the trusted third-party CA is used to sign the intermediate CA certificate, and the intermediate CA certificate is then used to sign the user certificate.

To set up a chained certificate:

You can either upload the user certificate using the Tenant Genesys Administrator Extension.
or
Have Genesys configure the certificate through Genesys Administrator Extension, or configure the certificate manually by adding the public key of the user certificate in the IVR profile. In the gvp.recording-certificates section set the certificate-1 parameter to the entire certificate:
-------BEGIN CERTIFICATE----------
and finished with the line:
-------END CERTIFICATE----------------
Important
The Linux end-of-line characters must also be copied as part of the public key.
Obtain the CA file and place it in the MCP's local directory—for example, /genesys/mcp/certificates/<tenant name>/<ca-file>. Note that the CA file given here should be the bundle of all the intermediate CA's and the root CA in specific order—for example, cat crt_inter3.pem crt_inter2.pem crt_inter1.pem root_ca.pem > ca.pem. When you create a bundle from separate certificates, take note that these certificates might sometimes have additional information that should not be in the final bundle file. If this is the case, the above command (cat) will not work, and the information should be copied using an editor that opens the file using the Unix end of line. The information that should be taken starts from:
-------BEGIN CERTIFICATE----------
and finished with the line:
-------END CERTIFICATE----------------
Configure the CA file path in IVR profile. In the gvp.service-parameters section, set the recordingclient.gvp.config.mpc.mediamgr.CA_file parameter to /genesys/mcp/certificates/<tenant name>/<ca-file>

For Call Recordings

A Recording Certificate binds a public encryption key to a particular recorded message identity.

Important

When configuring encryption, backup of the private key is your responsibility. If the private key becomes lost or corrupt, any recording encrypted using that key will become unusable.
If screen recording is also used in the deployment, it is required that a screen recording certificate is also provisioned. Otherwise the Recording Muxer Script will not be able to mux the call recording and screen recording together, if the call recording is encrypted but the screen recording is not encrypted.

The following steps describe how to configure encryption for voice recordings:

Prerequisites

A certificate for the Certificate Authority (CA) in .pem format—for example, ca_cert.pem.
A recording certificate (also known as public key) in .pem format—for example, 02_gir_cert.pem.
A recording private key in .pem format—for example, 02_gir_priv_key.pem.

On the machine where the Recording Crypto Server is installed, place the Certificate Authority (ca_cert.pem) in the <Recording Crypto Server Install Directory>\RCS directory.
Edit the rcs.properties file:
1. Change the value of the cacertstorepath parameter to ca_cert.pem.
2. Set the value of the cacertstorepassword parameter to the valid password.
Restart the Recording Crypto Server.
Using Recording Plug-in for GAX, edit all your Media Control Platforms (MCP):
- On the Options tab of each MCP application object, in the mpc section, set the mediamgr.CA_file parameter to the location of the Certificate Authority file (for example, c:\keystore\ca_cert.pem).
Restart all the MCP instances.

For an example of a certificate, see Sample Certificate and Key File Generation. You are now ready to upload and deploy your certificates to complete the encryption process.

[+] Show how to upload a Certificate

[+] Show how to deploy a Certificate

To deploy a new certificate:

Log in to Genesys Administrator Extension, and navigate to Configuration > Configuration Manager > Voice Platform Profiles.
From the Voice Platform Profiles screen, click on the recording that you want to add the certificate to.
Select Recording.
Click Add.
From the Select Certificate screen, select the certificate you want to add to the IVR Profile, and click Add.

Enter the appropriate values for the following parameters:

Parameter Name	Description	Syntax and Examples
Recording Destination Section
Storage Destination	The path to the first recording destination.	`http://testing.com`
SpeechMiner Destination	The path to the SpeechMiner recording destination.	`S3:bucket_test`
Storage HTTP Authorization Header	The authentication for the first destination of the recorder. This field is visible only if the Storage Destination is either `HTTP` or `HTTPS`.	The format is `username:password`, where username and password are the web server credentials.
Storage AWS Access Key ID	Specifies the Amazon Web Services (AWS) Access Key ID used for building the authorization header to allow access to the Amazon S3 cloud. Note: This field is required if the Storage Destination field is set to S3 (Amazon Cloud).
Storage AWS Secret Access Key	Specifies the AWS Secret Access Key ID used for building the authorization header to allow access to the Amazon S3 cloud. Note: This field is required if the Storage Destination field is set to S3 (Amazon Cloud).
Recording Processor URI	The authentication for the first destination of the recorder. This field is visible only if the SpeechMiner Destination is either `HTTP` or `HTTPS`.	The format is `username:password`, where username and password are the web server credentials.
SpeechMiner HTTP Authorization Header	Specifies the Amazon Web Services (AWS) Access Key ID used for building the authorization header to allow access to the Amazon S3 cloud. Note: This field is required if the SpeechMiner Destination field is set to S3 (Amazon Cloud).
SpeechMiner Interaction Receiver	Specifies the URL that points to the SpeechMiner service responsible for accepting metadata from the Recording Processor script for this profile.
SpeechMiner Interaction Receiver Authorization Header	Specifies the authorization information required to connect to the SpeechMiner serviced used by the Recording Processor Script.	The format is `username:password`, where the username and password are the web server credentials.
Additonal Recording Parameters Section
Recording Storage MIME Type	The audio file type used for the storage recording.	You can choose either `audio/wav` or `audio/mp3`.
Recording Alert Tone Source	The URI of the audio tone.	`http://example.com/tone.wav`
Recording File Name Template Section
File Name Template	The template for generating MSML recording file name. When this field is left blank the default value is $id$. Note: Using too many parameters could exceed the 260 characters limit for a Windows file name. Select any combination from the following: ID ($id$)—The unique identifier of the template. SIP Server Application Name ($sipsAppName$) —The SIP Server application name in which the recording is started. ANI ($ani$)—The ANI information of the call in which the recording is started. DNIS ($dnis$) —The DNIS information of the call in which the recording is started. Date Time ($dateTime$) —The date and time of the call in which the recording is started. The date and time is sent in ISO format with UTC time. The ISO format is `YYYY-MM-DDTHH:MM:SSZ`. Call UUID ($callUuid$) —The call UUID of the call in which the recording is started. Connection ID ($connID$) —The TLib Connection ID of the call in which the recording is started. Agent ID ($agentID$) —The agent ID of the DN of the call in which the recording is started. If the recording has not started because the DN or Agent ID has not logged in, this parameter will not be present. MPC Date Time ($MPCDateTime$) —The local date and time of the call in which the recording is started. The local time follows the MCP instance where the recording is taking place.	`$id$_$sipsAppName$_$callUuid$_$ani$_$connId$_$dnis$_` `$agentId$_$dateTime$_$MPCDateTime$`

Click Save.

For Screen Recordings

Assigning Certificates

To assign a new certificate:

Using Genesys Administrator Extension, in the header, go to Administration > Screen Recording Certificates.
On the Screen Recording Certificates panel, click Add.
From the Select Certificate window, perform one of the following actions:
- Select the check box next to the appropriate certificate, and click Add.
- Click Cancel to discard any changes.
Perform one of the following actions:
- Click the Save button to accept the changes.
- Click the Cancel button to discard the changes.

Setting up the Decryption Proxy

Configure the Recording Crypto Server (RCS) locations that Interaction Recording Web Services (or Web Services if you're using version 8.5.210.02 or earlier) uses for encrypted screen recordings:
- For a single location:
  1. Using a text editor, create the create_single_location file using the following command:
```
{
    "name":"decrypt-uri-prefix",
    "location": "/",
    "value": "<rcs uri>/rcs"
} 
```
    Important
    Replace <rcs uri> with the appropriate value.
  2. Execute the following command:
```
curl -u ops:ops -X POST -d @create_single_location http://<Web Services Server>:8080/api/v2/ops
/contact-centers/<contact center ID (in hex format)>/settings/screen-recording
 --header "Content-Type: application/json"; echo
```
- For multiple locations:
  1. Using a text editor, create the create_first_location file using the following command:
```
{
    "name":"decrypt-uri-prefix",
    "location": "<node_location>",
    "value": "<rcs uri>/rcs"
} 
```
  2. Execute the following command:
```
curl -u ops:ops -X POST -d @create_first_location http://<Web Services Server>:8080/api/v2/ops
/contact-centers/<contact center ID (in hex format)>/settings/screen-recording 
--header "Content-Type: application/json"; echo
```
    Important
    Replace <node_location> with the appropriate value. The values for the <node_location> are similar to the nodePath settings in the Interaction Recording Web Services (Web Services) application.yaml file (if you are using Web Services and Application version 8.5.201.09 or earlier refer to the nodePath setting in the server-settings.yaml file instead), but allow a hierarchical representation. For example, an Interaction Recording Web Services (Web Services) node uses a decrypt-uri-prefix setting with a location of "/US" if the nodePath set to "/US/AK" or "/US/HI".
  3. Repeat steps a and b for each location required.

For more information on the properties of these settings group, see Interaction Recording Web Services Settings Groups.

Important

If you upload and/or delete recording certificates in one Genesys Administrator Extension session, these changes are not reflected in another Genesys Administrator Extension session. You must log out and login again to the second Genesys Administrator Extension session.

Encrypting and Provisioning Certificates

Contents

Generating the Certificates and Keys

Chained Certificates

For Call Recordings

Prerequisites

For Screen Recordings

Assigning Certificates

Setting up the Decryption Proxy

Contact

Genesys

Customer Care

Legal