Revision as of 11:18, April 16, 2015 by Alison.obrien (talk | contribs) (Update with the copy of version: DRAFT)

Additional Feature Configuration

Geo Location

Geo-location is configured in two objects:

  • DN objects in a switch
  • Resource Groups for MCP and Recording Servers.

You can assign a geo-location tag for each DN (of type Trunk DN, Route Point DN, Extension DN, and Trunk Group DN). The geo-location option is configured in the TServer section of these DN objects.

To assign a geo-location tag for a Resource Group (for MCP and Recording Server separately), use the Resource Group Wizard and set the geo-location as part of the Wizard process.

Usage

Geo-location is selected for each call depending on the usage model.

SIP Server selects the geo-location with the following order of preference for inbound calls:

  1. Geo-location configured in the extensions of RequestRouteCall.
  2. Geo-location configured in the Routing Point DN.
  3. Geo-location configured in the inbound Trunk DN.
  4. Geo-location configured in the DN where the recording is enabled.

For outbound calls, the following order of preference is used:

  1. Geo-location configured in the extensions of RequestRouteCall.
  2. Geo-location configured in the Routing Point DN.
  3. Geo-location configured in the Agent DN.
  4. Geo-location configured in the outbound Trunk DN if recording is enabled.

Full-time Recording

When a DN is configured to be recorded, the geo-location is set at the DN. When more than one DN involved in the call has the geo-location set (for example, both the inbound Trunk DN and the Routing Point DN have the geo-location parameter set), then SIP Server selects the geo-location based on the order of preference listed above.

Selective Recording from a Routing Strategy

If record=source is set in the RequestRouteCall extensions, the geo-location of the inbound Trunk DN of the call is selected (if it is configured). If record=destination is set in the RequestRouteCall extensions, the geo-location of the agent (Extension DN) is selected.

Dynamic Recording

When dynamic recording is initiated by the T-lib RequestPrivateService function, the geo-location is selected based on the recorded DN in the call. Specifically:

  • If RequestPrivateService is requested with record=source in AttrExtensions, the geo-location configured for thisDN is selected. record=source is the default value if the extension is not defined.
  • If RequestPrivateService is requested with record=destination in AttrExtensions, the geo-location configured for otherDN is selected.


Audio Tones

The following section outlines the general configuration for audio tones.


Media Server

The following table describes the options required for audio tones when using Media Server:

| Section Name | Parameter Name | Description |
|---|---|---|
| Conference | record_recorddnhearstone | Specifies whether the RecordDN (Party A) hears the repeating tone. |
| Conference | record_otherdnhearstone | Specifies whether the OtherDN (Party B) hears the repeating tone. |

Media Server allows you to configure whether the recording also gets the audio tone. When the audio tone is injected into the call, Media Server distinguishes between what the participant hears and what the participant says. The above two configuration parameters affect what the participant hears.


| Section Name | Parameter Name | Description |
|---|---|---|
| Conference | record_chan2source | Specifies the recorded media that represents the first participant (Record DN) in the recording session. Values: recorddnsays, otherdnhears. If the Other DN is configured to receive consent and you want the consent to be recorded, set the value to otherdnhears. |
| Conference | record_otherdnhearstone | Specifies the recorded media that represents the second participant (Other DN) in the recording session. Values: otherdnsays, recorddnhears. If the Record DN is configured to receive consent and you want the consent to be recorded, set the value to recorddnhears. |


Encrypting and Provisioning Certificates

Before you can encrypt certificates for voice and screen recordings, you must generate the following keys and certificates:

  • A certificate for the Certificate Authority (CA) in .pem format.
  • A recording certificate (also known as public key) in .pem X.509 RSA format.
  • A recording private key in .pem format.
Important

It is your responsibility to store your private keys and certificates, including the expired ones.

You should also back up your keystore, keystore password, certificates, and private keys in a secure offsite location to protect against site-level disasters. When Genesys Interaction Recording encryption is enabled, loss of the keystore and private key would result in loss of recording files.

Generating the Certificates and Keys

This certificate must meet the following requirements:

  • 2048 bit RSA (or higher; please align encryption strength requirements with your IT Security)
  • x509 certificate
  • PEM format
  • The certificate must be signed by a trusted third-party CA, self-signed, or signed by your own private CA
  • If using a third-party CA, the certificate signing request provided to the third-party CA must contain the Subject Name, Serial Number, Subject DN, and Issuer DN. The third-party CA might contact you and ask for additional information
  • The validity period of the certificate determines when the next certificate needs to be generated for renewal


The following OpenSSL command is an example of how to generate a certificate signing request and a private key:

openssl req -nodes -newkey rsa:2048 -keyout private_key.pem -out cert.req -days <validity period>


The system prompts for DN fields to be filled in. Please fill in all of them. See the table below for the details.

| DN Field | Explanation | Example |
|---|---|---|
| Common Name | Name of your Recording Solution | Interaction Recording |
| Organization | The exact legal name of your organization. Do not abbreviate your organization name. | Monster & Sons, Inc. |
| Organization Unit | Section of the organization. | Robot Repairs |
| City or Locality | The city where your organization is legally located. | Pleasant Hill |
| State or Province | Full state or province where your organization is legally located. | California |
| Country | The two-letter ISO abbreviation for your country. | US |

The command produces the following files:

  • private_key.pem—the private key that is used to decrypt the recordings. It must be kept safe and should not be shared.
  • cert.req—the certificate signing request for the third-party CA that signs the request and provides the public key certificate to be used to encrypt the recordings.
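
The requirements and the key/CSR step above can be checked from the shell. The following is an added example, not Genesys code: it reuses the page's file names (private_key.pem, cert.req) and the sample DN values from the table; cert.pem and the function names are assumptions, and the CSR is self-signed only so that the check has a certificate to run on.

```shell
#!/usr/bin/env bash
# Added example, not Genesys code. File names private_key.pem and cert.req are
# the page's; cert.pem and all function names are assumptions.
set -eu

# Create a 2048-bit RSA key and a CSR without prompts, using the sample DN
# values from the table. -days is left out: openssl ignores it for a CSR, the
# validity period is set when the request is signed.
make_csr() {  # usage: make_csr <dir>
  openssl req -new -nodes -newkey rsa:2048 \
    -keyout "$1/private_key.pem" -out "$1/cert.req" \
    -subj "/C=US/ST=California/L=Pleasant Hill/O=Monster & Sons, Inc./OU=Robot Repairs/CN=Interaction Recording" \
    2>/dev/null
}

# Self-sign the CSR (one of the signing options the page lists) for <days> days.
self_sign() {  # usage: self_sign <dir> <days>
  openssl x509 -req -in "$1/cert.req" -signkey "$1/private_key.pem" \
    -days "$2" -out "$1/cert.pem" 2>/dev/null
}

# Key size in bits of the public key inside a PEM X.509 certificate.
cert_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds only if the file is a PEM X.509 certificate with an RSA key of at
# least 2048 bits, valid for at least one more day, whose public key belongs
# to the given private key.
check_recording_cert() {  # usage: check_recording_cert <cert.pem> <key.pem>
  local cert="$1" key="$2" bits
  head -n1 "$cert" | grep -q '^-----BEGIN CERTIFICATE-----' ||
    { echo "not a PEM X.509 certificate"; return 1; }
  openssl x509 -in "$cert" -noout -text |
    grep -q 'Public Key Algorithm: rsaEncryption' ||
    { echo "not an RSA certificate"; return 1; }
  bits=$(cert_bits "$cert")
  [ "${bits:-0}" -ge 2048 ] || { echo "RSA key too small: $bits"; return 1; }
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null ||
    { echo "expired or expiring within a day"; return 1; }
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "certificate does not match private key"; return 1; }
  echo "ok: RSA $bits bits, $(openssl x509 -in "$cert" -noout -enddate)"
}
```

Run check_recording_cert on the certificate the CA returns, with the private key you kept, before uploading the certificate; a mismatch at this point means recordings encrypted with that certificate could not be decrypted with your key.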

Chained Certificates

Genesys recommends that the recording certificate that you want to use for Genesys Interaction Recording encryption be signed by a single trusted third-party CA.

Important
Chained certificates are certificates where the trusted third-party CA is used to sign the intermediate CA certificate, and the intermediate CA certificate is then used to sign the user certificate.

To set up a chained certificate:

  1. Either have the customer upload the user certificate using the Tenant Genesys Administrator Extension,
    or
    have Genesys configure the certificate through Genesys Administrator Extension, or configure the certificate manually by adding the public key of the user certificate in the IVR profile. In the gvp.recording-certificates section, set the certificate-1 parameter to the entire certificate, starting from the line:
    -----BEGIN CERTIFICATE-----
    and ending with the line:
    -----END CERTIFICATE-----
    Important
    The Linux end-of-line characters must also be copied as part of the public key.
  2. Obtain the CA file from the customer and place it in the MCP's local directory—for example, /genesys/mcp/certificates/<tenant name>/<ca-file>. Note that the CA file given here should be the bundle of all the intermediate CAs and the root CA in a specific order—for example, cat crt_inter3.pem crt_inter2.pem crt_inter1.pem root_ca.pem > ca.pem. When you create a bundle from separate certificates, note that these certificates might sometimes contain additional information that should not be in the final bundle file. If this is the case, the above command (cat) will not work, and the information should be copied using an editor that opens the file using the Unix end of line. The information that should be taken starts from the line:
    -----BEGIN CERTIFICATE-----
    and ends with the line:
    -----END CERTIFICATE-----
  3. Configure the CA file path in the IVR profile. In the gvp.service-parameters section, set the recordingclient.gvp.config.mpc.mediamgr.CA_file parameter to /genesys/mcp/certificates/<tenant name>/<ca-file>.
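
One way to build the CA bundle from step 2 when the certificate files carry extra text or Windows line endings, as an added example (not Genesys code). The function names are hypothetical; the arguments are passed in the order the page gives, intermediates first and root CA last.

```shell
#!/usr/bin/env bash
# Added example, not Genesys code; function names are hypothetical.
set -eu

# Print only the PEM certificate blocks of one file, dropping surrounding text
# (for example "Bag Attributes" or "subject=" lines) and CR characters.
pem_blocks() {
  tr -d '\r' < "$1" | awk '
    /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
    inside                          { print }
    /^-----END CERTIFICATE-----$/   { inside = 0 }'
}

# Build the bundle in the order given: intermediates first, root CA last.
# usage: make_ca_bundle <ca.pem> <inter3.pem> <inter2.pem> <inter1.pem> <root.pem>
make_ca_bundle() {
  local out="$1" f
  shift
  : > "$out"
  for f in "$@"; do pem_blocks "$f" >> "$out"; done
}

# Print the number of certificates in a bundle. Fails if the file contains CR
# characters, text outside the BEGIN/END blocks, or unbalanced markers.
check_ca_bundle() {
  local cr begins ends stray
  cr=$(printf '\r')
  if grep -q "$cr" "$1"; then echo "CR line endings found"; return 1; fi
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  stray=$(awk '/^-----BEGIN CERTIFICATE-----$/ { i = 1; next }
               /^-----END CERTIFICATE-----$/   { i = 0; next }
               !i && NF' "$1" | wc -l)
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] && [ "$stray" -eq 0 ] ||
    { echo "malformed bundle"; return 1; }
  echo "$begins"
}
```

check_ca_bundle only validates the file layout; it does not verify that the certificates actually chain to the root CA.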

For Call Recordings

A Recording Certificate binds a public encryption key to a particular recorded message identity.

Important
When configuring encryption, backup of the private key is your responsibility. If the private key becomes lost or corrupt, any recording encrypted using that key will become unusable.

The following steps describe how to configure encryption for voice recordings:

Prerequisites
  • A certificate for the Certificate Authority (CA) in .pem format—for example, ca_cert.pem.
  • A recording certificate (also known as public key) in .pem format—for example, 02_gir_cert.pem.
  • A recording private key in .pem format—for example, 02_gir_priv_key.pem.
  1. On the machine where the Recording Crypto Server is installed, place the Certificate Authority (ca_cert.pem) in the <Recording Crypto Server Install Directory>\RCS directory.
  2. Edit the rcs.properties file:
    1. Change the value of the cacertstorepath parameter to ca_cert.pem.
    2. Set the value of the cacertstorepassword parameter to the valid password.
  3. Restart the Recording Crypto Server.
  4. Using Recording Plug-in for Genesys Administrator Extension, edit all your Media Control Platforms (MCP):
    • On the Options tab of each MCP application object, in the mcp section, set the mediamgr.CA_file parameter to the location of the Certificate Authority file (for example, c:\keystore\ca_cert.pem).
  5. Restart all the MCP instances.

For an example of a certificate, see Sample Certificate and Key File Generation. You are now ready to upload and deploy your certificates to complete the encryption process.


For Screen Recordings

Assigning Certificates

To assign a new certificate:

  1. Using Genesys Administrator Extension, in the header, go to Administration > Screen Recording Certificates.
  2. On the Screen Recording Certificates panel, click Add.
  3. From the Select Certificate window, perform one of the following actions:
    • Select the check box next to the appropriate certificate, and click Add.
    • Click Cancel to discard any changes.
  4. Perform one of the following actions:
    • Click the Save button to accept the changes.
    • Click the Cancel button to discard the changes.

Setting up the Decryption Proxy

  1. Configure the Recording Crypto Server (RCS) locations that Interaction Recording Web Services (or Web Services if you're using version 8.5.210.02 or earlier) uses for encrypted screen recordings:
    • For a single location:
      1. Using a text editor, create the create_single_location file with the following content:
        {
            "name":"decrypt-uri-prefix",
            "location": "/",
            "value": "<rcs uri>/rcs"
        } 
        Important
        Replace <rcs uri> with the appropriate value.
      2. Execute the following command:
        curl -u ops:ops -X POST -d @create_single_location \
          "http://<Web Services Server>:8080/api/v2/ops/contact-centers/<contact center ID (in hex format)>/settings/screen-recording" \
          --header "Content-Type: application/json"; echo
    • For multiple locations:
      1. Using a text editor, create the create_first_location file with the following content:
        {
            "name":"decrypt-uri-prefix",
            "location": "<node_location>",
            "value": "<rcs uri>/rcs"
        } 
      2. Execute the following command:
        curl -u ops:ops -X POST -d @create_first_location \
          "http://<Web Services Server>:8080/api/v2/ops/contact-centers/<contact center ID (in hex format)>/settings/screen-recording" \
          --header "Content-Type: application/json"; echo
        Important
        Replace <node_location> with the appropriate value. The values for the <node_location> are similar to the nodePath settings in the Interaction Recording Web Services (Web Services) application.yaml file (if you are using Web Services and Application version 8.5.201.09 or earlier, refer to the nodePath setting in the server-settings.yaml file instead), but allow a hierarchical representation. For example, an Interaction Recording Web Services (Web Services) node uses a decrypt-uri-prefix setting with a location of "/US" if the nodePath is set to "/US/AK" or "/US/HI".
      3. Repeat steps 1 and 2 for each location required.

For more information on the properties of this settings group, see Web Services Settings Groups.


Important
If you upload or delete recording certificates in one Genesys Administrator Extension session, these changes are not reflected in another Genesys Administrator Extension session. You must log out of the second Genesys Administrator Extension session and log in again.

Enable Call Recording

Call recording can be enabled through three methods:

  1. Full-time recording or Total recording—A specific DN is configured to enable recording for all calls for the specific DN.
  2. Selective Recording—Whether to record a party in the call is determined at a route point, and the recording starts as soon as the call is established.
  3. Dynamic Recording—An agent can request to start, stop, pause, or resume recording of a call at any time after the call is established, using Interaction Workspace.


Once a recording has started, there are two conditions where the recording stops:

  1. When the party being recorded leaves the call, or when the customer drops the call. For example, when the recording applies to the agent in the call and the call is transferred to a second agent, the recording is stopped when the agent leaves the call. Note that the second agent can have recording enabled, in which case the same call gets recorded with a second call recording segment.
  2. When dynamic recording control requests the recording to be stopped.


Important
If using Workspace Desktop Edition for the agent desktop, the agent can hide the status of the recording. This functionality can be enabled through Workspace role configuration. For more information, see Setting Up Agents on the System in the Workspace Desktop Edition documentation.
