Revision as of 21:33, August 26, 2016 by MFreviewers (talk | contribs) (Generating Certificates using OpenSSL and Genesys Security Pack)
Jump to: navigation, search

What You Need

Before starting to configure your secure connections with TLS, you need to have done the the following:

  • Generated certificates, with associated private and public keys, and CRLs. For simple TLS, only server certificates are required; for mutual TLS, server and client certificates are required.
  • Made certificates available in keystores.
  • Installed the Genesys Security Pack, if you are using *.nix platforms with the Genesys common library.


Each of these requirements are described below.

TLS Certificates

TLS certificates must be generated and installed appropriately on any host that runs Genesys applications that utilize TLS secure connections. A certificate is generated and signed using a certification authority (CA) entity, which is able and authorized to issue certificates signed with its own name.

Important
Genesys strongly recommends that you use the same CA to generate all the certificates for your contact center environment.

The actual process of certificate generation in a specific environment is highly dependent on the security policies of your IT organization and tools used, and can, therefore, be different from the process described in this chapter. Genesys recommends that you consult with your network administrator before generating certificates for secure data exchange between Genesys components. Certificates can be purchased from well-known certificate authorities, such as VeriSign. Certificates can be generated and self-signed on Linux using the OpenSSL tool, assisted by scripts distributed with the Genesys Security Pack. Windows Certificate Service can be used to generate and sign certificates. You may self-sign your certificates or you can have Windows Certificate Service in your organization be a part of chain of trusted authorities already. Generated and signed certificates must also be installed to be used by Genesys components. This procedure differs depending on the host operating system on which the certificates are installed.

Tip
TLS certificates can be stored and used in a number of different formats. Different TLS implementations use different certificate formats. Self-signed certificates, generated using OpenSSL and Genesys Security Pack can be used across all supported Genesys implementations. For certificates, obtained from other sources you have to confirm format is compatible with your target platform(s).


Recommended Certificate Properties

When retrieving or generating a certificate, the following properties are recommended to ensure the connections using this certificate are as secure as possible:

[+] Show properties

Generating Certificates using OpenSSL and Genesys Security Pack

The OpenSSL toolkit can be used to set up a CA infrastructure and issue self-signed certificates. Use this method if certificates are to be utilized in a mixed environment, including Windows and Linux hosts, along with Java PSDK-based components.

Scripts distributed with Genesys Security Pack simplify CA creation and certificate generation. These scripts use the SHA-256 message digest algorithm by default, but allow fallback to SHA-1 if required. Genesys recommends that you do not use SHA-1.

Prerequisites

To generate certificates, you need an OpenSSL command line tool installed on the system. Obtain the most recent valid binary distribution from the OpenSSL official website. To utilize Genesys Security Pack scripts, you need a set of standard GNU console utilities, including bash, awk and touch.

Generation Process

1. Create a CA directory in which CA files—scripts, configuration files, and generated certificates—will be stored.
2. Copy the create_ca.sh and create_cert.sh scripts from the installation package to the CA directory that you just created. Make sure that these scripts have executable permissions.
3. Run the create_ca.sh script from the bash shell by specifying the proper parameters (described in the table below) in the following command line:
create_ca.sh [-keySz KEY_SIZE] [-dgst DIGEST_ALGORITHM] [-time VALID_TIME] -CN COMMON_NAME [-E EMAIL] [-OU ORG_UNIT] [-O ORGANIZATION] [-L LOCALITY] [-S STATE] [-C COUNTRY]

The parameters are described in the following table:

[+] Show table


For example:

create_ca.sh -CN “Basic Certification Authority” -E “youremail@yourdomain.com” -OU “Department” -O “Genesys Telecommunication Labs” -L “Daly City” -S CA -C US
4. Generate certificates as required. To generate a certificate for a particular host computer:

Go to the CA directory in which the CA files are stored. 

Run the create_cert.sh script from the bash shell by specifying the parameters (see the following table) in the following command line:


create_cert.sh [-keySz KEY_SIZE] [-dgst DIGEST_ALGORITHM] [-time VALID_TIME] -host HOST_NAME -CN COMMON_NAME [-E EMAIL] [-OU ORG_UNIT] [-O ORGANIZATION] [-L LOCALITY] [-S STATE] [-C COUNTRY]

The parameters are described in the following table:

[+] Show table


For example:

create_cert.sh -host myHOST.domain1.domain2.com -CN myWorkstation
5. If you are installing certificates on any Java-based PSDK applications, such as Universal Contact Server, convert the private key file to PKCS #8 format. Use the following command: 
convert_priv_key.sh -in INPUTFILE -out OUTFILE [-informat pfx|pkcs8|pkcs12|rsa] [-outformat pkcs8|rsa] [-encrypt]
Parameter Description
INPUTFILE Input private key filename.
OUTFILE Output private key filename.
-informat (Optional) Input private key format. For .pem private key files, use rsa Default is rsa.
-outformat (Optional) Output private key format. For PSDK, use pkcs8. Default is pkcs8.
-encrypt (Optional) Use password encryption for the resulting private key file. Password will be requested interactively.
ORG_UNIT (Optional) The name of the organization unit.
Comments or questions about this documentation? Contact us for support!