What You Need
Before starting to configure your secure connections with TLS, you need to have done the following:
- Generated certificates, with associated private and public keys, and CRLs. For simple TLS, only server certificates are required; for mutual TLS, server and client certificates are required.
- Made certificates available in keystores.
- Installed the Genesys Security Pack, if you are using *.nix platforms with the Genesys common library.
Each of these requirements is described below.
TLS Certificates
TLS certificates must be generated and installed appropriately on any host that runs Genesys applications that utilize TLS secure connections. A certificate is generated and signed using a certification authority (CA) entity, which is able and authorized to issue certificates signed with its own name.
Important
Genesys strongly recommends that you use the same CA to generate all the certificates for your contact center environment.
The actual process of certificate generation in a specific environment is highly dependent on the security policies of your IT organization and tools used, and can, therefore, be different from the process described in this chapter. Genesys recommends that you consult with your network administrator before generating certificates for secure data exchange between Genesys components.
Certificates can be purchased from well-known certificate authorities, such as VeriSign.
Certificates can be generated and self-signed on Linux using the OpenSSL tool, assisted by scripts distributed with the Genesys Security Pack.
Windows Certificate Service can be used to generate and sign certificates. You can self-sign your certificates, or the Windows Certificate Service in your organization can already be part of a chain of trusted authorities.
Generated and signed certificates must also be installed to be used by Genesys components. This procedure differs depending on the host operating system on which the certificates are installed.
Tip
TLS certificates can be stored and used in a number of different formats, and different TLS implementations use different certificate formats.
Self-signed certificates generated using OpenSSL and the Genesys Security Pack can be used across all supported Genesys implementations. For certificates obtained from other sources, you have to confirm that the format is compatible with your target platform(s).
Recommended Certificate Properties
When retrieving or generating a certificate, the following properties are recommended to ensure the connections using this certificate are as secure as possible:
- How is it signed by the Issuer (CA)?
  - RSA2048+ Public Key (Encryption) Algorithm
  - SHA2 (SHA256+) Signature Hash Algorithm
- When does it expire?
  - It is critical to have a certificate rotated or replaced before it expires.
- Who is it for — Subject and SubjectAltName (SAN)
  - Subject CN field (Common Name) of the DN (Distinguished Name).
    - Most often, it is the host machine's domain.
  - SAN overrides the Subject's CN field to allow a list of valid names; Genesys recommends that you set both.
- What is it for?
  - KeyUsage, ExtendedKeyUsage
    - Authentication of Server, Client, or both.
    - Certificates that will be used by Genesys server applications must contain these extended attributes: serverAuth, clientAuth, and emailProtection.
    - Certificates that will be used by Genesys GUI applications must contain these extended attributes: clientAuth and emailProtection.
Genesys also recommends that you set emailProtection on server certificates.
The following figure displays an example of a partial certificate, showing some of these recommended properties.
A sample TLS security certificate
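The recommended properties listed above can be audited on any PEM certificate (for example, a host certificate produced by the Security Pack scripts) with the openssl command line tool. The following script is an added example and is not a Genesys Security Pack script; the function name check_cert_properties and the server|gui role argument are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not a Genesys Security Pack script: audit a PEM certificate
# against the recommended properties (RSA 2048+, SHA-2 signature, SAN present,
# required EKUs, not about to expire). Requires the openssl command line tool.
# Usage: check_cert_properties CERT.pem server|gui   (exit 0 = all checks pass)
check_cert_properties() {
    local cert="$1" role="${2:-server}" text bits sigalg eku ok=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    # Key strength: the recommendation is RSA with 2048 bits or more.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    if [ "${bits:-0}" -lt 2048 ]; then echo "FAIL: key size ${bits:-unknown} < 2048"; ok=1; fi

    # Signature hash: SHA-2 family (sha256 or stronger); SHA-1 and MD5 are rejected.
    sigalg=$(printf '%s\n' "$text" | grep -m1 'Signature Algorithm:' | awk '{print $3}')
    if ! printf '%s' "$sigalg" | grep -qiE 'sha(256|384|512)'; then
        echo "FAIL: signature algorithm '$sigalg' is not SHA-2"; ok=1
    fi

    # Subject Alternative Name: clients match host names against the SAN, so it must be set.
    if ! printf '%s\n' "$text" | grep -q 'Subject Alternative Name'; then
        echo "FAIL: no subjectAltName extension"; ok=1
    fi

    # Extended key usage: GUI certificates need clientAuth + emailProtection,
    # server certificates additionally need serverAuth.
    eku=$(printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | tail -n1)
    case "$eku" in *"TLS Web Client Authentication"*) ;; *) echo "FAIL: EKU clientAuth missing"; ok=1 ;; esac
    case "$eku" in *"E-mail Protection"*) ;; *) echo "FAIL: EKU emailProtection missing"; ok=1 ;; esac
    if [ "$role" = server ]; then
        case "$eku" in *"TLS Web Server Authentication"*) ;; *) echo "FAIL: EKU serverAuth missing"; ok=1 ;; esac
    fi

    # Expiry: flag certificates that expire within 30 days so they are rotated in time.
    if ! openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null; then
        echo "FAIL: certificate expires within 30 days"; ok=1
    fi

    [ "$ok" -eq 0 ] && echo "OK: $cert satisfies the recommended properties for a $role certificate"
    return "$ok"
}

# Stand-alone use: ./check_cert.sh CERT.pem [server|gui]
if [ -n "${1:-}" ]; then
    check_cert_properties "$1" "${2:-server}"
fi
```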
Generating Certificates using OpenSSL and Genesys Security Pack
The OpenSSL toolkit can be used to set up a CA infrastructure and issue self-signed certificates. Use this method if certificates are to be utilized in a mixed environment, including Windows and Linux hosts, along with Java PSDK-based components.
Scripts distributed with Genesys Security Pack simplify CA creation and certificate generation. These scripts use the SHA-256 message digest algorithm by default, but allow fallback to SHA-1 if required. Genesys recommends that you do not use SHA-1.
Prerequisites
To generate certificates, you need the OpenSSL command line tool installed on the system. Obtain the most recent valid binary distribution from the OpenSSL official website.
To utilize Genesys Security Pack scripts, you need a set of standard GNU console utilities, including bash, awk and touch.
Generation Process
1. Create a CA directory in which CA files—scripts, configuration files, and generated certificates—will be stored.
2. Copy the create_ca.sh and create_cert.sh scripts from the installation package to the CA directory that you just created. Make sure that these scripts have executable permissions.
3. Run the create_ca.sh script from the bash shell by specifying the proper parameters (described in the table below) in the following command line:
   create_ca.sh [-keySz KEY_SIZE] [-dgst DIGEST_ALGORITHM] [-time VALID_TIME] -CN COMMON_NAME [-E EMAIL] [-OU ORG_UNIT] [-O ORGANIZATION] [-L LOCALITY] [-S STATE] [-C COUNTRY]
The parameters are described in the following table:
| Parameter | Description |
| --- | --- |
| KEY_SIZE | (Optional) The size, in bits, of the CA private key. The default value is 2048 bits. |
| DIGEST_ALGORITHM | (Optional) Digest algorithm to use on certificate generation. The default value is sha256. Valid values are: sha1 (not recommended), sha224, sha256 (default), sha384, and sha512. |
| VALID_TIME | (Optional) The amount of time, in days, that the CA is valid. The default value is 365 days. |
| COMMON_NAME | (Mandatory) The name of the CA. |
| EMAIL | (Optional) The e-mail address of the person who is responsible for this CA. |
| ORG_UNIT | (Optional) The name of the organization unit that is responsible for this CA. |
| ORGANIZATION | (Optional) The name of the organization that is responsible for this CA. |
| LOCALITY | (Optional) The name of the city. |
| STATE | (Optional) The name of the state or region. |
| COUNTRY | (Optional) The two-letter abbreviation for the country. |
For example:
   create_ca.sh -CN "Basic Certification Authority" -E "youremail@yourdomain.com" -OU "Department" -O "Genesys Telecommunication Labs" -L "Daly City" -S CA -C US
4. Generate certificates as required. To generate a certificate for a particular host computer:
   a. Go to the CA directory in which the CA files are stored.
   b. Run the create_cert.sh script from the bash shell by specifying the parameters (see the following table) in the following command line:
      create_cert.sh [-keySz KEY_SIZE] [-dgst DIGEST_ALGORITHM] [-time VALID_TIME] -host HOST_NAME -CN COMMON_NAME [-E EMAIL] [-OU ORG_UNIT] [-O ORGANIZATION] [-L LOCALITY] [-S STATE] [-C COUNTRY]
The parameters are described in the following table:
| Parameter | Description |
| --- | --- |
| KEY_SIZE | (Optional) The size, in bits, of the host private key. The default value is 2048 bits. |
| DIGEST_ALGORITHM | (Optional) Digest algorithm to use on certificate generation. The default value is sha256. Valid values are: sha1 (not recommended), sha224, sha256 (default), sha384, and sha512. |
| VALID_TIME | (Optional) The amount of time, in days, that the certificate is valid. The default value is 100 days. |
| HOST_NAME | (Mandatory) The full name of the DNS host. |
| COMMON_NAME | (Mandatory) The name of the host. |
| ORG_UNIT | (Optional) The name of the organization unit. |
| ORGANIZATION | (Optional) The name of the organization. |
| LOCALITY | (Optional) The name of the city. |
| STATE | (Optional) The name of the state or region. |
| COUNTRY | (Optional) The two-letter abbreviation for the country. |
For example:
   create_cert.sh -host myHOST.domain1.domain2.com -CN myWorkstation
5. If you are installing certificates on any Java-based PSDK applications, such as Universal Contact Server, convert the private key file to PKCS #8 format. Use the following command:
convert_priv_key.sh -in INPUTFILE -out OUTFILE [-informat pfx|pkcs8|pkcs12|rsa] [-outformat pkcs8|rsa] [-encrypt]
| Parameter | Description |
| --- | --- |
| INPUTFILE | Input private key filename. |
| OUTFILE | Output private key filename. |
| -informat | (Optional) Input private key format. For .pem private key files, use rsa. Default is rsa. |
| -outformat | (Optional) Output private key format. For PSDK, use pkcs8. Default is pkcs8. |
| -encrypt | (Optional) Use password encryption for the resulting private key file. The password will be requested interactively. |
Certificate Authority Files
After successful script execution, the following data structure is created:
- ca_conf—This directory contains the following files:
  - ca_cert.pem—The CA self-signed certificate file for UNIX (or any other implementation where PKCS #8 format is required).
  - ca_cert.pfx—The CA self-signed certificate file for Windows or Java (or any other implementation where PKCS #12 format is required).
    Important
    You must copy ca_cert.pem and ca_cert.pfx to each computer that will host Genesys components that might require secure data exchange, even if client certificates are not required.
  - ca_priv_key.pem—The CA private key. This file is used to sign all certificates that this CA issues. It must be read-only, and it must be readable only by the CA administrator account.
  - ca.db—The internal CA database used by the OpenSSL toolkit.
  - serial.num—The internal CA file that contains the serial number of the next generated certificate. The serial number is a unique identifier of the certificate that the CA issues.
  - ca.conf—The internal CA configuration file.
- repository—This directory contains the files that this CA generates.
Host Certificate Files
After successful script execution, the following files are created in the repository directory:
- <serial_#>_<host_name>_cert.pem—The host certificate for UNIX.
- <serial_#>.pem—The auxiliary file for certificate generation for UNIX.
- <serial_#>_<host_name>_priv_key.pem—The host private key for UNIX.
- <serial_#>_<host_name>_cert.pfx—The PKCS (Public-Key Cryptography Standards) #12 file format, including the private key and certificate for Windows.
where:
- <serial_#> is the serial number of the generated certificate. This number is unique for all certificates that this CA generates.
- <host_name> is the name of your host computer, which is the first part of the full DNS host name.
Generating Certificates Using Windows Certificate Services
This section describes how to create certificates using Windows Certificate Services. If necessary, you can also obtain a certificate from a remote machine. Use these certificates if you intend to run all of your applications on Windows. If you intend to run one or more applications that might require secure connections on UNIX, Genesys strongly recommends that you use OpenSSL to create your certificates.
Make sure that the certificate templates are properly configured for server and GUI applications, so that the certificates carry the attributes discussed above.
Important
The examples provided in this section assume that Windows Certificate Services have been installed and configured. For information about how to install and configure Windows Certificate Services, see the appropriate Windows documentation.
Generating Certificates
To generate certificates with Windows Certificate Services, do the following:
1. Generate a certificate on a computer that is running the Windows Server operating system, and that has Windows Certificate Services installed and configured.
   - Open a web browser, and enter the following URL:
     http://<server-name>/certsrv
     where <server-name> is the server that runs the Windows Server operating system, and on which Windows Certificate Services is installed and configured.
   - On the Microsoft Certificate Services Welcome page, click Request a certificate.
   - On the Request a Certificate page, click Advanced certificate request.
   - On the Advanced Certificate Request page, click Create and submit a request to this CA.
   - On the subsequent Advanced Certificate Request page, enter the following information:
     - In the Certificate Template section, select an appropriate certificate template—for example, MutualTLS2.
     - Enter the full Name of the DNS host as a Fully Qualified Domain Name.
     - In the Key Options section:
       - Select Create new key set.
       - In the Key Size text box, specify the size of the key.
       - Select either Automatic key container name or User specified key container name, as appropriate.
       - Select Mark key as exportable.
   - Click Submit.
     After you submit the certificate request, the confirmation page appears, followed by the Certificate Issued page.
   - On the Certificate Issued page, click Install this certificate.
   - After you accept the system warning prompts that appear, the Certificate Installed page appears.
2. If you did not install the certificate in Step 1, retrieve and install it.
   - On the Microsoft Certificate Services Home page, click View the status of a pending certificate request.
   - Select the appropriate request from the list.
     If the certificate request is approved, the Certificate Issued page appears.
   - Click Install this certificate to install the certificate.
3. Configure Microsoft Management Console (MMC). You can use MMC to manage certificates on a Windows platform. See Configuring MMC for Certificate Management.
4. Install the certificate and private key on the computer that hosts Genesys applications. If this computer is different from the one on which you generated the certificate, you must first export the certificate and its private key.