Securing connections on WFM servers
The Transport Layer Security (TLS) configuration for WFM servers (except WFM Web and Daemon) adheres to the common guidelines in the Genesys Security Deployment Guide as they apply to deployment on Windows platforms. However, there are a couple of limitations:
- The certificate can only be assigned at the Host object level.
- To enable mutual authentication on the WFM server, you must add the MutualAuth = true configuration option to the Application properties.
WFM Web and Daemon
Neither WFM Web nor WFM Daemon adhere to the common guidelines in the Genesys Security Deployment Guide for TLS configuration. WFM Web uses PSDK libraries, which enable secure connections to Genesys Configuration Server. WFM Web also supports secure connections to other WFM servers.
To use secure connections, you must import certificates into the Java Runtime Environment (JRE) trusted certificate store. Use the keytool utility that is provided by Java and described in Key and Certificate Management Tool.
| Connections from/to: | Description |
|---|---|
| WFM Web client to WFM Web server | The WFM Web client runs in a browser, which must be configured to use TLS. |
| WFM Web and Daemon to WFM Web server, report engine | WFM Web server runs in a servlet container. Therefore, the secure connection options must be configured in the appropriate servlet container. |
| WFM Web and Daemon to other WFM servers | WFM Server, WFM Builder, and WFM Data Aggregator must be configured to work in secured mode. When that is done, Web and Daemon automatically detect the settings and use secure connections. Some additional development is required to ensure WFM servers recognize the secure connection settings. |
| WFM Web to Genesys Management Framework components | To successfully implement secure connections to Genesys Management Framework components (Configuration Server, Message Server, Local Control Agent, and other configuration and management components), WFM Web and Daemon must be switched to use Genesys Platform SDK libraries that support this functionality. This switch affects all interactions with the above-mentioned Genesys servers and must be thoroughly tested. |
Securing connections to Genesys Configuration Server
Purpose: To enable secure connections to Genesys Configuration Server.
Start procedure
- Import the Genesys Configuration Server certificates for host and port (depending on configuration) into the JRE's trusted certificate store.
- Configure Configuration Server to run its listening port in Auto Detect mode.
- Turn on Configuration Server logging.
- Run WFM Daemon.
- WFM Daemon connects to Configuration Server and communication is established.
- Check the Configuration Server logs.
- The logs indicate that WFM Daemon connected successfully and the connection is elevated to secure status.
End Procedure
Securing connections to WFM servers
Purpose: To enable secure connections from WFM Web and WFM Daemon to WFM servers.
Start procedure
- Import the certificates for the WFM <server> host and port into the JRE's trusted certificate store.
- Configure the WFM <server> to run its listening port in Secure mode.
- Run WFM Daemon.
- WFM Web and WFM Daemon connect to the WFM <server> and communication is established. (There is no connection from WFM Daemon to WFM Server.)
- Check the WFM <server> logs for returned references to its services using HTTPS.
- Alternatively, use a network sniffing utility to confirm that traffic between Web and the WFM <server> is encrypted rather than readable in the clear.
End Procedure
FIPS support
To enable Federal Information Processing Standard (FIPS) support for Java-based WFM Web and Daemon, Java version 6 or higher is required. See the following resources:
- Using NSS for FIPS 140-2 compliant transport security in CXF
- Network Security Services (NSS) on Mozilla.org
Securing connections on Java for WFM Web and Daemon to other servers
WFM Web and Daemon Java applications use several different components to connect to other WFM and Genesys servers. All of them use the same Java services for Secure Sockets Layer (SSL) connections. Therefore, SSL is configured the same way for all components. For WFM components, Genesys recommends that you configure SSL at the application or JRE level. There are several ways to do this, some of which are discussed below.
Using Microsoft Cryptography Provider
When using Microsoft Cryptography Provider, Java applications use the same native Windows cryptography as the WFM servers. Using this configuration is advantageous, as some of the steps can be done in the same way as they would be done for other WFM servers, such as WFM Builder, WFM Server, and WFM Data Aggregator, but this configuration works only on Windows, and only with Java 6 32-bit version. (It might work if you are running Java 32-bit on Windows 64-bit platforms, but does not work if you are using Java 64-bit.)
Enabling security using Microsoft Cryptography Provider
Purpose: To enable security on WFM servers using Microsoft Cryptography Provider
Start procedure
- Configure Genesys Configuration Server, WFM Server, and any other WFM servers involved in the test to use secure connections.
  - This configuration requires you to install certificates on the hosts that run these servers.
- Attempt to run the WFM Java applications and connect to the secured WFM Server. The attempt should fail.
- Install certificates on the hosts running the WFM Java applications, and specify the following Java JRE options for the WFM Java applications:
  - -Djavax.net.ssl.keyStoreProvider=SunMSCAPI
  - -Djavax.net.ssl.keyStoreType=WINDOWS-MY
  - -Djavax.net.ssl.trustStoreProvider=SunMSCAPI
  - -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
- How these options are applied depends on how the application runs. For example:
  - To configure WFM Web, run the TOMCAT_HOME\bin\tomcatw.exe utility, click the Java tab, and paste the above strings into Java Options. Remember to press Enter after the last line. The options take effect after the Tomcat service restarts.
  - For the WFM Daemon service, launch regedit and find the HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\WFMDaemon\Parameters\Java key. Then find Options and add the above strings. You must enter each option on a new line and press Enter after the last option. The options take effect after the Daemon service is restarted.
- The Java applications now successfully connect to WFM Server and work as expected.
End procedure
The advantage of using this configuration, at least theoretically, is that you can set the Microsoft Cryptography provider so that it is FIPS-compliant, which covers the requirements for FIPS support.
Using JRE Security Provider
This configuration method uses the native Java Security Provider, which works on Java version 5 and later (32- and 64-bit) and on supported operating systems. However, the configuration has more steps. You will make extensive use of the keytool.exe utility located in the JAVA_HOME\bin directory, and you must use the Java 6 SDK (not the JRE) in the following steps:
Enabling security using JRE Security Provider
Purpose: To enable security on WFM servers using JRE Security Provider.
Start procedure
1. Configure Genesys Configuration Server, WFM Server, and any other WFM servers involved in the test as secured.
   - This configuration requires you to install certificates on the hosts that run these servers.
2. Attempt to run the WFM Java applications and connect to the secured WFM Server. The attempt should fail.
3. Obtain the certificates used to secure WFM Server and the other servers.
   - This procedure assumes the certificate file has the .p12 extension, but it might not.
4. Using the following command, convert the certificate format to the one used by Java applications:
   - keytool.exe -importkeystore -srckeystore inputkeystore.p12 -srcstoretype pkcs12 -srcstorepass password -destkeystore outputkeystore.jks -deststoretype jks
   - Where:
   - inputkeystore.p12—Is the original file with certificates
   - password—Is the password provided for the original file
   - outputkeystore.jks—Is the output file containing certificates in Java format
5. Check that you have successfully converted the certificates using the following command:
   - keytool.exe -list -keystore outputkeystore.jks -v
6. Export the certificate file that will be imported into the target Java that runs the WFM applications:
   - keytool.exe -exportcert -keystore outputkeystore.jks -alias alias -file certificate
   - Where:
   - certificate—Is the name of the file that will contain the exported certificate; it can be anything
   - alias—Is the name of the certificate in Java's certificate storage. It can be determined by looking at the output of the command from step #3.
7. Check that the exported certificate is OK:
   - keytool.exe -printcert -file certificate -v
8. Now that you have the certificate, import it into the Java that runs the WFM applications:
   - keytool.exe -import -alias alias -file certificate -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storetype jks -storepass changeit -v
   - Where:
   - %JAVA_HOME%—Is the variable that points to the Java installation root. You can substitute the actual path to the installation root.
9. Check that the certificate was successfully imported and is present:
   - keytool.exe -list -alias alias -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storetype jks -storepass changeit -v
10. If you need to remove the imported certificate, use the following command:
   - keytool.exe -delete -alias alias -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -storetype jks -storepass changeit -v
11. After performing steps #4 to #9, restart the WFM Java application.
   - Ensure it connects successfully to WFM Server or other servers and works as expected using secured connections.
Securing Tomcat and Web
Securing Tomcat is fairly simple. The details are provided in SSL/TLS Configuration HOW-TO.
Enabling security for Tomcat and Web
Purpose: To enable security for Tomcat and WFM Web.
Start procedure
- Obtain certificates from the Genesys System Team for the host that will run secured Tomcat.
- Convert the certificate file format to .jks format. See step #4 in Using JRE Security Provider.
- Edit the file TOMCAT_HOME\conf\server.xml: uncomment the section for the secure connector and update it to:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="path/to/my/keystore.jks" keystorePass="genesys"
               clientAuth="false" sslProtocol="TLS" />
- Import the certificates for the hosts running other WFM servers into the Java that runs Tomcat.
  - See the description above. If you do not complete this step, WFM Web cannot connect to other WFM servers.
- Restart Tomcat and connect to port 8443 (instead of the usual 8080), specifying HTTPS.
  - If the browser displays a message about a bad host name, enter the Fully Qualified Domain Name (FQDN).
  - Make sure it is the same one for which the certificate was issued.
- Log in as an agent.
  - Ensure everything is working as expected.
- Log in as a supervisor.
  - Import the first certificate (the one used to secure Tomcat) into the Java that runs the applet.
  - This is likely a different Java installation from the one that runs Tomcat.
  - Follow the steps above.
  - If the applet comes up but is gray and the console log contains SSL errors, the certificate is not correctly imported.
End procedure
After the procedure is completed, Daemon will connect successfully to Web using secured connections. Note that you must import the certificate for secured WFM Web to the Java that runs Daemon, in addition to the certificates for other WFM and Genesys servers.
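As an added check, not part of the Genesys documentation or the WFM product, the following Python script parses a Tomcat server.xml and flags the connector settings worth reviewing after editing the secure connector above: a plaintext connector left listening on 8080, the example keystorePass="genesys" still in place, an sslProtocol that permits SSL, and clientAuth left at false (server-only authentication). The sample server.xml is constructed here to mirror the connector from the procedure.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the default plaintext 8080 connector left in
# place, plus the 8443 connector exactly as the procedure above tells you to
# enable it (including the example keystore password).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="path/to/my/keystore.jks" keystorePass="genesys"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""

# Passwords that ship in examples and docs; a production keystore must not use them.
WELL_KNOWN_PASSWORDS = {"", "genesys", "changeit", "password"}
ACCEPTABLE_PROTOCOLS = {"TLS", "TLSv1.2", "TLSv1.3"}


def check_connectors(server_xml: str) -> dict:
    """Map each Connector port to a list of findings (empty list = nothing flagged)."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port, issues = conn.get("port", "?"), []
        if conn.get("SSLEnabled", "false").lower() != "true":
            # Still listening in the clear: the procedure moves users to 8443,
            # but an unused plaintext listener should be removed or firewalled.
            issues.append("plaintext listener: SSLEnabled is not true")
        else:
            if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
                issues.append("scheme/secure not set to https/true on a TLS connector")
            if conn.get("keystorePass", "") in WELL_KNOWN_PASSWORDS:
                issues.append("keystorePass is a well-known default; set a unique value")
            if conn.get("sslProtocol", "TLS") not in ACCEPTABLE_PROTOCOLS:
                issues.append("sslProtocol permits SSL; use TLS")
            if conn.get("clientAuth", "false").lower() != "true":
                issues.append("clientAuth=false: server-only authentication, no mutual TLS")
        findings[port] = issues
    return findings


if __name__ == "__main__":
    for port, issues in check_connectors(SAMPLE_SERVER_XML).items():
        print(port, "->", issues or ["ok"])
```

Point it at the real TOMCAT_HOME\conf\server.xml after the edit; clientAuth=false is expected for browser clients, so treat that finding as informational unless you require mutual TLS.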
