Revision as of 18:38, May 19, 2017 by Sschlich (talk | contribs)

Secure Transport Configuration

This section describes how to configure the Transport Layer Security (TLS) for the Genesys Interaction Recording solution.

Server-Side Configuration

The following components must be configured to use a secure transport for HTTP.

Configuring TLS for Interaction Recording Web Services (Web Services)

  1. Enable SSL on Jetty by configuring the SSL section of the application.yaml file as follows:

     enableSsl: true
     ssl:
       port: 443
       securePort: 8443
       keyStorePath: keystore
       keyStorePassword: OBF:1g3p1kqt1xtl19q51ni31nlv19q91xtx1ku11fzt
       keyManagerPassword: OBF:1g3p1kqt1xtl19q51ni31nlv19q91xtx1ku11fzt
       trustStorePath: keystore
       trustStorePassword: OBF:1g3p1kqt1xtl19q51ni31nlv19q91xtx1ku11fzt

  2. Acquire the certificate and private keys.
  3. To load a certificate and private keys (jetty.crt), navigate to the GWS_HOME/etc directory and run the following command:
     keytool -keystore keystore -import -alias jetty -file jetty.crt -trustcacerts
  4. When prompted for the keystore password, enter the default: storepwd
  5. Restart Interaction Recording Web Services (Web Services).

  • To create a self-signed certificate for non-production purposes:

    1. Run the following in GWS_HOME/etc:
      keytool -genkey -keyalg RSA -keystore keystore -alias jetty
    2. When prompted for keystore password, enter the default: storepwd
    3. For more information about configuring SSL, see Configure SSL.


    To change the certificate:

    1. Remove the existing certificate using the following command:
      keytool -keystore keystore -delete -alias jetty
    2. Acquire the certificate and private key in an X509 PEM file (for example, jetty.crt).
    3. Load the certificate using the following command:
      keytool -keystore keystore -import -alias jetty -file jetty.crt -trustcacerts
    4. Restart Interaction Recording Web Services (Web Services).


    To change the keystore password:

    1. Execute the following command:
      keytool -keystore keystore -storepasswd
    2. Encode the new password using the following command:
      java -cp lib/jetty-http-xxx.jar:lib/jetty-util-xxx.jar org.mortbay.jetty.security.Password <your password here>
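An added illustration of the OBF: format used for the keyStorePassword values above (this is not the page's or Genesys' code; it follows Jetty's published Password class): obfuscate() produces the same output as the Password command in step 2, and deobfuscate() shows that the transformation is keyless and reversible, which is why application.yaml still needs restrictive file permissions.

```python
# Jetty's OBF: password obfuscation, reimplemented from the published algorithm
# (org.eclipse.jetty.util.security.Password). Illustrative code, not Genesys' own.
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _base36(n: int) -> str:
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = _DIGITS[r] + out
    return out or "0"


def obfuscate(password: str) -> str:
    """Encode a password the way 'java ... Password <password>' prints it."""
    raw = password.encode("utf-8")
    n = len(raw)
    chunks = []
    for i in range(n):
        b1, b2 = raw[i], raw[n - 1 - i]        # each byte is mixed with its mirror byte
        if b1 >= 0x80 or b2 >= 0x80:            # non-ASCII bytes use the 'U' form
            chunks.append("U" + _base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1, i2 = 127 + b1 + b2, 127 + b1 - b2
            chunks.append(_base36(i1 * 256 + i2).rjust(4, "0"))
    return "OBF:" + "".join(chunks)


def deobfuscate(obf: str) -> str:
    """Recover the clear text; no key is involved, so OBF: is not encryption."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":                         # 'U' + 4 base-36 digits: high byte is the original
            raw.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:                                   # 4 base-36 digits: i1 + i2 == 254 + 2 * b1
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)
            i += 4
    return raw.decode("utf-8")


if __name__ == "__main__":
    # "storepwd" is the default keystore password named on this page
    print(obfuscate("storepwd"))                # OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
    print(deobfuscate(obfuscate("storepwd")))   # storepwd
```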


    Connections

    As a server, RPS supports TLS and receives the following inbound connections:

    • From Media Control Platform


    Configuring TLS for Recording Processor Script

    1. Configure HTTPS on the primary recording server. For more information, see the "Configure SSL" section of Configuring Recording Processor Script.
      1. For Windows, make sure that pyOpenSSL is installed. pyOpenSSL is already installed on RHEL6.
      2. Create a self-signed certificate and private key for the Recording Processor host. For example, on Ubuntu run:
         openssl req -new -x509 -days 1024 -nodes -out cert228.pem -keyout cert228key.pem
      3. In the rp_server section of the Recording Processor's configuration file, set the following parameters:
        • ssl_certificate—Point to the certificate PEM file. For example, ssl_certificate=cert228.pem.
        • ssl_private_key—Point to the private key file. For example, ssl_private_key=cert228key.pem.
      4. Send the self-signed certificate PEM file to any MCP client that needs to validate the certificate during the SSL handshake. See the "Enable Secure Communication" section of the GVP 8.5 User's Guide.
      5. Restart Recording Processor.
    2. Configure HTTPS on the backup recording server by following the same instructions as above using a new certificate and private key.

    Configuring TLS for Recording Crypto Server

    Configuring TLS for the WebDAV Server

    To configure TLS for Apache httpd on RHEL6:

    1. On the WebDAV server, run the following command to install SSL:
      yum install mod_ssl
    2. The certificate/key pair is automatically generated:
      • Certificate—/etc/pki/tls/certs/localhost.crt
      • Key—/etc/pki/tls/private/localhost.key
    3. To use your own certificate/key pair, either replace the automatically generated files (above), or edit the /etc/httpd/conf.d/ssl.conf file and modify the following lines:
      • SSLCertificateFile /etc/pki/tls/certs/localhost.crt
      • SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    4. Restart httpd (service httpd restart). SSL is enabled on the default HTTPS port 443.
    Important
    If you're using a self-signed certificate and migrating from Web Services to Interaction Recording Web Services, you'll need to complete a few more steps. See Re-importing the Certificate for WebDAV for details.

    Configuring TLS for the Interaction Receiver and SpeechMiner UI Server

    Configuring TLS for the HTTP Apache Load Balancer

    Follow the instructions for Configuring TLS for the WebDAV Server, then add the following steps:

    To enable HTTPS for the proxy, edit the /etc/httpd/conf.d/ssl.conf file and add the following option:
      SSLProxyEngine on
    Direct the load balancer to the proper HTTPS locations. For example:

    <Proxy balancer://htcc>
    BalancerMember https://host3:8080 route=HTCC1
    BalancerMember https://host4:8080 route=HTCC2
    BalancerMember https://host5:8080 route=HTCC3
    ProxySet stickysession=ROUTEID
    </Proxy>
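Once any of the servers above (Web Services on its secure port, the Recording Processor, WebDAV or the load balancer) has been switched to HTTPS, this added check (example code, not from the page or from Genesys) connects with the distributed certificate as the trust anchor and reports the negotiated protocol, the cipher and certificate problems such as a host name missing from the SAN or an approaching expiry. The host names, ports and file names are assumed placeholders, and SAMPLE_CERT is a constructed sample for running the checks offline.

```python
import socket
import ssl
import time

# Host names, ports and certificate file names below are assumed placeholders,
# not values taken from the Genesys documentation.

def _name_matches(pattern: str, hostname: str) -> bool:
    """Match a SAN dNSName; only a single leftmost-label wildcard is honoured."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def check_peer_cert(cert, hostname, now_epoch=None, min_days_left=30):
    """Return problems found in a getpeercert()-style dict; [] means acceptable."""
    now = time.time() if now_epoch is None else now_epoch
    problems = []
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(n, hostname) for n in dns_names):
        problems.append("host name %r not covered by SAN %r" % (hostname, dns_names))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < 0:
        problems.append("certificate expired")
    elif days_left < min_days_left:
        problems.append("certificate expires in %d days" % days_left)
    return problems


def probe_tls(host, port, cafile):
    """Connect, verify the chain against cafile (the distributed server PEM for a
    self-signed setup) and report what the server actually negotiated."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "problems": check_peer_cert(tls.getpeercert(), host)}


# Constructed sample in getpeercert() form, for exercising the checks offline.
SAMPLE_CERT = {"subject": ((("commonName", "rws1.example.com"),),),
               "subjectAltName": (("DNS", "rws1.example.com"), ("DNS", "*.lab.example.com")),
               "notBefore": "May 19 00:00:00 2017 GMT", "notAfter": "May 19 00:00:00 2018 GMT"}

if __name__ == "__main__":   # e.g. the Web Services secure port configured above
    print(probe_tls("rws1.example.com", 8443, "jetty.crt"))
```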

    Client-Side Configuration

    Configuring TLS for the Media Control Platform (MCP)

    To add a Certificate Authority (CA):

    1. Place the CA file on the MCP.
    2. Using Genesys Administrator or Genesys Administrator Extension, in the fm section set the ssl_ca_info option to the location of the CA file.
    3. Restart MCP.

    To add client-side authentication:

    1. Place the certificate file (PEM format) on the MCP.
    2. Using Genesys Administrator or Genesys Administrator Extension, in the fm section set the ssl_cert option to the location of the certificate file.
    3. Restart MCP.

    For more information about the MCP options, see the Voice Platform Media Control Platform Configuration Options.

    Configuring TLS for the IVR Profile

    Using Genesys Administrator Extension, navigate to the Recording tab of the IVR Profile. Update the following addresses with the HTTPS locations:

    • Storage Destination
    • Recording Processor URI
    • SpeechMiner Interaction Receiver
    • SpeechMiner Destination for Analytics only

    Configuring TLS for the Recording Processor Script

    The Recording Processor Script creates three client connections, to:

    • Interaction Recording Web Services (Web Services)
    • SpeechMiner Interaction Receiver
    • Backup Recording Processor Script

    For details on configuring each connection, refer to the appropriate section at the Configure SSL link on the page Deploying Recording Processor Script.


    Connections

    As a client, RWS makes the following outbound connections:

    • To SIP Server (supports TLS; see below)
    • To Interaction Server (supports TLS; see below)
    • To Configuration Server (supports TLS; see below)
    • To SpeechMiner Interaction Receiver (does not support TLS; see below)
    • To Cassandra (supports TLS; see below)
    • To Elasticsearch (does not support TLS; see below)
    • To Amazon S3 (supports TLS)
    • To WebDAV (supports TLS; see below)


    Adding the Server Certificate to Interaction Recording Web Services (Web Services) KeyStore

    To add a server certificate to the Interaction Recording Web Services keystore (or the Web Services keystore if you're using version 8.5.210.02 or earlier), copy apache.crt to the Interaction Recording Web Services (Web Services) machine. To do this, run the following command:

    scp /etc/apache2/ssl/apache.crt ubuntu@10.10.15.89:~/
    

    To install the WebDAV Server certificate into the Interaction Recording Web Services (Web Services) JVM trust store, run the following commands:

    cd $JAVA_HOME/jre/lib/security
    ../../bin/keytool -import -alias webdav -file ~/apache.crt -keystore cacerts
    
    Important
    If you're using a self-signed certificate and migrating from Web Services to Interaction Recording Web Services, you'll need to complete a few more steps. See Re-importing the Certificate for WebDAV for details.

    To turn off the SNI extension, update /etc/default/jetty by adding the following Java option (where ... stands for any other Java options):

    JAVA_OPTIONS="... -Djsse.enableSNIExtension=false"
    

    Once this is done, you must restart jetty for the changes to take effect. To do this, run the following command:

    sudo service jetty restart
    


    Connections

    As a client, RCS makes the following outbound connections:

    • To Interaction Recording Web Services (supports TLS; see below)
    • To Configuration Server (supports TLS; see below)
    • To Message Server (supports TLS; see below)
    • To SpeechMiner Interaction Receiver (supports TLS; see below)

