Revision as of 18:57, May 19, 2017 by Sschlich (talk | contribs)
Jump to: navigation, search

Secure Transport Configuration

This section describes how to configure the Transport Layer Security (TLS) for the Genesys Interaction Recording solution.

Server-Side Configuration

The following components must configure secure transports for HTTP.

Configuring TLS for Interaction Recording Web Services (Web Services)

  1. Enable SSL on Jetty by configuring the SSL section of the application.yaml file as follows:
  • enableSsl: true
  • ssl:
  • port: 443
  • securePort: 8443
  • keyStorePath: keystore
  • keyStorePassword: OBF:1g3p1kqt1xtl19q51ni31nlv19q91xtx1ku11fzt
  • keyManagerPassword: OBF:1g3p1kqt1xtl19q51ni31nlv19q91xtx1ku11fzt
  • trustStorePath: keystore
  • trustStorePassword: OBF:1g3p1kqt1xtl19q51ni31nlv19q91xtx1ku11fzt
  • Acquire the certificate and private keys.
  • To load a certificate and private keys (jetty.crt), navigate to the GWS_HOME/etc directory and run the following commands:
    keytool -keystore keystore -import -alias jetty -file jetty.crt -trustcacerts
  • When prompted for keystore password, enter the default: storepwd
  • Restart Interaction Recording Web Services (Web Services).


    • To create a self-signed certificate for non-production purposes:

    1. Run the following in GWS_HOME/etc:
      keytool -genkey -keyalg RSA -keystore keystore -alias jetty
    2. When prompted for keystore password, enter the default: storepwd

      3. For more information about configuring SSL, see Configure SSL.


    To change the certificate:

    1. Remove the existing certificate using the following command:
      keytool -keystore keystore -delete -alias jetty
    2. Acquire the certificate and private key in a X509 PEM file (for example, jetty.crt)
    3. Load the certificate using the following command:
      keytool -keystore keystore -import -alias jetty -file jetty.crt -trustcacerts
    4. Restart Interaction Recording Web Services (Web Services).


    To change the keystore password:

    1. Execute the following command:
      keytool -keystore keystore -storepasswd
    2. Encode the new password using the following command:
      java -cp lib/jetty-http-xxx.jar:lib/jetty-util-xxx.jar org.mortbay.jetty.security.Password <your password here>

    Configuring TLS for Recording Processor Script

    1. Configure HTTPS on the primary recording server. For more information, see the "Configure SSL" section of Configuring Recording Processor Script.
      1. For Windows, make sure the pyOpenSSL is installed. pyOpenSSL is already be installed on RHEL6.
      2. Create a self-signed certificate and private key for the Recording Processor host. For example, on ubuntu run: openssl req -new -x509 -days 1024 -nodes -out cert228.pem -keyout cert228key.pem
      3. In the rp_server section of the Recording Processor's configuration file, set the following parameters:
        • ssl_certificate—Point to the certificate PEM file. For example, ssl_certificate=cert228.pem.
        • ssl_private_key—To point to the private key file. For example, cert228.pem.
      4. Send the self-signed certificate PEM file to any MCP client that needs to validate the certificate during the SSL handshake. See the "Enable Secure Communication" section of the GVP 8.5 User's Guide.
      5. Restart Recording Processor.
    2. Configure HTTPS on the backup recording server by following the same instructions as above using a new certificate and private key.

    Configuring TLS for Recording Crypto Server

    See Configuring an HTTP Port.

    Configuring TLS for the WebDAV Server

    To configure TLS for Apache httpd on RHEL6:

    1. On the WebDAV server, run the following command to install SSL:
      yum install mod_ssl
    2. The certificate/key pair is automatically generated:
      • Certificate—/etc/pki/tls/certs/localhost.crt
      • Key—/etc/pki/tls/private/localhost.key
    3. To use your own certificate/key pair, either update the files automatically generated (as above), or edit the /etc/httpd/conf.d/ssl.conf file and modify the the following lines:
      • SSLCertificateFile /etc/pki/tls/certs/localhost.crt
      • SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    4. Restart httpd (service httpd restart). SSL is enabled on the default HTTPS port 443.
    Important
    If you're using a self-signed certificate and migrating from Web Services to Interaction Recording Web Services, you'll need to complete a few more steps. See Re-importing the Certificate for WebDAV for details.

    Configuring TLS for the Interaction Receiver and SpeechMiner UI Server

    See Enabling HTTPS for SpeechMiner.

    Configuring TLS for the HTTP Apache Load Balancer

    Follow the instructions for Configuring TLS for the WebDAV Server, and add the additional steps:

    To enable https for the proxy, edit the /etc/httpd/conf.d/ssl.conf file and add the following option:
    SSLProxyEngine on
    Direct the load balancer to the proper https locations. For example: 

    <Proxy balancer://htcc>
BalancerMember https://host3:8080 route=HTCC1
BalancerMember https://host4:8080 route=HTCC2
BalancerMember https://host5:8080 route=HTCC3
ProxySet stickysession=ROUTEID
</Proxy>

    Client-Side Configuration

    Configuring TLS for the Media Control Platform (MCP)

    To add a Certificate Authority (CA):

    1. Place the CA file on the MCP.
    2. Using Genesys Administrator or Genesys Administrator Extension, in the fm section set the ssl_ca_info option to the location of the CA file.
    3. Restart MCP.

    To add client-side authentication:

    1. Place the certificate file (PEM format) on the MCP.
    2. Using Genesys Administrator or Genesys Administrator Extension, in the fm section set the ssl_cert optiont to the location of the certification file.
    3. Restart MCP.

    For more information about the MCP options, see the Voice Platform Media Control Platform Configuration Options.

    Configuring TLS for the IVR Profile

    Using Genesys Administrator Extension, navigate to the Recording tab of the IVR Profile. Update the following addresses with the HTTPS locations:

    • Storage Destination
    • Recording Processor URI
    • SpeechMiner Interaction Receiver
    • PpeechMiner Destination for Analytics only

    Configuring TLS for the Recording Processor Script

    The Recording Processor Script creates three client connections, to:

    • Interaction Recording Web Services (Web Services)
    • SpeechMiner Interaction Receiver
    • Backup Recording Processor Script

    For details on configuring each connection, refer to the appropriate section at the Configure SSL link on the page Deploying Recording Processor Script.

    Adding the Server Certificate to Interaction Recording Web Services (Web Services) KeyStore

    To add a Server Certificate to Interaction Recording Web Services (or Web Services if you're using version 8.5.210.02 or earlier) keystore, copy apache.crt to the Interaction Recording Web Services (Web Services) machine. To do this, run the following command: 

    scp /etc/apache2/ssl/apache.crt ubuntu@10.10.15.89:~/

    To install WebDAV Server certificate to the Interaction Recording Web Services (Web Services) JVM, run the following command: 

    cd $JAVA_HOME/jre/lib/security
../../bin/keytool -import -alias webdav -file ~/apache.crt -keystore cacerts
    Important
    If you're using a self-signed certificate and migrating from Web Services to Interaction Recording Web Services, you'll need to complete a few more steps. See Re-importing the Certificate for WebDAV for details.

    To turn off SNIExtension, you must update /etc/default/jetty. To do this, run the following command (Where ... stands for any other other java options): 

    JAVA_OPTIONS="... -Djsse.enableSNIExtension=false"

    Once this is done, you must restart jetty for the changes to take effect. To do this, run the following command: 

    sudo service jetty restart

    Comments or questions about this documentation? Contact us for support!