Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
Encryption support

This chapter describes the types of encryption used in the Unified ICM system. The concepts help you to understand how encryption is used in the Unified ICM/ Unified CCE environment.

User and agent passwords

Unified ICM/Unified CCE systems are highly distributed applications composed of many node and server applications. Application user and contact center agent passwords are stored in the Logger databases and the Distributor databases as an RSA Data Security, Inc. MD5 Message-Digest Algorithm hash. When passed from one server node to another, such as from a Peripheral Gateway to a Router, or from a Distributor to a Router or a Logger, the passwords are passed as MD5 hashes rather than in clear text.

Call variables and extended call variables

To protect data sent in call variables or expanded call context (ECC) variables, Unified ICM relies on IPsec and the deployment of IPsec policies between servers running Windows Server 2008 R2. In a Unified CCE environment, establishing an IPsec channel between the Cisco Unified Communications Manager (Unified CM) and the Peripheral Gateway is also supported. The recommended integrity algorithm is SHA-1 and the recommended encryption algorithm is 3DES. For Internet Key Exchange (IKE), the recommended key-exchange setting is Diffie-Hellman Group 2 (1024-bit key) at a minimum, or a 2048-bit key if processing power allows it.
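As an added example (not from the Cisco guide), the following netsh commands express the recommended IKE and IPsec settings above on Windows Server 2008 R2: SHA-1 integrity, 3DES encryption, and Diffie-Hellman Group 2 as the minimum, with the 2048-bit group (Group 14) offered first for peers that can afford it. The two server addresses, the rule name and the pre-shared key are placeholders; run from an elevated prompt.

```powershell
# Added example, not part of the Cisco guide. Placeholder endpoints
# 10.0.0.10 / 10.0.0.20 stand for two ICM servers (for example a Peripheral
# Gateway and a Router); the PSK is a placeholder. In a domain, prefer
# auth1=computerkerb (Kerberos) over a pre-shared key.

# Main mode (IKE): Diffie-Hellman group, encryption and integrity.
# dhgroup14 = 2048-bit, dhgroup2 = 1024-bit (the guide's minimum);
# the list is tried in order, so the stronger group is preferred.
netsh advfirewall set global mainmode mmsecmethods dhgroup14:3des-sha1,dhgroup2:3des-sha1

# Quick mode (IPsec): ESP with SHA-1 HMAC integrity and 3DES encryption,
# required in both directions, so call-variable and ECC-variable traffic
# between the two servers is never sent in clear text.
netsh advfirewall consec add rule name=ICM_IPsec_PG_to_Router `
    endpoint1=10.0.0.10 endpoint2=10.0.0.20 `
    action=requireinrequireout `
    auth1=computerpsk auth1psk=REPLACE_WITH_STRONG_PSK `
    qmsecmethods=esp:sha1-3des

# Verify what was actually configured before relying on it.
netsh advfirewall show global
netsh advfirewall consec show rule name=ICM_IPsec_PG_to_Router
```

Apply the equivalent rule on the peer server with the endpoints reversed, and confirm the security association with `netsh advfirewall monitor show qmsa` once traffic flows.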

Internet Script Editor and Agent Re-skilling

By default on Windows Server 2008 R2, Unified ICM supports encryption of traffic for users accessing the Unified ICM Internet Script Editor, Web Setup, and Agent Re-skilling applications, so that all user logins and, optionally, all session traffic from a remote machine are protected from snooping. These applications are HTTP based and implement the Transport Layer Security (TLS) v1.0 protocol using the OpenSSL libraries.

The Agent Re-skilling and Internet Script Editor web applications are also deployed and enabled for 128-bit SSL encryption in IIS 6.0 by default, so that all supervisor logins, user logins, and data exchanged are protected across the network.

For more information about enabling certain Cipher Suites in IIS, see the article KB 245030.

CTI OS C++/COM toolkit

The CTI OS (C++/COM toolkit) and CAD agent desktops implement the TLS v1.0 protocol using the OpenSSL libraries to protect data exchanged between the agent desktop and the CTI Object Server. A single cipher suite is used for authentication, key exchange, and stream encryption. The cipher suite is as follows:

  • Key exchange: Diffie-Hellman
  • Authentication: RSA
  • Encryption: AES (128)
  • Message digest algorithm: SHA1

Refer to the CTI OS System Manager's Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted and the Cisco CAD Installation Guide for more configuration details.

Cisco Contact Center SNMP management service

Unified ICM/Unified CCE includes a Simple Network Management Protocol (SNMP v3) agent, provided by SNMP Research International, that supports authentication and encryption (privacy). The Cisco implementation lets you configure communication with a management station so that it is authenticated using the SHA-1 digest algorithm and all SNMP messages are encrypted using one of the following three protocols:

  • 3DES
  • AES-192
  • AES-256

For more information, see the SNMP Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted.

Additional encryption

In addition to the application-level encryption provided in the various Unified ICM applications, Cisco supports deploying the solution across sites running Cisco IOS IPsec in tunnel mode with HMAC-SHA1 authentication (ESP-SHA-HMAC) and 3DES encryption (ESP-3DES).