Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
Cisco SSL Encryption utility

About SSL Encryption utility

In Unified ICM release 9.0(1), Unified ICM web servers are configured for secure access (HTTPS) using SSL. Cisco provides an application called the SSL Encryption Utility (SSLUtil.exe) to help with the task of configuring web servers for use with SSL.


Note: This utility is only supported on servers running Windows Server 2008 R2.

The operations performed by the SSL Encryption Utility can also be accomplished with operating system facilities such as IIS; however, the Cisco utility simplifies the process.

SSLUtil.exe is located in the <ICMInstallDrive>\icm\bin folder. The SSL Encryption Utility can be invoked in either standalone mode or automatically as part of setup.

The SSL Encryption Utility generates log messages pertaining to the operations that it performs. When it runs as part of setup, log messages are written to the setup log file. When the utility is in standalone mode, the log messages appear in the SSL Utility Window and the <SystemDrive>\temp\SSLUtil.log file.

The SSL Encryption Utility performs the following major functions:

  • SSL Configuration
  • SSL Certificate Administration

SSL is available only for Unified ICM web applications installed on Windows Server 2008 R2. The Unified ICM/Unified CCE web applications that you can configure for SSL are:

  • Internet Script Editor
  • Agent Re-skilling

SSL installation during setup

By default, setup enables SSL for the Unified CCE Internet Script Editor and Agent Re-skilling applications.


Note: If you use IIS manager to modify SSL settings while the SSL Configuration Utility is open, those changes are not reflected in the SSL Configuration Utility until it is closed and reopened.


The SSL Configuration Utility also facilitates the creation of self-signed certificates and the installation of the created certificate in IIS. A certificate may also be removed from IIS using this tool. When invoked as part of setup, the SSL Configuration Utility sets the SSL port in IIS to 443 if it is found to be blank.

To use SSL for Agent Re-skilling or Internet Script Editor, accept the default settings during installation and the supported servers will use SSL.

When the utility runs during setup, a self-signed certificate is generated (using OpenSSL), imported into the Local Machine Store, and installed on the web server. Virtual directories are enabled and configured for SSL with 128-bit encryption.


Note: During setup, if a certificate exists or the web server is found to have an existing server certificate installed, a log entry is added and no changes take effect. Any certificate management changes must be done using the utility in standalone mode or directly using the IIS Services Manager.


SSL Encryption utility in standalone mode

In standalone mode, the SSL Configuration Utility displays the list of Unified ICM instances installed on the local machine. When a Unified ICM instance is selected, the installed web applications and their SSL settings are displayed. You can then alter the SSL settings for the web application.

Figure 1. SSL Config Utility - Configuration Tab (the Configuration tab of the SSL Encryption Utility)

The SSL Configuration Utility also facilitates the creation of self-signed certificates and the installation of the created certificate in IIS. A certificate may also be removed from IIS using this tool. When invoked as part of setup, the SSL Configuration Utility sets the SSL port in IIS to 443 if it is found to be blank.

Figure 2. SSL Config Utility - Certificate Administration Tab (the Certificate Administration tab of the SSL Encryption Utility)

Enable Transport Layer Security (TLS) 1.0 protocol

The ICM security template enables FIPS-compliant strong encryption, which requires the TLS 1.0 protocol to be enabled instead of SSL 2.0 or SSL 3.0. To ensure web browser connectivity to Dynamic Re-skilling (Agent Re-skilling) over HTTPS using Internet Explorer, you must enable the TLS 1.0 protocol.

Use the following steps to enable the TLS 1.0 protocol:

Procedure
    Step 1   Launch Internet Explorer.
    Step 2   From the Tools menu, select Internet Options.
    Step 3   Click the Advanced tab.
    Step 4   Scroll to Security and check the Use TLS 1.0 check box.

    See Microsoft Knowledge Base (KB) article KB 811833 for additional information about security settings.

    Note: If security hardening is applied when Internet Explorer is not configured to support the TLS 1.0 protocol, the web browser cannot connect to the web server. An error message indicates that the page is either unavailable or that the website might be experiencing technical difficulties.
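
The result of Step 4 can be checked from PowerShell on the client workstation before security hardening is applied. The script below is an added example, not part of the Cisco guide or utility; it assumes Internet Explorer stores the choice in the standard WinINet SecureProtocols registry value, and the function names are illustrative.

```powershell
# Added example: report which SSL/TLS protocols Internet Explorer is set to use.
# Bit values of the SecureProtocols DWORD under "Internet Settings".
$ProtocolBits = @{
    'SSL 2.0' = 0x08; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800
}

function ConvertFrom-SecureProtocols {
    param([int]$Value)
    # Return the names of the protocols whose bit is set, lowest bit first.
    $ProtocolBits.GetEnumerator() | Sort-Object Value |
        Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key }
}

function Test-IETls10 {
    # A Group Policy value, when present, takes precedence over the
    # per-user value written by the Internet Options dialog.
    $paths = @(
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            $enabled = @(ConvertFrom-SecureProtocols -Value $item.SecureProtocols)
            return New-Object PSObject -Property @{
                Source           = $path
                RawValue         = ('0x{0:X}' -f $item.SecureProtocols)
                Enabled          = ($enabled -join ', ')
                Tls10Enabled     = ($enabled -contains 'TLS 1.0')
                # SSL 2.0/3.0 will not work once the security template is applied.
                LegacySslEnabled = [bool]($enabled -like 'SSL *')
            }
        }
    }
    Write-Warning 'SecureProtocols is not set; Internet Explorer is using its built-in default.'
}

Test-IETls10 | Format-List
```

If Tls10Enabled is False, the browser will fail to connect to the hardened web server as described in the note above.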