This document describes the latest security enhancements added in Unified Contact Center Enterprise (UCCE) 12.5.
Cisco recommends that you have knowledge of these topics:
Open Secure Sockets Layer (SSL)
The information in this document is based on these software and hardware versions:
OpenSSL (64-bit) for Windows
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
6. In the event of failure, the command line shows an error, as shown in the image.
Use Certificates with SHA-256 and Key Size 2048 Bits
The logs report an error when non-compliant certificates are identified (i.e., certificates that do not meet the SHA-256 and/or 2048-bit key size requirement).
There are two important certificates from UCCE's perspective:
Cisco ICM Diagnostic Framework service certificate
Cisco ICM SSL Certificate
The certificates can be reviewed in the Internet Information Services (IIS) Manager on the Windows server.
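An added example, not part of Cisco's document or tooling: a PowerShell check of the signature algorithm and RSA key size of each certificate, to find non-compliant ones before the logs report them. It assumes the certificates are in the LocalMachine\My store; the function name Test-CertCompliance is hypothetical.

```powershell
# Added example: audit certificates against the SHA-256 / 2048-bit requirement.
# Assumption: the certificates IIS serves are in the LocalMachine\My store.
$Sha256RsaOid = '1.2.840.113549.1.1.11'   # OID of sha256WithRSAEncryption
$MinKeyBits   = 2048

function Test-CertCompliance {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    process {
        # GetRSAPublicKey returns $null for non-RSA keys instead of throwing.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
        $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }

        $problems = @()
        # Only SHA-256 with RSA passes; any other algorithm is listed for review.
        if ($Cert.SignatureAlgorithm.Value -ne $Sha256RsaOid) {
            $problems += "signature algorithm is $($Cert.SignatureAlgorithm.FriendlyName)"
        }
        if (-not $rsa) {
            $problems += 'public key is not RSA; check key size manually'
        } elseif ($keyBits -lt $MinKeyBits) {
            $problems += "key size is $keyBits bits"
        }

        [pscustomobject]@{
            FriendlyName = $Cert.FriendlyName
            Subject      = $Cert.Subject
            Thumbprint   = $Cert.Thumbprint
            Signature    = $Cert.SignatureAlgorithm.FriendlyName
            KeyBits      = $keyBits
            SelfSigned   = ($Cert.Subject -eq $Cert.Issuer)
            NotAfter     = $Cert.NotAfter
            Compliant    = ($problems.Count -eq 0)
            Problems     = ($problems -join '; ')
        }
    }
}

# Non-compliant certificates sort to the top of the report.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-CertCompliance |
    Sort-Object Compliant |
    Format-Table FriendlyName, Signature, KeyBits, SelfSigned, Compliant, Problems -AutoSize -Wrap
```

Run it from an elevated PowerShell session on the server, and again after regenerating a certificate to confirm the new one passes.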
For self-signed certificates (either for Diagnose Portico or Web Setup), the error line reported is:
Re-generating Cisco ICM SSL Certificate with SHA-256 and key size '2048' and will be binded with port 443.
a. In order to regenerate self-signed certificates (for the WebSetup/CCEAdmin page), use the SSLUtil tool (from the location C:\icm\bin).
b. Select Uninstall to delete the current "Cisco ICM SSL Certificate".
c. Next, select Install in the SSLUtil tool. Once the process completes, notice that the certificate created now includes SHA-256 and key size '2048' bits.
In order to regenerate the self-signed Cisco ICM Diagnostic Framework service certificate, use the "DiagFwCertMgr" command line, as shown in the image:
Data Protection Tool
1. CCEDataProtectTool is used to encrypt and decrypt sensitive information stored in the Windows registry. After the upgrade to SQL 12.5, the value stored in the SQLLogin registry needs to be reconfigured with CCEDataProtectTool. Only an administrator, a domain user with administrative rights, or a local administrator can run this tool.
2. This tool can be used to view, configure, edit, and remove the encrypted value stored in the SQLLogin registry.