Introduction
This document describes how to configure Cisco Customer Voice Portal (CVP) Call Server and Voice Extensible Markup Language (VXML) Server Transport Layer Security (TLS) support for HyperText Transfer Protocol (HTTP).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- CVP VXML Server
- Cisco Virtual Voice Browser (CVVB)
- VXML gateways
Components Used
The information in this document is based on these software versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
At present, the VXML Server can have three secure interfaces with different components, as shown in the image.
TLS Interface of VXML Server
Interface 1. This is the Hypertext Transfer Protocol (HTTP) interface between VXML Gateway, Cisco Virtualized Voice Browser (CVVB) and VXML Server. Here the VXML Server acts as a server.
Interface 2. This is the typical HTTP interface where the VXML Server interacts with an external web server over an HTTP/Simple Object Access Protocol (SOAP) interface. This interface is defined as part of a custom element, a WebService element, or a SOAP element.
Interface 3. This is the interface to an external database (DB), such as Microsoft SQL (MSSQL) Server or Oracle DB, which uses the built-in DB Element interface or a custom element interface.
In Interface 1 the VXML Server acts as a server; in Interfaces 2 and 3 it acts as a secure client.
Problem: How to Enable TLS 1.2 on Different Interfaces of CVP VXML Server
The CVP VXML Server communicates with various devices and servers through different interfaces. TLS 1.2 has to be enabled on all of them to achieve the desired security level.
Solution
Procedure to Enable TLS 1.2 in Interface 1
In this interface, as described earlier, the CVP VXML Server acts as a server. TLS is implemented by Tomcat, and the configuration is controlled by the Connector definition in Tomcat's server.xml.
Typical Connector Configuration:
<Connector SSLCertificateFile="C:\Cisco\CVP\conf\security\vxml.crt"
           SSLCertificateKeyFile="C:\Cisco\CVP\conf\security\vxml.key"
           SSLEnabled="true"
           acceptCount="1500"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256"
           clientAuth="false"
           disableUploadTimeout="true"
           enableLookups="false"
           executor="tomcatThreadPool"
           keyAlias="vxml_certificate"
           keystoreFile="C:\Cisco\CVP\conf\security\.keystore"
           keystorePass="3WJ~RH0WjKgyq3CKl$x?7f0?JU*7R3}WW0jE,I*_RC8w2Lf"
           keystoreType="JCEKS"
           maxHttpHeaderSize="8192"
           port="7443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https"
           secure="true"
           sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
           sslProtocol="TLS"/>
In this example the parameters that control TLS support (sslEnabledProtocols and the certificate settings) already include TLSv1.2, so the connector supports TLS 1.2. Note that the sslEnabledProtocols list also keeps TLSv1 and TLSv1.1 enabled; if only TLS 1.2 must be accepted, remove those two entries from the list.
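After the connector has been changed and Tomcat restarted, the check a practitioner wants is which protocol versions port 7443 actually accepts. The following PowerShell is an added example, not part of the Cisco document; it assumes the VXML Server listens on 7443 as in the connector above, that it is run from a client that can reach it, and (because lab certificates are often self-signed) it bypasses certificate validation for the version check only.

```powershell
# Added example (not from the Cisco document): probe the Tomcat connector with one
# client-side protocol version at a time and report whether the handshake succeeded.
# Assumes port 7443 and a reachable host name; certificate trust is deliberately not
# evaluated here because the question is "which versions are enabled", not "is it trusted".
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 7443,
        [Parameter(Mandatory)] [System.Security.Authentication.SslProtocols] $Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, $Port)
        # Accept any server certificate for this check (protocol negotiation only).
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        # Offer exactly one protocol version; the server either agrees or aborts the handshake.
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{
            Offered    = $Protocol
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Cipher     = $ssl.CipherAlgorithm
        }
    } catch {
        [pscustomobject]@{ Offered = $Protocol; Accepted = $false; Negotiated = $null; Cipher = $null }
    } finally {
        $tcp.Close()
    }
}

# With sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" all three rows show Accepted = True;
# after restricting the connector to TLSv1.2 only the Tls12 row should.
foreach ($version in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsProtocol -ComputerName 'vxml.example.com' -Protocol $version
}
```

The result also depends on the SCHANNEL settings of the machine you run this from: a version that is disabled on the client shows as not accepted regardless of the server configuration, so run it from a host where all three versions are still permitted.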
Use the Java keytool.exe, found in Cisco\CVP\jre\bin\, in order to generate the certificates used for TLS 1.2.
Keytool documentation
Procedure to Enable TLS 1.2 in Interface 2
This is the most commonly used interface. Here the VXML Server acts as a client and needs to open a secure connection to an external web server.
There are two different ways to handle this.
- Use Custom Code.
- Use CVP Framework.
This document describes the use of the CVP Framework.
From CVP 11.6 it is enabled by default; for previous versions, check this table:
If you have an ES release installed that is affected by defect CSCvc39129 (VXML Server as TLS client), you need to apply this manual configuration:
Step 1. Open registry editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\VXMLServer\Parameters\Java.
Step 2. Open Options Key and add -Dhttps.client.protocol=TLSv1.2 at the end.
Step 3. Restart Cisco CVP VXMLServer service.
Here is the quick list of default protocol support in different Java versions.
-Djdk.tls.client.protocols=TLSv1.2
This option forces the VXML Server to use TLS 1.2 on Java SE Development Kit (JDK) 7 and JDK 6.
Note: SSL is disabled by default.
Procedure to Enable TLS 1.2 in Interface 3
In this interface, as described earlier, the CVP VXML Server acts as a client and a third-party database server acts as the server.
Ensure that the third-party database server supports TLS 1.2 and that TLS 1.2 is enabled on it.
For example, SQL Server 2014 with Service Pack (SP) 2 supports TLS 1.2; confirm that the TLS 1.2 protocol is enabled on the SQL Server under this registry path:
SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
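The SCHANNEL check above is a pair of DWORD values (Enabled and DisabledByDefault) under a per-protocol, per-role subkey, and an absent value means "operating system default". The following PowerShell is an added example, not part of the Cisco document, to be run on the SQL Server host; it reads those values for the server role and reports the effective state.

```powershell
# Added example (not from the Cisco document): report how SCHANNEL is configured for a
# protocol in the Server role. Values that are not present mean the Windows default for
# that OS version applies; Enabled=0 or DisabledByDefault=1 means the protocol is off.
function Get-SchannelProtocolState {
    param(
        [string] $Protocol = 'TLS 1.2',
        [ValidateSet('Server', 'Client')] [string] $Role = 'Server'
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Role"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Distinguish "value absent" from "value set to 0/1"; both matter for the verdict.
    $enabled           = if ($props -and $null -ne $props.Enabled)           { [int]$props.Enabled }           else { 'not set' }
    $disabledByDefault = if ($props -and $null -ne $props.DisabledByDefault) { [int]$props.DisabledByDefault } else { 'not set' }

    $state = if ($enabled -eq 0 -or $disabledByDefault -eq 1) { 'disabled' }
             elseif ($enabled -eq 'not set' -and $disabledByDefault -eq 'not set') { 'OS default' }
             else { 'enabled' }

    [pscustomobject]@{ Protocol = $Protocol; Role = $Role; Enabled = $enabled
                       DisabledByDefault = $disabledByDefault; State = $state }
}

# The database server must show TLS 1.2 as 'enabled' (or 'OS default' on a Windows
# version that enables it by default) for the JDBC connection from CVP to succeed.
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Get-SchannelProtocolState -Protocol $_ -Role 'Server' }
```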
In order to enable TLS 1.2 for interface 3 on CVP side:
Step 1. Open registry editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\VXMLServer\Parameters\Java.
Step 2. Open Options Key and add -Djdk.tls.client.protocols=TLSv1.2 at the end.
Step 3. Restart Cisco CVP VXMLServer service.
Note: For more detail, check bug CSCvg20831 (JNDI Database connection fails with CVP11.6 SQL 2014SP2).
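Steps 1 to 3 of the Interface 2 and Interface 3 procedures edit the same Procrun registry value by hand. The following PowerShell is an added example, not part of the Cisco document, that performs the same change in a repeatable way; it assumes the Windows service name is VXMLServer (the Procrun key name on the page) and must be run from an elevated prompt.

```powershell
# Added example (not from the Cisco document): scripted form of Steps 1-3 shared by the
# Interface 2 and Interface 3 procedures. Assumes the service name VXMLServer (the Procrun
# key name); run from an elevated PowerShell prompt on the CVP VXML Server.
$JavaKey = 'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\VXMLServer\Parameters\Java'

function Set-ProcrunJavaOption {
    param(
        [Parameter(Mandatory)] [string] $Option,   # e.g. -Djdk.tls.client.protocols=TLSv1.2
        [string] $Key = $JavaKey,
        [string] $ServiceName = 'VXMLServer'       # assumed service name, adjust if it differs
    )
    # Procrun keeps the JVM options in the REG_MULTI_SZ value "Options", one option per string.
    $current = @((Get-ItemProperty -Path $Key -Name Options).Options)

    # Export the key first so the change can be reverted with "reg import".
    $backup = Join-Path $env:TEMP ('VXMLServer-Java-' + (Get-Date -Format 'yyyyMMddHHmmss') + '.reg')
    & reg.exe export ($Key -replace '^HKLM:\\', 'HKLM\') $backup /y | Out-Null

    # Replace any existing entry for the same system property (for example an older
    # -Djdk.tls.client.protocols=TLSv1 line) instead of appending a duplicate: with
    # duplicates the JVM takes the last one, which is easy to misread when troubleshooting.
    $propName = ($Option -split '=', 2)[0]
    $kept = @($current | Where-Object { ($_ -split '=', 2)[0] -ne $propName })
    $updated = $kept + $Option

    Set-ItemProperty -Path $Key -Name Options -Value $updated -Type MultiString
    Restart-Service -Name $ServiceName
    return $updated
}

# Interface 2 (ES releases affected by CSCvc39129): -Dhttps.client.protocol=TLSv1.2
# Interface 3 (JDBC to the database server):         -Djdk.tls.client.protocols=TLSv1.2
Set-ProcrunJavaOption -Option '-Djdk.tls.client.protocols=TLSv1.2'
```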
Procedure to Upgrade JRE for TLS 1.2 Support
CVP supports upgrading the Java Runtime Environment (JRE) to the latest version in order to pick up defect fixes.
This table shows JAVA versions.
JAVA Versions
Follow the procedure described in this link.
Caution: Upgrading from 32-bit to 64-bit, or vice versa, is not supported.
Procedure to Upgrade Tomcat
Tomcat minor upgrades are supported. However, ensure that you check for compatibility issues with custom JARs (AXIS, JDBC, and so on) before you perform the upgrade.
For more details check the procedure here.