Certificates for Unified Contact Center Enterprise Web Administration
CA Certificates
The following table outlines the CA certificate tasks for each component.
Components | Tasks |
---|---|
Unified CCE Components | |
Customer Voice Portal (CVP) Call Server/CVP Reporting Server1 | See Configuration Guide for Cisco Unified Customer Voice Portal at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-customer-voice-portal/products-installation-and-configuration-guides-list.html |
Email and Chat | See Enterprise Chat and Email Installation and Configuration Guide at https://www.cisco.com/c/en/us/support/customer-collaboration/cisco-enterprise-chat-email/series.html |
Cisco Unified Communications Manager (CUCM) | See Security Guide for Cisco Unified Communications Manager at https://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-list.html |
Cisco Unified Intelligence Center (CUIC) | |
Cisco Finesse | See Cisco Finesse Administration Guide at https://www.cisco.com/c/en/us/support/customer-collaboration/finesse/products-maintenance-guides-list.html |
Live Data | |
Cisco Identity Service (IdS) | For more information, see https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-configuration-examples-list.html. Be sure to run the instructions on the IdS server. |
Cloud Connect | |
Virtualized Voice Browser (VVB) | See Configuration Guide for Cisco Unified Customer Voice Portal at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-customer-voice-portal/products-installation-and-configuration-guides-list.html |
Customer Collaboration Platform | See Security Guide for Cisco Unified ICM/Contact Center Enterprise at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-installation-and-configuration-guides-list.html |
Generate CSR
Procedure
Step 1 |
Log in to Windows and choose . |
Step 2 |
In the Connections pane, click the server name. |
Step 3 |
In the IIS area, double-click Server Certificates. |
Step 4 |
In the Actions pane, click Create Certificate Request. |
Step 5 |
In the Request Certificate dialog box, do the following:
|
Step 6 |
Specify a file name for the certificate request and click Finish. |
Create Trusted CA-Signed Server or Application Certificate
You can create a CA-signed certificate in any one of the following ways:
- Create certificate internally. Do the following:
  - Download the CA-signed certificate on each component server. Do the following:
    - Open the CA server certificate page (https://<CA-server-address>/certsrv).
    - Click Request a Certificate and then click advanced certificate request. Then do the following:
      - Copy the Certificate Request content in the Base-64-encoded certificate request box.
      - From the Certificate Template drop-down list, choose Web Server.
      - Click Submit.
      - Choose Base 64 encoded.
      - Click Download certificate and save it to the desired destination folder.
    - On the CA server certificate page, click Download a CA Certificate, Certificate Chain, or CRL, and then do the following:
      - Select the Encoding method as Base 64.
      - Click Download CA Certificate and save it to the desired destination folder.
  - Import the Root CA and Intermediate Authority certificates into the Windows trust store of every component. For more information on how to import CA certificates into the Windows trust store, see Microsoft documentation.
  - Import the Root CA and Intermediate Authority certificates into the Java keystore of every component. For more information, see Import CA Certificate into AW Machines.
- Obtain certificate from a trusted Certificate Authority (CA). Do the following:
  - Send the CSR to a trusted Certificate Authority (CA) for sign-off.
  - Obtain the CA-signed application certificate, Root CA certificate, and Intermediate Authority certificate (if any).
  - Import the Root CA and Intermediate Authority certificates into the Windows trust store of every component. For more information on how to import CA certificates into the Windows trust store, see Microsoft documentation.
  - Import the Root CA and Intermediate Authority certificates into the Java keystore of every component. For more information, see Import CA Certificate into AW Machines.
Import CA Certificate into AW Machines
Procedure
Step 1 |
Log in to the AW-HDS-DDS Server. |
||
Step 2 |
Run the following command:
|
||
Step 3 |
Copy the root or intermediate certificates to a location on the AW machine. |
||
Step 4 |
Run the following command and remove the existing certificate:
|
||
Step 5 |
Enter the truststore password when prompted. The default truststore password is changeit.
|
||
Step 6 |
At the AW machine terminal, run the following command:
|
||
Step 7 |
Enter the truststore password when prompted. |
||
Step 8 |
Go to Services and restart Apache Tomcat. |
Upload and Bind CA-Signed Certificate
Upload CA-Signed Certificate to IIS Manager
Before you begin
Procedure
Step 1 |
Log in to Windows and choose . |
Step 2 |
In the Connections pane, click the server name. |
Step 3 |
In the IIS area, double-click Server Certificates. |
Step 4 |
In the Actions pane, click Complete Certificate Request. |
Step 5 |
In the Complete Certificate Request dialog box, complete the following fields:
|
Step 6 |
Click OK to upload the certificate. |
Bind CA-Signed Certificate to IIS Manager
Bind CCE Web Applications
Procedure
Step 1 |
Log in to Windows and choose . |
Step 2 |
In the Connections pane, choose . |
Step 3 |
In the Actions pane, click Bindings.... |
Step 4 |
Click the type https with port 443, and then click Edit.... |
Step 5 |
From the SSL certificate drop-down list, select the uploaded signed Certificate Request. |
Step 6 |
Click OK. |
Step 7 |
Navigate to and restart the IIS Admin Service. |
Bind Diagnostic Framework Service
Procedure
Step 1 |
Open the command prompt. |
||
Step 2 |
Navigate to the Diagnostic Portico home folder using: cd <ICM install directory>:\icm\serviceability\diagnostics\bin |
||
Step 3 |
Remove the current certificate binding to the Diagnostic Portico tool using: DiagFwCertMgr /task:UnbindCert |
||
Step 4 |
Open the signed certificate and copy the hash content (without spaces) of the Thumbprint field. Run the following command: DiagFwCertMgr /task:BindCertFromStore /certhash:<hash_value> |
||
Step 5 |
Validate if the certificate binding was successful using: DiagFwCertMgr /task:ValidateCertBinding
|
||
Step 6 |
Restart the Diagnostic Framework service by running the following commands:
sc stop "diagfwsvc"
sc start "diagfwsvc" |
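Step 4 asks for the thumbprint "without spaces". The following added example (not Cisco code) normalizes a pasted thumbprint and confirms the certificate is usable before it is handed to DiagFwCertMgr. The function name, the sample value, and the LocalMachine\My store location are assumptions.

```powershell
# Added example, not part of the Cisco procedure.
function Resolve-DiagFwCertHash {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,    # text pasted from the Thumbprint field
        [string] $StorePath = 'Cert:\LocalMachine\My'   # assumption: Personal store of the server
    )

    # Drop spaces, colons and invisible characters (such as U+200E) that can be
    # picked up when the value is copied from the certificate dialog.
    $hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hash.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($hash.Length)."
    }

    # The binding can only work if the certificate is in the store with its private key.
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $hash }
    if (-not $cert) {
        throw "No certificate with thumbprint $hash in $StorePath."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $hash has no private key on this server; it cannot be bound."
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate $hash is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }
    return $hash
}

# Constructed sample value: replace with the text copied from your signed certificate.
$pasted = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"
$hash = Resolve-DiagFwCertHash -Thumbprint $pasted   # throws if the certificate is not usable

# Run from <ICM install directory>:\icm\serviceability\diagnostics\bin
.\DiagFwCertMgr /task:UnbindCert
.\DiagFwCertMgr /task:BindCertFromStore "/certhash:$hash"
.\DiagFwCertMgr /task:ValidateCertBinding
```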
Self-Signed Certificates
The following table lists components from which self-signed certificates are generated and components into which self-signed certificates are imported.
Note |
To establish secure communication, run the commands (given in the links below) in the Command Prompt as an Administrator (right-click Command Prompt and select Run as administrator). |
Import Self-signed Certificates to Target Server |
Generate Self-signed Certificates from Source Component Server |
Links |
---|---|---|
AW Machines |
Unified CCE Components (Router, Logger2, Rogger3, PGs, and HDS) |
Import CCE Component Certificates; Import Diagnostic Framework Portico Certificate into AW Machines |
Cisco Finesse |
||
Cisco Unified Intelligence Center (CUIC) Publisher and Subscriber |
||
Cisco Identity Service (IdS) Publisher and Subscriber |
||
Cloud Connect |
||
Customer Collaboration Platform |
||
Logger |
AW |
|
Rogger |
Import CCE Component Certificates
Important |
The certificate CommonName (CN) must match the Fully Qualified Domain Name (FQDN) provided for the CCE components in the CCE Inventory. |
Procedure
Step 1 |
Log in to the required CCE component server. |
||
Step 2 |
From the browser (https://<FQDN of the CCE component server>), download the certificate. If you want to regenerate a certificate instead of using the existing certificate, run the following commands: |
||
Step 3 |
Copy the certificate to a location in the target server. |
||
Step 4 |
Run the following command at the target server (machine terminal):
|
||
Step 5 |
Enter the truststore password when prompted. The default truststore password is changeit.
|
||
Step 6 |
Go to Services and restart Apache Tomcat on target servers. |
Import Diagnostic Framework Portico Certificate into AW Machines
Procedure
Step 1 |
Log in to the CCE component server. |
||
Step 2 |
From the Cisco Unified CCE Tools, open the Diagnostic Framework Portico. |
||
Step 3 |
Download the self-signed certificate from the browser. |
||
Step 4 |
Copy the certificate to a location on the AW machine. |
||
Step 5 |
Run the following command at the AW machine terminal:
|
||
Step 6 |
Enter the truststore password when prompted. The default truststore password is changeit.
|
||
Step 7 |
Go to Services and restart Apache Tomcat. |
Import VOS Components Certificate
Important |
The certificate CommonName (CN) must match the Fully Qualified Domain Name (FQDN) provided for the respective component servers in the CCE Inventory. |
Procedure
Step 1 |
Sign in to the Cisco Unified Operating System Administration on the source component server using the URL (https://<FQDN of the Component server>:8443/cmplatform). |
Step 2 |
From the Security menu, select Certificate Management. |
Step 3 |
Click Find. |
Step 4 |
Do one of the following:
|
Step 5 |
Download the self-signed certificate that contains the hostname of the primary server. |
Step 6 |
Copy the certificate to a location in the target server. |
Step 7 |
Run the following command as an administrator at the target server (machine terminal):
|
Step 8 |
Enter the truststore password when prompted. The default truststore password is changeit. |
Step 9 |
Go to Services and restart Apache Tomcat. |
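Both Important notes above (for CCE components and for VOS components) require the certificate CommonName to match the FQDN in the CCE Inventory. This added example (not Cisco code) checks a downloaded certificate file against that FQDN before it is imported into a truststore; the function name, file paths, and host names are constructed for illustration.

```powershell
# Added example, not part of the Cisco procedure.
function Test-ComponentCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,          # downloaded .cer or .pem file
        [Parameter(Mandatory)] [string] $InventoryFqdn  # FQDN as entered in the CCE Inventory
    )
    $fullPath = (Resolve-Path -Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # SimpleName returns the subject CommonName when the certificate has one.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn  = $cert.GetNameInfo($nameType, $false)
    $now = Get-Date

    [pscustomobject]@{
        File       = $Path
        CommonName = $cn
        # DNS names compare case-insensitively.
        CnMatches  = [string]::Equals($cn, $InventoryFqdn, [System.StringComparison]::OrdinalIgnoreCase)
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        InValidity = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

# Constructed sample inventory: downloaded file -> FQDN recorded in the CCE Inventory.
$inventory = @{
    'C:\Temp\certs\finesse-a.pem' = 'finesse-a.example.com'
    'C:\Temp\certs\cuic-pub.pem'  = 'cuic-pub.example.com'
}
$report = foreach ($entry in $inventory.GetEnumerator()) {
    Test-ComponentCertificate -Path $entry.Key -InventoryFqdn $entry.Value
}
$report | Format-Table File, CommonName, CnMatches, SelfSigned, InValidity, NotAfter

# Flag anything that should not go into the truststore yet.
$bad = @($report | Where-Object { -not ($_.CnMatches -and $_.InValidity) })
if ($bad.Count -gt 0) {
    Write-Warning "Do not import: $($bad.File -join ', ')"
}
```

For a self-signed certificate fetched through a browser, compare the reported Thumbprint with the value shown on the source server before importing it.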
Certificates for Live Data
Certificates and Secure Communications
For secure Cisco Finesse, Cisco Unified Intelligence Center, and Live Data server-to-server communication, perform any of the following:
- Use the self-signed certificates provided with Live Data.
  Note: When using self-signed certificates, agents must accept the Live Data certificates in the Finesse desktop when they sign in before they can use the Live Data gadget.
- Obtain and install a Certification Authority (CA) certificate from a third-party vendor.
- Produce a Certification Authority (CA) certificate internally.
Self-Signed Certificates and Third-Party CA Certificates
For secure Cisco Finesse, Cisco Unified Intelligence Center, and Live Data server-to-server communication, you must set up security certificates (applicable to both self-signed and third-party CA certificates):
- For Cisco Finesse and Cisco Unified Intelligence Center servers to communicate with the Live Data server, you must import the Live Data certificates and Cisco Unified Intelligence Center certificates into Cisco Finesse, and the Live Data certificates into Cisco Unified Intelligence Center.
On Server | Import Certificates From |
---|---|
Finesse | Live Data and Cisco Unified Intelligence Center |
Live Data | None |
Cisco Unified Intelligence Center | Live Data |
Export Self-Signed Live Data Certificates
Live Data installation includes the generation of self-signed certificates. If you choose to work with these self-signed certificates (rather than producing your own CA certificate or obtaining a CA certificate from a third-party certificate vendor), you must first export the certificates from Live Data and Cisco Unified Intelligence Center, as described in this procedure. You must export from both Side A and Side B of the Live Data and Cisco Unified Intelligence Center servers. You must then import the certificates into Finesse, importing both Side A and Side B certificates into each side of the Finesse servers.
As is the case when using other self-signed certificates, agents must accept the Live Data certificates in the Finesse desktop when they sign in before they can use the Live Data gadget.
Procedure
Step 1 |
Sign in to Cisco Unified Operating System Administration on Cisco Unified Intelligence Center (https://hostname of Cisco Unified Intelligence Center server/cmplatform). |
Step 2 |
From the Security menu, select Certificate Management. |
Step 3 |
Click Find. |
Step 4 |
Do one of the following:
|
Step 5 |
Click Download .pem file and save the file to your desktop. Be sure to perform these steps for both Side A and Side B. |
Step 6 |
After you have downloaded the certificates from Cisco Unified Intelligence Center, sign in to Cisco Unified Operating System Administration on the Live Data server (http://hostname of LiveData server/cmplatform), and repeat steps 2 to 5. This is applicable only for Standalone LiveData. |
What to do next
You must now import the Live Data and Cisco Unified Intelligence Center certificates into the Finesse servers.
Import Self-Signed Live Data Certificates
To import the certificates into the Finesse servers, use the following procedure.
Procedure
Step 1 |
Sign in to Cisco Unified Operating System Administration on the Finesse server using the following URL: http://FQDN of Finesse server:8443/cmplatform |
Step 2 |
From the Security menu, select Certificate Management. |
Step 3 |
Click Upload Certificate. |
Step 4 |
From the Certificate Name drop-down list, select tomcat-trust. |
Step 5 |
Click Browse and browse to the location of the Cisco Unified Intelligence Center certificate (with the .pem file extension). |
Step 6 |
Select the file, and click Upload File. |
Step 7 |
After you have uploaded the Cisco Unified Intelligence Center certificate, repeat steps 3 to 6 for Live Data certificates. This is applicable only for standalone Live Data. |
Step 8 |
After you upload both the certificates, restart Cisco Finesse Tomcat on the Finesse server. |
What to do next
Be sure to perform these steps for both Side A and Side B.
Obtain and Upload Third-party CA Certificate
You can use a Certification Authority (CA) certificate provided by a third-party vendor to establish an HTTPS connection between the Live Data, Cisco Finesse, Cisco Unified Intelligence Center, and Cloud Connect servers.
To use third-party CA certificates:
- From the Cisco Unified Operating System Administrator of Live Data, Cisco Finesse, Cisco Unified Intelligence Center, and Cloud Connect servers, generate and download a Certificate Signing Request (CSR).
- Obtain root and application certificates from the third-party vendor.
- Upload the appropriate certificates to the Live Data, Unified Intelligence Center, Cisco Finesse, and Cloud Connect servers.
Follow the instructions provided in the Unified CCE Solution: Procedure to Obtain and Upload Third-Party CA certificates (Version 11.x) technical note at https://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-enterprise-1101/200286-Unified-CCE-Solution-Procedure-to-Obtai.html.
Produce Certificate Internally
Set up Microsoft Certificate Server for Windows Server
This procedure assumes that your deployment includes a Windows Server Active Directory server. Perform the following steps to add the Active Directory Certificate Services role on the Windows Server domain controller.
Before you begin
Before you begin, Microsoft .Net Framework must be installed. See Windows Server documentation for instructions.
Procedure
Step 1 |
In Windows, open the Server Manager. |
Step 2 |
In the Quick Start window, click Add Roles and Features. |
Step 3 |
In the Set Installation Type tab, select Role-based or feature-based installation, and then click Next. |
Step 4 |
In the Server Selection tab, select the destination server, and then click Next. |
Step 5 |
In the Server Roles tab, check the Active Directory Certificate Services box, and then click the Add Features button in the pop-up window. |
Step 6 |
In the Features and AD CS tabs, click Next to accept default values. |
Step 7 |
In the Role Services tab, verify that the Certification Authority, Certification Authority Web Enrollment, Certificate Enrollment Web Service, and Certificate Enrollment Policy Web Service boxes are checked, and then click Next. |
Step 8 |
In the Confirmation tab, click Install. |
Step 9 |
After the installation is complete, click the Configure Active Directory Certificate Service on the destination server link. |
Step 10 |
Verify that the credentials are correct (for the domain Administrator user), and then click Next. |
Step 11 |
In the Role Services tab, check the Certification Authority, Certification Authority Web Enrollment, Certificate Enrollment Web Service, and Certificate Enrollment Policy Web Service boxes, and then click Next. |
Step 12 |
In the Setup Type tab, select Enterprise CA, and then click Next. |
Step 13 |
In the CA Type tab, select Root CA, and then click Next. |
Step 14 |
In the Private Key, Cryptography, CA Name, Validity Period, and Certificate Database tabs, click Next to accept default values. |
Step 15 |
In the following tabs, leave the default values, and click Next.
|
Step 16 |
Review the information in the Confirmation tab, and then click Configure. |
Download CA certificate
This procedure assumes that you are using the Windows Certificate Services. Perform the following steps to retrieve the root CA certificate from the certificate authority. After you retrieve the root certificate, each user must install it in the browser used to access Finesse.
Procedure
Step 1 |
On the Windows domain controller, run the CLI command certutil -ca.cert ca_name.cer, in which ca_name is the name of your certificate. |
Step 2 |
Save the file. Note where you saved the file so you can retrieve it later. |
Change Java Truststore Password
Procedure
Step 1 |
Log in to the Windows machine. |
Step 2 |
Run the following command:
|
Step 3 |
Change the truststore password by running the following command:
|