Certificate Management for Secured Connections

Certificates

Certificates are used to ensure that browser communication is secure by authenticating clients and servers on the Web. Users can purchase certificates from a certificate authority (CA-signed certificates - recommended) or they can use self-signed certificates.

Self-Signed Certificates

Self-signed certificates (as the name implies) are signed by the same entity whose identity they certify, as opposed to being signed by a certificate authority. Self-signed certificates are not considered to be as secure as CA certificates, but they are used by default in many applications.

CCE Certificate Management Utilities

Cisco provides the following certificate management utilities:

Cisco SSL Encryption Utility: A certificate management utility used for web applications.

CiscoCertUtil: A certificate management utility used for creating and installing self-signed certificates and CA signed certificates.


Note

The Unified CCE Certificate Monitoring service monitors the self-signed and CA signed certificates and keys that are used for certificate management. The service alerts the system administrator about the validity and expiry of these certificates. For more information, see the Serviceability Guide for Cisco Unified ICM/Contact Center Enterprise at http://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-installation-and-configuration-guides-list.html

SSL Encryption Utility


Note

Although this utility currently has its original name, the SSL Encryption Utility now configures web servers for use with TLS.

Unified CCE web servers are configured for secure access (HTTPS). Cisco provides SSL Encryption Utility (SSLUtil.exe) to help you configure web servers for use with TLS.


Note

The SSL Encryption Utility is only supported on servers running Windows Server 2016.

Operating system facilities such as IIS can also accomplish the operations performed by the SSL encryption utility; however the Cisco utility simplifies the process.

SSLUtil.exe is located in the <ICMInstallDrive>\icm\bin folder. You can invoke the SSL Encryption Utility in standalone mode or automatically as part of setup.

The SSL Encryption Utility generates log messages pertaining to the operations that it performs. When it runs as part of setup, log messages are written to the setup log file. When the utility is in standalone mode, the log messages appear in the SSL Utility Window and the <SystemDrive>\temp\SSLUtil.log file.

The SSL Encryption Utility performs the following major functions:

  • SSL Configuration

  • SSL Certificate Administration

TLS is available for Unified CCE web applications installed on Windows Server 2016. You can configure Internet Script Editor for TLS.

TLS Installation During Setup

By default, setup enables TLS for the Unified CCE Internet Script Editor application.


Note
You must restart the SSL Configuration Utility if you use IIS manager to modify TLS settings while the utility is open.

The SSL Configuration Utility also facilitates creation of self-signed certificates and installation of the created certificate in IIS. You can also remove a certificate from IIS using this tool. When invoked as part of setup, the SSL Configuration Utility sets TLS port in IIS to 443 if it is found to be blank.

To use TLS for Internet Script Editor, accept the default settings during installation and the supported servers use TLS.

During setup, the utility generates a self-signed certificate, imports it into the Local Machine Store, and installs it on the web server. Virtual directories are enabled and configured for TLS with 256-bit encryption.


Note

During setup, if a certificate exists or the web server has an existing server certificate installed, a log entry is added and no changes take effect. Use the utility in standalone mode or use the IIS Services Manager to make certificate management changes.

Encryption Utility in Standalone Mode

In standalone mode, the SSL Configuration Utility displays the list of Unified ICM instances installed on the local machine. When you select an instance, the utility displays the installed web applications and their SSL settings. You can then alter the SSL settings for the web application.

The SSL Configuration Utility also facilitates the creation of self-signed certificates and the installation of the created certificate in IIS. You can also remove a certificate from IIS using this tool. When invoked as part of setup, the SSL Configuration Utility sets TLS port in IIS to 443 if it is found to be blank.

CiscoCertUtil Utility

The CiscoCertUtil utility helps you manage certificates on any CCE machine to secure PII that the system handles across components.

The TLS enabled components use this utility to set up certificates, and the CCE setup uses this utility to generate and install certificates.

The CiscoCertUtil utility:

  • Generates self-signed certificates.

  • Generates certificate signing requests (CSR).

  • Installs remote certificates to the local machine certificate store under the Personal folder.

  • Deletes certificates from the local machine certificate store under the Personal folder.

  • Generates self-signed certificates in the PEM format, which is an X509 extension.

  • Generates the corresponding key with the filename host.key.

  • Does not validate any certificate.

  • Does not create any log file pertaining to the operations that it performs. If there are errors, the error log appears on the console.

  • Is supported on servers running Windows Server.


    Note

    Use the CiscoCertUtil utility to install or delete self-signed certificates only.

Using the CiscoCertUtil Utility

Use the CiscoCertUtil [/generateCert]|[/generateCSR]|[/generateCert /f]|[/remove <cert_name>]|[/install <cert_file>]| [/list]|[/help]| commands.

Where:

  1. /list displays a list of certificates that are present in the local machine store under the trusted root.

  2. /generateCert generates a self-signed certificate with the filename host.pem and a key with the filename host.key. The self-signed certificate is copied to C:\icm\ssl\certs and the key is copied to C:\icm\ssl\keys. If the key exists, the same key is used to generate the self-signed certificate host.pem. An RSA key length of 2048 bits is used.

    The /generateCert command does not overwrite host.key and host.pem. To overwrite the existing self-signed certificate, use the /generateCert /f command. This command overwrites host.key and host.pem if already available in the system.


    Note

    During CCE installation, a self-signed certificate is already generated. You need to use the /generateCert command only if you have to generate a new certificate. For example, you may need to generate a certificate in situations when the key of the certificate is compromised or the self-signed certificate has expired.

  3. /generateCSR generates a CSR with the filename host.csr and a key with the filename host.key, which is a private key. The host.csr is then sent to Certification Authority to obtain the digital identity certificate. If the key exists, the same key is used to generate host.csr.

  4. /remove <certificate_name> removes the certificate <cert_name> from the local machine certificate store under the Personal folder. If the command fails to execute, an error message appears. To display the list of certificates that are present, use the /list command.

  5. /install <cert_file_path> installs the certificate that is mentioned under <cert_file_path> into the local machine certificate store under the Personal folder. If the command fails to execute, an error message appears.

    An example of this command:
    CiscoCertUtil /install c:\icm\ssl\certs\host.pem.

  6. /help displays the usage of the commands.


    Note
    If the remove command fails, use the list command to verify whether the certificate you attempted to remove is present in the local machine certificate store.

Secured PII in Transit

The contact center enterprise solution handles customer sensitive Personally Identifiable Information (PII) that include credit card information, PIN, and other sensitive details. Such sensitive information is sent across the system in ECC variables and can be exploited.

The transport channels such as GED 188, GED 125, GED 145, and MR carry PII and are susceptible to exploitation. It is therefore necessary to secure the transport channels that carry PII and protect them from any threats.

Securing PII is also necessary to adhere to the regulatory security compliance. The CCE solution uses the TLS protocol to enable security of the transport channels that carry PII.


Note

The communication channels between the Central Controller and PG are not secure. For end-to-end solution security, use the IPSec Network Isolation Zone.

Figure 1. Secured Connection Example

The following table lists the use cases for secured connections, the corresponding server to client matrix, and the protocol used.

Use Case

Server

Supported Client

Protocol

Secured self-service communications: To secure self-service communications, enable secured connection in CVP and VRU PG.

CVP

VRU PG

GED 125

Secured outbound calls: To secure outbound calls, enable secured connection in the CTI server, Dialer, and Media Routing PG.

CTI Server

Dialer

GED 188

Dialer

MR PG

Media Routing Protocol

Secured agent desktop communications: To secure the communications with Cisco Finesse Server and CTI OS, enable mixed-mode connection in the CTI server. Next, enable secured connection in the Cisco Finesse Server or in CTI OS, as applicable.

CTI Server

Cisco Finesse

GED 188

CTI OS

Secured third-party integration: To secure third-party integration with CCE, enable secured connection in the application gateway servers and clients.

Application Gateway Servers

Application Gateway Clients

GED 145

Secured multi-channel communications:To secure multi-channel communications, enable secured connection between:

  • ECE (Services Server) and MR PG (Client)

  • CTI server and ECE (Client)

ECE

MR PG

Media Routing Protocol

Customer Collaboration Platform

CTI Server

ECE

GED 188

To establish secured connection between a server and a client, you need to create mutual authentication by using one of the following security certificates:

  • Self-signed Certificate

  • Third-party CA Signed Certificate

For example, if you wish to establish secured connection between the CTI Server and Dialer, by exchanging self-signed certificates, you need to perform the following steps:

  1. Copy and install the self-signed certificate available on the CTI Server into the Dialer. If a valid certificate is not already available, you may need to generate a new certificate. For more information, see Managing Self-Signed Certificates.

  2. Similarly, copy and install the self-signed certificate that is available on the Dialer into the CTI Server.


    Note

    If the client and the server are on the same machine, then the security certificate that is available on the machine needs to be placed on the trusted store once, by either the server or the client. The second attempt to place the certificate on the trusted store will fail. For more information, see CiscoCertUtil Utility.

  3. Next, you need to check the Enable Secured Connection check box at the respective interfaces. In this case, you need to check the Enable Secured Connection check box in the CTI Server Component Properties screen and in the Outbound Option Dialer Properties screen.

    For more information, see the following guides:


    Note

    Ensure to exchange certificates and establish secured connection separately on both Side A and Side B of the solution.

    Note

    If you perform a new task with the certificates, such as you add, delete, or renew a certificate, ensure to restart the service to establish a new connection.

Similarly, you can establish secured connection between the other servers and clients that are specified in the table Server-Client Matrix for Secured Connections.

For information on secured connections between the other components, see the following guides:

Locations for Certificates and Keys

Store the certificates, intermediate and trusted certificates, and keys at the following directories in the respective machines:

Certificates and Keys

Directory

Certificates

C:\icm\ssl\certs

Intermediate and Trusted Certificates

C:\icm\ssl\trust-certs

The trusted certificates may be stored in this location and installed from here to the Microsoft Windows store.

Keys

C:\icm\ssl\keys

The steps to generate and install certificates are provided in this section.

Managing Self-Signed Certificates

Use the following procedure to generate and copy the self-signed certificates into the designated folders on the machine that are defined as server within the purview of Interface-Server-Client relationship.

See the CiscoCertUtil Utility command descriptions for the /generateCert /generateCert /f, and generateCSR commands.

Managing Certificates for Systems Running on Windows Operating System

Refer the following steps for managing certificates for systems running on Windows operating system.

Installing the Server Certificate on the Client Machine
Procedure
Step 1

On the server machine, generate a certificate by using the command: <Install_Dir>:\icm\bin>CiscoCertUtil /generateCert. This command generates a certificate in the PEM format and copies it in this path C:\icm\ssl\certs.

If a valid self-signed certificate is already available, skip to step 2. For more information, see the /generateCert section in CiscoCertUtil Utility.

Step 2

Navigate to the path c:\icm\ssl\certs.

Step 3

Copy host.pem to a temporary location on the client machine.
Step 4

On the client machine, install this certificate file on the trusted certificate store, by using the command:CiscoCertUtil /install c:\icm\ssl\certs\host.pem. If the certificate file already exists in the trusted certificate store of the client machine, remove this existing certificate file before installing a new one.

Step 5

To confirm that you installed the certificate file successfully, run the CiscoCertUtil /list command. Then, check if the server host name is listed under LOCAL_MACHINE/ROOT.
Installing the Client Certificate on the Server
Procedure
Step 1

On the client system, generate a certificate by using the command: <Install_Dir>:\icm\bin>CiscoCertUtil /generateCert. This command generates a certificate in the PEM format and copies it in this path C:\icm\ssl\certs.

If a valid self-signed certificate is already available, skip to step 2. For more information, see the /generateCert section in CiscoCertUtil Utility.

Step 2

Navigate to c:\icm\ssl\certs.

Step 3

Copy host.pem to a temporary location on the server.
Step 4

On the server, install this certificate file on the trusted certificate store, by using the command:CiscoCertUtil /install c:\icm\ssl\certs\host.pem. If the certificate file already exists in the trusted certificate store of the server, remove this existing certificate file before installing a new one.

Step 5

To confirm that you have installed the certificate file successfully, run the CiscoCertUtil /list command. Then, check if the client host name is listed under LOCAL_MACHINE/ROOT.
What to do next

Restart the corresponding services after installing the certificates.

Managing Certificates for Finesse

Refer the following steps for security certificate management for Finesse server.

Exporting a Certificate from Finesse Server

Use this procedure to export security certificates, from Finesse server.

Procedure
Step 1

Sign in to Cisco Unified Operating System Administration on Finesse server.

Use the FQDN path of the Finesse server (http://FQDN of Finesse server:8443/cmplatform) to sign in.

Step 2

Select Security > Certificate Management.

Step 3

Click Find.

Step 4

Perform one of the following steps based on whether the Tomcat certificate is listed or not:

  • If the Tomcat certificate is not listed:

    • Click Generate New.

    • Reboot the VOS server when the certificate generation is complete.

    • Restart this procedure.

  • If the Tomcat certificate is listed:

    • Click the certificate to select it. Click Download .pem file and save the file to your desktop.

    • Ensure that the certificate you select includes the hostname for the server.
What to do next

Perform these steps for all the Finesse server nodes.

Importing a Certificate to Finesse Server

Use this procedure to import security certificates, to Finesse server.

Procedure
Step 1

Sign in to Cisco Unified Operating System Administration on Finesse server.

Use the FQDN path of the Finesse server (http://FQDN of Finesse server:8443/cmplatform) to sign in.

Step 2

Select Security > Certificate Management.

Step 3

Click Upload Certificate.
Step 4

Select Certificate Name > tomcat-trust.

Step 5

Click Browse.

Browse to the location of the CTI Server certificate with the .pem file extension.

Step 6

Select the file and click Upload File.

What to do next

Repeat steps 3 to 6 for the remaining unloaded certificate.

After you upload all the certificates, restart the Finesse Tomcat application.

Certificate Management for Customer Collaboration Platform

Control Customer Collaboration Platform Application Access

By default, access to Customer Collaboration Platform administration user interface is restricted. Administrator can provide access by allowing clients IP addresses and revoke by removing the client's IP from the allowed list. For any modification to allowed list to take effect, Cisco Tomcat must be restarted.


Note
IP address range and subnet masks are not supported.

utils whitelist admin_ui list

This command displays all the allowed IP addresses. This list is used to authorize the source of the incoming requests.

Syntax

utils whitelist admin_ui list

Example
admin: utils whitelist admin_ui list

Admin UI whitelist is:
10.232.20.31
10.232.20.32
10.232.20.33
10.232.20.34

utils whitelist admin_ui add

This command adds the provided IP address to the allowed list of addresses.

Syntax

utils whitelist admin_ui add

Example
admin:utils whitelist admin_ui add 10.232.20.33

Successfully added IP: 10.232.20.33 to the whitelist

Restart Cisco Tomcat for the changes to take effect

utils whitelist admin_ui delete

This command deletes the provided IP address from the allowed list.

Syntax

utils whitelist admin_ui delete

Example
admin:utils whitelist admin_ui delete 10.232.20.34

Successfully deleted IP: 10.232.20.34 from the whitelist

Restart Cisco Tomcat for the changes to take effect

Obtaining a CA-Signed Certificate

Each time you sign-in, the browser validates the certificate presented by the server. If the certificate is not signed by a trusted root Certificate Authority (CA), the browser will typically not allow the connection until the user explicitly allows it. In order to avoid this, you must obtain a root certificate signed by a CA and install it onto Customer Collaboration Platform.

Use the Certificate Management utility from Unified OS Administration to do this.

Open Unified OS Administration from the Administration tab > Platform Administration.

To Obtain the Certificates

  1. Select Security > Certificate Management > Generate CSR.

  2. After the successful generation, click Download CSR.

  3. Use the CSR to obtain the signed application certificate and the CA root certificate from the CA.

To Upload the Certificates

  1. When you receive the certificates, open Unified OS Administration from the Administration tab > Platform Administration.

  2. Select Security > Certificate Management > Upload Certificate.

  3. Select the certificate name from the Certificate Name list.

  4. Upload the root certificate.

    1. In the Upload dialog box, select tomcat trust from the drop-down.

    2. Browse to the file and click Open.

    3. Click Upload File.

  5. Upload the application certificate.

    1. In the Upload dialog box, select tomcat from the drop-down.

    2. Enter the name of the CA root in the Root Certificate text box.

    3. Browse to the file and click Open.

    4. Click Upload File.

For more information about CA-signed certificates, see the Security topics in the Unified OS Administration online help.

After You Upload the Certificates

  1. Sign out of Customer Collaboration Platform.

  2. Restart the XMPP Service. (SSH to Customer Collaboration Platform and enter the command admin:utils service restart Customer Collaboration Platform XMPP Server) in the command line interface.

  3. Restart Tomcat. (SSH to Customer Collaboration Platform and enter the command admin:utils service restart Cisco Tomcat) in the command line interface.

  4. Sign in to Customer Collaboration Platform.

Obtaining a Self-Signed Certificate

Browsers handle self-signed certificates in different ways. The sections below describe how to handle self-signed certificates on the browsers supported for Customer Collaboration Platform.

Internet Explorer and Self-Signed Certificates

When using an IE browser on a Windows machine, make sure your DNS server is properly configured and you can resolve the fully qualified Customer Collaboration Platform hostname to the Customer Collaboration Platform address. Use a signed certificate from a trusted certificate authority (like Verisign).

If you use a self-signed certificate (which is what is installed with Customer Collaboration Platform), follow these steps to avoid getting certificate warnings each time you sign in.

  • In your Start menu, right click on IE and select "Run as Administrator".

  • Enter the URL for your Customer Collaboration Platform server in the address bar.

  • When prompted by the security warning, click on Continue to this website (not recommended).

  • Your address bar turns red and you see a certificate error next to the address bar. Select the certificate error.

  • Select View certificates at the bottom of the popup. This opens a certificate dialog.

  • On the General tab, select Install Certificate....

  • The certificate export wizard launches. Click Next.

  • When prompted for where to store the certificates, select Place all certificates in the following store, then click Browse and select Trusted Root Certification Authorities.

  • Click Ok, then click Next and Finish to complete the certificate import wizard.

  • Click Yes when prompted about importing the certificate.

  • Close and restart your browser to access Customer Collaboration Platform.

Firefox and Self-Signed Certificates

Due to changes in the Firefox security model, there are additional self-signed certificates that must be accepted to use the Customer Collaboration Platform web application on Firefox.

When accessing a Customer Collaboration Platform server using a newly installed Firefox browser (any version), Firefox attempts to connect to the main port that Customer Collaboration Platform uses first (port 443). If it cannot connect, it prompts the user to accept the self-signed certificate.


Note

If pop ups are blocked, you are given instructions on how to manually launch the certificate page. Also, if the certificate window is closed before the certificate is accepted, the page will automatically re-launch.

  • If prompted, click I Understand the Risks, then click Add Exception.

  • Click Confirm Security Exception.

Next, Firefox attempts to connect to port 7443 (the secure XMPP port). With Firefox, a second self-signed certificate must now be accepted to use this port. Customer Collaboration Platform displays a "Checking Connectivity..." screen during this process

If the"Checking Connectivity..." screen persists after a few seconds, click Continue to proceed to the Firefox certificate acceptance screen (as above).

Click I Understand the Risks, then Add Exception, and Confirm Security Exception again.

Users need only go through this process the first time they use a new Firefox browser and self-signed certificates. After the certificates are in place, users may not see the "Checking Connectivity..." screen (or it will appear briefly and proceed to the Customer Collaboration Platform sign on screen).

Google Chrome and Self-Signed Certificates

When accessing a Customer Collaboration Platform server using Google Chrome Browser, it attempts to establish a Private secure connection using port 7443.

  • After keying in the Server IP address in Chrome, the browser displays a connection warning stating "Your Connection is not private." To proceed with a secure connection, click Advanced.

  • Click Proceed to <Server IP Address>. Next, Chrome attempts to connect to port 7443 (the secure XMPP port).

  • The browser displays "Checking connectivity." Click Continue to proceed. This opens another Chrome tab, where you are prompted with another connection warning.
  • Click Advanced.
  • Upon clicking "Proceed to <Server IP Address>", the Customer Collaboration Platform log on page is displayed.

Note

Users need to go through this process only the first time they use a new Chrome browser and self-signed certificates.

Transport Layer Security (TLS) Requirement

Contact center enterprise solutions use Transport Layer Security (TLS). Refer to your browser's documentation for details on how to configure support for TLS. See the Contact Center Enterprise Compatibility Matrix at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-device-support-tables-list.html for the supported TLS versions.


Note

For backward compatibility with the earlier versions of clients, you can downgrade the Unified CCE Windows systems to earlier versions of TLS by following Microsoft procedures.

If you apply security hardening without configuring support for TLS, your browser cannot connect to the web server. An error message indicates that the page is either unavailable or that the website is experiencing technical difficulties.