Security Certificates
Note |
To download PEM encoded certificates, refer to the respective browser documentation for instructions. |
Certificates for Live Data
You must set up security certificates for Finesse and Cisco Unified Intelligence Center with HTTPS.
You can:
-
Use the self-signed certificates provided with Finesse and Cisco Unified Intelligence Center.
-
Obtain and install a Certification Authority (CA) certificate from a third-party vendor.
-
Produce a certificate internally.
Note |
As is the case when using other self-signed certificates, agents must accept the Live Data certificates in the Finesse desktop when they sign in before they can use the Live Data gadget. |
Add Self-Signed Certificates for Live Data
Both Finesse and Unified Intelligence Center are installed with self-signed certificates. If you choose to work with these self-signed certificates (rather than producing your own CA certificate or obtaining a CA certificate from a third-party certificate vendor), you must first export the certificates from the Unified Intelligence Center Publisher and Subscriber. You must then import the certificates into Finesse, importing the Publisher certificate to the Finesse Primary node and the Subscriber certificate to the Finesse Secondary node.
As is the case when using other self-signed certificates, agents must accept the Live Data certificates in the Finesse desktop when they sign in before they can use the Live Data gadget.
Procedure
Step 1 |
Sign in to Cisco Unified Operating System Administration on Cisco Unified Intelligence Center (https://<hostname of Cisco Unified Intelligence Center server>/cmplatform). |
Step 2 |
From the Security menu, select Certificate Management. |
Step 3 |
Click Find. |
Step 4 |
Do one of the following:
|
Step 5 |
Download the PEM encoded certificate and save the file to your desktop. |
Step 6 |
Sign in to Cisco Unified Operating System Administration on the primary Finesse server (https://<FQDN of Finesse server>:8443/cmplatform). |
Step 7 |
From the Security menu, select Certificate Management. |
Step 8 |
Click Upload Certificate. |
Step 9 |
From the Certificate Name drop-down list, select tomcat-trust. |
Step 10 |
Click Browse and browse to the location of the certificate (Cisco Unified Intelligence Center publisher and subscriber certificates). |
Step 11 |
Click Upload File. |
Step 12 |
Restart Cisco Finesse Tomcat on the Finesse server. |
Obtain and Upload CA Certificate for Live Data from a Third Party Vendor
You can use a Certification Authority (CA) certificate provided by a third-party vendor to establish an HTTPS connection between the Finesse and Cisco Unified Intelligence Center servers.
Follow the instructions in the TechNote Procedure to Obtain and Upload CA Certificate from a Third-party Vendor, available at https://www.cisco.com/c/en/us/support/docs/customer-collaboration/unified-contact-center-enterprise-1101/200286-Unified-CCE-Solution-Procedure-to-Obtai.html.
Set Up CA in Windows
Set up Microsoft Certificate Server for Windows 2008 R2
This procedure assumes that your deployment includes a Windows Server 2008 R2 (Standard) Active Directory server. Perform the following steps to add the Active Directory Certificate Services role on the Windows 2008 R2 (Standard) domain controller.
Procedure
Step 1 |
Click Start, right-click Computer, and select Manage. |
Step 2 |
In the left pane, click Roles. |
Step 3 |
In the right pane, click Add Roles. The Add Roles Wizard opens. |
Step 4 |
On the Select Server Roles screen, check the Active Directory Certificate Services check box, and then click Next. |
Step 5 |
On the Introduction to Active Directory Certificate Services screen, click Next. |
Step 6 |
On the Select Role Services screen, check the Certification Authority check box, and then click Next. |
Step 7 |
On the Specify Setup Type screen, select Enterprise, and then click Next. |
Step 8 |
On the Specify CA Type screen, select Root CA, and then click Next. |
Step 9 |
Click Next on the Set Up Private Key, Configure Cryptography for CA, Configure CA Name, Set Validity Period, and Configure Certificate Database screens to accept the default values. |
Step 10 |
On the Confirm Installations Selections screen, verify the information, and then click Install. |
Set up Microsoft Certificate Server for Windows Server
This procedure assumes that your deployment includes a Windows Server Active Directory server. Perform the following steps to add the Active Directory Certificate Services role on the Windows Server domain controller.
Before you begin
Before you begin, Microsoft .Net Framework must be installed. See Windows Server documentation for instructions.
Procedure
Step 1 |
In Windows, open the Server Manager. |
Step 2 |
In the Quick Start window, click Add Roles and Features. |
Step 3 |
In the Set Installation Type tab, select Role-based or feature-based installation, and then click Next. |
Step 4 |
In the Server Selection tab, select the destination server, and then click Next. |
Step 5 |
In the Server Roles tab, check the Active Directory Certificate Services box, and then click the Add Features button in the pop-up window. |
Step 6 |
In the Features and AD CS tabs, click Next to accept default values. |
Step 7 |
In the Role Services tab, verify that the Certification Authority box is checked, and then click Next. |
Step 8 |
In the Confirmation tab, click Install. |
Step 9 |
After the installation is complete, click the Configure Active Directory Certificate Service on the destination server link. |
Step 10 |
Verify that the credentials are correct (for the domain Administrator user), and then click Next. |
Step 11 |
In the Role Services tab, check the Certification Authority box, and then click Next. |
Step 12 |
In the Setup Type tab, select Enterprise CA, and then click Next. |
Step 13 |
In the CA Type tab, select Root CA, and then click Next. |
Step 14 |
In the Private Key, Cryptography, CA Name, Validity Period, and Certificate Database tabs, click Next to accept default values. |
Step 15 |
Review the information in the Confirmation tab, and then click Configure. |
Generate and Import CA Signed Certificate in AW Machine
Procedure
Step 1 |
Log in to the AW-HDS-DDS Server. |
Step 2 |
Execute the following command:
|
Step 3 |
Remove the existing certificate by executing:
|
Step 4 |
Enter the keystore password when prompted. The default keystore password is changeit.
|
Step 5 |
Generate a new key pair for the alias with the selected key size by running keytool.exe -genkeypair -alias <certificate_name> -v -keysize 1024 -keyalg RSA -keystore ..\lib\security\cacerts.
|
Step 6 |
Enter the keystore password when prompted. |
Step 7 |
Generate the CSR certificate for the alias by running keytool.exe -alias <certificate_name> -certreq -keystore ..\lib\security\cacerts -file c:\cert\<certificate_name>.csr and save it to a file (for example, tomcatCert.csr). |
Step 8 |
Enter the keystore password when prompted. |
Step 9 |
Copy the root CA certificate and the CA-signed certificate to %JAVA_HOME%\bin. |
Step 10 |
Install the root CA certificate by running keytool.exe -keystore ..\lib\security\cacerts -import -v -trustcacerts -alias root -file %Path_Of_Root_Cert%\<filename_of_root_cert>. |
Step 11 |
Enter the keystore password when prompted. |
Step 12 |
Install the signed certificate by running keytool.exe -keystore ..\lib\security\cacerts -import -v -trustcacerts -alias <certificate_name> -file %Path_Of_Root_Cert%\<filename_of_CA_signed_cert>. |
Step 13 |
Go to Services and restart Tomcat. |
Generate and Import Self-signed Certificate in AW Machine
Procedure
Step 1 |
Log in to the AW-HDS-DDS Server. |
Step 2 |
Execute the following command:
|
Step 3 |
Remove the existing certificate by executing:
|
Step 4 |
Enter the keystore password when prompted. The default keystore password is changeit.
|
Step 5 |
Generate a new key pair for the alias with the selected key size by running: keytool.exe -genkeypair -alias <certificate_name> -v -keysize 1024 -keyalg RSA -keystore ..\lib\security\cacerts.
|
Step 6 |
Go to Services and restart Tomcat. |
Generate Self-Signed Certificate in ECE Web Server
Procedure
Step 1 |
Log in to the ECE Web Server. |
Step 2 |
Open the Internet Information Services (IIS) Manager. |
Step 3 |
In the left pane, under Connections, choose the configured <hostname>. The <hostname> Home page appears. |
Step 4 |
From the IIS area, click Server Certificates. |
Step 5 |
In the right pane, under Actions, click Create Self-Signed Certificate. The Create Self-Signed Certificate window appears. |
Step 6 |
In the Specify a friendly name for the certificate field, enter a name for the certificate. |
Step 7 |
From the Select a certificate store for the new certificate drop-down list, choose Web Hosting. |
Step 8 |
Click OK. The certificate is generated and appears in the Home page. |
Step 9 |
In the left pane, under Connections, navigate to . The Default Web Site Home page appears. |
Step 10 |
In the right pane, under Actions, click Bindings. |
Step 11 |
Click Add. The Add Site Binding window appears. |
Step 12 |
From the Type drop-down list, choose https. |
Step 13 |
From the SSL certificate drop-down list, choose the <hostname>. |
Step 14 |
Click OK. |
Step 15 |
In the right pane, under Manage Website, click Restart. |
Change Java Truststore Password
Procedure
Step 1 |
Log in to the Windows machine. |
Step 2 |
Run the following command:
|
Step 3 |
Change the truststore password by running the following command:
|
Procedure
Step 1 |
Download Packaged CCE webadmin self-signed certificate to %CVP_HOME%\conf\security\. |
Step 2 |
Import the certificate to the CVP Call Server keystore - %CVP_HOME%\jre\bin\keytool.exe -import -trustcacerts -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS -alias AW_cert -file %CVP_HOME%\conf\security\<AW certificate>. |
Import WSM CA Certificate into CVP
Procedure
Step 1 |
Log in to the Call Server or Reporting Server and retrieve the keystore password from the
|
Step 2 |
Remove the existing certificate by running %CVP_HOME%\jre\bin\keytool.exe -delete -alias wsm_certificate -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS. |
Step 3 |
Enter the keystore password when prompted. |
Step 4 |
Generate a new key pair for the alias with selected key size by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -genkeypair -alias wsm_certificate -v -validity <duration in days> -keysize 2048 -keyalg RSA.
|
Step 5 |
Generate the CSR certificate for the alias by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -certreq -alias wsm_certificate -file %CVP_HOME%\conf\security\wsm.csr and save it to a file (for example, |
Step 6 |
Enter the keystore password when prompted. |
Step 7 |
Download |
Step 8 |
Copy the root CA certificate and the CA-signed certificate to %CVP_HOME%\conf\security\ |
Step 9 |
Install the root CA certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -validity <duration in days> -trustcacerts -alias root -file %CVP_HOME%\conf\security\<filename_of_root_cert>. |
Step 10 |
Enter the keystore password when prompted. |
Step 11 |
Install the signed certificate by running %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -validity <duration in days> -trustcacerts -alias wsm_certificate -file %CVP_HOME%\conf\security\<filename_of_CA_signed_cert>. |
Step 12 |
Enter the keystore password when prompted. |
Step 13 |
Restart the Cisco CVP WebServicesManager service. |
Import CA Certificate into AW Machines
Note |
Before you attempt to manage the system through Unified CCE Administration, the Administration & Data Server (AW) must exchange SSL certificates with the Customer Voice Portal (CVP), Finesse, Cisco Enterprise Chat and Email (ECE), Cisco Unified Intelligence Center (CUIC), Cisco Unified Communication Manager (CUCM), Cisco Identity Service (IdS), and Virtual Voice Browser (VVB) to establish trusted communication. |
Procedure
Step 1 |
Log in to the AW-HDS-DDS Server. |
Step 2 |
Execute the following command:
|
Step 3 |
Copy the Root or intermediate certificates to a location in AW Machine. |
Step 4 |
Remove the existing certificate by executing:
|
Step 5 |
Enter the truststore password when prompted. The default truststore password is changeit.
|
Step 6 |
At the AW machine terminal, run the following command:
|
Step 7 |
Enter the truststore password when prompted. |
Step 8 |
Go to Services and restart Apache Tomcat. |
Add Solution Components Self-Signed Certificate to AW Machine
Add Finesse Certificate to AW Machine
If you do not have a CA certificate, you must import a self-signed certificate from the Finesse server to an AW machine. This enables the AW machine to communicate with Finesse over a secure channel.
Note |
|
Procedure
Step 1 |
Sign in to the Cisco Unified Operating System Administration on the primary server (https://<FQDN of Finesse server>:8443/cmplatform). |
Step 2 |
From the Security menu, select Certificate Management. |
Step 3 |
Click Find. |
Step 4 |
Do one of the following:
|
Step 5 |
Download the PEM encoded certificate and save the file to your desktop. |
Step 6 |
Copy the certificate to a location in AW Machine. |
Step 7 |
Run the following command at the AW machine terminal:
|
Step 8 |
Go to Services and restart Tomcat. |
Add IdS Certificate to AW Machine
If you do not have a CA certificate, you must import a self-signed certificate from the Cisco Identity Service (IdS) to an AW machine. This enables the AW machine to communicate with IdS over a secure channel.
Note |
|
Procedure
Step 1 |
Sign in to the Cisco Unified Operating System Administration on the primary server (https://<FQDN of IdS server>:8443/cmplatform). |
Step 2 |
From the Security menu, select Certificate Management. |
Step 3 |
Click Find. |
Step 4 |
Do one of the following:
|
Step 5 |
Download the PEM encoded self-signed certificate and save the file to your desktop. |
Step 6 |
Copy the certificate to a location in AW Machine. |
Step 7 |
Run the following command at the AW machine terminal:
|
Step 8 |
Go to Services and restart Tomcat. |
Add ECE Web Server Certificate to AW Machine
If you do not have a CA certificate, you must import a self-signed certificate from the ECE web server to the AW machine. This enables you to launch the ECE gadget in Unified CCE Administration.
Procedure
Step 1 |
From the ECE Web Server (https://<ECE Web Server>), download the PEM encoded certificate, and save the file to your desktop. |
Step 2 |
Copy the certificate to a location in AW Machine. |
Step 3 |
Run the following command at the AW machine terminal:
|
Step 4 |
Enter the truststore password when prompted. The default truststore password is changeit.
|
Step 5 |
Go to Services and restart Tomcat. |
Import WSM Certificate into AW Machines
Note |
This procedure is applicable if you do not have the CA certificate. |
When you install CVP Call Server or Reporting Server, you must import the Web Service Manager (WSM) self-signed certificate into all AW machines. This eliminates browser warnings and establishes an HTTPS connection between the CVP Call Server or Reporting Server and the AW machine. Use Keytool to generate a self-signed certificate.
Important |
The certificate CommonName (CN) must match the Fully Qualified Domain Name (FQDN) provided for the CVP Call Server or Reporting Server in the Packaged CCE Inventory. |
Procedure
Step 1 |
Log in to the CVP Call Server or Reporting Server. |
Step 2 |
On the command prompt, navigate to the directory where .keystore is located.
|
Step 3 |
Delete the wsm certificate from the CVP keystore using the following command:
|
Step 4 |
Enter the CVP keystore password. The CVP keystore password is available at %CVP_HOME%\conf\security.properties. Or,
|
Step 5 |
Run the following command to generate the self-signed certificate:
|
Step 6 |
Enter the key password for |
Step 7 |
Restart the CVP Call Server or Reporting Server. |
Step 8 |
Download the self-signed certificate from the browser (https://<FQDN of the CVP Server>:8111/cvp-dp/rest/DiagnosticPortal/GetProductVersion). |
Step 9 |
Copy the certificate to a location in AW Machine. |
Step 10 |
At the AW machine terminal, run the following command:
|
Step 11 |
Enter the truststore password when prompted. The default truststore password is changeit.
|
Step 12 |
Go to Services and restart Apache Tomcat. |
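Added example (not part of the Cisco procedure): a post-import check over the text that keytool.exe -list -v prints for a keystore, covering the RSA key size chosen with -keysize in the AW key-pair steps and the CommonName-to-FQDN rule stated above for WSM certificates. The sample output, aliases, host names and the 2048-bit floor are assumptions, as is a JDK recent enough to print the "Subject Public Key Algorithm" line.

```python
import re

# Constructed sample of `keytool -list -v` output; hosts and aliases are made up.
SAMPLE = """\
Keystore type: JKS

Alias name: wsm_certificate
Owner: CN=cvp1.example.com, OU=CC, O=Example, C=US
Issuer: CN=cvp1.example.com, OU=CC, O=Example, C=US
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: aw_tomcat
Owner: CN=aw1, OU=CC, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Subject Public Key Algorithm: 1024-bit RSA key
"""

MIN_RSA_BITS = 2048  # assumption: NIST SP 800-131A floor, not a value from the page

def parse_entries(text):
    """Return one dict of 'field: value' pairs per 'Alias name' block."""
    entries = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue
        if key == "Alias name":
            entries.append({})
        if entries:  # skip the keystore header that precedes the first alias
            entries[-1].setdefault(key, value)  # first hit = leaf cert of a chain
    return entries

def common_name(dn):
    """Extract the CN attribute from a distinguished name, or None."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else None

def audit(entries, expected_fqdn):
    """Return {alias: [findings]}; expected_fqdn maps alias -> inventory FQDN."""
    report = {}
    for e in entries:
        findings = []
        m = re.match(r"(\d+)-bit RSA key", e.get("Subject Public Key Algorithm", ""))
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(f"RSA key is only {m.group(1)} bits")
        cn = common_name(e.get("Owner", ""))
        fqdn = expected_fqdn.get(e["Alias name"])
        if fqdn and (cn or "").lower() != fqdn.lower():
            findings.append(f"CN {cn} does not match {fqdn}")
        if e.get("Owner") and e.get("Owner") == e.get("Issuer"):
            findings.append("self-signed")
        if findings:
            report[e["Alias name"]] = findings
    return report
```

Feed it the saved output of the listing command for each keystore together with a map of alias to the FQDN recorded in the inventory; an empty result means no entry tripped a check.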
Import VVB Self-Signed Certificate into AW Machines
Import the self-signed certificate from the Virtualized Voice Browser (VVB) into all AW machines. This enables the AW machine to communicate with the component over a secure channel.
Note |
|
Procedure
Step 1 |
Sign in to the Cisco Unified Operating System Administration on the VVB server using the URL (https://<FQDN of VVB server>:8443/cmplatform). |
Step 2 |
From the Security menu, select Certificate Management. |
Step 3 |
Click Find. |
Step 4 |
Do one of the following:
|
Step 5 |
Download the PEM encoded certificate and save the file to your desktop. |
Step 6 |
Copy the certificate to a location in AW Machine. |
Step 7 |
Run the following command as an administrator at the AW machine terminal:
|
Step 8 |
Enter the keystore password when prompted. The default keystore password is changeit.
|
Step 9 |
Go to Services and restart Apache Tomcat. |