This document provides installation instructions for Unified CCE 12.6(2) ES90. It also contains a list of Unified CCE issues resolved by this engineering special. Review all installation information before installing the product. Failure to install this engineering special as described can result in inconsistent Unified CCE behaviour.
This document contains these sections:
In the Product Alert Tool, you can set up profiles to receive email notification of new Field Notices, Product Alerts, or End of Sale information for your selected products.
The Product Alert Tool is available at https://www.cisco.com/cisco/support/notifications.html.
The Unified CCE 12.6(2) ES90 patch contains the defect fixes from all previous ESs along with a security feature enhancement delivered as part of CSCwp80812 on ES80.
With this enhancement, the connection between CCE Router Side A and CCE Logger Side A, and the connections between each CCE Logger and its peer, are secured by adding TLS to the existing TCP connection. The same is done for the TCP connections between CCE Logger and CCE HDS and between CCE Logger and CCE Dialer.
For the CCE Dialer to connect securely to the CCE Logger, CCE 12.6(2)ES91 has to be installed on the CCE PG machine, and for the CCE Logger to connect securely to CCE AWHDS or AWHDS-DDS, CCE 12.6(2)ES92 has to be installed on the AW machines.
After 12.6(2)ES90 is installed, a few manual steps have to be followed to enable the security feature. They are covered in the section “Manual steps to enable TLS Security Feature”.
This section lists the Unified CCE components on which you can and cannot install this engineering special.
You can install Unified CCE 12.6(2) ES90 on these Unified CCE components:
Do not install this engineering special on any component other than:
Note: Remove patches in the reverse order of their installation. For example, if you installed patches 3, then 5, then 10 for a product, you must uninstall patches 10, 5, and 3, in that order, to remove the patches from that product.
With this feature, inter-datacentre CCE components that communicate with each other across different processes, carrying customer-sensitive Personally Identifiable Information (PII) such as credit card information, PINs, and other sensitive details, become secure, as TLS 1.2 is now implemented over the underlying TCP connections.
The following components and processes are secured:
By default this feature is disabled; to enable it, refer to the steps to enable the feature.
Prerequisites:
To enable this feature, the following ESs have to be installed:
1. 12.6(2)ES90 on Routers
2. 12.6(2)ES91 on Peripheral Gateways
3. 12.6(2)ES92 on AWHDS and AWHDS-DDS
This feature requires certificates to be exchanged between CCE Router Side A and Side B and between Logger Side A and Logger Side B; in addition, the certificates of all PGs and AWHDS servers have to be installed on both sides of the CCE Routers and CCE Loggers, and vice versa. Hence a certificate has to be deployed on each node, and each client has to be installed with the trust certificate of the server it connects to. For example, on Router A the Router B trust certificate has to be installed, and similarly between the Peripheral Gateways and the Router. Certificates can be generated and installed using the CiscoCertUtil tool. Refer to the Cisco Security Guide for detailed instructions.
A. Enable Secured Communication between Router-A and Router-B
1. Once CCE 12.6(2)ES90 is installed you will find new registry entries in the system, as given below. On Router Side A, go to the registry path:
2. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\RouterA\MDS\CurrentVersion\Process.
3. Find the registry key “EnableSecureMode” and modify the value to 1.
4. Do the same steps on Router Side B after installing 12.6(2)ES90.
5. With the above steps the system is able to communicate with its peer (the other side of the CCE Router) over a TLS-secured TCP connection via the MDS process.
6. With the above steps the system is also able to do the state transfer over TLS on the TCP connection during failover.
B. Enable Secured Communication between Router and Peripheral Gateway
1. Go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\RouterA\DMP\CurrentVersion”.
2. Find the registry key “EnableSecureMode” and modify the value to 2.
3. Do the above steps on CCE Router Side B.
4. The above settings make the CCAgent process in the CCE Router run in mixed mode, so that CCE PGs can connect to the CCE Router in secured as well as non-secured mode. It can be kept in mixed mode until all PGs are set to secured mode.
5. Go to the registry path Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\RouterA\DMP\CurrentVersion\CCLocalSide\HighPriority.
6. Modify the value of the registry key “SecurePort” to “40011”.
7. Go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\RouterA\DMP\CurrentVersion\CCLocalSide\LowPriority”.
8. Modify the value of the registry key “SecurePort” to “40014”.
9. Go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\RouterA\DMP\CurrentVersion\CCLocalSide\MediumPriority”.
10. Modify the value of the registry key “SecurePort” to “40018”.
11. Do the above steps on CCE Router Side B, using the corresponding port numbers 41011, 41014, and 41018 respectively.
12. Cycle the CCE Router service on Side A and Side B.
13. Once all PGs are configured in secured mode, the above-mentioned registry key “EnableSecureMode” can be changed to 1 (CCE Router service restart required), which makes the CCAgent process run in secured mode.
14. Once secured mode is set, no CCE PG can connect to the CCE Router in non-secured mode.
C. Enable Secured Communication between Router and Logger (if configured on separate machines)
1. Go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\RouterA\MDS\CurrentVersion\Process”.
2. Find the registry key “EnableSecureMode” and modify the value to 1.
3. Do the above steps on CCE Router Side B.
4. The above settings make the “mdsproc” process in the CCE Router run in secured mode, so that all mds clients can connect to the CCE Router in secured mode.
5. On the Logger box, go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\LoggerA\MDS\CurrentVersion\Process”.
6. Find the registry key “EnableSecureMode” and modify the value to 1.
7. Do the above steps on CCE Logger Side B.
8. The processes running on the Logger machine, such as node manager, Campaign Manager, recovery, replication, and configLogger, are mds clients of the mdsproc running on the Router box. The connections between the processes running on the Logger and mdsproc on the Router nodes are now secured.
D. Enable Secured Communication between Logger Side A and Logger Side B
1. On the Logger Side A machine, go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\LoggerA\NodeManager\CurrentVersion\Processes\rcv”.
2. Find the registry key “ImageArgs” and append “/secure true” to the end of the existing string value.
3. Do the above steps on CCE Logger Side B.
4. The above settings make the “recovery” process in the CCE Logger run in secured mode and connect to the “recovery” process running on the other side of the CCE Logger in secured mode.
E. Enable Secured Communication between Logger and AWHDS or AWHDS-DDS
1. On the Logger Side A machine, go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\LoggerA\NodeManager\CurrentVersion\Processes\rpl”.
2. Find the registry key “ImageArgs” and append “/securereplicationport 40023 /securerecoveryport 40038 /secure mixed” to the end of the existing string value.
3. Do the above steps on CCE Logger Side B with “/securereplicationport 41023 /securerecoveryport 41038 /secure mixed”.
4. The above settings make the “replication” process in the CCE Logger run in mixed mode, so that the “replication” processes running as clients on AWHDS or AWHDS-DDS can connect either in secured or non-secured mode.
5. You need to install CCE 12.6(2)ES92 on all AWHDS and AWHDS-DDS machines and do the configuration explained in the readme file of CCE 12.6(2)ES92 so that they connect to the CCE Logger in secure mode. Once all AWHDS and AWHDS-DDS machines are changed to secure mode, you can change the recovery process in the CCE Logger from mixed mode to secure mode by simply changing the registry value to “/secure true”.
F. Enable Secured Communication between Logger and AgentPG
1. On the Logger Side A machine, go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\LoggerA\NodeManager\CurrentVersion\Processes\CampaignManager”.
2. Find the registry key “EnableSecureMode” and modify the value to 2.
3. Find the registry key “SecurePort” and modify the value to “40039”.
4. Do the above steps on CCE Logger Side B with “SecurePort” set to “41039”.
5. The above settings make the “CampaignManager” process in the CCE Logger run in mixed mode, so that the “BADialer” processes running as clients on all Agent PGs can connect either in secured or non-secured mode.
6. Restart the Router and Logger services on both sides.
7. You need to install CCE 12.6(2)ES91 on all Agent PG machines and do the configuration explained in the readme file of CCE 12.6(2)ES91 so that they connect to the Campaign Manager process in the CCE Logger in secure mode. Once the “BADialer” process on all Agent PGs is changed to secure mode, you can change the Campaign Manager process from mixed mode to secure mode by simply changing the registry value “EnableSecureMode” to 1.
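The registry edits of sections A through F, collected into one elevated PowerShell script as an added example; this is not Cisco tooling and is not part of the ES. The script takes the instance name, the node side (A or B, which selects the 400xx or 410xx ports) and whether the listeners should run in mixed mode (the first rollout phase) or secured mode (once every PG and AWHDS is on TLS). The registry paths, value names, mode values and port numbers are exactly the ones listed in the steps above. It assumes the ES has already created the keys and values (it refuses to create a missing key, since that indicates the prerequisite ES is not installed) and that Set-ItemProperty keeps the existing value type when no -Type is given. The certificate exchange from the prerequisites must already be in place, and the services still have to be cycled afterwards as the steps instruct.

```powershell
# Added example, not Cisco tooling: applies the registry changes of sections A-F
# on one Router or Logger node. Run in an elevated PowerShell on that node, then
# cycle the Router/Logger services with Service Control as the steps instruct.
param(
    [Parameter(Mandatory)][string]$Instance,                        # <instance name> in the registry path
    [Parameter(Mandatory)][ValidateSet('A','B')][string]$Side,      # node side: selects 400xx or 410xx ports
    [Parameter(Mandatory)][ValidateSet('Router','Logger')][string]$Role,
    [ValidateSet('Mixed','Secure')][string]$Phase = 'Mixed'         # Mixed first; Secure once all clients use TLS
)

$base = "HKLM:\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\$Instance"
# Secure port numbers from steps B.6-B.11, E.2-E.3 and F.3-F.4 (Side A values; Side B below)
$ports = @{ High = 40011; Low = 40014; Med = 40018; Repl = 40023; Rcv = 40038; CM = 40039 }
if ($Side -eq 'B') { $ports = @{ High = 41011; Low = 41014; Med = 41018; Repl = 41023; Rcv = 41038; CM = 41039 } }
# EnableSecureMode: 1 = secured only, 2 = mixed (secured and non-secured clients accepted)
$listenerMode = if ($Phase -eq 'Secure') { 1 } else { 2 }

function Set-Reg([string]$Path, [string]$Name, $Value) {
    # The ES creates these keys; a missing key means the prerequisite ES is not on this node
    if (-not (Test-Path -LiteralPath $Path)) { throw "Registry key not found (is the ES installed?): $Path" }
    # Assumption: with no -Type given, Set-ItemProperty keeps the value type the ES created
    Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Value
    Write-Host ("{0}\{1} = {2}" -f $Path, $Name, $Value)
}

function Set-ImageArgsSecure([string]$Path, [string]$Mode, [string]$PortArgs = '') {
    # ImageArgs is the process command line: add the port switches once, then set "/secure <Mode>"
    if (-not (Test-Path -LiteralPath $Path)) { throw "Registry key not found (is the ES installed?): $Path" }
    $cur = [string](Get-ItemProperty -LiteralPath $Path -Name ImageArgs -ErrorAction Stop).ImageArgs
    if ($PortArgs -and $cur -notmatch '/securereplicationport') { $cur = "$cur $PortArgs" }
    $new = if ($cur -match '/secure\s+\S+') { $cur -replace '/secure\s+\S+', "/secure $Mode" } else { "$cur /secure $Mode" }
    Set-Reg $Path 'ImageArgs' $new.Trim()
}

if ($Role -eq 'Router') {
    $r = "$base\Router$Side"
    # A and C: MDS peer link and the Logger's mds clients over TLS
    Set-Reg "$r\MDS\CurrentVersion\Process" 'EnableSecureMode' 1
    # B: CCAgent listener for the PGs; stays mixed until every PG runs ES91 in secured mode
    Set-Reg "$r\DMP\CurrentVersion" 'EnableSecureMode' $listenerMode
    Set-Reg "$r\DMP\CurrentVersion\CCLocalSide\HighPriority"   'SecurePort' $ports.High
    Set-Reg "$r\DMP\CurrentVersion\CCLocalSide\LowPriority"    'SecurePort' $ports.Low
    Set-Reg "$r\DMP\CurrentVersion\CCLocalSide\MediumPriority" 'SecurePort' $ports.Med
} else {
    $l  = "$base\Logger$Side"
    $nm = "$l\NodeManager\CurrentVersion\Processes"
    # C: Logger-side mds client to mdsproc on the Router
    Set-Reg "$l\MDS\CurrentVersion\Process" 'EnableSecureMode' 1
    # D: recovery process, Logger A <-> Logger B (the steps list no mixed mode for it)
    Set-ImageArgsSecure "$nm\rcv" 'true'
    # E: replication listener for AWHDS/AWHDS-DDS; mixed until every AW runs ES92 in secure mode
    $replMode = if ($Phase -eq 'Secure') { 'true' } else { 'mixed' }
    Set-ImageArgsSecure "$nm\rpl" $replMode "/securereplicationport $($ports.Repl) /securerecoveryport $($ports.Rcv)"
    # F: Campaign Manager listener for the BADialer on each Agent PG
    Set-Reg "$nm\CampaignManager" 'EnableSecureMode' $listenerMode
    Set-Reg "$nm\CampaignManager" 'SecurePort' $ports.CM
}
Write-Host "Done. Cycle the $Role services on side $Side with Service Control for the change to take effect."
```

Run it once per node, for example with -Role Router -Side A -Phase Mixed during the first rollout and again with -Phase Secure after every PG and AWHDS has been switched to TLS; the ImageArgs helper is idempotent, so re-running it only flips the /secure value rather than appending the switches a second time.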
It is not recommended to disable this feature, as it secures the TCP connections going out of the datacentre.
Do the steps below during a maintenance window.
1. Make sure the feature is disabled on all PGs by following the steps given in the readme file of 12.6(2)ES91 under the section “Manual steps to disable TLS Security Feature”.
2. Go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\RouterA\DMP\CurrentVersion”.
3. Find the registry key “EnableSecureMode” and modify the value to 0.
4. On Router Side A, go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\RouterA\MDS\CurrentVersion\Process”.
5. Find the registry key “EnableSecureMode” and modify the value to 0.
6. Do the same steps on CCE Router Side B.
7. On the Logger Side A machine, go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\LoggerA\NodeManager\CurrentVersion\Processes\CampaignManager”.
8. Find the registry key “EnableSecureMode” and modify the value to 0.
9. On the Logger box, go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\LoggerA\MDS\CurrentVersion\Process”.
10. Find the registry key “EnableSecureMode” and modify the value to 0.
11. On the Logger Side A machine, go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\LoggerA\NodeManager\CurrentVersion\Processes\rcv”.
12. Find the registry key “ImageArgs” and change the “/secure” argument at the end of the existing string value to “/secure false”.
13. On the Logger Side A machine, go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\LoggerA\NodeManager\CurrentVersion\Processes\rpl”.
14. Find the registry key “ImageArgs” and change the “/secure” argument at the end of the existing string value to “/secure false”.
15. Do the above steps on CCE Logger Side B.
16. Cycle the CCE Router and Logger services on Side A and Side B using the Service Control tool.
17. The SecurePort values for the DMP and Campaign Manager connections do not need to be modified, as they do not affect the non-secure connections.
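As an added example (not Cisco tooling), a read-only PowerShell check that reports the current mode of each listener and client named in the enable and disable steps above, so that the rollout can be verified per node and an unintended rollback to non-secure mode becomes visible. The registry paths and value names are those from the steps; the reading of EnableSecureMode 0/1/2 as Disabled/Secure/Mixed and of the /secure true/mixed/false switch follows the steps; the row labels are mine. It changes nothing in the registry.

```powershell
# Added example, not Cisco tooling: read-only check of the TLS feature state on one
# Router or Logger node. Reads the EnableSecureMode / SecurePort / ImageArgs values the
# enable and disable steps refer to and reports each link as Disabled, Mixed or Secure.
param(
    [Parameter(Mandatory)][string]$Instance,                    # <instance name> in the registry path
    [Parameter(Mandatory)][ValidateSet('A','B')][string]$Side
)

$base = "HKLM:\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\$Instance"
$modeNames = @{ 0 = 'Disabled'; 1 = 'Secure'; 2 = 'Mixed' }   # EnableSecureMode values from the steps

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SecureModeState([string]$Path) {
    $v = Get-RegValue $Path 'EnableSecureMode'
    if ($null -eq $v) { return 'missing (ES not installed?)' }
    $n = [int]$v
    if ($modeNames.ContainsKey($n)) { return $modeNames[$n] }
    return "unknown ($n)"
}

function Get-ImageArgsState([string]$Path) {
    # "/secure true|mixed|false" is the switch steps D, E and the disable steps put on the command line
    $ia = Get-RegValue $Path 'ImageArgs'
    if ($null -eq $ia) { return 'missing (ES not installed?)' }
    if ("$ia" -match '/secure\s+(true|mixed|false)') {
        switch ($Matches[1]) { 'true' { return 'Secure' } 'mixed' { return 'Mixed' } 'false' { return 'Disabled' } }
    }
    return 'Disabled (no /secure switch)'
}

$rows = @()
$r  = "$base\Router$Side"
$l  = "$base\Logger$Side"
$nm = "$l\NodeManager\CurrentVersion\Processes"

if (Test-Path -LiteralPath $r) {
    $rows += [pscustomobject]@{ Link = 'Router MDS (peer Router, Logger mds clients)'; State = Get-SecureModeState "$r\MDS\CurrentVersion\Process" }
    $rows += [pscustomobject]@{ Link = 'Router CCAgent (PGs)';                         State = Get-SecureModeState "$r\DMP\CurrentVersion" }
    foreach ($q in 'HighPriority', 'MediumPriority', 'LowPriority') {
        $port = Get-RegValue "$r\DMP\CurrentVersion\CCLocalSide\$q" 'SecurePort'
        $rows += [pscustomobject]@{ Link = "Router CCAgent $q SecurePort"; State = "$port" }
    }
}
if (Test-Path -LiteralPath $l) {
    $cmPort = Get-RegValue "$nm\CampaignManager" 'SecurePort'
    $rows += [pscustomobject]@{ Link = 'Logger MDS client (to Router mdsproc)'; State = Get-SecureModeState "$l\MDS\CurrentVersion\Process" }
    $rows += [pscustomobject]@{ Link = 'Logger recovery (rcv, peer Logger)';    State = Get-ImageArgsState "$nm\rcv" }
    $rows += [pscustomobject]@{ Link = 'Logger replication (rpl, AWHDS)';       State = Get-ImageArgsState "$nm\rpl" }
    $rows += [pscustomobject]@{ Link = 'Logger CampaignManager (BADialer)';     State = Get-SecureModeState "$nm\CampaignManager" }
    $rows += [pscustomobject]@{ Link = 'Logger CampaignManager SecurePort';     State = "$cmPort" }
}

$rows | Format-Table -AutoSize
# Anything still Disabled or missing is either not yet rolled out or has been rolled back; both deserve a look
$rows | Where-Object { $_.State -like 'Disabled*' -or $_.State -like 'missing*' } |
    ForEach-Object { Write-Warning "$($_.Link): $($_.State)" }
```

Because the check only reads the registry, it can be run from a scheduled task on every Router and Logger node and its warnings forwarded to whatever monitoring is in place, which turns the readme's "once all PGs are configured in secured mode" condition into something that can be confirmed rather than assumed.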
This section provides a list of significant Unified CCE defects resolved by this engineering special. It contains these subsections:
Note: You can view more information on and track individual Unified CCE defects using the Cisco Bug Search tool, located at: https://bst.cloudapps.cisco.com/bugsearch/search?null.
This section lists caveats specifically resolved by Unified CCE 12.6(2) ES90.
Caveats in this section are ordered by UNIFIED CCE component, severity, and then identifier.
| Identifier | Severity | Component | Headline |
|------------|----------|-----------|----------|
| CSCwp80812 | 6 | MDS | Connections among CCE components in different VMs via MDS is not secured. |
| CSCwn77282 | 2 | router | The application gateway connection is lost during configuration updates for that APPGW. |
Caveats are ordered by severity, then defect number.
Defect Number: CSCwp80812
Component: MDS
Severity: 6
Headline: Connections among CCE components in different VMs via MDS is not secured.
NONE (No Restrictions)
Symptom: TCP connection without TLS.
Conditions: CCE components in different VMs connecting via TCP.
Workaround: None.
Further Problem Description: Connections are not secured.
Defect Number: CSCwn77282
Component: router
Severity: 2
Headline: The application gateway connection is lost during configuration updates for that APPGW.
NONE (No Restrictions)
Symptom: Application gateway failed to restore communication with the portal in the scenario below.
Conditions: Change the fault tolerance type from 'Hot Standby' to 'Alternate Request' in the Application Gateway list tool and save it.
Workaround: Kill the agi process from Task Manager or cycle the router component.
Further Problem Description: In order to achieve zero downtime, this has to be fixed.
You can access current Cisco documentation on the Support pages at the following sites:
To provide comments about this document, send an email message to the following address:
contactcenterproducts_docfeedback@cisco.com
We appreciate your comments.
Cisco.com is a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC site.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. You can also resolve technical issues with online technical support and download software packages. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
The Cisco TAC site is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to https://www.cisco.com/c/en/us/support/index.html.
P3 and P4 level problems are defined as follows:
In each of the above cases, use the Cisco TAC site to quickly find answers to your questions.
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following site: https://mycase.cloudapps.cisco.com/create/start/
If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following sites:
P1 and P2 level problems are defined as follows: