About this Document


This document provides installation instructions for Unified CCE 12.6(2) ES92. It also contains a list of Unified CCE issues resolved by this engineering special. Review all installation information before installing the product. Failure to install this engineering special as described can result in inconsistent Unified CCE behaviour.

This document contains these sections:

Sign Up for Email Notification of New Field Notices


In the Product Alert Tool, you can set up profiles to receive email notification of new Field Notices, Product Alerts, or End of Sale information for your selected products.

The Product Alert Tool is available at https://www.cisco.com/cisco/support/notifications.html.

About Cisco Unified CCE (and Unified CCE Engineering Specials)


 

The Unified CCE 12.6(2) ES92 patch contains the defect fixes from all previous ESs, along with a security feature enhancement delivered as part of CSCwp80812.

With this enhancement, the connection between CCE Router Side A and CCE Logger Side A and the connections between a CCE Logger and its peer are secured by introducing TLS on the existing TCP connections. The same has been done for the TCP connections between CCE Logger and CCE HDS, and between CCE Logger and CCE Dialer.

For the CCE Dialer to connect securely with the CCE Logger, CCE 12.6(2)ES91 has to be installed on the CCE PG machine and CCE 12.6(2)ES90 on the CCE Logger. For the CCE Logger to connect securely with CCE AWHDS or AWHDS-DDS, CCE 12.6(2)ES92 has to be installed on the AW machines.

Because this patch depends on other deliverables, it must be installed on all Admin Client machines where CCE 12.6(2)ES88 was previously installed, so that the Configuration Manager works.

You need to re-install ISE after installing CCE 12.6(2)ES92 on the AW box.

Once 12.6(2)ES92 is installed, a few manual steps need to be followed to enable the security feature. These are covered in the section “Manual steps to enable TLS Security Feature”.

Unified CCE Compatibility and Support Specifications


Unified CCE Version Support

Unified CCE Component Support

This section lists the Unified CCE components on which you can and cannot install this engineering special.

Supported Unified CCE Components

You can install Unified CCE 12.6(2) ES92 on these Unified CCE components:

Unsupported Unified CCE Components

Do not install this engineering special on any component other than:

Unified CCE Engineering Special Installation Planning


Installing Unified CCE 12.6(2) ES92


  1. Download the patch and copy it to the local server where the patch is going to be installed.
  2. Stop all ICM services and applications running on the server.
  3. Run the patch installer exe and follow the instructions.
  4. Reboot the server on successful completion of the patch install.
  5. Start the ICM services.

Uninstall Directions for Unified CCE 12.6(2) ES92


  1. To uninstall this patch, go to Control Panel.
  2. Select "Add or Remove Programs".
  3. Find the installed patch in the list and select "Remove".

Note: Remove patches in the reverse order of their installation. For example, if you installed patches 3, then 5, then 10 for a product, you must uninstall patches 10, 5, and 3, in that order, to remove the patches from that product.

New Feature: Secure Communication across components CCE Router, CCE Logger, CCE PG and CCE AWHDS-DDS


With this feature, communication between inter-datacentre CCE components becomes secure, as TLS 1.2 is now implemented over the underlying TCP connections. The processes on these components communicate with each other and carry customer-sensitive Personally Identifiable Information (PII), including credit card information, PINs, and other sensitive details.

The following components and processes are secured:

  1. Router communication with peer Router on private network interface.
  2. Peripheral Gateway communication with peer Peripheral Gateway on private network interface.
  3. Router and Peripheral Gateway communication on public network interface.
  4. Logger communication with peer Logger on private network interface.
  5. Logger processes communication with Router on private network interface, if configured on a separate machine.
  6. Logger communication with AWHDS or AWHDS-DDS on public network interface.
  7. Logger communication with Agent PG on public network interface.

This feature is disabled by default. To enable it, refer to the steps to enable the feature.

Steps to enable TLS Security Feature


Prerequisites:
To enable this feature, the following ESs have to be installed:

1.     12.6(2)ES90 on Routers

2.     12.6(2)ES91 on Peripheral Gateways.

3.     12.6(2)ES92 on AWHDS, AWHDS-DDS.

This feature requires certificates to be exchanged between CCE Router Side A and Side B and between Logger Side A and Logger Side B. In addition, the certificates of all PGs and AWHDS servers need to be installed on both sides of the CCE Routers and CCE Loggers, and vice versa. Hence a certificate has to be deployed on each node, and each client must have the trust certificate of its server installed. For example, on Router A, the Router B trust certificate has to be installed; the same applies between Peripheral Gateways and Routers. Certificates can be generated and installed using the CiscoCertUtil tool. Refer to the Cisco Security Guide for detailed instructions.

A. Enable Secured Communication between Logger and AWHDS or AWHDS-DDS

1.     Make sure 12.6(2)ES90 is installed and the feature is enabled on the CCE Logger component before enabling the feature here. Refer to the readme document of 12.6(2)ES90.

2.     On the AWHDS or AWHDS-DDS machine, go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\Distributor\NodeManager\CurrentVersion\Processes\rpl”.

3.     Find the registry key “ImageArgs” and append “/securereplicationport 40023 /securerecoveryport 40038 /secure true” to the end of the existing string value.

4.     Perform the above steps on every AWHDS or AWHDS-DDS machine that is connected to CCE Logger Side A.

5.     On every AWHDS or AWHDS-DDS machine that is connected to CCE Logger Side B, perform the above steps with “/securereplicationport 41023 /securerecoveryport 41038 /secure true” instead.

6.     With the above settings, the “replication” processes running as clients on the AWHDS or AWHDS-DDS connect in secured mode to the “replication” process on the CCE Logger, which is running in either secure or mixed mode.

7.     You need to install CCE 12.6(2)ES92 on all AWHDS and AWHDS-DDS machines and perform the configuration explained in the readme file of CCE 12.6(2)ES92 to connect to the CCE Logger in secure mode. Once all AWHDS and AWHDS-DDS machines are changed to secure mode, you can change the recovery process on the CCE Logger from mixed mode to secure mode by simply changing the registry value to “/secure true” on the CCE Logger machine.
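The registry edit in steps 2 to 5, as an added PowerShell example (not Cisco tooling and not part of the original readme): it builds the new ImageArgs value for Logger Side A or B without duplicating switches on a re-run, and writes only when -Apply is given. The script's parameter names, the instance name you pass in and the backup file location are assumptions; the registry path and port numbers are the ones listed above.

```powershell
# Added example: idempotently append the secure replication switches to ImageArgs.
param(
    [Parameter(Mandatory)][string]$Instance,                      # your ICM instance name (placeholder)
    [Parameter(Mandatory)][ValidateSet('A','B')][string]$LoggerSide,
    [switch]$Apply                                                # without -Apply, only report
)

# Port pairs from the steps above: Side A = 40023/40038, Side B = 41023/41038.
$portTable = @{
    A = @{ Replication = 40023; Recovery = 40038 }
    B = @{ Replication = 41023; Recovery = 41038 }
}
$ports = $portTable[$LoggerSide]

$key = "HKLM:\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\$Instance\Distributor\NodeManager\CurrentVersion\Processes\rpl"

function Get-SecureImageArgs([string]$Current, [hashtable]$Ports) {
    # Drop earlier copies of the three switches so a re-run never duplicates them
    # and a previous "/secure false" is replaced rather than contradicted.
    $base = ($Current -replace '\s*/secure(replicationport|recoveryport)?\s+\S+', '').TrimEnd()
    $suffix = '/securereplicationport {0} /securerecoveryport {1} /secure true' -f $Ports.Replication, $Ports.Recovery
    "$base $suffix"
}

$current = (Get-ItemProperty -LiteralPath $key -Name ImageArgs -ErrorAction Stop).ImageArgs
$desired = Get-SecureImageArgs -Current $current -Ports $ports

if ($current -eq $desired) {
    Write-Output "ImageArgs already set for Logger Side $LoggerSide."
} elseif ($Apply) {
    # Keep the previous value so the change can be reverted by hand.
    $backup = Join-Path $env:TEMP 'rpl-ImageArgs.bak'
    Set-Content -LiteralPath $backup -Value $current
    Set-ItemProperty -LiteralPath $key -Name ImageArgs -Value $desired
    Write-Output "ImageArgs updated. Previous value saved to $backup"
} else {
    Write-Output "Current : $current"
    Write-Output "Desired : $desired"
}
```

Run it once without -Apply on each AWHDS or AWHDS-DDS machine to review the change; it does not check the prerequisite in step 1.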

 

 

 

Steps to disable TLS Security Feature


Disabling this feature is not recommended, as it is a security feature for the TCP connections going out of the datacentre.

Perform the steps below during maintenance.

A. Disable Secured Communication between Logger and AWHDS or AWHDS-DDS

1.     Make sure the Replication process on both CCE Logger Side A and Side B is running in mixed mode.

2.     On the AWHDS or AWHDS-DDS machine, go to the registry path “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco Systems, Inc.\ICM\<instance name>\Distributor\NodeManager\CurrentVersion\Processes\rpl”.

3.     Find the registry key “ImageArgs” and modify the end of the existing string value to “/secure false”.

4.     Perform the above steps on all AWHDS or AWHDS-DDS machines.

5.     Restart the services on all AWHDS or AWHDS-DDS machines where the feature is enabled.

Resolved Caveats in this Engineering Special


This section provides a list of significant Unified CCE defects resolved by this engineering special. It contains these subsections:


Note: You can view more information on and track individual Unified CCE defects using the Cisco Bug Search tool, located at: https://bst.cloudapps.cisco.com/bugsearch/search?null.


Resolved Caveats in Unified CCE 12.6(2) ES92

This section lists caveats specifically resolved by Unified CCE 12.6(2) ES92.

Index of Resolved Caveats

Caveats in this section are ordered by UNIFIED CCE component, severity, and then identifier.

Identifier | Severity | Component | Headline
CSCwp80812 | 6 | MDS | Connections among CCE components in different VMs via MDS is not secured.

Detailed list of Resolved Caveats in This Engineering Special

Caveats are ordered by severity then defect number.


Defect Number: CSCwp80812

Component: MDS

Severity: 6

Headline: Connections among CCE components in different VMs via MDS is not secured.

NONE (No Restrictions)
Symptom:
TCP connection without TLS.

Conditions:
CCE components in different VM connection via TCP.

Workaround:
None.

Further Problem Description:
Connections are not secured.


Obtaining Documentation


You can access current Cisco documentation on the Support pages at the following sites:

Documentation Feedback

To provide comments about this document, send an email message to the following address:

contactcenterproducts_docfeedback@cisco.com

We appreciate your comments.

Obtaining Technical Assistance


Cisco.com is a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC site.

Cisco.com

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. You can also resolve technical issues with online technical support and download software packages. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

Technical Assistance Centre

The Cisco TAC site is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Site

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to https://www.cisco.com/c/en/us/support/index.html.

P3 and P4 level problems are defined as follows:

In each of the above cases, use the Cisco TAC site to quickly find answers to your questions.

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following site: https://mycase.cloudapps.cisco.com/create/start/

Contacting TAC by Telephone

If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following sites:

P1 and P2 level problems are defined as follows: