This document provides installation instructions for Unified CCE 12.6(2) ES103. It also contains a list of Unified CCE issues resolved by this engineering special. Review all installation information before installing the product. Failure to install this engineering special as described can result in inconsistent Unified CCE behaviour.
This document contains these sections:
In the Product
Alert Tool, you can set up profiles to receive email notification of new
Field Notices, Product Alerts, or End of Sale information for your selected
products.
The Product
Alert Tool is available at https://www.cisco.com/cisco/support/notifications.html.
Unified CCE 12.6(2) ES103 patch contains defect fixes done on all previous ES along with a security feature enhancement done as part of CSCwp80812.
With the enhanced feature connection between CCE Router and CCE Logger, CCE Router and CCE AWHDS and connections between CCE Logger and its peer is made secured by introducing TLS in the existing TCP connection. This is also been done in the TCP connection between CCE Logger and CCE HDS, CCE Logger to CCE Dialer.
For the CCE Dialer to connect securely with CCE Logger, CCE 12.6(2)ES108 has to be installed on the CCE PG machine and for CCE Logger and CCE Router to connect securely with CCE AWHDS or AWHDS-DDS, CCE 12.6(2)ES102 has to be installed in AW machines.
Once 12.6(2)ES103 is installed few manual steps needs to be followed to enable the security feature. This will be covered in the section “Manual steps to enable TLS Security Feature”.
This section lists the Unified CCE components on which you can and cannot install this engineering special.
You can install Unified CCE 12.6(2) ES103 on these Unified CCE components:
Do not install this engineering special on any component other than:
You can use graceful shutdown procedure to install this ES with Zero down time. To avail this Zero Down Time feature, ES68 in Rogger/Router server, ES69 in Peripheral Gateway, ES70 in Admin Workstation/Distributor servers is a prerequisite to be present in the system.
To
install the Unified CCE 12.6(2) ES103 with maintenance mode (Zero Downtime),
follow the steps:
For more information about graceful shutdown, please refer to Administration guide for unified contact centre enterprise release -https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_12_6_2/administration/guide/administration-guide-for-cisco-unified-contact-center-enterprise-release-1262/ucce_m_graceful-shutdown.html?bookSearch=true
Note: If you have enabled the security feature by following the steps
given in “Steps to enable TLS Security Feature” section after installing the
patch then you have to disable the feature by following the steps given in the
section “Steps to disable TLS Security Feature” before the uninstall of the
patch.
Note: Remove patches in the reverse order of their installation. For example, if you installed patches 3, then 5, then 10 for a product, you must uninstall patches 10, 5, and 3, in that order, to remove the patches from that product.
With this feature,
inter-datacentre CCE components that communicate with each other across
different processes which carries customer
sensitive Personally Identifiable Information (PII) that include credit card
information, PIN, and other sensitive details become secure, as TLS 1.2 is now implemented over the
underlying TCP connections.
The following components and
processes are secured:
By default this
feature will be disabled, to enable refer to the steps to enable feature.
Prerequisites:
To enable this feature the following ES has to be installed.
1.
12.6(2)ES103 on
Routers
2.
12.6(2)ES108 on
Peripheral Gateways.
3.
12.6(2)ES102 on
AWHDS, AWHDS-DDS.
This feature requires the certificates to be exchanged between the CCE Router side A and Side B, Logger Side A and Logger Side B and also all PG sand AWHDS servers certificates needs to be installed on both sides of CCE Routers and CCE Logger and vice-versa. Hence on each node a certificate has to be deployed, and client should be installed with trust certificate of the server. For example, on Router A, the Router-B trust certificates has to be installed, similarly between Peripheral Gateways and Router. Certificates can be generated and installed using the CiscoCertUtil tool. Refer to the Cisco Security Guide for detailed instructions.
A. Enable Secured Communication
on Router-A and Router-B.
1. Once CCE 12.6(2)ES is installed, you open Websetup tool on Router SideA.
2. Login to Websetup and edit the router component and keep on clicking the “Next” button till you get “Router Security” tab.
3. In “Router Security” tab click the check box “Enable secure connection between Router and its Peer and Logger”
4. You check the other check boxes “Enable secure connection between Router and Peripheral Gateways” and “Enable secure connection between Router and AW Distributors”.
5. You uncheck the check “Enable secure-only connection” boxes to enable mixed mode connection. This is because in UCCE solution there is a possibility of having multiple Peripheral Gateways and AWHDS servers and it is not possible to convert all these servers to secure mode in one go. Till all the Peripheral Gateway and AWHDS servers move to secure mode Router should be in mixed mode so that both secure and non-secure clients connects to Router.
6. Do the same above steps in Router Side B after installing the 12.6(2)ES103.
7. With the above steps system will be able to communicate with its peer (other side of CCE Router) with TLS secured TCP connection via MDS process.
8. With the above steps system will be able to do state transfer with TLS on TCP connection during failover. And real time data to AWHDS over TLS on TCP.
B. Enable Secured Communication on Logger side A and Logger side B.
1. Once CCE 12.6(2)ES is installed, you open Websetup tool on Logger SideA.
2. Login to Websetup and edit the Logger component and keep on clicking the “Next” button till you get “Logger Security” tab.
3. In “Logger Security” tab click the check box “Enable secure connection between Logger and Router” and “Enable secure data recovery between Logger and Logger”
4. You check the other check boxes “Enable secure data replication between Logger and AW-HDS-DDS” and “Enable secure connection between Campaign Manager and Dialer (Outbound Option)”.
5. You uncheck the check “Enable secure-only connection” boxes to enable mixed mode connection. This is because in UCCE solution there is a possibility of having multiple Dialer components and AWHDS servers and it is not possible to convert all these servers to secure mode in one go. Till all the Dialers in each Peripheral Gateway and replication process in each AWHDS servers move to secure mode Logger should be in mixed mode so that both secure and non-secure clients connects to Logger.
6. Do the same above steps in Logger Side B after installing the 12.6(2)ES103.
7. With the above steps system will be able to communicate with its peer (other side of CCE Logger ) with TLS secured TCP connection via recovery process.
It is not recommend to disable the feature as this is security feature over the TCP connection going out of datacentre.
Do the below steps in maintenance.
A. Disable Secured
Communication on Router-A and Router-B.
1. Once CCE 12.6(2)ES is installed, you open Websetup tool on Router SideA.
2. Login to Websetup and edit the router component and keep on clicking the “Next” button till you get “Router Security” tab.
3. In “Router Security” tab uncheck the check box “Enable secure connection between Router and its Peer and Logger”
4. You uncheck the other check boxes “Enable secure connection between Router and Peripheral Gateways” and “Enable secure connection between Router and AW Distributors”.
5. You uncheck the check “Enable secure-only connection” boxes.
B. Disable Secured Communication on Logger side A and Logger side B.
1. Once CCE 12.6(2)ES is installed, you open Websetup tool on Logger SideA.
2. Login to Websetup and edit the Logger component and keep on clicking the “Next” button till you get “Logger Security” tab.
3. In “Logger Security” tab uncheck the check box “Enable secure connection between Logger and Router” and “Enable secure data recovery between Logger and Logger”
4. You uncheck the other check boxes “Enable secure data replication between Logger and AW-HDS-DDS” and “Enable secure connection between Campaign Manager and Dialer (Outbound Option)”.
5. You uncheck the check “Enable secure-only connection” boxes.
This section provides a list of significant Unified CCE defects resolved by this engineering special. It contains these subsections:
Note: You can view more information on and track individual Unified CCE defects using the Cisco Bug Search tool, located at: https://bst.cloudapps.cisco.com/bugsearch/search?null.
This section lists caveats specifically resolved by Unified CCE 12.6(2) ES103.
Caveats in this section are ordered by UNIFIED CCE component, severity, and then identifier.
|
Identifier |
Severity |
Component |
Headline |
Dependency |
|
CSCwp80812 |
6 |
MDS |
Connections
among CCE components in different VMs via MDS is not secured. |
ES102
on AW, ES108 on PG |
|
CSCws32038
|
3 |
Router |
ACCESS_VIOLATION
crash on router.exe following admin script update |
|
|
CSCws94528 |
3 |
Router |
Maintenance
Mode not accepted by RTR B even though config logger is in sync with each
other |
|
|
CSCws37035 |
3 |
Outbound |
Campaign
manager SNMP status shows Unknown in monitoring system |
ES102
on AW, ES108 on PG |
|
|
|
|
|
|
You can access current Cisco documentation on the Support pages at the following sites:
To provide comments about this document, send an email message to the following address:
contactcenterproducts_docfeedback@cisco.com
We appreciate your comments.
Cisco.com is a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC site.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. You can also resolve technical issues with online technical support and download software packages. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
The Cisco TAC site is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to https://www.cisco.com/c/en/us/support/index.html.
P3 and P4 level problems are defined as follows:
In each of the above cases, use the Cisco TAC site to quickly find answers to your questions.
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following site: https://mycase.cloudapps.cisco.com/create/start/
If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following sites:
P1 and P2 level problems are defined as follows: