This document provides installation instructions for Unified CCE 12.6(2) ES102. It also contains a list of Unified CCE issues resolved by this engineering special. Review all installation information before installing the product. Failure to install this engineering special as described can result in inconsistent Unified CCE behaviour.
This document contains these sections:
In the Product
Alert Tool, you can set up profiles to receive email notification of new
Field Notices, Product Alerts, or End of Sale information for your selected
products.
The Product
Alert Tool is available at https://www.cisco.com/cisco/support/notifications.html.
Unified CCE 12.6(2) ES102 patch contains defect fixes done on all previous ES along with a security feature enhancement done as part of CSCwp80812.
With the enhanced feature connection between CCE Router Side A and CCE Logger Side A and connections between CCE Logger and its peer is made secured by introducing TLS in the existing TCP connection. This is also been done in the TCP connection between CCE Logger and CCE HDS, CCE Router to CCE-HDS and CCE Logger to CCE Dialer.
For the CCE Dialer to connect securely with CCE Logger, CCE 12.6(2)ES108 has to be installed on the CCE PG machine and CCE 12.6(2)ES103 on CCE Logger. For CCE Logger to connect securely with CCE AWHDS or AWHDS-DDS, CCE 12.6(2)ES102 has to be installed in AW machines.
As this patch has other deliverable dependency so this patch must be installed on all Admin Client machines.
You need to re-install ISE after installing CCE 12.6(2)ES102 in AW box.
Once 12.6(2)ES102 is installed few manual steps needs to be followed to enable the security feature. This will be covered in the section “Manual steps to enable TLS Security Feature”.
This section lists the Unified CCE components on which you can and cannot install this engineering special.
You can install Unified CCE 12.6(2) ES102 on these Unified CCE components:
Do not install this engineering special on any component other than:
You can use graceful shutdown procedure to install this ES with Zero down time. To avail this Zero Down Time feature, ES68 in Rogger/Router server, ES69 in Peripheral Gateway, ES70 in Admin Workstation/Distributor servers is a prerequisite to be present in the system.
To
install the Unified CCE 12.6(2) ES102 with maintenance mode (Zero Downtime),
follow the steps:
For more information about graceful shutdown, please refer to Administration guide for unified contact centre enterprise release -https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_12_6_2/administration/guide/administration-guide-for-cisco-unified-contact-center-enterprise-release-1262/ucce_m_graceful-shutdown.html?bookSearch=true
Note: If you have enabled the security feature by following the steps
given in “Steps to enable TLS Security Feature” section after installing the
patch then you have to disable the feature by following the steps given in the
section “Steps to disable TLS Security Feature” before the uninstall of the
patch.
Note: Remove patches in the reverse order of their installation. For example, if you installed patches 3, then 5, then 10 for a product, you must uninstall patches 10, 5, and 3, in that order, to remove the patches from that product.
With this feature,
inter-datacentre CCE components that communicate with each other across
different processes which carries customer
sensitive Personally Identifiable Information (PII) that include credit card
information, PIN, and other sensitive details become secure, as TLS 1.2 is now implemented over the
underlying TCP connections.
The following components and
processes are secured:
By default this feature will be disabled, to enable refer to the steps to enable feature.
Prerequisites:
To enable this feature the following ES has to be installed.
1.
12.6(2)ES103 on
Routers
2.
12.6(2)ES108 on
Peripheral Gateways.
3.
12.6(2)ES102 on
AWHDS, AWHDS-DDS.
This feature requires the certificates to be exchanged between the CCE Router side A and Side B, Logger Side A and Logger Side B and also all PG sand AWHDS servers certificates needs to be installed on both sides of CCE Routers and CCE Logger and vice-versa. Hence on each node a certificate has to be deployed, and client should be installed with trust certificate of the server. For example, on Router A, the Router-B trust certificates has to be installed, similarly between Peripheral Gateways and Router. Certificates can be generated and installed using the CiscoCertUtil tool. Refer to the Cisco Security Guide for detailed instructions.
A. Enable Secured Communication on AWHDS or AWHDS-DDS
1. Make sure 12.6(2)ES103 is installed and feature is enabled on CCE Logger component before enabling the feature. Refer readme document of 12.6(2)ES103.
2. Once CCE 12.6(2)ES is installed, you open Websetup tool on CCE AWHDS.
3. Login to Websetup and edit the “Administration & data server” component and keep on clicking the “Next” button till you get “AW Security” tab.
4. In “AW Security” tab click the check box “Enable secure data replication from Logger database to AW-HDS database” and “Enable secure connection between Distributor and AW Clients”
5. You check the other check box “Enable secure connection to CCE Router for configuration updates”.
6. You uncheck the check “Enable secure-only connection” box to enable mixed mode connection. This is because in UCCE solution there is a possibility of having multiple Administration Client boxes and it is not possible to convert all these clients to secure mode in one go. Till all the CCE Administration Client boxes are moved to secure mode Real time distributor process in AWHDS should be in mixed mode so that both secure and non-secure clients connects to AWHDS.
7. Do the above steps in all AWHDS server.
B. Enable Secured Communication on CCE Administration Client.
1. Make sure 12.6(2)ES103 is installed and feature is enabled on CCE Logger component before enabling the feature. Refer readme document of 12.6(2)ES103.
2. Make sure 12.6(2)ES102 is installed and feature is enabled on CCE AWHDS component before enabling the feature.
3. Login Admin Client Setup and check the checkbox “Enable Secure Mode”.
It is not recommend to disable the feature as this is security feature over the TCP connection going out of datacentre.
Do the below steps in maintenance.
A. Disable Secured Communication on AWHDS or AWHDS-DDS
1. Once CCE 12.6(2)ES is installed, you open Websetup tool on CCE AWHDS.
2. Login to Websetup and edit the “Administration & data server” component and keep on clicking the “Next” button till you get “AW Security” tab.
3. In “AW Security” tab uncheck the check box “Enable secure data replication from Logger database to AW-HDS database” and “Enable secure connection between Distributor and AW Clients”
4. You uncheck the other check box “Enable secure connection to CCE Router for configuration updates”.
5. You uncheck the check “Enable secure-only connection” box.
6. Do the above steps in all AWHDS server.
B. Disable Secured Communication on CCE Administration Client.
1. Login Admin Client Setup and uncheck the checkbox “Enable Secure Mode”.
This section provides a list of significant Unified CCE defects resolved by this engineering special. It contains these subsections:
Note: You can view more information on and track individual Unified CCE defects using the Cisco Bug Search tool, located at: https://bst.cloudapps.cisco.com/bugsearch/search?null.
This section lists caveats specifically resolved by Unified CCE 12.6(2) ES102.
Caveats in this section are ordered by UNIFIED CCE component, severity, and then identifier.
|
Identifier |
Severity |
Component |
Headline |
Dependency |
|
CSCwp80812 |
6 |
MDS |
Connections
among CCE components in different VMs via MDS is not secured. |
ES103
on Router, ES108 on PG |
|
|
|
|
|
|
You can access current Cisco documentation on the Support pages at the following sites:
To provide comments about this document, send an email message to the following address:
contactcenterproducts_docfeedback@cisco.com
We appreciate your comments.
Cisco.com is a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC site.
Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. You can also resolve technical issues with online technical support and download software packages. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.
The Cisco TAC site is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to https://www.cisco.com/c/en/us/support/index.html.
P3 and P4 level problems are defined as follows:
In each of the above cases, use the Cisco TAC site to quickly find answers to your questions.
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following site: https://mycase.cloudapps.cisco.com/create/start/
If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following sites:
P1 and P2 level problems are defined as follows: