The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to exchange self-signed certificates in Cisco Packaged Contact Center Enterprise (PCCE) solution.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
In PCCE solution from 12.x all devices are controlled via Single Pane of Glass (SPOG) which is hosted in the principal AW server. Due to security-management-compliance (SRC) from PCCE 12.5(1) version all the communication between SPOG and other servers in the solution are strictly done via secure HTTP protocol.
Certificates are used in order to achieve seamless secure communication between SPOG and the other devices. In a self-signed certificate environment, certificate exchange between the servers is a must.
These are the the components from which self-signed certificates are exported and components into which self-signed certificates need to be imported.
(i) All AW/ADS Servers: These servers requires certificate from:
Note: IIS and Diagnostic Framework Portico (DFP) are needed.
Note: Web Service Management (WSM) certificate from all the servers are needed. Certificates must be with Fully Qualified Domain Name (FQDN).
(ii) Router \ Logger Servers: These servers require certificate from:
(iii) PG Servers: These servers require certificate from:
Note: This is needed to download the JTAPI client from CUCM server.
(iv) CVP Servers: These servers require certificate from
(v) CVP Reporting server: This server requires certificate from:
(vi) VVB Servers: This server requires certificate from:
The steps needed to effectively exchange the self-signed certificates in the solution are divided in three sections.
Section 1: Certificate Exchange Between CVP Servers and ADS Servers.
Section 2: Certificate Exchange Between VOS Platform Applications and ADS Server.
Section 3: Certificate Exchange Between Roggers, PGs and ADS Server.
The steps needed to complete this exchange successfully are:
Step 1. Export CVP Servers WSM Certificates.
Step 2. Import CVP Servers WSM Certificate to ADS Servers.
Step 3. Export ADS Server Certificate.
Step 4. Import ADS Server to CVP Servers and CVP Reporting Server.
Before you export the certificates from the CVP servers, you need to regenerate the certificates with the FQDN of the server, otherwise, few features like Smart Licensing, Virtual Agent Voice (VAV), and the CVP synchronization with SPOG can experience problems.
Caution: Before you begin, you must do this:
1. Open a command window as administrator.
2. For 12.6.2, to identify the keystore password, go to the %CVP_HOME%\bin folder and run the DecryptKeystoreUtil.bat file.
3. For 12.6.1, to identify the keystore password, run the command, more %CVP_HOME%\conf\security.properties.
4. You need this password when running the keytool commands.
5. From the %CVP_HOME%\conf\security\ directory, run the command, copy .keystore backup.keystore.
Note: You can streamline the commands used in this document by the use of the keytool parameter -storepass. For all CVP servers, provide the keytool password you identified. For the ADS servers the default password is: changeit
To regenerate the certificate on the CVP servers execute these steps:
(i) List the certificates in the server
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -list
Note: The CVP Servers have these self-signed certificates: wsm_certificate, vxml_certificate, callserver_certificate. If you use the parameter -v of the keytool, you are able to see more detailed information of each certificate. In addition, you can add the ">" symbol at the end of the keytool.exe list command to send the output to a text file, for example: > test.txt
(ii) Delete the old self-signed certificates
CVP servers: Commands to delete the self-signed certificates:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -delete -alias wsm_certificate %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -delete -alias vxml_certificate %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -delete -alias callserver_certificate
CVP Reporting servers: Commands to delete the self-signed certificates:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -delete -alias wsm_certificate
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -delete -alias callserver_certificate
Note: CVP Reporting servers have these self-signed certificates: wsm_certificate, callserver_certificate.
(iii) Generate the new self-signed certificates with the FQDN of the server
CVP servers
Command to generate the self-signed certificate for WSM:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -genkeypair -alias wsm_certificate -keysize 2048 -keyalg RSA -validity XXXX
Note: By default, the certificates are generated for two years. Use -validity XXXX to set the expiry date when certificates are regenerated, otherwise certificates are valid for 90 days and need to be signed by a CA before this time. For most of these certificates, 3-5 years must be a reasonable validation time.
Here are some standard validity inputs:
One Year |
365 |
Two Years |
730 |
Three Years |
1095 |
Four Year |
1460 |
Five Years |
1895 |
Ten Years |
3650 |
Caution: From 12.5 certificates must be SHA 256, Key Size 2048, and encryption Algorithm RSA, use these parameters to set these values: -keyalg RSA and -keysize 2048. It is important that the CVP keystore commands include the -storetype JCEKS parameter. If this is not done, the certificate, the key, or worse the keystore can become corrupted.
Specify the FQDN of the server, on the question what is your fist and last name?
Complete these other questions:
What is the name of your organizational unit?
[Unknown]: <specify OU>
What is the name of your organization?
[Unknown]: <specify the name of the org>
What is the name of your City or Locality?
[Unknown]: <specify the name of the city/locality>
What is the name of your State or Province?
[Unknown]: <specify the name of the state/province>
What is the two-letter country code for this unit?
[Unknown]: <specify two-letter Country code>
Specify yes for the next two inputs.
Perform the same steps for vxml_certificate and callserver_certificate:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -genkeypair -alias vxml_certificate -keysize 2048 -keyalg RSA -validity XXXX
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -genkeypair -alias callserver_certificate -keysize 2048 -keyalg RSA -validity XXXX
Reboot the CVP call server.
CVP Reporting servers
Command to generate the self-signed certificates for WSM:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -genkeypair -alias wsm_certificate -keysize 2048 -keyalg RSA -validity XXXX
Specify the FQDN of the server for the query what is your fist and last name ? and continue with the same steps as done with CVP servers.
Perform the same steps for callserver_certificate:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -genkeypair -alias callserver_certificate -keysize 2048 -keyalg RSA -validity XXXX
Reboot the Reporting servers.
(iv) Export wsm_Certificate from CVP and Reporting servers
a) Export WSM Certificate from each CVP server to a temporary location, and rename the certificate with a desired name. You can rename it as wsmcsX.crt. Replace "X" with the hostname of the server. For example, wsmcsa.crt, wsmcsb.crt , wsmrepa.crt , wsmrepb.crt.
Command to export the self-signed certificates:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -export -alias wsm_certificate -file %CVP_HOME%\conf\security\wsm.crt
b) Copy the certificate from the path %CVP_HOME%\conf\security\wsm.crt, rename it to wsmcsX.crt and move it to a temporary folder on the ADS server.
To import the certificate in ADS server you need to use the keytool which is a part of java toolset. There are couple of ways you can find the java home path where this tool is hosted.
(i) CLI command > echo %CCE_JAVA_HOME%
(ii) Manually via Advanced system setting, as shown in the image.
On PCCE 12.6 default path of OpenJDK is C:\Program Files (x86)\OpenJDK\jre-8.0.272.10-hotspot\bin
Commands to import the self-signed certificates:
cd %CCE_JAVA_HOME%\bin
keytool.exe -import -file C:\Temp\certs\wsmcsX.crt -alias {fqdn_of_CVP} -keystore {ICM install directory}\ssl\cacerts
Note: Repeat the commands for each CVP in the deployment and perform the same task on other ADS servers
(iii) Restart the Apache Tomcat service on the ADS servers.
Here are the steps to export the ADS certificate:
(i) On ADS server from a browser, navigate to the server url : https://<servername>.
(ii) Save the certificate to a temporary folder, for example: c:\temp\certs and name the certificate as ADS<svr>[ab].cer.
Note: Select the option Base-64 encoded X.509 (.CER).
(i) Copy the certificate to CVP Servers and CVP Reporting server in the directory %CVP_HOME%\conf\security.
(ii) Import the certificate to CVP servers and CVP Reporting server.
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -trustcacerts -alias {fqdn_of_ads} -file %CVP_HOME%\conf\security\ADS{svr}[ab].cer
Perform the same steps for other ADS servers certificates.
(iii) Restart the CVP servers and Reporting server
The steps needed to complete this exchange successfully are:
Step 1. Export VOS Platform Application Server Certificates.
Step 2. Import VOS Platform Application Certificates to ADS Server.
Step 3. Import CUCM Platform Application Certificates to CUCM PG Servers.
This process is applicable for all VOS applications such as:
(i) Navigate to Cisco Unified Communications Operating System Administration page: https://FQDN:8443/cmplatform.
(ii) Navigate to Security > Certificate Management and find the application primary server certificates in tomcat-trust folder.
(iii) Select the certificate and click on download .PEM file to save it in a temporary folder on the ADS server.
Note: Perform the same steps for the subscriber.
Path to run the Key tool: %CCE_JAVA_HOME%\bin
Commands to import the self-signed certificates:
%CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\vosapplicationX.cer -alias {fqdn_of_VOS>} -keystore {ICM install directory}\ssl\cacerts
Restart the Apache Tomcat service on the ADS servers.
Note: Perform the same task on other ADS servers
Path to run the Key tool: %CCE_JAVA_HOME%\bin
Commands to import the self-signed certificates:
%CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\cucmapplicationX.cer -alias {fqdn_of_cucm>} -keystore {ICM install directory}\ssl\cacerts
Restart the Apache Tomcat service on the PG servers.
Note: Perform the same task on other CUCM PG servers
The steps needed to complete this exchange successfully are:
Step 1. Export IIS Certificate from Rogger and PG Servers
Step 2. Export DFP Certificate from Rogger and PG Servers
Step 3. Import Certificates into ADS Servers
Step 4. Import ADS Certificate into Rogger and PG Servers
(i) On ADS server from a browser, navigate to the servers (Roggers , PG) url: https://{servername}
(ii)Save the certificate to a temporary folder, for example c:\temp\certs and name the cert as ICM<svr>[ab].cer
Note: Select the option Base-64 encoded X.509 (.CER).
(i) On ADS server from a browser, navigate to the servers (Roggers, PGs) DFP url : https://{servername}:7890/icm-dp/rest/DiagnosticPortal/GetProductVersion
(ii) Save the certificate to folder example c:\temp\certs and name the cert as dfp{svr}[ab].cer
Note: Select the option Base-64 encoded X.509 (.CER).
Command to import the IIS self-signed certificates into ADS server. The path to run the Key tool: %CCE_JAVA_HOME%\bin
%CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\temp\certs\ICM<svr>[ab].cer -alias {fqdn_of_server}_IIS -keystore {ICM install directory}\ssl\cacerts
Note: Import all the server certificates exported into all ADS servers.
Command to import the diagnostic self-signed certificates into ADS server
%CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\dfp<svr>[ab].cer -alias {fqdn_of_server}_DFP -keystore {ICM install directory}\ssl\cacerts
Note: Import all the server certificates exported into all ADS servers.
Restart the Apache Tomcat service on the ADS servers.
Command to import the IIS self-signed certificates into Rogger and PG servers. The path to run the Key tool: %CCE_JAVA_HOME%\bin.
%CCE_JAVA_HOME%\bin\keytool -keystore ..\lib\security\cacerts -import -storepass changeit -alias {fqdn_of_server}_IIS -file c:\temp\certs\ICM{svr}[ab].cer
Note: Import all the ADS server IIS certificates exported into all Rogger and PG servers.
Restart the Apache Tomcat service on the Rogger and PG servers.
For detailed information about how to establish a secure communication for Web Services Element and Rest_Client element
Revision | Publish Date | Comments |
---|---|---|
1.0 |
31-Jul-2023 |
Initial Release |