Exchange Self-Signed Certificates in a UCCE 12.6 Solution

Available Languages

Download Options

  • PDF     (699.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (786.5 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (516.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 15, 2023
Document ID:220754

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to exchange self-signed certificates in Unified Contact Center Enterprise (UCCE) solution.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • UCCE Release 12.6(2)
    • Customer Voice Portal (CVP) Release 12.6(2)
    • Cisco Virtualized Voice Browser (VVB)

    Components Used

    The information in this document is based on these software versions:

    • UCCE 12.6(2)
    • CVP 12.6(2)
    • Cisco VVB 12.6(2)
    • CVP Operations Console (OAMP)
    • CVP New OAMP (NOAMP)

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    In UCCE solution configuration of new features which involves core applications such as Roggers, Peripheral Gateways (PG), Admin Workstations (AW)/ Administration Data Server (ADS), Finesse, Cisco Unified Intelligence Center (CUIC) and so on is done through Contact Center Enterprise (CCE) Admin page. For Interactive Voice Response (IVR) applications like CVP, Cisco VVB, and gateways, NOAMP controls the configuration of new features. From CCE 12.5(1), due to security-management-compliance (SRC), all the communication to CCE Admin and NOAMP is strictly done via secure HTTP protocol.

    To achieve seamless secure communication between these applications in a self-signed certificate environment, exchange of certificates between the servers is a must. Next section explains in detail the steps needed to exchange self-signed certificate between:

    • CCE AW Servers and CCE Core Application Servers
    • CVP OAMP Server and CVP Components Servers

    Note: This document applies to CCE version 12.6 ONLY. See related information section for links to other versions.

    Procedure

    CCE AW Servers and CCE Core Application Servers

    These are the components from which self-signed certificates are exported, and components into which self-signed certificates need to be imported.

    CCE AW servers: This server requires certificate from:

    • Windows platform: Router and Logger(Rogger){A/B}, Peripheral Gateway (PG){A/B}, and all AW/ADS.

    Note: IIS and Diagnostic Framework Portico (DFP) are needed.

    • VOS Platform: Finesse, CUIC, Live Data (LD), Identity Server (IDS) , Cloud Connect, and other applicable servers which are part of inventory database. Same applies for other AW servers in the solution.

    Router \ Logger Server: This server requires certificate from:

    • Windows platform: All AW servers IIS certificate.

    The steps needed to effectively exchange the self-signed certificates for CCE are divided into these sections.

    Section 1: Certificate Exchange Between Router\Logger, PG and AW Server
    Section 2: Certificate Exchange Between VOS Platform Application and AW Server

    Section 1: Certificate Exchange Between Router\Logger, PG and AW Server

    The steps needed to complete this exchange successfully are:

    Step 1. Export IIS certificates from Router\Logger, PG, and all AW servers.
    Step 2. Export DFP certificates from Router\Logger, PG, and all AW servers.
    Step 3. Import IIS and DFP certificates from Router\Logger, PG, and AW to AW servers.

    Step 4 . Import IIS certificate to Router\Logger and PG from AW servers.

    Caution: Before you begin, you must backup the keystore and open a command prompt as Administrator.


    (i) Know the java home path to ensure where the java keytool is hosted. There are couple of ways you can find the java home path.


        Option 1: CLI command: echo %CCE_JAVA_HOME%

        Option 1 - JAVA Home Path

       Option 2: Manually via Advanced system setting, as shown in the image

       Option 2 - Environment Variables

    (ii) Backup the cacerts file from the folder <ICM install directory>ssl\ You can copy it to another location.

    Step 1. Export IIS certificates from Router\Logger, PG and all AW Servers.

    (i) On AW server from a browser, navigate to the servers (Roggers, PG, other AW servers) url: https://{servername}.

    Certificate Format on AW Server

    (ii) Save the certificate to a temporary folder. For example c:\temp\certs and name the cert as ICM{svr}[ab].cer.

    Note: Select the option Base-64 encoded X.509 (.CER).

    Step 2. Export DFP certificates from Router\Logger, PG, and all AW servers.

    (i) On AW server, open a browser, and navigate to the servers (Router, Logger or Roggers, PGs) DFP url : https://{servername}:7890/icm-dp/rest/DiagnosticPortal/GetProductVersion.

    Certificate Format on AW Server, Format DFP

    (ii) Save the certificate to folder example c:\temp\certs and name the cert as dfp{svr}[ab].cer

    Note: Select the option Base-64 encoded X.509 (.CER).

    Step 3. Import IIS and DFP certificates from Router\Logger, PG, and AW to AW servers.

    Command to import the IIS self-signed certificates into AW server. The path to run the Key tool: %CCE_JAVA_HOME%\bin:

    %CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\IIS{svr}[ab].cer -alias {fqdn_of_server}_IIS -keystore {ICM install directory}\ssl\cacerts
Example:%CCE_JAVA_HOME%\bin\keytool.exe -import -file c:\temp\certs\IISAWA.cer -alias AWA_IIS -keystore C:\icm\ssl\cacerts

    Note: Import all the server certificates exported into all AW servers.

    Command to import the DFP self-signed certificates into AW servers:

    %CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\dfp{svr}[ab].cer -alias {fqdn_of_server}_DFP -keystore {ICM install directory}\ssl\cacerts
    Example: %CCE_JAVA_HOME%\bin\keytool.exe -import -file c:\temp\certs\dfpAWA.cer -alias AWA_DFP -keystore C:\icm\ssl\cacerts

    Note: Import all the server certificates exported into all AW servers.

    Restart the Apache Tomcat service on the AW servers.

    Step 4. Import IIS certificate to Router\Logger and PG from AW servers.

    Command to import the AW IIS self-signed certificates into Router\Logger and PG servers:

    %CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\IIS{svr}[ab].cer -alias {fqdn_of_server}_IIS -keystore {ICM install directory}\ssl\cacerts
Example: %CCE_JAVA_HOME%\bin\keytool.exe -import -file c:\temp\certs\IISAWA.cer -alias AWA_IIS -keystore C:\icm\ssl\cacerts

    Note: Import all the AW IIS server certificates exported into Rogger and PG servers on A and B sides.

    Restart the Apache Tomcat service on the Router\Logger and PG Servers.

    Section 2: Certificate Exchange Between VOS Platform Applications and AW Server

    The steps needed to complete this exchange successfully are:

    Step 1. Export VOS Platform Application Server Certificates.
    Step 2. Import VOS Platform Application Certificates to AW Server.

    This process is applicable for VOS applications such as:

    • Finesse
    • CUIC \ LD \ IDS
    • Cloud Connect

    Step 1. Export VOS Platform Application Server Certificates.

    (i) Navigate to Cisco Unified Communications Operating System Administration page: https://FQDN:8443/cmplatform.

    (ii) Navigate to Security > Certificate Management and find the application primary server certificates in tomcat-trust folder.

    VOS Platform Application Server Certificates

    (iii) Select the certificate and click download .PEM file to save it in a temporary folder on the AW server.

    Download .PEM File

    Note: Perform the same steps for the subscriber.

    Step 2. Import VOS Platform Application to AW Server.


    Path to run the Key tool: %CCE_JAVA_HOME%\bin

    Command to import the self-signed certificates:

    %CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\vosapplicationX.pem -alias {fqdn_of_VOS} -keystore {ICM install directory}\ssl\cacerts
    Example: %CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\CUICPub.pem -alias CUICPub -keystore C:\icm\ssl\cacerts

    Restart the Apache Tomcat service on the AW servers.

    Note: Perform the same task on other AW servers.

    CVP OAMP Server and CVP Component Servers

    These are the the components from which self-signed certificates are exported and components into which self-signed certificates need to be imported.

    (i) CVP OAMP server: This server requires certificate from

    • Windows platform: Web Services Manager (WSM) certificate from CVP server and Reporting servers.
    • VOS Platform: Cisco VVB and Cloud Connect server.

    (ii) CVP Servers: This server requires certificate from

    • Windows platform: WSM certificate from OAMP server.
    • VOS Platform: Cloud Connect server, and Cisco VVB server.

    (iii) CVP Reporting servers: This server requires certificate from

    • Windows platform: WSM certificate from OAMP server

    (iv) Cisco VVB servers: This server requires certificate from

    • Windows platform: VXML certificate form CVP server and Callserver certificate from CVP server
    • VOS Platform: Cloud Connect server

    The steps needed to effectively exchange the self-signed certificates in the CVP environment are explained through these three sections.

    Section 1: Certificate Exchange Between CVP OAMP Server and CVP Server and Reporting Servers
    Section 2: Certificate Exchange Between CVP OAMP Server and VOS Platform Applications
    Section 3: Certificate Exchange Between CVP Server and VOS Platform Applications

    Section 1: Certificate Exchange Between CVP OAMP Server and CVP Server and Reporting Servers

    The steps needed to complete this exchange successfully are:

    Step 1. Export the WSM certificate from CVP Server, Reporting and OAMP server.
    Step 2. Import the WSM certificates from CVP Server and Reporting server into OAMP server.
    Step 3. Import the CVP OAMP server WSM certificate into CVP Servers and Reporting servers.

    Caution: Before you begin, you must do this:
    1. Open a command window as administrator.
    2. For 12.6.2, to identify the keystore password, go to the %CVP_HOME%\bin folder and run the DecryptKeystoreUtil.bat file.
    3. For 12.6.1, to identify the keystore password, run the command, more %CVP_HOME%\conf\security.properties.
    4. You need this password when running the keytool commands.
    5. From the %CVP_HOME%\conf\security\ directory, run the command, copy .keystore backup.keystore.

    Step 1. Export the WSM certificate from CVP Server, Reporting and OAMP Server.

    (i) Export WSM certificate from each CVP Server to a temporary location, and rename the certificate with a desired name. You can rename it as wsmX.crt. Replace X with the hostname of the server. For example, wsmcsa.crt, wsmcsb.crt, wsmrepa.crt, wsmrepb.crt, wsmoamp.crt.

    Command to export the self-signed certificates:

    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -export -alias wsm_certificate -file %CVP_HOME%\conf\security\wsm.crt

    (ii) Copy the certificate from the path %CVP_HOME%\conf\security\wsm.crt from each server and rename it as wsmX.crt based on the server type.

    Step 2. Import WSM certificates from CVP Server and Reporting Server into OAMP Server.

    (i) Copy each CVP Server and Reporting server WSM certificate (wsmX.crt) to the %CVP_HOME%\conf\security directory on the OAMP server.

    (ii) Import these certificates with the command:

    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -alias {fqdn_of_cvp}_wsm -file %CVP_HOME%\conf\security\wsmcsX.crt

    (iii) Reboot the server.

    Step 3. Import the CVP OAMP Server WSM certificate into CVP Servers and Reporting servers.

    (i) Copy OAMP server WSM certificate (wsmoampX.crt) to the %CVP_HOME%\conf\security directory on all the CVP Servers and Reporting servers.

    (ii) Import the certificates with the command:

    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -alias {fqdn_of_cvp}_wsm -file %CVP_HOME%\conf\security\wsmoampX.crt

    (iii)  Reboot the servers.

    Section 2: Certificate Exchange Between CVP OAMP Server and VOS Platform Applications

    The steps needed to complete this exchange successfully are:

    Step 1. Export the application certificate from the VOS platform.

    Step 2. Import the VOS application certificate into the OAMP server.

    This process is applicable for VOS applications such as:

    • CUCM
    • VVB
    • Cloud Connect

    Step 1. Export the application certificate from the VOS platform.

    (i) Navigate to Cisco Unified Communications Operating System Administration page: https://FQDN:8443/cmplatform.


    (ii) Navigate to Security > Certificate Management and find the application primary server certificates in the tomcat-trust folder.

    CUCM certificate

    (iii) Select the certificate and click download .PEM file to save it in a temporary folder on the OAMP server.

    Download .PEM File on CUCM

    Step 2. Import the VOS application certificate into the OAMP Server.

    (i) Copy the VOS certificate to the %CVP_HOME%\conf\security directory on the OAMP server.

    (ii) Import the certificates with the command:

    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -alias {fqdn_of_VOS} -file %CVP_HOME%\conf\security\VOS.pem

    (ii) Reboot the server.

    Section 3: Certificate Exchange Between CVP Server and VOS Platform Applications

    This is an optional step to secure the SIP communication between CVP and other Contact Center components. For more information refer to the CVP Configuration Guide: CVP Configuration Guide - Security.

    CVP CallStudio Web Service Integration

    For detailed information about how to establish a secure communication for Web Services Element and Rest_Client element

    refer to User Guide for Cisco Unified CVP VXML Server and Cisco Unified Call Studio Release 12.6(2) - Web Service Integration [Cisco Unified Customer Voice Portal] - Cisco

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    15-Aug-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Bhaskar Sastry Garimella
      Cisco Technical Consulting Engineer
    • Ramiro Amaya
      Cisco Technical Consulting Engineer
    • Robert Rogier
      Cisco Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products