Introduction
This document describes how to exchange self-signed certificates in Unified Contact Center Enterprise (UCCE) solution.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- UCCE Release 12.6(2)
- Customer Voice Portal (CVP) Release 12.6(2)
- Cisco Virtualized Voice Browser (VVB)
Components Used
The information in this document is based on these software versions:
- UCCE 12.6(2)
- CVP 12.6(2)
- Cisco VVB 12.6(2)
- CVP Operations Console (OAMP)
- CVP New OAMP (NOAMP)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
In UCCE solution configuration of new features which involves core applications such as Roggers, Peripheral Gateways (PG), Admin Workstations (AW)/ Administration Data Server (ADS), Finesse, Cisco Unified Intelligence Center (CUIC) and so on is done through Contact Center Enterprise (CCE) Admin page. For Interactive Voice Response (IVR) applications like CVP, Cisco VVB, and gateways, NOAMP controls the configuration of new features. From CCE 12.5(1), due to security-management-compliance (SRC), all the communication to CCE Admin and NOAMP is strictly done via secure HTTP protocol.
To achieve seamless secure communication between these applications in a self-signed certificate environment, exchange of certificates between the servers is a must. Next section explains in detail the steps needed to exchange self-signed certificate between:
- CCE AW Servers and CCE Core Application Servers
- CVP OAMP Server and CVP Components Servers
Note: This document applies to CCE version 12.6 ONLY. See related information section for links to other versions.
Procedure
CCE AW Servers and CCE Core Application Servers
These are the components from which self-signed certificates are exported, and components into which self-signed certificates need to be imported.
CCE AW servers: This server requires certificate from:
- Windows platform: Router and Logger(Rogger){A/B}, Peripheral Gateway (PG){A/B}, and all AW/ADS.
Note: IIS and Diagnostic Framework Portico (DFP) are needed.
- VOS Platform: Finesse, CUIC, Live Data (LD), Identity Server (IDS) , Cloud Connect, and other applicable servers which are part of inventory database. Same applies for other AW servers in the solution.
Router \ Logger Server: This server requires certificate from:
- Windows platform: All AW servers IIS certificate.
The steps needed to effectively exchange the self-signed certificates for CCE are divided into these sections.
Section 1: Certificate Exchange Between Router\Logger, PG and AW Server
Section 2: Certificate Exchange Between VOS Platform Application and AW Server
Section 1: Certificate Exchange Between Router\Logger, PG and AW Server
The steps needed to complete this exchange successfully are:
Step 1. Export IIS certificates from Router\Logger, PG, and all AW servers.
Step 2. Export DFP certificates from Router\Logger, PG, and all AW servers.
Step 3. Import IIS and DFP certificates from Router\Logger, PG, and AW to AW servers.
Step 4 . Import IIS certificate to Router\Logger and PG from AW servers.
Caution: Before you begin, you must backup the keystore and open a command prompt as Administrator.
(i) Know the java home path to ensure where the java keytool is hosted. There are couple of ways you can find the java home path.
Option 1: CLI command: echo %CCE_JAVA_HOME%
Option 2: Manually via Advanced system setting, as shown in the image
(ii) Backup the cacerts file from the folder <ICM install directory>ssl\ . You can copy it to another location.
Step 1. Export IIS certificates from Router\Logger, PG and all AW Servers.
(i) On AW server from a browser, navigate to the servers (Roggers, PG, other AW servers) url: https://{servername}.
(ii) Save the certificate to a temporary folder. For example c:\temp\certs and name the cert as ICM{svr}[ab].cer.
Note: Select the option Base-64 encoded X.509 (.CER).
Step 2. Export DFP certificates from Router\Logger, PG, and all AW servers.
(i) On AW server, open a browser, and navigate to the servers (Router, Logger or Roggers, PGs) DFP url : https://{servername}:7890/icm-dp/rest/DiagnosticPortal/GetProductVersion.
(ii) Save the certificate to folder example c:\temp\certs and name the cert as dfp{svr}[ab].cer
Note: Select the option Base-64 encoded X.509 (.CER).
Step 3. Import IIS and DFP certificates from Router\Logger, PG, and AW to AW servers.
Command to import the IIS self-signed certificates into AW server. The path to run the Key tool: %CCE_JAVA_HOME%\bin:
%CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\IIS{svr}[ab].cer -alias {fqdn_of_server}_IIS -keystore {ICM install directory}\ssl\cacerts
Example:%CCE_JAVA_HOME%\bin\keytool.exe -import -file c:\temp\certs\IISAWA.cer -alias AWA_IIS -keystore C:\icm\ssl\cacerts
Note: Import all the server certificates exported into all AW servers.
Command to import the DFP self-signed certificates into AW servers:
%CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\dfp{svr}[ab].cer -alias {fqdn_of_server}_DFP -keystore {ICM install directory}\ssl\cacerts
Example: %CCE_JAVA_HOME%\bin\keytool.exe -import -file c:\temp\certs\dfpAWA.cer -alias AWA_DFP -keystore C:\icm\ssl\cacerts
Note: Import all the server certificates exported into all AW servers.
Restart the Apache Tomcat service on the AW servers.
Step 4. Import IIS certificate to Router\Logger and PG from AW servers.
Command to import the AW IIS self-signed certificates into Router\Logger and PG servers:
%CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\IIS{svr}[ab].cer -alias {fqdn_of_server}_IIS -keystore {ICM install directory}\ssl\cacerts
Example: %CCE_JAVA_HOME%\bin\keytool.exe -import -file c:\temp\certs\IISAWA.cer -alias AWA_IIS -keystore C:\icm\ssl\cacerts
Note: Import all the AW IIS server certificates exported into Rogger and PG servers on A and B sides.
Restart the Apache Tomcat service on the Router\Logger and PG Servers.
Section 2: Certificate Exchange Between VOS Platform Applications and AW Server
The steps needed to complete this exchange successfully are:
Step 1. Export VOS Platform Application Server Certificates.
Step 2. Import VOS Platform Application Certificates to AW Server.
This process is applicable for VOS applications such as:
- Finesse
- CUIC \ LD \ IDS
- Cloud Connect
Step 1. Export VOS Platform Application Server Certificates.
(i) Navigate to Cisco Unified Communications Operating System Administration page: https://FQDN:8443/cmplatform.
(ii) Navigate to Security > Certificate Management and find the application primary server certificates in tomcat-trust folder.
(iii) Select the certificate and click download .PEM file to save it in a temporary folder on the AW server.
Note: Perform the same steps for the subscriber.
Step 2. Import VOS Platform Application to AW Server.
Path to run the Key tool: %CCE_JAVA_HOME%\bin
Command to import the self-signed certificates:
%CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\vosapplicationX.pem -alias {fqdn_of_VOS} -keystore {ICM install directory}\ssl\cacerts
Example: %CCE_JAVA_HOME%\bin\keytool.exe -import -file C:\Temp\certs\CUICPub.pem -alias CUICPub -keystore C:\icm\ssl\cacerts
Restart the Apache Tomcat service on the AW servers.
Note: Perform the same task on other AW servers.
CVP OAMP Server and CVP Component Servers
These are the the components from which self-signed certificates are exported and components into which self-signed certificates need to be imported.
(i) CVP OAMP server: This server requires certificate from
- Windows platform: Web Services Manager (WSM) certificate from CVP server and Reporting servers.
- VOS Platform: Cisco VVB and Cloud Connect server.
(ii) CVP Servers: This server requires certificate from
- Windows platform: WSM certificate from OAMP server.
- VOS Platform: Cloud Connect server, and Cisco VVB server.
(iii) CVP Reporting servers: This server requires certificate from
- Windows platform: WSM certificate from OAMP server
(iv) Cisco VVB servers: This server requires certificate from
- Windows platform: VXML certificate form CVP server and Callserver certificate from CVP server
- VOS Platform: Cloud Connect server
The steps needed to effectively exchange the self-signed certificates in the CVP environment are explained through these three sections.
Section 1: Certificate Exchange Between CVP OAMP Server and CVP Server and Reporting Servers
Section 2: Certificate Exchange Between CVP OAMP Server and VOS Platform Applications
Section 3: Certificate Exchange Between CVP Server and VOS Platform Applications
Section 1: Certificate Exchange Between CVP OAMP Server and CVP Server and Reporting Servers
The steps needed to complete this exchange successfully are:
Step 1. Export the WSM certificate from CVP Server, Reporting and OAMP server.
Step 2. Import the WSM certificates from CVP Server and Reporting server into OAMP server.
Step 3. Import the CVP OAMP server WSM certificate into CVP Servers and Reporting servers.
Caution: Before you begin, you must do this:
1. Open a command window as administrator.
2. For 12.6.2, to identify the keystore password, go to the %CVP_HOME%\bin folder and run the DecryptKeystoreUtil.bat file.
3. For 12.6.1, to identify the keystore password, run the command, more %CVP_HOME%\conf\security.properties.
4. You need this password when running the keytool commands.
5. From the %CVP_HOME%\conf\security\ directory, run the command, copy .keystore backup.keystore.
Step 1. Export the WSM certificate from CVP Server, Reporting and OAMP Server.
(i) Export WSM certificate from each CVP Server to a temporary location, and rename the certificate with a desired name. You can rename it as wsmX.crt. Replace X with the hostname of the server. For example, wsmcsa.crt, wsmcsb.crt, wsmrepa.crt, wsmrepb.crt, wsmoamp.crt.
Command to export the self-signed certificates:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -export -alias wsm_certificate -file %CVP_HOME%\conf\security\wsm.crt
(ii) Copy the certificate from the path %CVP_HOME%\conf\security\wsm.crt from each server and rename it as wsmX.crt based on the server type.
Step 2. Import WSM certificates from CVP Server and Reporting Server into OAMP Server.
(i) Copy each CVP Server and Reporting server WSM certificate (wsmX.crt) to the %CVP_HOME%\conf\security directory on the OAMP server.
(ii) Import these certificates with the command:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -alias {fqdn_of_cvp}_wsm -file %CVP_HOME%\conf\security\wsmcsX.crt
(iii) Reboot the server.
Step 3. Import the CVP OAMP Server WSM certificate into CVP Servers and Reporting servers.
(i) Copy OAMP server WSM certificate (wsmoampX.crt) to the %CVP_HOME%\conf\security directory on all the CVP Servers and Reporting servers.
(ii) Import the certificates with the command:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -alias {fqdn_of_cvp}_wsm -file %CVP_HOME%\conf\security\wsmoampX.crt
(iii) Reboot the servers.
Section 2: Certificate Exchange Between CVP OAMP Server and VOS Platform Applications
The steps needed to complete this exchange successfully are:
Step 1. Export the application certificate from the VOS platform.
Step 2. Import the VOS application certificate into the OAMP server.
This process is applicable for VOS applications such as:
Step 1. Export the application certificate from the VOS platform.
(i) Navigate to Cisco Unified Communications Operating System Administration page: https://FQDN:8443/cmplatform.
(ii) Navigate to Security > Certificate Management and find the application primary server certificates in the tomcat-trust folder.
(iii) Select the certificate and click download .PEM file to save it in a temporary folder on the OAMP server.
Step 2. Import the VOS application certificate into the OAMP Server.
(i) Copy the VOS certificate to the %CVP_HOME%\conf\security directory on the OAMP server.
(ii) Import the certificates with the command:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -alias {fqdn_of_VOS} -file %CVP_HOME%\conf\security\VOS.pem
(ii) Reboot the server.
Section 3: Certificate Exchange Between CVP Server and VOS Platform Applications
This is an optional step to secure the SIP communication between CVP and other Contact Center components. For more information refer to the CVP Configuration Guide: CVP Configuration Guide - Security.
CVP CallStudio Web Service Integration
For detailed information about how to establish a secure communication for Web Services Element and Rest_Client element
refer to User Guide for Cisco Unified CVP VXML Server and Cisco Unified Call Studio Release 12.6(2) - Web Service Integration [Cisco Unified Customer Voice Portal] - Cisco
Related Information