This document describes how to exchange self-signed certificates in Unified Contact Center Enterprise (UCCE) solution.
Contributed by Anuj Bhatia, Robert Rogier and Ramiro Amaya, Cisco TAC Engineers
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
In the UCCE solution, configuration of new features that involve core applications such as Roggers, Peripheral Gateways (PG), Admin Workstations (AW), Finesse, Cisco Unified Intelligence Center (CUIC), etc. is done through the Contact Center Enterprise (CCE) admin page. For Interactive Voice Response (IVR) applications like CVP, Cisco VVB and gateways, NOAMP controls the configuration of new features. From CCE 12.5(1), due to security-management-compliance (SRC), all communication to the CCE admin page and NOAMP is strictly done via the secure HTTP protocol.
To achieve seamless secure communication between these applications in a self-signed certificate environment, exchange of these certificates between the servers becomes a must. The next section explains in detail the steps needed to exchange self-signed certificates between:
These are the components from which self-signed certificates are exported and the components into which self-signed certificates need to be imported.
CCE AW servers: This server requires certificates from:
Note: IIS and diagnostic framework certificates are needed.
Same applies for other AW servers in the solution.
Router\Logger Server: This server requires certificates from:
The steps needed to effectively exchange the self-signed certificates for CCE are divided into these sections.
Section 1: Certificate Exchange Between Router\Logger, PG and AW Server.
Section 2: Certificate Exchange Between VOS Platform Application and AW Server.
The steps needed to complete this exchange successfully are:
Step 1. Export IIS certificates from Router\Logger, PG and all AW servers.
Step 2. Export Diagnostic Framework Portico (DFP) certificates from Router\Logger and PG servers.
Step 3. Import IIS and DFP certificates from Router\Logger, PG to AW servers.
Step 4. Import IIS certificate to Router\Logger from AW servers.
Caution: Before you begin, you must back up the keystore and run the commands from the Java home as an Administrator.
(i) Determine the Java home path, which is where the Java keytool is hosted. There are a couple of ways to find the Java home path.
Option 1: CLI command: echo %JAVA_HOME%
Option 2: Manually via Advanced system setting, as shown in the image
Note: On UCCE 12.5 the default path is C:\Program Files (x86)\Java\jre1.8.0_221\bin. However, if you have used the 12.5(1a) installer or have 12.5 ES55 installed (mandatory OpenJDK ES), then use CCE_JAVA_HOME instead of JAVA_HOME, since the datastore path has changed with OpenJDK. More information about the OpenJDK migration in CCE and CVP is available in these documents: Install and Migrate to OpenJDK in CCE 2.5(1) and Install and Migrate to OpenJDK in CVP 12.5(1).
(ii) Back up the cacerts file from the folder C:\Program Files (x86)\Java\jre1.8.0_221\lib\security. You can copy it to another location.
(iii) Open a command window as Administrator to run the commands.
Step 1. Export IIS certificates from Router\Logger, PG and all AW servers.
(i) On the AW server, from a browser, navigate to the URL of each server (Roggers, PGs, other AW servers): https://{servername}.
(ii) Save the certificate to a temporary folder, for example c:\temp\certs, and name the cert ICM{svr}[ab].cer.
Note: Select the option Base-64 encoded X.509 (.CER).
Step 2. Export Diagnostic Framework Portico (DFP) certificates from Router\Logger and PG servers.
(i) On the AW server, open a browser and navigate to the DFP URL of each server (Router, Logger or Roggers, PGs): https://{servername}:7890/icm-dp/rest/DiagnosticPortal/GetProductVersion.
(ii) Save the certificate to a temporary folder, for example c:\temp\certs, and name the cert dfp{svr}[ab].cer.
Note: Select the option Base-64 encoded X.509 (.CER).
Step 3. Import IIS and DFP certificates from Rogger, PG to AW servers.
Command to import the IIS self-signed certificates into the AW server. The path to run the keytool is C:\Program Files (x86)\Java\jre1.8.0_221\bin:
keytool -keystore "C:\Program Files (x86)\Java\jre1.8.0_221\lib\security\cacerts" -import -storepass changeit -alias {fqdn_of_server}_IIS -file c:\temp\certs\ICM{svr}[ab].cer
Example:
keytool -keystore "C:\Program Files (x86)\Java\jre1.8.0_221\lib\security\cacerts" -import -storepass changeit -alias myrgra.domain.com_IIS -file c:\temp\certs\ICMrgra.cer
Note: Import all the server certificates exported into all AW servers.
Command to import the DFP self-signed certificates into AW servers:
keytool -keystore "C:\Program Files (x86)\Java\jre1.8.0_221\lib\security\cacerts" -import -storepass changeit -alias {fqdn_of_server}_DFP -file c:\temp\certs\dfp{svr}[ab].cer
Example: keytool -keystore "C:\Program Files (x86)\Java\jre1.8.0_221\lib\security\cacerts" -import -storepass changeit -alias myrgra.domain.com_DFP -file c:\temp\certs\dfprgra.cer
Note: Import all the server certificates exported into all AW servers.
Restart the Apache Tomcat service on the AW servers.
Step 4. Import IIS certificate to Router\Logger from AW servers.
Command to import the IIS self-signed certificates into Rogger servers:
keytool -keystore "C:\Program Files (x86)\Java\jre1.8.0_221\lib\security\cacerts" -import -storepass changeit -alias {fqdn_of_server}_IIS -file c:\temp\certs\ICM{svr}[ab].cer
Example:
keytool -keystore "C:\Program Files (x86)\Java\jre1.8.0_221\lib\security\cacerts" -import -storepass changeit -alias myrgra.domain.com_IIS -file c:\temp\certs\ICMrgra.cer
Note: Import all the AW IIS server certificates exported into Rogger A and B sides.
Restart the Apache Tomcat service on the Rogger Servers.
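As an added example that is not part of the Cisco document, this PowerShell script automates Steps 1 to 4 for one peer server: it fetches the IIS (port 443) and DFP (port 7890) self-signed certificates over TLS, writes them Base-64 encoded, prints each thumbprint so it can be compared with the certificate shown on the server itself, and imports them into cacerts with keytool. It assumes an Administrator shell, CCE_JAVA_HOME or JAVA_HOME set, a backed-up cacerts and the default changeit store password; run it on the AW against a Rogger/PG, or on the Rogger against an AW with -IisOnly.

```powershell
# Added example, not Cisco's code: fetch a server's IIS (443) and DFP (7890)
# self-signed certificates over TLS, save them Base-64 encoded, import them into
# cacerts. Assumes: Administrator shell, CCE_JAVA_HOME or JAVA_HOME set,
# cacerts backed up, store password "changeit".
param(
    [Parameter(Mandatory)][string]$ServerFqdn,   # e.g. rgra.domain.com
    [string]$CertDir = 'C:\temp\certs',
    [string]$StorePass = 'changeit',
    [switch]$IisOnly                              # Step 4: AW IIS cert into a Rogger
)

# Prefer CCE_JAVA_HOME (OpenJDK after 12.5(1a)/ES55), fall back to JAVA_HOME.
$javaHome = if ($env:CCE_JAVA_HOME) { $env:CCE_JAVA_HOME } else { $env:JAVA_HOME }
if (-not $javaHome) { throw 'Neither CCE_JAVA_HOME nor JAVA_HOME is set.' }
$keytool = Join-Path $javaHome 'bin\keytool.exe'
$cacerts = Join-Path $javaHome 'lib\security\cacerts'
New-Item -ItemType Directory -Force -Path $CertDir | Out-Null

function Get-TlsServerCertificate([string]$HostName, [int]$Port) {
    # TLS handshake only; the callback accepts the self-signed chain so the leaf
    # certificate can be captured. It is checked by thumbprint before import.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
            ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Export-Base64Cer($Cert, [string]$Path) {
    # Same format as the browser's "Base-64 encoded X.509 (.CER)" option.
    $b64 = [Convert]::ToBase64String($Cert.Export('Cert'), 'InsertLineBreaks')
    Set-Content -Path $Path -Encoding Ascii -Value "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
}

$targets = @(@{ Port = 443; Suffix = 'IIS'; File = "ICM${ServerFqdn}.cer" })
if (-not $IisOnly) { $targets += @{ Port = 7890; Suffix = 'DFP'; File = "dfp${ServerFqdn}.cer" } }
foreach ($t in $targets) {
    $cert = Get-TlsServerCertificate -HostName $ServerFqdn -Port $t.Port
    $file = Join-Path $CertDir $t.File
    Export-Base64Cer -Cert $cert -Path $file
    # Subject and SHA-1 thumbprint: compare with the certificate shown on the server before trusting it.
    Write-Host ("{0}:{1} {2} thumbprint {3}" -f $ServerFqdn, $t.Port, $cert.Subject, $cert.Thumbprint)
    $alias = "${ServerFqdn}_$($t.Suffix)"
    & $keytool -keystore $cacerts -import -noprompt -storepass $StorePass -alias $alias -file $file
    & $keytool -keystore $cacerts -list -storepass $StorePass -alias $alias   # verify the entry exists
}
Write-Host 'Restart the Apache Tomcat service so the new trust entries are loaded.'
```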
The steps needed to complete this exchange successfully are:
Step 1. Export VOS Platform Application Server Certificates.
Step 2. Import VOS Platform Application Certificates to AW Server.
This process is applicable for all VOS applications such as:
Step 1. Export VOS Platform Application Server Certificates.
(i) Navigate to Cisco Unified Communications Operating System Administration page: https://FQDN:8443/cmplatform.
(ii) Navigate to Security > Certificate Management and find the application primary server certificate in the tomcat-trust folder.
(iii) Select the certificate and click Download .PEM File to save it in a temporary folder on the AW server.
Note: Perform the same steps for the subscriber.
Step 2. Import VOS Platform Application Certificates to AW Server.
Path to run the Key tool: C:\Program Files (x86)\Java\jre1.8.0_221\bin
Command to import the self-signed certificates:
keytool -keystore "C:\Program Files (x86)\Java\jre1.8.0_221\lib\security\cacerts" -import -storepass changeit -alias {fqdn_of_vos} -file c:\temp\certs\vosapplicationX.pem
Restart the Apache Tomcat service on the AW servers.
Note: Perform the same task on other AW servers.
These are the components from which self-signed certificates are exported and the components into which self-signed certificates need to be imported.
(i) CVP OAMP server: This server requires certificate from
(ii) CVP Servers: This server requires certificate from
(iii) CVP Reporting servers: This server requires certificate from
(iv) Cisco VVB servers: This server requires certificate from
The steps needed to effectively exchange the self-signed certificates in the CVP environment are explained through these three sections.
Section 1: Certificate Exchange Between CVP OAMP Server and CVP Server and Reporting Servers.
Section 2: Certificate Exchange Between CVP OAMP Server and VOS Platform Applications.
Section 3: Certificate Exchange Between CVP Server and VVB Servers.
The steps needed to complete this exchange successfully are:
Step 1. Export WSM certificate from CVP Server, Reporting and OAMP server.
Step 2. Import WSM certificates from CVP Server and Reporting server into OAMP server.
Step 3. Import CVP OAMP server WSM certificate into CVP Server and Reporting servers.
Caution: Before you begin, you must do this:
1. Obtain the keystore password. Run the command: more %CVP_HOME%\conf\security.properties
2. Copy the %CVP_HOME%\conf\security folder to another folder.
3. Open a command window as Administrator to run the commands.
Step 1. Export WSM certificate from CVP Server, Reporting and OAMP server.
(i) Export the WSM certificate from each CVP Server to a temporary location, and rename the certificate with a desired name. You can rename it wsmX.crt, where X is replaced with a unique number or letter. For example: wsmcsa.crt, wsmcsb.crt, wsmrepa.crt, wsmrepb.crt, wsmoamp.crt.
Command to export the self-signed certificates:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -export -alias wsm_certificate -file %CVP_HOME%\conf\security\wsm.crt
(ii) Copy the certificate from the path C:\Cisco\CVP\conf\security\wsm.crt from each server and rename it as wsmX.crt based on the server type.
Step 2. Import WSM certificates from CVP Server and Reporting server into OAMP server.
(i) Copy each CVP Server and Reporting server WSM certificate (wsmX.crt) to the C:\Cisco\CVP\conf\security directory on the OAMP server.
(ii) Import these certificates with the command:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -alias {fqdn_of_cvp}_wsm -file c:\cisco\cvp\conf\security\wsmcsX.crt
(iii) Reboot the server.
Step 3. Import CVP OAMP server WSM certificate into CVP Server and Reporting servers.
(i) Copy OAMP server WSM certificate (wsmoampX.crt) to the C:\Cisco\CVP\conf\security directory on all the CVP Servers and Reporting servers.
(ii) Import the certificates with the command:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -alias {fqdn_of_cvp}_wsm -file c:\cisco\cvp\conf\security\wsmoampX.crt
(iii) Reboot the servers.
The steps needed to complete this exchange successfully are:
Step 1. Export application certificate from the VOS platform.
Step 2. Import VOS application certificate into the OAMP server.
Step 1. Export application certificate from the VOS platform.
(i) Navigate to Cisco Unified Communications Operating System Administration page: https://FQDN:8443/cmplatform.
(ii) Navigate to Security > Certificate Management and find the application primary server certificate in the tomcat-trust folder.
(iii) Select the certificate and click Download .PEM File to save it in a temporary folder on the OAMP server.
Step 2. Import VOS application certificate into the OAMP server.
(i) Copy the Cisco VVB certificate to the C:\Cisco\CVP\conf\security directory on the OAMP server.
(ii) Import the certificates with the command:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -alias {fqdn_of_vos} -file c:\cisco\cvp\conf\security\vvb.pem
(iii) Reboot the server.
This is an optional step to secure the SIP and HTTP communication between the CVVB and CVP Servers. The steps needed to complete this exchange successfully are:
Step 1. Export CVVB application certificate from the VOS platform.
Step 2. Import VOS application certificate into the CVP servers.
Step 3: Export callserver and vxml certificate from CVP Servers.
Step 4: Import callserver and vxml certificate into CVVB Servers.
Step 1. Export application certificate from the VOS platform.
(i) Follow the same steps as stated in Step 1 of Section 2 for the CVVB servers.
Step 2. Import VOS application certificate into the CVP Server.
(i) Follow the same steps as stated in step 2 of Section 2 on all CVP Servers.
Step 3: Export callserver and vxml certificate from CVP Servers
(i) Export the callserver and vxml certificates from each CVP Server to a temporary location, and rename the certificates with a desired name. You can rename them callserverX.crt \ vxmlX.crt, where X is replaced with a unique number or letter.
Commands to export the self-signed certificates:
Callserver certificate:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -export -alias callserver_certificate -file %CVP_HOME%\conf\security\callserverX.crt
Vxml certificate:
%CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -export -alias vxml_certificate -file %CVP_HOME%\conf\security\vxmlX.crt
(ii) Copy the exported certificates (callserverX.crt and vxmlX.crt) from the C:\Cisco\CVP\conf\security folder on each server and rename them as callserverX.crt \ vxmlX.crt based on the certificate type.
Step 4: Import callserver and vxml certificate into CVVB servers.
(i) Navigate to Cisco Unified Communications Operating System Administration page: https://FQDN:8443/cmplatform.
(ii) Navigate to Security > Certificate Management and select option upload Certificate/Certificate chain.
(iii) On the Upload Certificate/Certificate chain page, select tomcat-trust in the Certificate Purpose field and upload the certificates exported in Step 3.
(iv) Reboot the server.
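As an added example that is not part of the Cisco document, this PowerShell script covers the keytool side of Section 1 (wsm) and Section 3 (callserver and vxml): on a CVP, Reporting or OAMP server it reads the keystore password from security.properties, exports the chosen certificate from the JCEKS keystore, prints its fingerprints for the receiving side to check, and optionally imports a peer's certificate and verifies the entry. It assumes an Administrator shell, CVP_HOME set, a backed-up security folder, and that the password is stored under the key Security.keystorePW (an assumption; the page only says to view the file).

```powershell
# Added example, not Cisco's code: export this CVP server's wsm, callserver or
# vxml certificate from the JCEKS keystore and optionally import a peer's
# certificate into it. Assumes: Administrator shell, CVP_HOME set, security
# folder backed up, password stored as "Security.keystorePW" (assumed key name).
param(
    [ValidateSet('wsm', 'callserver', 'vxml')][string]$CertType = 'wsm',
    [string]$ExportName,   # e.g. wsmcsa.crt; default <type>_<hostname>.crt
    [string]$ImportFile,   # optional peer certificate to trust, e.g. wsmoamp.crt
    [string]$ImportAlias   # e.g. cvpoamp.domain.com_wsm
)

$cvpHome = $env:CVP_HOME
if (-not $cvpHome) { throw 'CVP_HOME is not set.' }
$keytool  = Join-Path $cvpHome 'jre\bin\keytool.exe'
$secDir   = Join-Path $cvpHome 'conf\security'
$keystore = Join-Path $secDir '.keystore'

function Get-CvpKeystorePassword {
    # Parsed from the file that "more %CVP_HOME%\conf\security.properties" shows,
    # so the password is not retyped on the command line.
    $text = Get-Content (Join-Path $cvpHome 'conf\security.properties') -Raw
    $m = [regex]::Match($text, '(?m)^\s*Security\.keystorePW\s*=\s*(.+?)\s*$')
    if (-not $m.Success) { throw 'Security.keystorePW not found in security.properties.' }
    return $m.Groups[1].Value
}
$storePass = Get-CvpKeystorePassword

# Export: the aliases are wsm_certificate, callserver_certificate and vxml_certificate.
if (-not $ExportName) { $ExportName = "${CertType}_$($env:COMPUTERNAME.ToLower()).crt" }
$outFile = Join-Path $secDir $ExportName
& $keytool -storetype JCEKS -keystore $keystore -storepass $storePass `
    -export -alias "${CertType}_certificate" -file $outFile
# Print the fingerprints so the receiving side can check them before importing.
& $keytool -printcert -file $outFile | Select-String -Pattern '^\s+SHA'

if ($ImportFile) {
    if (-not $ImportAlias) { throw '-ImportAlias is required with -ImportFile.' }
    # Trust the peer's self-signed certificate; -noprompt skips the interactive question.
    & $keytool -storetype JCEKS -keystore $keystore -storepass $storePass `
        -import -noprompt -alias $ImportAlias -file $ImportFile
    & $keytool -storetype JCEKS -keystore $keystore -storepass $storePass -list -alias $ImportAlias
    Write-Host 'Reboot the server so CVP reloads the keystore.'
}
```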
For detailed information about how to establish a secure communication for Web Services Element and Rest_Client element
Revision | Publish Date | Comments
---|---|---
2.0 | 14-Jul-2022 | Revision 11
1.0 | 24-Apr-2020 | Initial Release