Revision as of 14:30, February 1, 2016

Transport Layer Security

Web Services can use a secured Transport Layer Security (TLS) connection mechanism provided by Genesys servers. When configured, Web Services connects to a secure port on the Genesys server, verifies the server's authority, and encrypts/decrypts network traffic.

Prerequisites

Before configuring Web Services, make sure the Genesys server secure port is configured as described in Chapter 20: Genesys TLS Configuration of the Genesys Security Deployment Guide (http://docs.genesys.com/Special:Repository/81g_dep-security.pdf?id=c9043536-fe62-42a5-807b-f4eb80f31a26) and that all certificates for the server host and the certificate authority are configured and available.

Configuration

You can configure secured connections to Genesys components in the following ways:

Minimal configuration

With the minimal configuration, Web Services does not check the server's certificate against the certificate authority, but all traffic is encrypted. All you need to do is configure a connection to a secured port on the Genesys server, using either of the following methods:

  • For the initial connection to Configuration Server, set the tlsEnabled option to true in the onpremise-settings.yaml file. This creates a secured connection to Configuration Server the first time Web Services starts.
  • For an environment that is already configured with Configuration Manager synchronization enabled, you can make changes with Configuration Manager as described in the Genesys Security Deployment Guide. These changes are synchronized back to the Cassandra database from Configuration Manager.

Validate the certificate against the CA

To support the client-side certificate check, Web Services needs the public key (certificate) of the Certificate Authority (CA). Web Services supports two key storage formats:

  • PEM
  • JKS

Genesys recommends using JKS because it's compatible with both Cassandra and HTTPS.

Complete the steps below to validate the certificate against the CA.

Start

  1. If you plan to use a JKS file, you can generate it from a PEM file by importing the PEM certificate, as shown here:
    keytool -importcert -file ca_cert.pem -keystore ca_cert.jks

    This generates a ca_cert.jks key storage file that Web Services can use.

  2. Once you have the ca_cert.jks file, place it in a location available from your Web Services host, such as:
    • A local folder on the Web Services host
    • A network share
    • The genconfig folder on the Web Services host
  3. Configure the server-settings.yaml file with one of the following options:
    • For a PEM file, set caCertificate to the location of the file. For example:
      caCertificate: /opt/jetty/genconfig/ca_cert.pem
    • For a JKS file, set caCertificate to the location of the file and set jksPassword to the password for the key storage. For example:
      caCertificate: /opt/jetty/genconfig/ca_cert.jks
      jksPassword: pa$$word

End
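The following checker is added here as an example; it is not part of the Genesys documentation or product. It reads the two settings files named in the steps above and reports which of the two modes described on this page they produce: the minimal configuration (traffic encrypted, server certificate not validated) or validation against the CA (caCertificate pointing at a readable PEM or JKS file, with jksPassword present for JKS). It assumes the flat key: value layout shown on this page, covers only the file-based method (changes made through Configuration Manager are not visible in these files), and the sample PEM and JKS files it writes are constructed placeholders, not real certificates or keystores.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Reads the flat "key: value" settings files shown on this page. Assumption:
# only top-level scalar keys matter, so a full YAML parser is not used, and
# values are assumed not to contain '#'.
def parse_flat_yaml(text):
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z_][\w.-]*)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings

@dataclass
class TlsAssessment:
    encrypted: bool = False
    server_authenticated: bool = False
    findings: list = field(default_factory=list)

JKS_MAGIC = b"\xfe\xed\xfe\xed"                 # magic number that opens every JKS keystore
PEM_CERT_MARK = b"-----BEGIN CERTIFICATE-----"  # PEM certificate header

def assess_tls(onpremise_text, server_text):
    """Classify the connection that onpremise-settings.yaml and server-settings.yaml produce."""
    onprem = parse_flat_yaml(onpremise_text)
    server = parse_flat_yaml(server_text)
    a = TlsAssessment()
    if onprem.get("tlsEnabled", "false").lower() != "true":
        a.findings.append("tlsEnabled is not true: the Configuration Server connection is plaintext")
        return a
    a.encrypted = True
    ca_path = server.get("caCertificate")
    if not ca_path:
        # Minimal configuration: encrypted channel, but no check of who is on the other end.
        a.findings.append("minimal configuration: traffic is encrypted but the server "
                          "certificate is not validated against the CA")
        return a
    if not os.path.isfile(ca_path):
        a.findings.append(f"caCertificate {ca_path} is not readable from this host")
        return a
    with open(ca_path, "rb") as f:
        head = f.read(4096)
    if ca_path.lower().endswith(".jks"):
        if not head.startswith(JKS_MAGIC):
            a.findings.append(f"{ca_path} does not look like a JKS keystore")
            return a
        if not server.get("jksPassword"):
            a.findings.append("JKS keystore configured but jksPassword is missing")
            return a
    elif PEM_CERT_MARK not in head:
        a.findings.append(f"{ca_path} does not contain a PEM certificate")
        return a
    a.server_authenticated = True
    return a

def demo():
    """Runs the checker over constructed sample files (placeholders, not real certificates)."""
    tmp = tempfile.mkdtemp()
    pem = os.path.join(tmp, "ca_cert.pem")
    jks = os.path.join(tmp, "ca_cert.jks")
    with open(pem, "wb") as f:  # constructed placeholder body, not a real certificate
        f.write(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDERBASE64\n-----END CERTIFICATE-----\n")
    with open(jks, "wb") as f:  # constructed: JKS magic, version 2, zero entries
        f.write(JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00\x00\x00\x00")
    tls_on = "tlsEnabled: true\n"
    scenarios = {
        "plaintext": ("tlsEnabled: false\n", ""),
        "minimal": (tls_on, ""),
        "pem": (tls_on, f"caCertificate: {pem}\n"),
        "jks_no_password": (tls_on, f"caCertificate: {jks}\n"),
        "jks": (tls_on, f"caCertificate: {jks}\njksPassword: pa$$word\n"),
    }
    return {name: assess_tls(o, s) for name, (o, s) in scenarios.items()}

if __name__ == "__main__":
    for name, a in demo().items():
        print(f"{name:16} encrypted={a.encrypted} "
              f"authenticated={a.server_authenticated} {a.findings}")
```

Run it against the real files by passing their contents to assess_tls; the "minimal" finding is the one to look for when auditing a deployment, since an encrypted but unauthenticated connection still accepts any server that presents a certificate.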


Next Step
