Revision as of 14:30, February 1, 2016 by Jumunn

Transport Layer Security

Web Services can use a secured Transport Layer Security (TLS) connection mechanism provided by Genesys servers. When configured, Web Services connects to a secure port on the Genesys server, verifies the server's authority, and encrypts/decrypts network traffic.

Prerequisites

Before configuring Web Services, make sure the Genesys server secure port is configured as described in Chapter 20: Genesys TLS Configuration of the Genesys Security Deployment Guide and that all certificates for the server host and the certificate authority are configured and available.

Configuration

You can configure secured connections to Genesys components in the following ways:

Minimal configuration

In the minimal configuration, Web Services does not check the server's certificate against the certificate authority, so all traffic is encrypted but the server is not authenticated. To configure Web Services this way, all you need to do is configure a connection to a secured port on the Genesys server. You can do this using either of the following methods:

  • For the initial connection to Configuration Server, set the tlsEnabled option to true in the onpremise-settings.yaml file. This creates a secured connection to Configuration Server the first time Web Services starts.
  • For an environment that is already configured with Configuration Manager synchronization enabled, you can make changes with Configuration Manager as described in the Genesys Security Deployment Guide. These changes are synchronized back to the Cassandra database from Configuration Manager.

Validate the certificate against the CA

In order to support the client-side certificate check, Web Services needs the public key for the Certificate Authority (CA). Web Services supports two formats of key storage:

  • PEM
  • JKS

Genesys recommends using JKS because it's compatible with both Cassandra and HTTPS.

Complete the steps below to validate the certificate against the CA.

  1. If you plan to use a JKS file, you can generate it from a PEM file by importing the PEM certificate, as shown here:
    keytool -importcert -file ca_cert.pem -keystore ca_cert.jks

    This generates a ca_cert.jks key storage file that Web Services can use.

  2. Once you have the ca_cert.jks file, place it in a location available from your Web Services host, such as:
    • A local folder on the Web Services host
    • A network share
    • The genconfig folder on the Web Services host
  3. Configure the following options in the server-settings.yaml file:
    • For a PEM file, set caCertificate to the location of the file. For example:
      caCertificate: /opt/jetty/genconfig/ca_cert.pem
    • For a JKS file, set caCertificate to the location of the file and set jksPassword to the password for the key storage. For example:
      caCertificate: /opt/jetty/genconfig/ca_cert.jks
      jksPassword: pa$$word
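
A pre-deployment check of the settings from the steps above, as an added example (not Genesys code). It assumes the options appear as flat key: value lines, treats any caCertificate path that does not end in .jks as PEM, and uses hypothetical function names and finding codes.

```python
import re
import stat
import tempfile
from pathlib import Path

# Option names are from the page; the flat "key: value" layout is an assumption.
OPTION_RE = re.compile(r"^\s*(caCertificate|jksPassword)\s*:\s*(\S.*?)\s*$")

def read_options(settings_file):
    """Return {option: value} for the CA options found in a settings file."""
    with open(settings_file, encoding="utf-8") as fh:
        matches = (OPTION_RE.match(line) for line in fh)
        return {m.group(1): m.group(2).strip("'\"") for m in matches if m}

def mode_bits(path, mask):
    return stat.S_IMODE(Path(path).stat().st_mode) & mask

def audit_ca_validation(settings_file):
    """Return sorted finding codes; an empty list means nothing was flagged."""
    opts = read_options(settings_file)
    ca = opts.get("caCertificate")
    if not ca:  # minimal configuration: encrypted, server certificate unchecked
        return ["NO_CA_VALIDATION"]
    if not Path(ca).is_file():
        return ["CA_FILE_MISSING"]
    findings = set()
    if mode_bits(ca, stat.S_IWGRP | stat.S_IWOTH):
        findings.add("CA_FILE_WRITABLE_BY_OTHERS")  # trust anchor could be replaced
    if ca.lower().endswith(".jks"):
        if "jksPassword" not in opts:
            findings.add("JKS_PASSWORD_MISSING")
    else:  # treated as PEM
        data = Path(ca).read_bytes()
        if b"-----BEGIN CERTIFICATE-----" not in data:
            findings.add("PEM_HAS_NO_CERTIFICATE")
        if b"PRIVATE KEY-----" in data:
            findings.add("PEM_CONTAINS_PRIVATE_KEY")  # only the CA certificate is needed
    if "jksPassword" in opts and mode_bits(settings_file, stat.S_IROTH):
        findings.add("PASSWORD_FILE_WORLD_READABLE")
    return sorted(findings)

def demo():
    """Audit constructed files: a settings file pointing at a bad PEM file."""
    with tempfile.TemporaryDirectory() as d:
        pem, cfg = Path(d, "ca_cert.pem"), Path(d, "server-settings.yaml")
        pem.write_text("-----BEGIN PRIVATE KEY-----\n(constructed)\n")
        pem.chmod(0o664)
        cfg.write_text(f"caCertificate: {pem}\n")
        return audit_ca_validation(cfg)
```

Because the settings file holds jksPassword in clear text, the last check flags a file that any local user can read.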
