Package CCE Solution: Procedure to Obtain and Upload Third-Party CA Certificates

Available Languages

Updated:June 27, 2018
Document ID:200287

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the steps involved in order to obtain and install a Certification Authority (CA) certificate, generated from a third-party vendor in order to establish a HTTPS connection between Finesse and Cisco Unified Intelligence Center (CUIC) servers.

    In order to use HTTPS for secure communication between Finesse and CUIC servers, security certificates setup is needed. By default, these servers provide self-signed certificates that are used or customers can procure and install CA certificates. These CA certificates can be obtained either from a third-party vendor like VeriSign, Thawte, GeoTrust or can be produced internally.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Package Contact Center Enterprise (PCCE)
    • CUIC
    • Cisco Finesse
    • CA certificates

    Components Used

    The information used in the document is based on PCCE solution 11.0 (1) version.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any step.

    Procedure

    In order to set up certificates for HTTPS communication in Finesse and CUIC servers, follow these steps:

    • Generate and download Certificate Signing Request (CSR)
    • Obtain root, intermediate (if applicable) and application certificate from CA with the use of CSR
    • Upload certificates to the servers

    Generate and Download CSR

    1. Steps described here are in order to generate and download CSR. These steps are the same for Finesse and CUIC servers.

    2. Open Cisco Unified Communications Operating System Administration page with the URL and sign in with the Operating System (OS) admin account created at the time of the installation process. https://hostname of primary server/cmplatform

    3. Generate Certificate Signing Request.

    a. Navigate to Security > Certificate Management > Generate CSR.

    b. From the Certificate Purpose* drop-down list, select tomcat.

    c. Select Hash Algorithm as SHA256.

    d. Click Generate as shown in the image.

    4. Download CSR.

    a. Navigate to Security > Certificate Management > Download CSR.

    b. From the Certificate Purpose* drop-down list, select tomcat.

    c. Click Download CSR as shown in the image.

    Note: Perform these steps on the secondary server's with the URL https://hostname of secondary server/cmplatform in order to obtain CSR's for CA.

    Obtain Root, Intermediate (if Applicable) and Application Certificate from CA

    1. Provide the primary and secondary server's CSR information to third party CA like VeriSign, Thawte, GeoTrust etc.

    2. From CA, you must receive these certificate chain for the primary and secondary servers:

    • Finesse servers: Root, Intermediate and Application certificate
    • CUIC servers: Root and Application certificate

    Upload Certificates to Servers

    This section describes on how to upload the certificate chain correctly on Finesse and CUIC servers.

    Finesse Servers

    1. Upload primary Finesse server root certificate:

    a. On the primary server's Cisco Unified Communications Operating System Administration page, navigate to Security > Certificate Management > Upload Certificate.

    b. From the Certificate Purpose drop-down list, select tomcat-trust.

    c. In the Upload File field, click Browse and browse root certificate file.

    d. Click Upload File.

    2. Upload primary Finesse server intermediate certificate:

    a. From the Certificate Purpose drop-down list, select tomcat-trust.

    b. In the Root Certificate filed, enter the name of the root certificate that is uploaded in the previous step. This is a .pem file that is generated when the root/public certificate was installed.

    In order to view this file, navigate to Certificate Management > Find. In the certificate list, .pem file name is listed against tomcat-trust.

    c. In the Upload File field, click Browse and browse intermediate certificate file.

    d. Click Upload File.

    Note: As tomcat-trust store is replicated between the primary and secondary servers, it is not needed to upload the primary Finesse server root or Intermediate certificate to the secondary Finesse server.

    3. Upload primary Finesse server application certificate:

    a. From the Certificate Purpose drop-down list, select tomcat.

    b. In the Root Certificate field, enter the name of the intermediate certificate that is uploaded in the previous step. Include the .pem extension (for example, TEST-SSL-CA.pem).

    c. In the Upload File field, click Browse and browse application certificate file.

    d. Click Upload File.

    4. Upload secondary Finesse server root and Intermediate certificate:

    a. Follow the same steps as mentioned in Steps 1 and 2 on the secondary server for its certificates.

    Note: As tomcat-trust store is replicated between the primary and secondary servers, it is not needed to upload the secondary Finesse server root or Intermediate certificate to the primary Finesse server.

    5. Upload secondary Finesse server application certificate:

    a. Follow the same steps as mentioned in Step 3. on the secondary server for its own certificates.

    6. Restart servers:

    a. Access the CLI on the primary and secondary Finesse servers and run the command utils system restart in order to restart the servers.

    CUIC Servers

    1. Upload CUIC primary server root (public) certificate:

    a. On primary server's Cisco Unified Communications Operating System Administration page, navigate to Security > Certificate Management > Upload Certificate.

    b. From the Certificate Purpose drop-down list, select tomcat-trust.

    c. In the Upload File field, click Browse and browse root certificate file.

    d. Click Upload File.

    Note: As Tomcat-trust store is replicated between the primary and secondary servers, it is not needed to upload the primary CUIC server root certificate to the secondary CUIC servers.

    2. Upload CUIC primary server application (primary) certificate:

    a. From the Certificate Purpose drop-down list, select tomcat.

    b. In the Root Certificate field, enter the name of the root certificate that is uploaded in the previous step.

    This is a .pem file that is generated when the root/public certificate was installed. In order to view this file, Navigate to certificate management > Find .

    In the certificate list .pem file name is listed against tomcat-trust. Include that .pem extension (for example, TEST-SSL-CA.pem).

    c. In the Upload File field, click Browse and browse application (primary) certificate file.

    d. Click Upload File.

    3. Upload CUIC secondary server root (public) certificate:

    a. On the secondary CUIC server, follow the same steps as mentioned in the Step 1. for its root certificate.

    Note: As tomcat-trust store is replicated between the primary and secondary servers, it is not needed to upload the secondary CUIC server root certificate to the primary CUIC server.

    4. Upload CUIC secondary server application (primary) certificate:

    a. Follow the same process as stated in Step 2. on the secondary server for its own certificate.

    5. Restart servers:

    a. Access the CLI on the primary and secondary CUIC servers and run the command utils system restart in order to restart the servers.

    Note: In order to avoid the certificate exception warning, you must access the servers with the use of the Fully Qualified Domain Name (FQDN).

    Certificate Dependencies

    As Finesse agents and supervisors utilize CUIC gadgets for reporting purposes, you have to upload root certificates of these servers as well, in the order mentioned here to maintain certificate dependencies for HTTPS communication between these servers and as shown in the image.

    • Upload CUIC servers root certificate on Finesse primary server
    • Upload Finesse root\intermediate certificate on CUIC primary server 

    Upload CUIC Servers Root Certificate on Finesse Primary Server

    1. On primary Finesse server, open Cisco Unified Communications Operating System Administration page with the URL and sign in with the OS admin account created at the time of the installation process:

    https://hostname of primary Finesse server/cmplatform

    2. Upload Primary CUIC root certificate.

    a. Navigate to Security > Certificate Management > Upload Certificate.

    b. From the Certificate Purpose drop-down list, select tomcat-trust.

    c. In the Upload File field, click Browse and browse root certificate file.

    d. Click Upload File.

    3. Upload Secondary CUIC root certificate.

    a. Navigate to Security > Certificate Management > Upload Certificate.

    b. From the Certificate Purpose drop-down list, select tomcat-trust.

    c. In the Upload File field, click Browse and browse root certificate file.

    d. Click Upload File

    Note: As tomcat-trust store is replicated between the primary and secondary servers, it is not needed to upload the CUIC root certificates to the secondary Finesse server.

    4. Access the CLI on the primary and secondary Finesse servers and run the command utils system restart in order to restart the servers.

    Upload Finesse Root/Intermediate Certificate on CUIC Primary Server

    1. On primary CUIC server, open Cisco Unified Communications Operating System Administration page with the URL and sign in with the OS admin account created atthe time of the installation process:

    https://hostname of primary CUIC server/cmplatform

    2. Upload Primary Finesse root certificate:

    a. Navigate to Security > Certificate Management > Upload Certificate.

    b. From the Certificate Purpose drop-down list, select tomcat-trust.

    c. In the Upload File field, click Browse and browse root certificate file.

    d. Click Upload File.

    3.Upload primary Finesse intermediate certificate:

    a. From the Certificate Purpose drop-down list, select tomcat-trust.

    b. In the Root Certificate filed, enter the name of the root certificate that is uploaded in the previous step.

    c. In the Upload File field, click Browse and browse intermediate certificate file.

    d. Click Upload File.

    4. Perform the same Step 2 and Step 3. for secondary Finesse root\Intermediate certificates on primary live data server.

    Note: As tomcat-trust store is replicated between the primary and secondary servers, it is not needed to upload the Finesse root /Intermediate certificate to the secondary CUIC servers.

    5. Access the CLI on the primary and secondary CUIC servers and run the command utils system restart in order to restart the servers.

    Revision History

    Revision Publish Date Comments
    1.0
    21-Apr-2016
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Anuj Bhatia
      Cisco TAC Engineer
    • Carl Haas
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco