Secure JMX Communication between OAMP and Call Server using Mutual Authentication
You can secure JMX communication by:
- Exchanging the CA-signed certificates between the components.
- Signing the certificates by a Certificate Authority.
Self-Signed Certificates
On Call Server or VXML Server or Reporting Server
Log in to the CVP/Reporting Server. Retrieve the keystore password from the security.properties file.
Note: At the command prompt, enter more %CVP_HOME%\conf\security.properties. The line Security.keystorePW = <Returns the keystore password> gives the keystore password. Enter the keystore password when prompted.
Procedure
Step 1: Export the following certificates:
Step 2: Enter the keystore password when prompted.
Step 3: Copy all the generated certificates from the %CVP_HOME%\conf\security\ folder of the Call/VXML/Reporting Server machine to the %CVP_HOME%\conf\security\ folder on the OAMP machine.
Step 4: On the OAMP machine, export the OAMP Server certificate by running:
    %CVP_HOME%\jre\bin\keytool.exe -export -v -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS -alias oamp_certificate -file %CVP_HOME%\conf\security\oamp_security.cer
Step 5: Enter the keystore password when prompted.
Step 6: Copy the generated OAMP Server certificate from the %CVP_HOME%\conf\security\ folder of the OAMP machine to the %CVP_HOME%\conf\security\ folder of the CVP/Reporting Server machine.
Step 7: On the CVP/Reporting Server machine, import the OAMP Server certificate by running:
    %CVP_HOME%\jre\bin\keytool.exe -import -trustcacerts -keystore %CVP_HOME%\conf\security\.keystore -storetype JCEKS -alias oamp_certificate -file %CVP_HOME%\conf\security\oamp_security.cer
Step 8: Enter the keystore password when prompted.
Step 9: At the "Trust this certificate? [no]:" prompt, enter yes.
Step 10: Configure WSM in CVP:
Step 11: Run the regedit command.
Step 12: Configure JMX of callserver in CVP. Go to c:\cisco\cvp\conf\jmx_callserver.conf. Update the file as shown and save the file:
Step 13: Configure JMX of VXMLServer in CVP. Go to c:\cisco\cvp\conf\jmx_vxml.conf. Edit the file as shown and save the file:
Step 14: Run the regedit command.
Step 15: Restart the Operations Console Server and the Call Server machines.
On OAMP
Log in to the Operations Console Server. Retrieve the keystore password from the security.properties file.
Note: At the command prompt, enter more %CVP_HOME%\conf\security.properties. The line Security.keystorePW = <Returns the keystore password> gives the keystore password. Enter the keystore password when prompted.
Procedure
Step 1: Import the following certificates:
Step 2: Enter the keystore password when prompted.
Step 3: At the "Trust this certificate? [no]:" prompt, enter yes.
Step 4: Restart OAMP service.
Step 5: Log into OAMP. To enable secure communication between OAMP and Call Server or VXML Server or Reporting Server, check the Enable secure communication with the Ops console check box. Save and deploy both Call Server and VXML Server.
Generate CA-Signed Certificate for WSM Service in Call Server/VXML Server/Reporting Server/WSM Server
Log into the Call Server or VXML Server or Reporting Server or WSM Server. Retrieve the keystore password from the security.properties file.
Note: At the command prompt, enter more %CVP_HOME%\conf\security.properties. The line Security.keystorePW = <Returns the keystore password> gives the keystore password. Enter the keystore password when prompted.
Procedure
Step 1: Go to %CVP_HOME%\conf\security and delete the WSM certificate from the keystore by running the command below. Enter the keystore password when prompted.
    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -delete -alias wsm_certificate
Step 2: Repeat Step 1 for Call Server, VXML Server, and Reporting Server.
Step 3: Generate a CA-signed certificate for WSM server by running:
    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -genkeypair -alias wsm_certificate -v -keysize 2048 -keyalg RSA
Step 4: Generate the certificate request for the alias by running the following command and saving it to a file (for example, wsm.csr):
    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -certreq -alias wsm_certificate -file %CVP_HOME%\conf\security\wsm_certificate
Step 5: Sign the certificate on a CA.
Step 6: Copy the root certificate and the CA-signed WSM certificate to %CVP_HOME%\conf\security\.
Step 7: Import the root certificate by running:
    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -trustcacerts -alias root -file %CVP_HOME%\conf\security\<filename_of_root_cer>
Step 8: Import the CA-signed WSM certificate by running the command below. Enter the keystore password when prompted.
    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -trustcacerts -alias wsm_certificate -file %CVP_HOME%\conf\security\<filename_of_your_signed_cert_from_CA>
Step 9: Repeat Steps 3, 4, and 8 for Call Server, VXML Server, and Reporting Server.
Step 10: Configure WSM in CVP:
Step 11: Configure JMX of callserver in CVP:
Step 12: Configure JMX of VXMLServer in CVP:
Generate CA-Signed Client Certificate for WSM
Log into the Call Server or VXML Server or Reporting Server or WSM. Retrieve the keystore password from the security.properties file.
Note: At the command prompt, enter more %CVP_HOME%\conf\security.properties. The line Security.keystorePW = <Returns the keystore password> gives the keystore password. Enter the keystore password when prompted.
Procedure
Step 1: Go to %CVP_HOME%\conf\security and generate a CA-signed certificate for client authentication with callserver by running:
    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -genkeypair -alias <CN of Callserver WSM certificate> -v -keysize 2048 -keyalg RSA
Step 2: Generate the certificate request for the alias by running the following command and saving it to a file (for example, jmx_client.csr):
    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -certreq -alias <CN of Callserver WSM certificate> -file %CVP_HOME%\conf\security\jmx_client.csr
Step 3: Sign the certificate on a CA.
Step 4: Copy the root certificate and the CA-signed JMX Client certificate to %CVP_HOME%\conf\security\.
Step 5: Import the CA-signed JMX Client certificate by running:
    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -trustcacerts -alias <CN of Callserver WSM certificate> -file %CVP_HOME%\conf\security\<filename of CA-signed JMX Client certificate>
Step 6: Restart Cisco CVP VXMLServer service.
Generate CA-Signed Client Certificate for OAMP (to be done on OAMP)
Log into the OAMP Server. Retrieve the keystore password from the security.properties file.
Note: At the command prompt, enter more %CVP_HOME%\conf\security.properties. The line Security.keystorePW = <Returns the keystore password> gives the keystore password. Enter the keystore password when prompted.
Procedure
Step 1: Go to %CVP_HOME%\conf\security and generate a CA-signed certificate for client authentication with callserver WSM by running:
    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -genkeypair -alias <CN of Callserver WSM certificate> -v -keysize 2048 -keyalg RSA
Step 2: Generate the certificate request for the alias by running the following command and saving it to a file (for example, jmx.csr):
    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -certreq -alias <CN of Callserver WSM certificate> -file %CVP_HOME%\conf\security\jmx.csr
Step 3: Sign the certificate on a CA.
Step 4: Copy the root certificate and CA-signed JMX Client certificate to %CVP_HOME%\conf\security\.
Step 5: Import the root certificate of the CA by running:
    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -trustcacerts -alias root -file %CVP_HOME%\conf\security\<filename_of_root_cert>
Step 6: Import the CA-signed JMX Client certificate of CVP by running:
    %CVP_HOME%\jre\bin\keytool.exe -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore -import -v -trustcacerts -alias <CN of Callserver WSM certificate> -file %CVP_HOME%\conf\security\<filename_of_your_signed_cert_from_CA>
Step 7: Restart OAMP service.
Step 8: Log into OAMP. To enable secure communication between OAMP and Call Server or VXML Server, check the Enable secure communication with the Ops console check box. Save and deploy both Call Server and VXML Server.
Step 9: Run the regedit command.
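Added example (not part of the original Cisco procedure): when the alias given at import does not hold the key pair created with -genkeypair, keytool adds a trusted-certificate entry instead of completing the key entry, and the key pair stays self-signed. The Python sketch below parses the output of %CVP_HOME%\jre\bin\keytool.exe -list -v -storetype JCEKS -keystore %CVP_HOME%\conf\security\.keystore and reports whether an alias such as wsm_certificate (or <CN of Callserver WSM certificate> in the client-certificate procedures) is a key entry with a CA-issued chain. The function names and the embedded sample output are constructed for illustration, and English-locale keytool output is assumed.

```python
# Constructed, abbreviated English-locale `keytool -list -v` output (not from a real system).
SAMPLE = """\
Alias name: wsm_certificate
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=callserver.example.test
Issuer: CN=Example Root CA
Certificate[2]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Alias name: oamp_certificate
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=oamp.example.test
Issuer: CN=oamp.example.test
"""
FIELDS = {"Alias name": "alias", "Entry type": "type",
          "Certificate chain length": "chain_len", "Owner": "owner", "Issuer": "issuer"}

def parse_entries(text):
    """Map each alias to its entry type, chain length and leaf Owner/Issuer."""
    entries, cur = {}, None
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        field = FIELDS.get(key.strip())
        if not sep or field is None:
            continue
        if field == "alias":
            cur = entries.setdefault(val.strip(), {})
        elif cur is not None:
            cur.setdefault(field, val.strip())  # first Owner/Issuer seen is the leaf cert
    return entries

def ca_signed_problems(entries, alias):
    """Reasons `alias` is not a CA-signed key entry; an empty list means it passed."""
    e = entries.get(alias)
    if e is None:
        return ["alias not found"]
    if e.get("type") != "PrivateKeyEntry":
        return ["no private key under this alias (entry type: %s)" % e.get("type")]
    problems = []
    if e.get("owner") == e.get("issuer"):
        problems.append("leaf certificate is still self-signed")
    if int(e.get("chain_len", 0)) < 2:
        problems.append("chain does not include the CA certificate")
    return problems

print({a: ca_signed_problems(parse_entries(SAMPLE), a) or "OK" for a in ("wsm_certificate", "oamp_certificate")})
```

In the constructed sample, wsm_certificate passes and oamp_certificate is reported as still self-signed, which is the expected state for a key pair that has only been through the self-signed exchange.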
[Optional] Blocking JConsole Login to OAMP
This section is needed if you want to block JConsole login to OAMP.
Note: The following procedure stops JMX communication on OAMP, but OAMP to Call Server/VXML Server/Reporting Server/WSM will continue to work.
Procedure
Step 1: Go to c:\cisco\cvp\conf\jmx_oamp.conf.
Step 2: Restart the OpsConsoleServer service.
Step 3: Go to c:\cisco\cvp\conf\jmx_wsm.conf.
Step 4: Restart the WSM service.
After these steps, unsecured JConsole login to OAMP from remote machines stops, but JConsole continues to work from the OAMP host.
Securing System CLI
To run the System CLI command on Cisco CVP CallServer, perform the following steps:
Procedure
Step 1: Import the root CA certificate in the JRE keystore:
The default keystore password is changeit.
Step 2: Restart the Cisco CVP CallServer service.