CTI OS Security Certificate Configuration
The CTI OS Security Certificate comprises the following:
- CTI OS Security Setup programs.
- Signing CTI Toolkit Desktop Client Certificate Request with Self-Signed Certificate Authority (CA).
- Signing CTI OS Server Certificate Request with Self-Signed CA.
- Signing CTI Toolkit Desktop Client Certificate Request with Third-Party CA.
- Signing CTI OS Server Certificate Request with Third-Party CA.
Each of these entities is detailed in this section.
Note: Neither Certificate Revocation Lists (CRLs) nor certificate chains are supported in CTI OS Security.
CTI OS Security Setup Programs
To configure the CTI OS, three setup programs are implemented. These setup programs are part of the Win32 CTI OS toolkit installation, and are located in the directory <drive>:\Program Files\Cisco Systems\CTIOS Client\CTIOS Security\Utilities.
The first setup program, CreateSelfSignedCASetupPackage.exe, creates a self-signed certificate authority (CA). Run it once if the customer wants to use a self-signed CA instead of a third-party CA, and save its output in a secure place. The program creates the CA-related files. One file, CtiosRoot.pem, contains the private CA information and must be kept in a safe place. Another file, CtiosRootCert.pem, contains the public CA information. The program asks the user to enter a password for the CA (between 8 and 30 characters), which is used when signing CTI OS certificate requests.
The second setup program, SecuritySetupPackage.exe, generates certificate requests for both the CTI Toolkit Desktop Client and the CTI OS Server. If the certificate request is for the CTI OS Server, it generates CtiosServerKey.pem and CtiosServerReq.pem. These files are used when signing server certificates. If the certificate request is for the CTI Toolkit Desktop Client, it generates CtiosClientkey.pem and CtiosClientreq.pem. These files are used when signing client certificates.
- Ctios Certificate Authority Password. This password is the one used to create a self-signed CA.
- Select either CTI Toolkit Desktop Client Certificate Request or CTI OS Server Certificate Request.
Sign CTI Toolkit Desktop Client Certificate Request with Self-Signed CA
Note: Generate CtiosRootCert.pem only once; use the same file for CTI OS server and client machines.
Follow these steps to sign a CTI Toolkit Desktop Client certificate request.
Procedure
Step 1: If the self-signed CA does not exist, then run CreateSelfSignedCASetupPackage.exe and store all the files that were created by the CreateSelfSignedCASetupPackage.exe program in a safe place. This step generates CtiosRoot.pem and CtiosRootCert.pem in the same folder from where the setup is run.
Step 2: Copy CtiosClientkey.pem and CtiosClientreq.pem files from the CTI Toolkit Desktop Client machine to the machine where CtiosRoot.pem and CtiosRootCert.pem reside.
Step 3: Run SignCertificateSetupPackage.exe from the same directory where CtiosClientkey.pem, CtiosClientreq.pem, CtiosRoot.pem, and CtiosRootCert.pem reside, select CTIOS Client Certificate Request, and enter the "Ctios Certificate Authority password."
Step 4: Copy both CtiosClient.pem and CtiosRootCert.pem back to the machine where CTI Toolkit Desktop Client is installed and save them in the <drive>:\Program Files\Cisco Systems\CTIOS Client\CTIOS Security directory.
Step 5: Delete CtiosClientkey.pem in <drive>:\Program Files\Cisco Systems\CTIOS Client\CTIOS Security\Utilities directory from the machine where CTI Toolkit Desktop Client is installed.
Step 6: Delete CtiosClientkey.pem, CtiosClientreq.pem, and CtiosClient.pem from the machine where SignCertificateSetupPackage.exe ran.
Sign CTI OS Server Certificate Request with Self-Signed CA
Note: Generate CtiosRootCert.pem only once; use the same file for CTI OS server and client machines.
Follow these steps to sign a CTI OS Server certificate request.
Procedure
Step 1: If the self-signed CA does not exist, then run CreateSelfSignedCASetupPackage.exe and store all the files that were created by the CreateSelfSignedCASetupPackage.exe program in a safe place. This step generates CtiosRoot.pem and CtiosRootCert.pem in the same folder from where the setup is run.
Step 2: Copy CtiosServerKey.pem and CtiosServerReq.pem files from the CTI OS Server machine to the machine where CtiosRoot.pem and CtiosRootCert.pem reside.
Step 3: Run SignCertificateSetupPackage.exe from the same directory where CtiosServerKey.pem, CtiosServerReq.pem, CtiosRoot.pem, and CtiosRootCert.pem reside, select CTIOS Server Certificate Request, and enter the "Ctios Certificate Authority password."
Step 4: Copy both CtiosServer.pem and CtiosRootCert.pem back to the machine where CTI OS Server resides and save them in the <drive>:\icm\<Instance name>\CTIOS1\Security directory.
Step 5: Delete CtiosServerkey.pem under <drive>:\icm\<Instance name>\CTIOS1\Security from the machine where CTI OS Server is installed.
Step 6: Delete CtiosServerKey.pem, CtiosServerReq.pem, and CtiosServer.pem from the machine where SignCertificateSetupPackage.exe ran.
Step 7: If CTIOS Server has a peer server, then:
Sign CTI Toolkit Desktop Client Certificate Request with Third-Party CA
Procedure
Step 1: Copy the CtiosClientreq.pem file from the CTI Toolkit Desktop Client machine to the machine where the third-party CA resides.
Step 2: Sign the CTI Toolkit Desktop Client certificate request (CtiosClientreq.pem) with the third-party CA. This generates a CTI Toolkit Desktop Client certificate. Rename it CtiosClientCert.pem.
Step 3: The third-party CA has its certificate public information in a file. Rename this file CtiosRootCert.pem.
Step 4: Copy both CtiosClientCert.pem and CtiosRootCert.pem to the machine where CTI Toolkit Desktop Client resides and save them in the <drive>:\Program Files\Cisco Systems\CTIOS Client\Security directory.
Step 5: On the CTI Toolkit Desktop Client machine, copy the data in CtiosClientCert.pem and the data in CtiosClientkey.pem into one file called CtiosClient.pem. The order is very important: CtiosClient.pem must contain the CtiosClientCert.pem data first and the CtiosClientkey.pem data second.
Step 6: Delete CtiosClientCert.pem and CtiosClientkey.pem from the CTI Toolkit Desktop Client machine.
Sign CTI OS Server Certificate Request with Third-Party CA
Follow these steps to sign a CTI OS Server certificate request.
Procedure
Step 1: Copy the CtiosServerReq.pem file from the CTI OS Server machine to the machine where the third-party CA resides.
Step 2: Sign the CTI OS Server certificate request (CtiosServerReq.pem) with the third-party CA. This generates a CTI OS Server certificate. Rename it CtiosServerCert.pem.
Step 3: The third-party CA has its certificate public information in a file. Rename this file CtiosRootCert.pem.
Step 4: Copy both CtiosServerCert.pem and CtiosRootCert.pem to the machine where CTI OS Server resides and save them in the <drive>:\icm\<Instance name>\CTIOS1\Security directory.
Step 5: On the CTI OS Server machine, copy the data in CtiosServerCert.pem and the data in CtiosServerkey.pem into one file called CtiosServer.pem. The order is very important: CtiosServer.pem must contain the CtiosServerCert.pem data first and the CtiosServerkey.pem data second.
Step 6: Delete CtiosServerCert.pem and CtiosServerkey.pem from the CTI OS Server machine.
Step 7: If CTIOS Server has a peer server, then:
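The combining step in both third-party CA procedures (certificate data first, key data second) can be scripted and checked before the file is put into service. The following Python code is an added example, not Cisco tooling: the function names and the sample PEM bodies are constructed for illustration. It also rejects files holding more than one certificate, because this section states that certificate chains are not supported.

```python
import re

# One PEM block; group 1 is its label (CERTIFICATE, ENCRYPTED PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)

# Constructed placeholders: the bodies are dummy base64, not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
              "-----END ENCRYPTED PRIVATE KEY-----\n")


def pem_labels(text):
    """Return the labels of all PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def combine(cert_text, key_text):
    """Build combined-file content: certificate data first, key data second."""
    if pem_labels(cert_text) != ["CERTIFICATE"]:
        raise ValueError("certificate file must hold exactly one CERTIFICATE block")
    key_labels = pem_labels(key_text)
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        raise ValueError("key file must hold exactly one private key block")
    return cert_text.strip() + "\n" + key_text.strip() + "\n"


def check_combined(text):
    """Return a list of problems found in a combined file; empty means it passes."""
    labels = pem_labels(text)
    certs = [i for i, l in enumerate(labels) if l == "CERTIFICATE"]
    keys = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    problems = []
    if len(certs) != 1:
        problems.append(f"expected 1 certificate, found {len(certs)} (chains are not supported)")
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    if certs and keys and keys[0] < certs[0]:
        problems.append("private key appears before the certificate")
    return problems


if __name__ == "__main__":
    # On a real machine the inputs would be read from CtiosServerCert.pem and
    # CtiosServerkey.pem (or the client equivalents) and the result written to
    # CtiosServer.pem; constructed samples are used here so the example runs offline.
    print(check_combined(combine(SAMPLE_CERT, SAMPLE_KEY)))
    print(check_combined(SAMPLE_KEY + SAMPLE_CERT))
```

Running check_combined on the finished CtiosClient.pem or CtiosServer.pem before deleting the separate certificate and key files in Step 6 catches a swapped order while the inputs are still available.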
CTI OS Security Passwords
CTI OS Security introduces five types of passwords:
- CTI OS Client certificate password: The administrator or installer enters this password when installing CTI OS Client security. This password is used for the CTI OS Client certificate request private key. It can be anything, and the administrator or installer need not remember it.
- CTI OS Server certificate password: The administrator or installer enters this password when installing CTI OS Server security. This password is used for the CTI OS Server certificate request private key. It can be anything, and the administrator or installer need not remember it.
- CTI OS Peer certificate password: The administrator or installer enters this password when installing CTI OS Server security. This password is used for the CTI OS Peer Server certificate request private key. It can be anything, and the administrator or installer need not remember it.
- Monitor Mode password: The administrator or installer enters this password when installing CTI OS Server security. Agents use this password when connecting to a secure CTI OS Server using CTI OS monitor mode applications such as AllAgents and AllCalls. This password must be the same on both CTI OS Peer Servers, and the administrator or installer and whoever is using the CTI OS monitor mode applications must remember it.
- Certificate Authority (CA) password: The administrator or installer enters this password when creating a self-signed CA. The password can be anything, and the administrator or installer must remember it because they must use it every time that this CA signs a certificate request.