Deploying Recording Crypto Server

Genesys Interaction Recording (GIR) needs the Recording Crypto Server (RCS) to manage the certificates and the encryption/decryption process when retrieving and playing back the stored recording files.


Important
RCS does not support on-the-fly configuration changes. Restart RCS to apply changes to the Genesys Advanced Disconnect Detection Protocol (ADDP) configuration.


Installing Recording Crypto Server

Preparing the Host


If Java JRE 7 or 8 is not already installed on the host machine where the Recording Crypto Server will be installed, install it now as follows. For more detailed information about the supported versions for each operating system, see the Genesys Supported Operating Environment Reference Guide.

  • Download the Oracle Java Runtime Environment Kit (JRE) from the Oracle website.
  • (Linux) Select the tar.gz package.
    Important
    Refer to the Oracle documentation for more information on how to install the tar.gz package.
  • (Windows) Double-click the Java installer. The contents will be installed in the directory that you specify during the installation.

Set the JAVA_HOME environment variable on the host as follows:

  • (Linux) Insert the following lines into the /etc/profile file:
    export JAVA_HOME=/usr/lib/java/jre-<version of Java downloaded>/jre
    Log out and log in again to activate the new environment variables in the current session.
  • (Windows) Create a new System Variable named JAVA_HOME and use the path that was used during installation as the value. To do this, right-click your Computer icon. Select Properties > Advanced System Settings > Environment Variables, and then create the JAVA_HOME variable.

Installing Recording Crypto Server Using the Deployment Wizard

For instructions about installing Recording Crypto Server using the Genesys Administrator Extension, see the Solution Deployment section of the Genesys Administrator Extension User Guide.

When Recording Crypto Server (RCS) is started for the first time and then terminated soon afterwards (either by using the Solution Control Interface or by killing the process), the RCS directory structure might be left in a partially initialized state. This can cause RCS to fail on subsequent attempts to start. To avoid this, do not terminate RCS for at least 60 seconds after starting it for the first time. If the directory structure is still invalid, delete all sub-directories in the RCS root directory except the conf and legal directories. When RCS is restarted, the required directories are created again.


Installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files

The default Java installation limits symmetric key sizes (for example, AES) to 128 bits. Larger key sizes can be enabled by installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. Note that Java 8 Update 161 and later ship with the unlimited policy enabled by default, so the separate download applies only to older JRE builds.


To install:

  1. Download the Java 7 or Java 8 specific package from the Oracle website and follow the instructions provided with the package.
  2. Copy the local_policy.jar and US_export_policy.jar files to the JRE_HOME/lib/security directory. If there are already copies of these files in that directory, make backup copies of the existing files in case you want to revert the installation.
    Important
    Make sure that the policy files are installed before starting the RCS for the first time. RCS will not start without these files.

Upgrading Recording Crypto Server

  1. Make a backup copy of the rcs.properties file.
  2. Make a backup copy of the keystore file.
  3. Uninstall the Recording Crypto Server component.
  4. Install the new Recording Crypto Server component.
  5. Copy the settings from the backup copy of the rcs.properties file to the new rcs.properties file.
  6. Copy the backup keystore file to the desired keystore file location and update the rcs.properties configuration file's keystorepath parameter to point to this file.

Configuring Recording Crypto Server

This section describes how to configure the Recording Crypto Server in your environment using Genesys Administrator Extension.

For more information about using Genesys Administrator Extension, see the Genesys Administrator Extension Help.

Configuring the KeyStore and Certificate Authority

For information on how Genesys supports TLS for secure data exchange, refer to Securing Connections Using TLS in the Genesys Security Deployment Guide.

The Recording Crypto Server stores certificate and key data in file-based keystores. Certificates uploaded to the server can optionally be validated against a Certificate Authority (CA).

Important
The CA configuration is used to validate uploaded recording certificates, not TLS network connections. This section describes the keystore and CA related configuration parameters.

To limit access, all recording encryption key related parameters are stored in a local <Recording Crypto Server Install Directory>/conf/rcs.properties configuration file. Because this file holds the keystore and private key passwords in clear text, restrict its file system permissions to the account that runs RCS.

The following parameters are used in the rcs.properties configuration file (parameter name, default value, description):

keystorepath (default: keystore.bin)
  Specifies the path to the keystore file. If HA is enabled, the keystore file should be accessed through a network share (see Configure HA).
keystorepassword (default: genesys)
  Specifies the password that accesses the keystore file.
keypassword (default: genesys)
  Specifies the password used for each private key that is added to the keystore. The same password is used for every private key.
cacertstorepath (default: Java-ROOT)
  Specifies the CA certificate keystore. Possible values are:
  • Java-ROOT—The path to the default Java JRE CA certificate file.
  • Windows-ROOT—The path to the Windows system keystore. This is not valid for Linux systems.
  • File Path—The path to the CA keystore to use. This file must be a Java JKS keystore file.
  • None—Disables validation of certificates.
cacertstorepassword (default: changeit)
  Specifies the password for the CA certificate keystore.

Note: Both keystorepassword and keypassword can be overridden by the RCS_KEYSTORE_PASSWORD environment variable; when it is set, the same password is used for both (see Configure Passwords). Change the default passwords before starting RCS for the first time.

The following shows an example rcs.properties configuration file:

keystorepath=keystore.bin
keystorepassword=keystorepassword
keypassword=keypassword
cacertstorepath=Java-ROOT
cacertstorepassword=capassword

Configuring the Connection to Interaction Recording Web Services (Web Services)


The Recording Crypto Server uses API calls to Interaction Recording Web Services (or Web Services if you're using version 8.5.210.02 or earlier) for recording playback and archival operations. To configure the Interaction Recording Web Services (Web Services) connection, set the following parameters in the [htcc] section of the Recording Crypto Server application:

Parameter Name Default Value Description
baseurl https://htcchost:8080 Specifies the base URL for the Interaction Recording Web Services (Web Services) connection. This parameter is dependent on the Interaction Recording Web Services (Web Services) server protocol (http or https), port, and URL suffix.
internalUrlPrefix /api/v2 Controls the prefix added to requests sent to Interaction Recording Web Services to retrieve recording files. By default, or if a value other than disable is specified, RCS will concatenate the baseurl, internalUrlPrefix, and the mediaPath returned by RWS as the request URL. If the internalUrlPrefix value is set to disable, RCS will use the mediaUri from the metadata instead when fetching the recordings from RWS.
domain Empty string Specifies the domain of the Interaction Recording Web Services (Web Services) contact center. This is the domain ID set for the contact center within Interaction Recording Web Services (Web Services).
user ops Specifies the name of the operations user for the Interaction Recording Web Services (Web Services) connection.
password opspassword Specifies the password of the operations user for the Interaction Recording Web Services (Web Services) connection.
max-sr-playback-connections 50 Specifies the maximum number of HTTP connections between Recording Crypto Server and Interaction Recording Web Services (Web Services) for screen recording playback.
contactcenterid Empty string Specifies the contact center ID value in the RCS requests sent to Interaction Recording Web Services (RWS). If this value is not specified, the contact center ID information is derived from the /api/v2/ops/contact-centers request sent to RWS.
trusted-ca false Configures TLS certificate validation when making a secure outbound connection to Interaction Recording Web Services (RWS). Valid values are true, false, and the path to a trusted certificate authority (CA) bundle. The CA file must be in PEM format. RCS will exit during initialization under the following conditions: CA path does not exist, CA file is not a valid PEM file, or CA file is corrupted. For more information, see Configuring TLS connection to Interaction Recording Web Services (Web Services) on the Configuring Transport Layer Security (TLS) Connections (Optional) tab.

Configuring Cross Origin Resource Sharing (CORS)

If Interaction Recording Web Services (or Web Services if you're using version 8.5.210.02 or earlier) has Cross-Site Request Forgery (CSRF) protection enabled, CORS must be configured.

To configure CORS, set the following options in the [cors] section of the Recording Crypto Server application:

Parameter Name Default Value Description
allowed-origins empty Specifies the allowed origins list that is attached in the HTTP response Access-Control-Allow-Origin header, sent to a cross-origin request. With the default (empty) value no cross-origin request is allowed. List explicit origins (scheme, host and port); browsers reject a wildcard (*) origin when allow-credentials is true.
allowed-headers X-Requested-With,Content-Type,Accept,Origin,Cookie,authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN,Range Specifies the allowed headers list that is attached in the HTTP response Access-Control-Allow-Headers header, sent to a cross-origin request.
allowed-methods GET,POST,PUT,DELETE,OPTIONS Specifies the allowed methods list that is attached in the HTTP response Access-Control-Allow-Methods header, sent to a cross-origin request.
allow-credentials true Specifies the value sent in Access-Control-Allow-Credentials header of the HTTP response to cross-origin request.
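The following added example (not Genesys code, and not the RCS implementation, which this page does not show) takes the four [cors] options above with their documented defaults and shows which response headers a request from a given Origin would receive. It also enforces the browser-side rule that allow-credentials=true cannot be combined with a wildcard origin. The GAX origin in the usage call is an assumed value.

```python
"""Apply the RCS [cors] options to a cross-origin request.

Added example, not Genesys code. Option names, defaults and the header names
come from the table on this page; the request origins are constructed.
"""

DEFAULT_CORS = {
    "allowed-origins": "",
    "allowed-headers": ("X-Requested-With,Content-Type,Accept,Origin,Cookie,"
                        "authorization,ssid,surl,ContactCenterId,X-CSRF-TOKEN,Range"),
    "allowed-methods": "GET,POST,PUT,DELETE,OPTIONS",
    "allow-credentials": "true",
}


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def validate_cors(options):
    """Reject option values browsers will not honour. Returns None or raises."""
    origins = _csv(options["allowed-origins"])
    credentials = options["allow-credentials"].lower() == "true"
    if credentials and "*" in origins:
        raise ValueError("allow-credentials=true requires explicit origins; '*' is rejected by browsers")
    for origin in origins:
        if origin != "*" and not origin.startswith(("https://", "http://")):
            raise ValueError(f"origin must be scheme://host[:port], got {origin!r}")
        if origin.endswith("/"):
            raise ValueError(f"origin must not carry a path or trailing slash: {origin!r}")


def cors_headers(options, request_origin, preflight=False):
    """Headers to add to the response for a request carrying request_origin.
    An empty dict means the browser will block the cross-origin read."""
    if request_origin is None:
        return {}                                  # same-origin or non-browser client
    origins = _csv(options["allowed-origins"])     # default '' allows nothing
    if "*" in origins:
        allow = "*"
    elif request_origin in origins:                # exact match; never echo unknown origins
        allow = request_origin
    else:
        return {}
    headers = {"Access-Control-Allow-Origin": allow}
    if allow != "*":
        headers["Vary"] = "Origin"                 # keep shared caches from reusing the reply
    if options["allow-credentials"].lower() == "true":
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight:                                  # OPTIONS request
        headers["Access-Control-Allow-Methods"] = ",".join(_csv(options["allowed-methods"]))
        headers["Access-Control-Allow-Headers"] = ",".join(_csv(options["allowed-headers"]))
    return headers


if __name__ == "__main__":
    # assumed GAX origin; replace with the origin of the UI that calls RCS
    opts = dict(DEFAULT_CORS, **{"allowed-origins": "https://gax.example.com:8443"})
    validate_cors(opts)
    print(cors_headers(opts, "https://gax.example.com:8443", preflight=True))
    print(cors_headers(opts, "https://other.example.net"))   # {} -> blocked by the browser
```

Because allow-credentials defaults to true, the only safe way to open RCS to a second UI host is to add its exact origin to allowed-origins; reflecting whatever Origin a request carries would let any site make credentialed calls to RCS.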

Configure Passwords

Important
  • In a Linux or Windows environment, RCS supports reading the RCS keystore password from an environment variable instead of from the configuration file. When both are available, the environment variable takes precedence.
  • RCS_KEYSTORE_PASSWORD - maps to the existing configuration parameters keystorepassword and keypassword in the RCS properties file. When specified the same password is used for both parameters.
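The following added example (not Genesys code) reads an rcs.properties file, applies the precedence rule described above (RCS_KEYSTORE_PASSWORD replaces both keystorepassword and keypassword when set) and reports parameters still at the shipped defaults from the keystore table earlier on this page. The sample file content and its keystore path are constructed for the example.

```python
"""Resolve the effective RCS keystore credentials and flag shipped defaults.

Added example, not Genesys code. It assumes only what this page states:
rcs.properties is a Java .properties file holding keystorepath,
keystorepassword, keypassword, cacertstorepath and cacertstorepassword, and
the RCS_KEYSTORE_PASSWORD environment variable, when set, replaces both
password parameters. The sample file below is constructed.
"""
import os

# Defaults from the parameter table on this page. Finding them in a
# production rcs.properties is the point of this audit.
SHIPPED_DEFAULTS = {
    "keystorepassword": "genesys",
    "keypassword": "genesys",
    "cacertstorepassword": "changeit",
}

SAMPLE_RCS_PROPERTIES = """\
# constructed sample rcs.properties (passwords left at their defaults)
keystorepath=/srv/rcs/share/keystore.bin
keystorepassword=genesys
keypassword=genesys
cacertstorepath=Java-ROOT
cacertstorepassword=changeit
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':'
    separators, backslash line continuation, last duplicate key wins."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            logical += line[:-1]          # continued on the next line
            continue
        logical += line
        for i, ch in enumerate(logical):
            if ch in "=:":
                props[logical[:i].strip()] = logical[i + 1:].strip()
                break
        else:
            props[logical] = ""           # key with no value
        logical = ""
    return props


def effective_passwords(props, env):
    """Apply the precedence the page describes: the environment variable wins
    and is used for both the keystore and every private key."""
    env_pw = env.get("RCS_KEYSTORE_PASSWORD")
    if env_pw:
        return {"keystorepassword": env_pw, "keypassword": env_pw,
                "source": "RCS_KEYSTORE_PASSWORD"}
    return {"keystorepassword": props.get("keystorepassword", SHIPPED_DEFAULTS["keystorepassword"]),
            "keypassword": props.get("keypassword", SHIPPED_DEFAULTS["keypassword"]),
            "source": "rcs.properties"}


def audit(props, env):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    pws = effective_passwords(props, env)
    for key in ("keystorepassword", "keypassword"):
        if pws[key] == SHIPPED_DEFAULTS[key]:
            findings.append(f"{key} is the shipped default (source: {pws['source']})")
    ca_path = props.get("cacertstorepath", "Java-ROOT")
    ca_pw = props.get("cacertstorepassword", SHIPPED_DEFAULTS["cacertstorepassword"])
    if ca_path == "None":
        findings.append("cacertstorepath=None: uploaded recording certificates are not validated")
    elif ca_path not in ("Java-ROOT", "Windows-ROOT") and ca_pw == SHIPPED_DEFAULTS["cacertstorepassword"]:
        # 'changeit' is the normal password of the JRE cacerts store, so it is
        # only a finding for a custom JKS file.
        findings.append("custom cacertstorepath uses the default cacertstorepassword")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_RCS_PROPERTIES)
    for finding in audit(props, os.environ):
        print("FINDING:", finding)
```

Run it against the real conf/rcs.properties on each RCS host before first start; with RCS_KEYSTORE_PASSWORD exported in the service account's environment the two password findings disappear, which is the intended deployment state.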

In a Windows environment only, the Recording Crypto Server (RCS) can store the password in the Windows Vault instead of in the rcs.properties file.

For example, run the following scripts, located in <Recording Crypto Server Directory>\scripts\powershell:

Command to store: encryptPassword.bat [-store <path to credentials store>] -password <password>

Command to start RCS: startRCS.bat [-store <path to credentials store>] -rcs <command to start RCS>

For example:
startRCS.bat -store C:\GCTI\RecordingCryptoServer\rcs.secret -rcs java %JAVA_OPTS% -jar rcs.war -host host1.example.com -port 8888 -app RCS_Application

where:

  • host1.example.com is the host for the Configuration Server.
  • 8888 is the port for the Configuration Server.
  • RCS_Application is the RCS application object.
Important
If <path to credentials store> contains a space, the path must be enclosed in quotation marks (").

Configuring Archiving


The Recording Crypto Server provides support for automatic archiving of recordings that are older than a predefined time.

Important
Genesys recommends that the Media Lifecycle Management (MLM) functionality, which provides more flexible backup and purging rules, be used instead (see Media Lifecycle Management). New features, such as protecting recordings from deletion, are not supported with the Recording Crypto Server archiving mechanism.

To configure archiving, set the following options:

  1. In the [general] section, set the archive.block-size option to the number of recordings RCS fetches per archiving pass. The valid range is 100 to 10000 and the default value is 5000. Fetching in blocks, rather than all recordings at once, keeps RCS from running out of memory.
     Important
     Genesys recommends setting the RCS maximum Java heap size to no less than 1024 MB when archive.block-size is 5000, to avoid RCS running out of memory. Increase the maximum Java heap size accordingly when you increase archive.block-size. To set the maximum Java heap size for RCS, add the JVM option -Xmx1024m to the RCS start script.
  2. On the Annex tab of each Tenant (including the Environment Tenant), in the [recording.archive] section, set the following parameters:
    Parameter Name Default Value Description
    interval 1 Specifies how often, in days, the archiving process runs.
    retentiontime 60 Specifies how long, in days, to keep the recordings before archiving them.
    speechminerurl https://host/interactionreceiver Specifies the SpeechMiner URL where the recording metadata is stored.
    user archiveuser Specifies the SpeechMiner username used to authenticate the SpeechMiner database.
    password changeit Specifies the SpeechMiner password that is used to authenticate the SpeechMiner database.
    outputfolder archive Specifies the destination folder where the archived recordings are stored.
    speechminer-trusted-ca false Configures TLS certificate validation when making a secure outbound connection to SpeechMiner Interaction Receiver. Valid values are true, false, and the path to a trusted certificate authority (CA) bundle. The CA file must be in PEM format. RCS will exit during initialization under the following conditions: CA path does not exist, CA file is not a valid PEM file, or CA file is corrupted. For more information, see Configuring TLS connection to SpeechMiner Interaction Receiver on the Configuring Transport Layer Security (TLS) Connections (Optional) tab.
Important
Genesys does not recommend using a network drive for the Recording Crypto Server archive output. Set the output folder to a physical hard drive on the same machine.

Configuring High Availability

The Recording Crypto Server provides High Availability (HA) support to multiple Recording Crypto Server instances accessed through a load balancer. In this mode, all Recording Crypto Server instances use the same keystore file accessed through a network share, and are accessed through a single URL that utilizes the load balancer. To configure HA:

  1. Set the Redundancy Type to Hot Standby on each Recording Crypto Server application instance. This setting enables logic for coordinated access to a shared keystore file.
  2. Create a network share for the keystore file and set the keystorepath parameter in the Recording Crypto Server local configuration file to point to this file. Ensure that each Recording Crypto Server instance has read and write access to the keystore file.
  3. Set the Recording Crypto Server URL parameter of the SpeechMiner application to the load balancer URL of Recording Crypto Server. If Genesys Administrator Extension is to be configured with a tenant specific URL for Recording Crypto Server, set this to the URL of the load balancer.
  4. Create a Recording Crypto Server Cluster application using the recording_crypto_850 application template, and set the following parameters:
    • On the General tab:
      • Application Name—The name of the cluster (for example, RCS_Cluster).
      • Working Directory—A period ".".
      • Command Line—A period ".".
      • Command Line Arguments—A period ".".
      • Host—The name of the host that the load balancer is installed on. This host must be in the configuration database.
    • On the Ports tab:
      • Add the application server port, and set the Port to 8082, and the Connection Protocol to https.
  5. Add a connection in the Genesys Administrator Extension application to the Recording Crypto Cluster application.
Important
For RCS HA configuration, each RCS instance operates in primary mode. The Backup Server setting on the Server Info tab of each RCS application should be set to None.

Example Load Balancer Configuration

The following is an example configuration for the Apache load balancer. The details of setting up the required Apache modules are not shown. The load balancer setup must use sticky sessions, so that a session that starts on a particular balancer member continues to be directed to the same member. This is achieved in the example below using the route and stickysession parameters. The route value must be set to the application name of the Recording Crypto Server instance, with " " characters in the name replaced by the _ character. For example, if the application name is RCS 1, set the route value to RCS_1.

<Proxy balancer://rcscluster>
BalancerMember https://rcshost1:port/rcs disablereuse=On connectiontimeout=10000ms route=RCS1_Application_Name
BalancerMember https://rcshost2:port/rcs disablereuse=On connectiontimeout=10000ms route=RCS2_Application_Name
ProxySet stickysession=JSESSIONID
</Proxy>
ProxyPass /rcs balancer://rcscluster

If High Availability mode is not to be used, set the Recording Crypto Server's application Redundancy Type to Not Specified. In this mode the keystore file can be located on the local file system; a network share is optional.

Configuring an HTTP Port

The HTTP port and protocol are configured in the Ports section of the Server Info tab in the Recording Crypto Server application:

  1. Add a port (or edit the existing one). There must be one port only.
Important
If you are working in a system prior to Version 8.5.030.47, use Configuration Manager with https as the Connection Protocol. If you are working with a system with Version 8.5.030.47 or later, use either Configuration Manager or GAX and secure the http port by selecting the Secured radio button.
  2. Set the Connection Protocol to HTTP.
  3. Select the Secured radio button.
  4. Set the Port, for example 8080.

If the protocol is set to https or left blank, a TLS server certificate and private key must be configured. This is done using the common method for Genesys applications as documented in the Genesys Security Deployment Guide. The certificate and private key can be configured in the application port entry for https, in the application object, or in the host object. Configuration at the port level has precedence over the application level, which has precedence over the host level. Note that the Recording Crypto Server does not support configuration of the server certificate and private key in the Windows certificate store; it supports PEM files only for these.

The private key PEM file must be in PKCS8 format. This can be achieved using the following OpenSSL command. Because -nocrypt writes the key unencrypted, restrict the permissions of the output file to the account that runs RCS:

openssl pkcs8 -topk8 -nocrypt -in private_keyfile.pem -inform PEM -out private_keyfile_pkcs8.pem
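A practitioner will want to confirm that the file handed to RCS really is an unencrypted PKCS#8 key before pointing the port, application or host object at it. The following added example (not Genesys or OpenSSL code) classifies a private-key PEM from its label and the outer DER structure using only the Python standard library. The sample keys it carries are constructed DER skeletons with dummy payloads, not real keys; a key produced by the openssl command above has the same outer shape.

```python
"""Check that a private-key PEM is what RCS expects: unencrypted PKCS#8.

Added example, not Genesys or OpenSSL code. Standard library only, so it can
run as a pre-flight check on the RCS host. The SAMPLE_* values are constructed
skeletons (dummy payloads, NOT usable keys).
"""
import base64
import re

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_len(n):
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; raises on malformed input."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length exceeds data")
    return tag, buf[pos:pos + length], pos + length


def classify_private_key(pem_text):
    """Return 'pkcs8', 'pkcs8-encrypted', 'pkcs1-rsa', 'sec1-ec' or 'unknown'.
    Only 'pkcs8' is accepted by RCS according to this page."""
    m = _PEM_RE.search(pem_text)
    if not m:
        return "unknown"
    label = m.group(1)
    der = base64.b64decode("".join(m.group(2).split()), validate=True)
    outer_tag, body, _ = _read_tlv(der, 0)
    if outer_tag != 0x30:
        raise ValueError("private key is not a DER SEQUENCE")
    first_tag, first_val, nxt = _read_tlv(body, 0)
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"           # re-run openssl pkcs8 with -nocrypt
    if label == "PRIVATE KEY" and first_tag == 0x02 and first_val == b"\x00":
        second_tag, _, _ = _read_tlv(body, nxt)
        if second_tag == 0x30:             # AlgorithmIdentifier follows version 0
            return "pkcs8"
    if label == "RSA PRIVATE KEY" and first_tag == 0x02:
        return "pkcs1-rsa"                 # PKCS#1: version, then modulus INTEGER
    if label == "EC PRIVATE KEY" and first_tag == 0x02 and first_val == b"\x01":
        return "sec1-ec"                   # SEC1 ECPrivateKey: version 1
    return "unknown"


def rcs_accepts(pem_text):
    return classify_private_key(pem_text) == "pkcs8"


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed skeletons: correct outer structure, dummy key material.
_RSA_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
SAMPLE_PKCS8 = _pem("PRIVATE KEY",
                    _tlv(0x30, _tlv(0x02, b"\x00") + _RSA_ALG + _tlv(0x04, b"\x00" * 200)))
SAMPLE_PKCS1 = _pem("RSA PRIVATE KEY",
                    _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00" * 200) + _tlv(0x02, b"\x01\x00\x01")))
SAMPLE_ENCRYPTED = _pem("ENCRYPTED PRIVATE KEY",
                        _tlv(0x30, _RSA_ALG + _tlv(0x04, b"\x00" * 200)))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path) as f:
            print(path, classify_private_key(f.read()))
```

Run it with the converted key as argument; anything other than pkcs8 (a "BEGIN RSA PRIVATE KEY" PKCS#1 file, a SEC1 EC key, or an encrypted PKCS#8 key) needs to go through the openssl pkcs8 -topk8 -nocrypt step first.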

Configuring the Connection to the Primary Configuration Server

To work with Configuration Server High Availability, the Recording Crypto Server (RCS) requires a connection to the primary Configuration Server application. For information on how to set this connection, see the Framework 8.5.1 Management Layer User's Guide.

RCS supports an Advanced Disconnect Detection Protocol (ADDP) connection to the Configuration Server. To enable ADDP, perform the following:

  • Add the Configuration Server to the RCS Connections tab.
  • Specify the connection protocol as ADDP.
  • Configure remote and local timeouts, valid values are 0-3600, where 0 means no timeout.
  • Specify the required trace mode, either Local, Remote, or both.

For additional details, see the Advanced Disconnect Detection Protocol page in the Framework 8.5.1 Deployment Guide.

Important
  • You will see log messages about ADDP activity in the RCS logs despite switching ADDP Trace Mode to Trace Is Turned Off or Trace On Server Side. This is due to the underlying libraries handling ADDP protocol functionality.
  • To suppress ADDP debug logging, add the following logger names to the suppress-debug-loggers option in the [log] section of the RCS configuration:
    • com.genesyslab.platform.commons.connection.interceptor.AddpInterceptor
    • com.genesyslab.platform.commons.timer.impl.SchedulerImpl
  • Genesys Advanced Disconnect Detection Protocol (ADDP) will appear in the [log] section of the Configuration Server log files when verbose=all.

Configuring Log Output

The Recording Crypto Server supports the Genesys Management Framework log configuration. For information on how to set up log output appropriate for your Recording Crypto Server application, see the Common Log Options section of the Framework 8.5.1 Configuration Options Reference Manual.

Configuring the Connection to Message Server

The Recording Crypto Server must have a connection to the Message Server application to enable central auditing and alarming. For information on how to set this connection, see the Framework 8.5.1 Management Layer User's Guide.

Configuring Transport Layer Security (TLS) Connections (Optional)

Configuring TLS connection to Interaction Recording Web Services (Web Services)

  1. Set up TLS on Interaction Recording Web Services. For more information, see Configuring TLS on the Server-Side for Interaction Recording Web Services section. For information on acquiring TLS certificates and private keys, see Genesys Security Deployment Guide.
  2. In the [htcc] section of the Recording Crypto Server configuration file, set the baseurl parameter to use https.
  3. In the [htcc] section of the Recording Crypto Server configuration file, configure the trusted-ca parameter as follows:
  • If the TLS certificate was issued by a well-known certificate authority such as Verisign, set trusted-ca to true.
  • If the TLS certificate being used by RWS is self-signed or was issued by a private CA, set trusted-ca to the path of a PEM file containing the issuing CA certificate (for a self-signed certificate, the certificate itself).
Important
If there are intermediate certificate authorities forming a chain of trust, then the certificate of the root certificate authority must be the certificate being set.
  • If you do not wish to verify the TLS certificate and use TLS only for encrypted transmission, set trusted-ca to false. Without verification, RCS does not check whether the certificate has expired or whether the server hostname matches the certificate's common name or subject alternative name, so the connection is encrypted but not authenticated: any host able to intercept the traffic can present its own certificate. The signature algorithm is still checked; newer Java Runtime Environment 7 versions and Java Runtime Environment 8 disallow MD5 signatures for certificates.

Configuring TLS connection to SpeechMiner Interaction Receiver

  1. Set up TLS on SpeechMiner Interaction Receiver. For more information, see SpeechMiner Server-Side Configuration.
  2. On the Annex tab of each Tenant (including the Environment Tenant), in the [recording.archive] section, set the speechminerurl parameter to use https.
  3. In the [recording.archive] section, configure the speechminer-trusted-ca parameter as follows:
  • If the TLS certificate was issued by a well-known certificate authority such as Verisign, set speechminer-trusted-ca to true.
  • If the TLS certificate is self-signed or was issued by a private CA, set speechminer-trusted-ca to the path of a PEM file containing the issuing CA certificate (for a self-signed certificate, the certificate itself).
Important
If there are intermediate certificate authorities forming a chain of trust, then the certificate of the root certificate authority must be the certificate being set.
  • If you do not wish to verify the TLS certificate and use TLS only for encrypted transmission, set speechminer-trusted-ca to false. Without verification, RCS does not check whether the certificate has expired or whether the server hostname matches the certificate's common name or subject alternative name, so the connection is encrypted but not authenticated. The signature algorithm is still checked; newer Java Runtime Environment 7 versions and Java Runtime Environment 8 disallow MD5 signatures for certificates.
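The following added example (not Genesys code) shows what the three trusted-ca settings described above for Interaction Recording Web Services and SpeechMiner Interaction Receiver mean in TLS terms, by mapping each value to a Python ssl.SSLContext, and reproduces the start-up checks the page attributes to RCS (the CA path must exist and the file must be PEM) as a function that returns a status instead of exiting. The sample bundle is constructed placeholder text, not a real certificate; a real chain is only fully validated when it is loaded.

```python
"""Map a trusted-ca / speechminer-trusted-ca value to TLS verification settings.

Added example, not Genesys code. Semantics from this page: 'true' trusts the
platform CA store, a path trusts that PEM bundle, 'false' keeps TLS for
encryption only. SAMPLE_BUNDLE is a constructed placeholder, not a certificate.
"""
import os
import ssl
import tempfile

PEM_CERT_BEGIN = "-----BEGIN CERTIFICATE-----"

SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgY2VydGlmaWNhdGU=\n"
    "-----END CERTIFICATE-----\n"
)


def check_trusted_ca(value):
    """Return 'system', 'bundle', 'unverified', or an 'error: ...' reason.
    The error cases are the ones the page says make RCS exit at start-up."""
    v = value.strip()
    if v.lower() == "true":
        return "system"
    if v.lower() == "false":
        return "unverified"
    if not os.path.exists(v):
        return "error: CA path does not exist"
    try:
        with open(v, "r", encoding="ascii", errors="strict") as f:
            text = f.read()
    except (OSError, UnicodeDecodeError):
        return "error: CA file is corrupted"
    if PEM_CERT_BEGIN not in text:
        return "error: CA file is not a valid PEM file"
    return "bundle"        # only a PEM-shape check; OpenSSL validates on load


def build_context(value):
    """Build the client-side SSLContext that the configured value implies."""
    status = check_trusted_ca(value)
    if status.startswith("error"):
        raise SystemExit(status)                   # mirror RCS: refuse to start
    if status == "unverified":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False                 # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE            # no chain, expiry or hostname checks
        return ctx
    ctx = ssl.create_default_context()             # CERT_REQUIRED plus hostname check
    if status == "bundle":
        ctx.load_verify_locations(cafile=value.strip())
    return ctx


def describe(ctx):
    """Summarise what a context will and will not verify."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def preflight_demo():
    """Exercise the start-up checks on constructed files in a temp directory.
    Returns the statuses for a missing path, a non-PEM file and a PEM bundle."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "bad.pem")
        good = os.path.join(d, "ca.pem")
        with open(bad, "w") as f:
            f.write("not a certificate\n")
        with open(good, "w") as f:
            f.write(SAMPLE_BUNDLE)
        return (check_trusted_ca(os.path.join(d, "missing.pem")),
                check_trusted_ca(bad),
                check_trusted_ca(good))


if __name__ == "__main__":
    print("trusted-ca=true  ->", describe(build_context("true")))
    print("trusted-ca=false ->", describe(build_context("false")))
    print("pre-flight       ->", preflight_demo())
```

The false setting is the one to avoid on anything but an isolated test network: it yields CERT_NONE with hostname checking off, which is exactly the state in which an on-path attacker can terminate the TLS session with its own certificate. For the Message Server connection the unverified mode is selected by omitting trusted-ca rather than setting it to false, but the resulting verification state is the same.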

Configuring TLS connection to Message Server

  1. Set up TLS on Message Server. For more information, see Securing Core Framework Connections section in the Genesys Security Deployment Guide. For information on acquiring TLS certificates and private keys, see Genesys Security Deployment Guide.
  2. To connect to the secure TLS port, see Configuring a Secure Client Connection to Other Genesys Servers section in the Genesys Security Deployment Guide.
  3. In the properties of the Connection table, configure the trusted-ca parameter as follows:
  • If the TLS certificate was issued by a well-known certificate authority such as Verisign, set trusted-ca to true.
  • If the TLS certificate is self-signed or was issued by a private CA, set trusted-ca to the path of a PEM file containing the issuing CA certificate (for a self-signed certificate, the certificate itself).
Important
If there are intermediate certificate authorities forming a chain of trust, then the certificate of the root certificate authority must be the certificate being set.
  • If you do not wish to verify the TLS certificate and use TLS only for encrypted transmission, remove the trusted-ca parameter from the configuration. Without verification, RCS does not check whether the certificate has expired or whether the server hostname matches the certificate's common name or subject alternative name, so the connection is encrypted but not authenticated. The signature algorithm is still checked; newer Java Runtime Environment 7 versions and Java Runtime Environment 8 disallow MD5 signatures for certificates.

Configuring TLS connection to Configuration Server

  1. Set up TLS on the Configuration Server. For more information, see Configuring TLS on Configuration Server in the Genesys Security Deployment Guide. Refer to Genesys Security Deployment Guide to acquire TLS certificates and private keys.
  2. In the command line arguments of start information in the RCS application properties, change the port to use the Configuration Server Auto-Detect port.
For more information about the Recording Crypto Server options, see the Genesys Interaction Recording Options Reference.

This page was last modified on 3 June 2018, at 20:50.