
Configuring System Security

Genesys Pulse has features that enhance your system security. This section discusses Genesys Pulse security features and describes how to configure them.

TLS: Configuring the Genesys Pulse Database

You must configure your Oracle, Microsoft SQL, or PostgreSQL server to use TLS. In addition to the appropriate procedure below, refer to the documentation that came with your database for information on how to use TLS security.

Oracle

  1. Set up the Genesys Pulse database (for Oracle).
  2. Configure Oracle as described in the related database guides, and configure a TCPS listener. See Management Framework documentation for more information.
  3. Configure the jdbc_url option in the [pulse] section of your Genesys Pulse DAP application object:
    jdbc_url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<Database host>)(PORT=<Database port>))(CONNECT_DATA=(SERVICE_NAME=<Database Service name>)))

SSL connection using TLS v1.2
JDK 7 and JDK 8 releases support the TLS v1.2 protocol. Older protocols, such as TLS v1.1, TLS v1.0, SSL v3, and SSL v2, have known security vulnerabilities. Genesys recommends using the latest standard TLS v1.2 version together with the more secure cipher suites.

The correct JDBC Thin driver is required in order to use TLS v1.2.

Important
If you are using ojdbc8.jar from version 12.2.0.1, no further action is required.
If you are using the 12.1.0.2 JDBC driver, you need to either download the 12.1.0.2 patched driver or apply the patch for bug 19030178, which allows TLS v1.2. The patch allows TLS v1.2 but does not enable it by default, so you must set the oracle.net.ssl_version=1.2 property, either as a system property (using -D) or through the datasource properties.


MS SQL

  1. Set up the Genesys Pulse database (for MS SQL).
  2. Configure Microsoft SQL Server as described in the related database guides. See Management Framework documentation for more information.
  3. Configure the jdbc_url option in the [pulse] section of your Genesys Pulse DAP application object:
    jdbc_url=jdbc:sqlserver://<Database host>:<Database port>;databaseName=<Database name>;encrypt=true;trustServerCertificate=false

PostgreSQL

  1. Set up the Genesys Pulse database (for PostgreSQL).
  2. Configure PostgreSQL as described in the related database guides. See Management Framework documentation for more information.
  3. Configure the jdbc_url option in the [pulse] section of your Genesys Pulse DAP application object:
    jdbc_url=jdbc:postgresql://<Database host>:<Database port>/<Database name>?ssl=true&sslcert=<path to certificate>&sslkey=<path to key>&sslrootcert=<path to root certificate>&sslmode=verify-full

Important
The private key referenced by sslkey must be in PKCS#8 format. You can use the openssl utility to convert the key:
openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in <server.key> -out <server-key.pk8>
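The three jdbc_url forms above each carry the settings that make the database connection TLS-only with server verification (TCPS for Oracle, encrypt=true with trustServerCertificate=false for MS SQL, ssl=true with sslmode=verify-full for PostgreSQL). The following checker, an added example that is not part of the Genesys documentation, flags a DAP jdbc_url that drops any of them; the hosts, ports, service names and file paths in the sample URLs are constructed.

```python
"""Check a Genesys Pulse DAP jdbc_url for the TLS settings described above.
Added example, not Genesys code; hosts, ports and names are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed URLs in the three forms this page documents.
ORACLE_URL = ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=db.example.internal)"
              "(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=pulse)))")
MSSQL_URL = ("jdbc:sqlserver://db.example.internal:1433;databaseName=pulse;"
             "encrypt=true;trustServerCertificate=false")
PG_URL = ("jdbc:postgresql://db.example.internal:5432/pulse?ssl=true&sslcert=/etc/pulse/client.crt"
          "&sslkey=/etc/pulse/client-key.pk8&sslrootcert=/etc/pulse/root.crt&sslmode=verify-full")


def audit_jdbc_url(url: str) -> list:
    """Return findings; an empty list means the URL enforces TLS with server verification."""
    findings = []
    if url.startswith("jdbc:oracle:thin:@"):
        # TLS for the Oracle thin driver is selected by the TCPS protocol in the ADDRESS block.
        protocols = re.findall(r"\(PROTOCOL=([A-Za-z]+)\)", url, flags=re.I)
        if not protocols:
            findings.append("oracle: no ADDRESS block, cannot confirm a TCPS listener")
        elif any(p.lower() != "tcps" for p in protocols):
            findings.append("oracle: PROTOCOL is not tcps (plaintext listener)")
    elif url.startswith("jdbc:sqlserver://"):
        # Driver properties follow the host as ;key=value pairs (keys are case-insensitive).
        props = dict(part.split("=", 1) for part in url.split(";")[1:] if "=" in part)
        props = {k.strip().lower(): v.strip().lower() for k, v in props.items()}
        if props.get("encrypt") != "true":
            findings.append("sqlserver: encrypt=true missing")
        if props.get("trustservercertificate") != "false":
            findings.append("sqlserver: trustServerCertificate must be false so the server cert is validated")
    elif url.startswith("jdbc:postgresql://"):
        query = parse_qs(urlsplit(url[len("jdbc:"):]).query)
        if query.get("ssl", [""])[0].lower() != "true":
            findings.append("postgresql: ssl=true missing")
        mode = query.get("sslmode", ["unset"])[0].lower()
        if mode != "verify-full":
            findings.append(f"postgresql: sslmode={mode}; only verify-full checks the server hostname")
        for key in ("sslcert", "sslkey", "sslrootcert"):
            if key not in query:
                findings.append(f"postgresql: {key} not set")
    else:
        findings.append("unrecognised JDBC driver prefix")
    return findings


if __name__ == "__main__":
    for u in (ORACLE_URL, MSSQL_URL, PG_URL):
        print(u.split(":")[1], audit_jdbc_url(u) or "ok")
```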

Secure Sockets Layer (SSL) Encryption

Genesys Pulse supports Secure Sockets Layer (SSL) encryption of communications between the Genesys Pulse server and the web browser clients that connect to it.

Genesys Pulse can support connections through HTTP or HTTPS simultaneously. This is controlled by the supported_protocol parameter (valid values are http, https, or both) in the pulse.properties file, located in the conf directory of your Genesys Pulse installation.

Important
Starting with release 9.0.006, Genesys Pulse does not support hard-coded encryption keys for passwords:
  • Genesys Pulse no longer supports the encrypted form of the keystore_password property for the unofficial HTTPS activation workaround. The keystore_password property is not encrypted and can be passed as an environment variable or command line argument.
  • Genesys Pulse no longer sends user passwords in encoded form. Genesys Pulse must be used with HTTPS enabled, or behind an HTTPS-enabled proxy or load balancer, to protect users' credentials.

Starting with Genesys Pulse release 9.0.006, use the following steps to set up HTTPS:

  1. Create a keystore file to store the private key and certificate for the Genesys Pulse server.
    Execute the following command to create a self-signed certificate:
    keytool -keystore <full path of the location of keystore> -alias pulse -genkey -keyalg RSA
    and enter the required information as prompted.
  2. Define the https_port, supported_protocol, and keystore_path parameters in the pulse.properties file. The default https_port is 443.
    • https_port=8443
    • supported_protocol=https or both
    • keystore_path=full path to the location of the keystore
  3. Choose how the keystore password is provided to Genesys Pulse. The Genesys Pulse application supports the following options:
    • Add the command line argument to java command (by changing the pulse_startup.sh (on Linux) or pulse_startup.bat (on Windows) file or by adding this option to the JAVA_OPTS environment variable):
      -Dcom.genesys.pulse.keystore.password=<password>
    • Set the password as a value of the KEYSTORE_PASSWORD environment variable.
    • Add the keystore_password property with your password to the pulse.properties file.
    Example: How to obscure the password with base64 encoding
  4. Start Genesys Pulse.

HTTP Strict Transport Security (HSTS)

HSTS is disabled by default; you can enable it by setting the enable_hsts option in the pulse.properties file to true. Once HSTS is enabled, Genesys Pulse prevents an encrypted HTTPS connection from being downgraded to unencrypted HTTP. It is implemented by sending a response header from the server indicating that compliant web browsers and other HTTP client programs must use HTTPS, and that they must display the appropriate confirmation message or an error message in the browser console.
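The HTTPS setup steps and the HSTS option above all live in pulse.properties, except for the keystore password, which may instead come from the KEYSTORE_PASSWORD variable or the -Dcom.genesys.pulse.keystore.password option. The audit below, an added example that is not Genesys code, reads a properties file and an environment mapping and reports the weak combinations: HTTP still accepted, the password kept in the file, no password source at all, and HSTS left off. Both property files and the environment values are constructed.

```python
"""Audit the HTTPS and HSTS settings in a Genesys Pulse pulse.properties file.
Added example, not Genesys code; both property files below are constructed."""

WEAK_PROPERTIES = """\
# constructed conf/pulse.properties: HTTP still on, password in the file, no HSTS
https_port=8443
supported_protocol=both
keystore_path=/opt/genesys/pulse/conf/pulse.jks
keystore_password=ChangeMe123
enable_hsts=false
"""

HARDENED_PROPERTIES = """\
# constructed conf/pulse.properties: HTTPS only, password comes from the environment
https_port=8443
supported_protocol=https
keystore_path=/opt/genesys/pulse/conf/pulse.jks
enable_hsts=true
"""

def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value lines, # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_pulse_properties(text: str, env: dict) -> list:
    """Return findings; env stands in for the environment seen by pulse_startup."""
    p, findings = parse_properties(text), []
    proto = p.get("supported_protocol", "http").lower()
    if proto == "http":
        findings.append("supported_protocol=http: user credentials travel in clear unless a TLS proxy fronts Pulse")
    elif proto == "both":
        findings.append("supported_protocol=both: plaintext HTTP is still accepted")
    if proto in ("https", "both"):
        if not p.get("keystore_path"):
            findings.append("keystore_path is missing")
        if "keystore_password" in p:
            findings.append("keystore_password is in pulse.properties; prefer KEYSTORE_PASSWORD or the -D option")
        elif "KEYSTORE_PASSWORD" not in env and \
                "-Dcom.genesys.pulse.keystore.password=" not in env.get("JAVA_OPTS", ""):
            findings.append("no keystore password source: the HTTPS listener cannot open the keystore")
    if p.get("enable_hsts", "false").lower() != "true":
        findings.append("enable_hsts is not true: browsers may be downgraded from HTTPS to HTTP")
    return findings
```

Run it as `audit_pulse_properties(open("conf/pulse.properties").read(), dict(os.environ))` from the host running Pulse; an empty list means the file matches the hardened form.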

This page was last edited on July 14, 2021, at 21:38.