Configuration Server
If you want Configuration Server to operate with the Configuration Database, you must install Configuration Server in Master mode. This Configuration Server must be configured through a local configuration file.
- The procedures given in this section are for deploying a primary Configuration Server. To deploy a Configuration Server Proxy, refer to Configuration Server Proxy for relevant installation instructions. To install a backup Configuration Server, refer to Redundant Configuration Servers.
- Refer to the Framework External Authentication Reference Manual for information about Configuration Server's External Authentication feature and for relevant deployment instructions.
Deploying Configuration Server
For more information about the Configuration Server configuration file, see Configuration Server Configuration File. For information about Configuration Server configuration options and their values, refer to the Framework Configuration Options Reference Manual.
1. Install Configuration Server.
2. Configure Configuration Server. If you manually installed Configuration Server on Windows, it was configured automatically during the installation process; you can skip this step. If you manually installed Configuration Server on UNIX and chose not to configure it during the installation process, you must configure it now.
3. If required, configure Configuration Server for multi-language environment support.
4. If required, configure Windows Authentication with an MS SQL Server by doing the following:
Refer to "Windows Authentication with MS SQL Server" in the Microsoft SQL Server Databases section of the Framework Database Connectivity Guide for details.
5. Start Configuration Server.
Configuration Server Configuration File
At a minimum, the configuration file contains the Configuration Server, Configuration Database, and Log sections.
The Configuration Server section contains the configuration options that define Configuration Server. The name of the section corresponds to the name of the Configuration Server Application object. For the initial installation of Configuration Server, it is called [confserv] by default. You can choose to rename this Configuration Server later. In all other cases, or if you rename the initial Configuration Server, the name of this section will be different. The server configuration option in this section specifies the name of the Configuration Database section.
By default, the Configuration Database section does not have a name. The section name must be the same as the value of the server configuration option that you specified in the Configuration Server section. The Configuration Database section contains information about the Configuration Database.
The name of the Log section is [log]. This section contains configuration information about the logging to be done by Configuration Server.
You can find a sample Configuration Server configuration file in the Framework Configuration Options Reference Manual.
Configuring a Dedicated Port for Client User Interface Applications
- Genesys strongly recommends that you do not restrict the default port to accept only client UI applications. Because the backup Configuration Server communicates with Configuration Server via the default port, and because many other Genesys Server applications cannot operate properly without being connected to the default port, restricting the default port would prevent you from using these additional beneficial components.
- Ports that have been dedicated as HA sync (in the Server Info section of the port's Configuration tab in Genesys Administrator) cannot be provisioned to accept only client UI applications.
Starting in release 8.5.1, you can configure additional ports to which only client UI applications can connect. To configure this port, do the following:
1. Set up a firewall between client UI applications deployed in a less secure area of your network, for whom authorization is required, and applications, including Configuration Server, deployed in a more secured (restricted) area. The firewall directs all "outside" client UI applications to the dedicated port of Configuration Server, where they are authorized. Other "inside" applications continue to use their assigned ports.
The following diagram illustrates a dedicated port within the firewall.
2. After you have the firewall in place, configure the port to use as a dedicated port. You can use an existing port (not the default port) or create a new one.
Configuring Configuration Server Logging
If you plan to use the centralized logging and auditing functionality of the Management Layer, specify appropriate log options in the Configuration Server configuration file before you start using Configuration Server. Most importantly, enable the network log output (for example, create a new option called standard and set its value to network). Refer to the Framework Configuration Options Reference Manual for more information.
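The following added example (not part of the Genesys documentation) checks a configuration file against the structure described under Configuration Server Configuration File and against the network log output recommended above. The sample file is constructed; the dbserver section name, every option name other than server and standard, and the comma-separated form of log outputs are assumptions.

```python
import configparser

# Constructed sample file. Section and option names other than [confserv],
# [log], "server" and "standard" are assumptions made for illustration.
SAMPLE_CONF = """\
[confserv]
port = 2020
management-port = 2021
server = dbserver

[dbserver]
dbengine = mssql
dbname = config
username = cfg_user

[log]
verbose = standard
standard = stderr
"""


def lint_confserv(text, app_section="confserv"):
    """Return a list of findings for a Configuration Server configuration file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    if not cp.has_section(app_section):
        return [f"missing Configuration Server section [{app_section}]"]

    # The "server" option must name the Configuration Database section.
    db_section = cp.get(app_section, "server", fallback="").strip()
    if not db_section:
        findings.append(f"[{app_section}] has no 'server' option")
    elif not cp.has_section(db_section):
        findings.append(f"'server = {db_section}' names a section that does not exist")

    if not cp.has_section("log"):
        findings.append("missing [log] section")
    else:
        # Centralized logging needs "network" among the outputs of 'standard'
        # (outputs are assumed to be comma-separated).
        outputs = [o.strip().lower() for o in cp.get("log", "standard", fallback="").split(",")]
        if "network" not in outputs:
            findings.append("[log] 'standard' does not include 'network'")
    return findings
```

Run on the constructed sample, `lint_confserv(SAMPLE_CONF)` reports only the missing network log output; pass a different `app_section` if the Configuration Server Application object has been renamed.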
Changing Configuration Server Port Assignments
When you install Configuration Server, you specify values for the listening and management ports in the configuration file. You can change these values at any time.
How you change a port assignment depends on the type of port. To change the value of the management port, you must update the configuration file with the revised information, and restart Configuration Server.
Changing the value of the listening port is more complex. As described in Multiple Ports on Configuration Server, Configuration Server reads its listening port assignment from the configuration file once, at initial startup. For subsequent startups, it reads the port value from the Configuration Database. Therefore, you must change the value in the Configuration Database by modifying the Port property of the Configuration Server Application object.
Encrypting the Configuration Database Password
You can use Configuration Server to encrypt your password for accessing the Configuration Database so that it does not appear in plain text in Configuration Server logs. This improves the security of your configuration data.
You can encrypt the password at any time, either during installation, or later. However, keep in mind that Configuration Server must be stopped during the encryption process.
In release 8.5.0 and earlier, the password was encrypted using an asymmetric encryption algorithm TEA with a hardcoded encryption/decryption key. For instructions on encrypting the Configuration Database password in release 8.5.0 or earlier, refer to the Genesys Security Deployment Guide.
Starting in release 8.5.1, the Configuration Server configuration file optionally supports an asymmetric encryption algorithm using separate encryption and decryption (private) keys that are not hardcoded. In this case, the keys are generated by Configuration Server and stored in separate files. The password is encoded using the key in the encryption file. Upon subsequent restarts, Configuration Server uses the key in the decryption file to decrypt the password.
To encrypt the Configuration Database password in release 8.5.1 or later, do the following:
For Configuration Servers that are part of an HA pair, update each server's configuration file individually. However, they can use the same pair of encryption and decryption keys by specifying the same key file names when configuring encryption for the second server as the first server.
This enhanced encryption capability does not apply to Configuration Server Proxy.
Configuration Server might accept encryption and decryption keys generated by tools or components other than Configuration Server. These keys and their format must be compatible with the cryptography engine used by Configuration Server, specified in the following table:
| Key Length | 1024 (when keys are generated internally by Configuration Server) |
| Embedded Key Generation | Default OpenSSL modulus and RSA_F4 exponent parameters |
| File Usage | PEM files that store the RSA key used for encryption or decryption. Both can be produced by Configuration Server. |