Jump to: navigation, search

Configuring System Security

GAX has many features that enhance your system security. This section discusses GAX security features and describes how to configure and/or use them.

Default Account Support

Genesys uses a default user account. This is a special account that always has full privileges to all objects and can perform any action. This account ensures that there is always at least one account that enables the administrator to correct permissions and access issues if other administrative accounts are deleted, disabled, or otherwise compromised.

GAX supports the default user account. The default user account always has full access to all the functions that are specified for the GAX role, even if this account does not have any role privileges or explicit permissions specified. When the default account is created during the installation of Configuration Server, it has full control over all configuration objects; however, this account might be deleted or its permissions on objects might be revoked. If this happens, GAX cannot work around the permissions. The default account must have the permissions set to write objects in the Configuration Server.

Use the default_account_dbid option to configure the actual account to be used, and that has all privileges assigned, in case the original default user account is disabled for security reasons or has been deleted.

Transport Layer Security (TLS)

GAX employs Transport Layer Security (TLS), a cryptographic protocol that provides security and data integrity for communications over networks such as the Internet. TLS encrypts the segments of network connections at the transport layer from end to end.

GAX supports TLS-enabled connections to the following Genesys servers:

  • Configuration Server
  • Solution Control Server
  • Message Server
  • Genesys Deployment Agent

GAX also supports TLS-enabled connections to the GAX database and the LRM database.

For the GAX database connection (either Oracle, Microsoft SQL Server, or PostgreSQL), the database driver and database must also support TLS. For information about configuring your GAX database, refer to the documentation that is specific to the database that you are using:

For information about TLS and detailed instructions about configuring secure connections, and creating and managing certificates, refer to the TLS section of the Genesys Security Deployment Guide.

Follow the instructions to create a certificate, assign that certificate to a Host object (which is required for Genesys Server to run in TLS mode), and configure the use of a secured port for the GAX application.

Next, import the server certificate to the trust storage for GAX to enable authentication for TLS connections.

Cipher Lists

Starting in GAX release 8.5.25x, you can customize Jetty SSL configuration to meet customer security requirements by setting supported ciphers for HTTPS. This is done by specifying either the cipher lists used or not used in the gax.properties file, adding new parameters to the file as necessary.

You must configure the parameters in the gax.properties file before startup of the GAX server. During the GAX startup, all these configurations are read from gax.properties and set in the embedded Jetty configuration. If they are not configured, default values will be passed to the Jetty server.

The new parameters are described in the following table:

Parameter Description
setIncludeProtocols Specifies one or more protocols to be supported.
setIncludeCipherSuites Specifies one or more cipher suites to be used for encoding data.
setExcludeProtocols Specifies one or more protocols that are not to be supported.
setExcludeCipherSuites Specifies one or more cipher suites that are not to be used for encoding data.
addExcludeProtocols Specifies additional protocols that are not to be supported.
addExcludeCipherSuites Specifies additional cipher suites that are not to be used for encoding data.

Each parameter is a comma-separated list of values, using the same syntax conventions as the Jetty XML descriptor.

For example, the gax.properties file might contain something like this::

port=2020
host=ca-to-dove
app=GAX_Rob
... 
addExcludeCipherSuites=SSL_RSA_WITH_NULL_MD5,SSL_RSA_EXPORT_WITH_RC4_40_MD5
...

Note: Regular expressions for ciphers and protocols are not currently supported because OpenSSL accepts only an exact match.

Trust Store

By default, trust storage is in the JRE folder at the following location:
     C:\Program Files\Java\jre6\lib\security\cacerts

Important
Support for JDK 1.6 is withdrawn starting from release 8.5.260.11 and JDK 1.7 is mandatory to install GAX 8.5.260.11. However, JDK 1.6 is still supported for releases prior to GAX 8.5.260.11.

The default password is "changeit".

Genesys recommends that you create a separate trust store for GAX.

[+] Create a trust store and import the certificates
Important
Most systems have multiple trusted stores. You must always use the same store for GAX.

The following options must be set to configure the trust store location for GAX. The options also enable authentication on a global level for all connections that use a secured port. On Linux or Windows, set these options by adding the following lines to the setenv.sh or setenv.bat script, respectively.

set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="D:\certificates\trusted.keystore"
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit

If you have configured GAX to start as a service, add the following arguments in the JavaServerStarter.ini file:

-Djavax.net.ssl.trustStore="D:\certificates\trusted.keystore"
-Djavax.net.ssl.trustStorePassword=changeit
Important
GAX does not support Client Authentication. GAX will not authenticate itself by sending a certificate to the server.

Secure Use of the Auto Detect Port

When GAX connects to the Auto Detect (Upgrade) port, the trustStore set by the setenv.sh or setenv.bat script is ignored. You must configure the trust store based on the settings of the Auto Detect port. In addition, you usually must import the GAX certificate into the trust store.

[+] Set up secure connection to Auto Detect port on Windows

Secure Socket Layer (SSL) Security

Genesys Administrator Extension supports Secure Socket Layer (SSL) communications between the GAX server and client-side connections using the web browser interface.

GAX can support connections through HTTP or HTTPS simultaneously. This is defined through configuration of the supported_protocol parameter in the gax.properties file, which can be found in the conf directory of your GAX installation.

GAX is HTTP Strict Transport Security (HSTS) compliant starting from the release 8.5.260.11. HSTS is disabled by default and you can enable it by configuring enable_hsts=true in the gax.properties file. This is a static change. Once HSTS is enabled, GAX prevents downgrading of encrypted HTTPS connection to unencrypted HTTP. It is implemented by sending a response header record from the server indicating that compliant Web browsers or other HTTP client programs must use HTTPS and they must display the appropriate confirmation message or error message in the browser console.

[+] Set up HTTPS for use with GAX

TLS: Preparing Genesys Management Framework

To enable GAX to connect securely to Genesys servers, you must configure the Genesys Framework as described in the Genesys Security Deployment Guide. Follow the instructions in this guide to create and manage certificates and make them usable within Genesys Framework.

Configuration Server

You must meet the following conditions to create a secure connection to Configuration Server:

  1. Create a an Auto Detect listening port for your Configuration Server with a certificate configured.
  2. Configure the GAX Server to connect when it starts up to the Configuration Server Auto Detect port by setting the GAX Server -port property. In the Start Info tab of the GAX_Server Properties dialog box, enter the following settings:
    • Working Directory: /path/gax
    • Command Line: ./startup.sh
    • Command Line Arguments: -host <host name> -port <auto detect port number> -app GAX_Server

Message Server and Solution Control Server

Both Message Server and Solution Control Server are configured the same way.

  1. Create a Secured port for Message Server and Solution Control Server.
  2. Configure the GAX Server to connect to Message Server and Solution Control Server by using the specific Secured ports that you have created. In the Properties dialog box for the server and in the Connections tab of the GAX_Server dialog box, secured ports are displayed with a key symbol icon.
  3. Restart GAX Server to connect over an encrypted session by using the secure ports.

Genesys Deployment Agent

Genesys Deployment Agent (GDA) does not read its configuration from Configuration Server. TLS for GDA is activated by accessing the [security] section of the local gda.cfg file and setting the gda-tls option to a value of 1.

The Application Options tab of the related Host must also have a corresponding [security] section that contains the gda-tls option with the same value. The gda-tls option is not relevant for GDA runtime; it is read during the installation of LCA and GDA only. GAX reads the value of gda-tls to determine in what mode GDA is running, and to determine whether it should connect using TLS or not.

Therefore, these values must be kept synchronized. If the system administrator changes one of the values in the local file or in the Host Application Options tab, the other option must also be changed to enable GAX to connect correctly.

Warning
Genesys strongly recommends that you use GDA version 8.5.x or higher. Earlier versions are not able to handle certificates that do not have CPD information.

Configuring mutual TLS between GAX and GDA

In mutual TLS, GAX and GDA each have a Certificate Authority (CA) configured, and exchange certificates which are authenticated by the other CA. The authentication occurs when a connection between GAX and GDA is established.

To support mutual TLS connection between GAX and GDA, you must do the following:

  1. Configure the GDA Application object with mutual TLS enabled, by adding the certificate, certificate-key, and trusted-ca parameters to the [security] section of the gda.cfg file. Refer to the following documents for additional information:
    • The "Configuring Secure Connections Between Genesys Deployment Agent and its Clients" section of the Genesys Security Deployment Guide for information about configuring TLS for GDA and an example of a gda.cfg file.
    • The TLS sections of the Genesys Security Deployment Guide for information about installing certificates on Windows and UNIX hosts.
  2. Enable TLS on the Host object on which GDA is running, by setting gda-tls to 1 in the [security] section in the Annex of the Host object. GAX reads this option to determine if GDA is running in mutual-TLS mode.
  3. Configure GAX to support TLS, as described in Transport Layer Security (TLS), above.
  4. Configure a certificate and its private key for GAX in the GAX trusted store to add GAX authentication to GDA. Store these files in PKCS#12 format. This format defines an archive name, and is commonly used to bundle a private key with its certificate. GAX should store its Certificate Authority, certificate, and certificate key in the same trusted store as configured in step 3.
    1. Create an archived file of the GAX certificate and its private key in the GAX keystore. For example:
      openssl pkcs12 -inkey 04_test_priv_key.pem -in 04_test_cert.pem -export -out gaxcert.pfx
    2. Import the archived file into the GAX keystore. For example:
      keytool -importkeystore -destkeystore gax.keystore –srckeystore "C:\GAX\TLS\Certificates\test.us.genesyslab.com-HOST\repository\gaxcert.pfx" -deststoretype JKS -srcstoretype pkcs12

Configuring mutual TLS between GAX and Configuration Server

To support mutual TLS connection between GAX and Configuration Server, you must do the following:

  1. Download OpenSSL
  2. Add environmental variable
    1. Set path = C:\OpenSSL-0.9.8\bin\
    2. Set OPENSSL_CONF=C:\openssl-0.9.8\OpenSSL.cnf
  3. Prepare certificate
    1. Go to OpenSSL location.
    2. Run Openssl>req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 5000 -config "c:\openssl-0.9.8\openssl.cnf
    3. Set passphrase = changeit (password that will be used later)
    4. Openssl> x509 -outform der -in cert.pem -out cert.der
    5. Copy cert.der cert.cer in a folder, which will be used later (optional)
    6. Remove password:
      OpenSSL rsa -in key.pem -out keynopass.pem
    7. Combine certificate and key in 1 file:
      openssl pkcs12 -inkey keynopass.pem -in cert.pem -export -out cert.pfx
  4. Configure certificate
    1. In the Configuration Server machine, configure Configuration Server certificates by using the mmc utility.
    2. Import your cert.pfx from CME-certs directory into Personal > Certificates.
    3. Import cert.der (or .cer or .pem, as per UI) into Trusted Root certification > certificates.
    4. In the GAX machine, create a directory c:\install\openssl\GAX-certs.
    5. Copy the Certificates folder from the Configuration Server machine to c:\install\openssl\GAX-certs.
    6. Type changeit if prompted for password.
    7. Repeat step 1 and 2.
    8. Navigate to the location c:\install\OpenSSL\GAX-certs and open OpenSSL.
    9. Openssl>pkcs12 -export -in cert.pem -inkey keynopass.pem -certfile cert.pem -out cert-and-key.p12.
    10. Open cmd and navigate to c:\install\openssl\GAX-certs in cmd.
    11. Run keytool -importkeystore -srckeystore cert-and-key.p12 -srcstoretype pkcs12 -destkeystore gax.jks -deststoretype JKS.
    12. Run keytool -list -v -keystore gax.jks.
    13. Run keytool -importcert -alias CMEcert -file c:\install\openssl\CME-certs\cert.der -keystore gax.jks -storepass changeit.
  5. Configure confserv application in Configuration Server
    1. Select Confserv and create port 3040 as auto detect.
    2. Open Port > Certificate tab and click Import Certificate and then choose self-signed certificate for Configuration Server machine (the machine that you configured and not the existing machine).
    3. Add thumb print copied from mmc.
    4. In the Advanced tab of port, add tls-mutual=1, so that the output is similar to: upgrade=1;tls-mutual=1;certificate=01 11 A2 B0 42 D6 99 C8 C7 F8 C6 21 58 DD AF E4 2D FF 51 FD.
  6. Configure in GAX application
    1. Go to GAX installed path.
    2. Edit gax start up file with the following options:
    3. set JAVA_OPTS=-server -XX:MaxPermSize=512m -XX:+CMSClassUnloadingEnabled -XX:+UseConcMarkSweepGC -XX:+HeapDumpOnOutOfMemoryError
      set JAVA_OPTS=%JAVA_OPTS% -Dcom.genesyslab.platform.commons.log.loggerFactory=com.genesyslab.platform.commons.log.Log4JLoggerFactoryImpl
      set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.debug=all
      set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.debug=ssl:handshake
      set DEBUG_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,address=9002,server=y,suspend=n
      set SECURITY_OPTS=-Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=C:\install\openssl\GAX-certs\gax.jks
      set JAVA_OPTS=%JAVA_OPTS% %SECURITY_OPTS%
      java %JAVA_OPTS% %DEBUG_OPTS% -jar gax.war
    4. Add line mf_tls_mutual=true in the gax.properties file.
    5. Change port from 2020 to 3040 in gax.properties file.
    6. Restart Configuration Server and GAX.

Configuring mutual TLS between GAX and Solution Control Server

To support mutual TLS connection between GAX and Solution Control Server (SCS), you must do the following:

  1. Download OpenSSL
  2. Add environmental variable
    1. Set path = C:\OpenSSL-0.9.8\bin\
    2. Set OPENSSL_CONF=C:\openssl-0.9.8\OpenSSL.cnf
  3. Prepare certificate
    1. Go to OpenSSL location.
    2. Run Openssl>req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 5000 -config "c:\openssl-0.9.8\openssl.cnf
    3. Set passphrase = changeit (password that will be used later)
    4. Openssl> x509 -outform der -in cert.pem -out cert.der
    5. Copy cert.der cert.cer in a folder, which will be used later (optional)
    6. Remove password:
      OpenSSL rsa -in key.pem -out keynopass.pem
    7. Combine cert and key in 1 file:
      openssl pkcs12 -inkey keynopass.pem -in cert.pem -export -out cert.pfx
  4. Configure certificate
    1. In SCS machine, configure certificates by using the mmc utility.
    2. Import your cert.pfx from CME-certs directory into Personal > Certificates.
    3. Import cert.der (or .cer or .pem, as per UI) into Trusted Root certification > certificates.
    4. In the GAX machine, create a directory c:\install\openssl\GAX-certs.
    5. Copy the Certificates folder from SCS machine to c:\install\openssl\GAX-certs.
    6. Type changeit if prompted for password.
    7. Repeat step 1 and 2.
    8. Navigate to the location c:\install\OpenSSL\GAX-certs and open OpenSSL.
    9. Run Openssl>pkcs12 -export -in cert.pem -inkey keynopass.pem -certfile cert.pem -out cert-and-key.p12.
    10. Open cmd and navigate to c:\install\openssl\GAX-certs in cmd.
    11. Run keytool -importkeystore -srckeystore cert-and-key.p12 -srcstoretype pkcs12 -destkeystore gax.jks -deststoretype JKS.
    12. Run keytool -list -v -keystore gax.jks.
    13. Run keytool -importcert -alias CMEcert -file c:\install\openssl\CME-certs\cert.der -keystore gax.jks -storepass changeit.
  5. Configure SCS application in Configuration Server
    1. Select Confserv and create port 3045 as auto.
    2. Open Port > Certificate tab and click Import Certificate and then choose self-signed certificate for SCS machine (the machine that you configured and not the existing machine).
    3. Add thumb print copied from mmc.
    4. In the Advanced tab of port, add tls-mutual=1, so that the output is similar to: upgrade=1;tls-mutual=1;certificate=01 11 A2 B0 42 D6 99 C8 C7 F8 C6 21 58 DD AF E4 2D FF 51 FD.
  6. Configure in GAX application
    1. Go to GAX installed path.
    2. Edit gax start up file with the following options:
    3. set JAVA_OPTS=-server -XX:MaxPermSize=512m -XX:+CMSClassUnloadingEnabled -XX:+UseConcMarkSweepGC -XX:+HeapDumpOnOutOfMemoryError
      set JAVA_OPTS=%JAVA_OPTS% -Dcom.genesyslab.platform.commons.log.loggerFactory=com.genesyslab.platform.commons.log.Log4JLoggerFactoryImpl
      set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.debug=all
      set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.debug=ssl:handshake
      set DEBUG_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,address=9002,server=y,suspend=n
      set SECURITY_OPTS=-Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=C:\install\openssl\GAX-certs\gax.jks
      set JAVA_OPTS=%JAVA_OPTS% %SECURITY_OPTS%
      java %JAVA_OPTS% %DEBUG_OPTS% -jar gax.war
    4. Add line mf_tls_mutual=true in the gax.properties file.
    5. Go to Configuration Server, select GAX, and then in the Connections tab, add SCS.
    6. Go to Port and change port to the secured port (auto).
    7. Restart SCS and GAX.


Disabling Authentication for Certain Connections

The configuring steps outlined above engage authentication for Configuration Server, Message Server, and Solution Control Server. If GAX uses the secure ports to connect to Message Server and Solution Control Server, both server-side certificates will automatically be validated against the trust storage.

In certain rare cases you might want to disable authentication for one of the connections. To do this, add the following line to the Advanced tab of the Properties dialog box for the connections:

"disableAuthentication=1"

Do not use white spaces. To separate this option from other options, use a semi-colon.

To disable TLS authentication for Configuration Server, add the following line to the following files:

  • (Linux) setenv.sh:

JAVA_OPTS="$JAVA_OPTS -Dgax.configserver.validate.cert=off"

  • (Windows) setenv.bat:

set JAVA_OPTS=%JAVA_OPTS% -Dgax.configserver.validate.cert=off

Important
  • Connections to Message Server and Solution Control Server fail if GAX does not find the received certificate in the trust store, or if Message Server and Solution Control Server do not send a certificate.
  • Connections also fail to Configuration Server and databases if they are configured for authentication and the certificate is not in the trust store.

TLS: Configuring the GAX Database

You must configure your Oracle, Microsoft SQL, or PostgreSQL server to use TLS. In addition to the appropriate procedure below, refer to the documentation that came with your database for information on how to use TLS security.

[+] Configuring the GAX Oracle Database for TLS
[+] Configuring the GAX MS SQL Database for TLS
[+] Configuring the GAX PostgreSQL Database for TLS

Cross-site Scripting and Cookies

You can configure your system to improve the protection of Genesys Administrator Extension against Cross-site Scripting (XSS) attacks by configuring the HttpOnly and Secure flags on your HTTP server to further enhance the existing GAX security. These flags tell browsers how to handle cookies.

Server-side cookies can be tagged with HttpOnly and Secure flags to tell the browser how to deal with them. To achieve a maximum level of security, administrators must make this configuration on the Application Server.

Securing Server-side Cookies

HttpOnly Flag

Setting the HttpOnly flag on cookies forces the browser to prevent (disallow) scripts from accessing the cookies. This prevents JavaScript that might be introduced through an XSS attack into a browser page to access cookie data and send it to a different person. Stolen cookie data can also be used to hijack a browser session.

When GAX is running on an embedded Jetty system, GAX automatically sets the HttpOnly flag on the JSESSIONID session cookie. You can turn off this flag by adding the following line in the gax.properties file:

session_httponly = false

If GAX is using an external Tomcat web server, open and edit the $CATALINA_HOME/conf/context.xml file.

To set the HttpOnly flag, add the following attribute:

useHttpOnly="true"

The main tag should be:

<Context useHttpOnly="true">

Secure Flag

With the Secure flag set, cookies are transmitted only from the browser to the server when the connection is secured by using the HTTPS protocol. This setting is applicable to HTTPS connections only. Therefore, you must configure GAX to use an HTTPS connector, not an HTTP connector.

When GAX is running on an embedded Jetty system and supported_protocol is set to https in gax.properties, GAX automatically sets the Secure flag on the JSESSIONID session cookie. You can turn off this flag by adding the following line to the gax.properties file:

session_securecookies = false

If GAX is using an external Tomcat web server, open and edit the $CATALINA_HOME/conf/server.xml file.

To set the Secure flag, add the following attribute to the HTTPS connector:

secure="true"

The flag must not be applied to any non-HTTPS connectors. If you apply the flag to an HTTP connection, it will become unusable for Genesys Administrator Extension.

The following is an example of a valid connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/home/gcti/keystore.key" keystorePass="genesys"
clientAuth="false" sslProtocol="TLS" />

Content Security Policy

GAX supports Content Security Policy (CSP) starting from the release 8.5.260.11. CSP helps users in mitigating Cross-Site Scripting, man-in-the-middle attacks, and data ex-filtration. You can limit the trusted external resources using your CSP.

You can frame your own CSP and configure the CSP headers for GAX using the content_security_policy option in the gax.properties file. This is a static change. Once CSP is configured, GAX adds the Content-Security-Policy header in the response with the configured policy.

Important
Micorsoft Internet Explorer does not support Content Security Policy.

Inactivity Timeout

For security purposes, GAX can be configured to lock the application if an administrator has not used the keyboard or mouse for a period that you specify. All user input is blocked until the administrator provides login information to unlock the application. This feature ensures that no unauthorized user can access an unattended terminal that is running GAX.

Use the inactivity_timeout option to specify the amount of time in minutes of administrator inactivity (no mouse or keyboard usage) that triggers application locking. If the administrator has been inactive longer than the number of minutes that are specified by the inactivity_timeout option, the administrator must re-authenticate to be able to use the GAX application. A value of 0 disables this functionality.

GAX employs a keep-alive strategy to prevent session timeout; this ensures that GAX maintains your session even if the inactivity timeout feature locks the application and requires you to log in.

Feedback

Comment on this article:

blog comments powered by Disqus
This page was last modified on 3 September 2018, at 02:22.