
Configuration of TLS Connections

TLS Connections to Configuration Server

LFMT Indexer and LFMT Collector both support secure connections to Configuration Server's Auto-Detect port. This section describes how to configure these secure connections. It is assumed that the person configuring the secure connection has already become familiar with the Genesys Security Deployment Guide and configured the Configuration Server Auto-Detect port.

Important
When creating certificates using OpenSSL as described in the Genesys Security Deployment Guide, ensure the default Secure Hash Algorithm is at minimum SHA-2. To do this, edit the .\ca_conf\ca.conf file created by the create_ca.sh script and set default_md = sha256 before creating certificates.
Important
If LFMT Indexer and LFMT Collector are to be deployed on a Linux host, ensure the private key is in PKCS #8 format. For more information on converting keys to PKCS #8 for use with Java based Genesys PSDK applications, refer to the Genesys Security Deployment Guide.

Installing Certificates and Certificate Authorities on the LFMT Server Host

This section describes how to install the certificates and certificate authorities used for secure connections on the LFMT Server Host.

On Linux

  1. If not already completed, install the Genesys Security on UNIX package and configure the system environment variable LD_LIBRARY_PATH as per the Genesys Security Deployment Guide.
  2. Copy the certificate, the certificate key, and the certificate authority file to a location on the LFMT Server Host.
  3. Ensure the certificate, the certificate key, and the certificate authority file are readable by the user that starts LFMT Indexer and LFMT Collector.
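
The script below is an added example, not part of the Genesys documentation or tooling. It checks the three copied files against the requirements stated above: a SHA-2 signature on the certificate and CA, a PKCS #8 private key, and read access for the account that runs it. Function names are illustrative, and the openssl command-line tool is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: pre-flight checks for the three files copied to the LFMT Server Host.
# Function names are illustrative; this is not Genesys tooling.

# Classify a private key by the PEM header on its first line.
key_format() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
                                                 echo traditional ;;
        *)                                       echo unknown ;;
    esac
}

# True only for SHA-2 family names as OpenSSL prints them, for example
# sha256WithRSAEncryption or ecdsa-with-SHA384. Anything else (sha1, md5,
# or a name that carries no digest) fails and needs a manual look.
sig_alg_is_sha2() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha224*|*sha256*|*sha384*|*sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the signature algorithm of a PEM certificate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# $1 = certificate, $2 = private key, $3 = CA certificate.
# Run as the account that starts LFMT Indexer and LFMT Collector.
preflight() {
    rc=0
    for f in "$1" "$2" "$3"; do
        [ -r "$f" ] || { echo "FAIL: $f not readable by $(id -un)"; rc=1; }
    done
    for c in "$1" "$3"; do
        alg=$(cert_sig_alg "$c" 2>/dev/null)
        sig_alg_is_sha2 "$alg" || { echo "FAIL: $c signed with '${alg:-?}'"; rc=1; }
    done
    case "$(key_format "$2" 2>/dev/null)" in
        pkcs8*) ;;
        *) echo "FAIL: $2 is not a PKCS #8 key"; rc=1 ;;
    esac
    return "$rc"
}

if [ "$#" -eq 3 ]; then preflight "$@"; exit $?; fi
```

Invoke it with the certificate, key and CA paths in that order; it exits non-zero and prints one FAIL line per problem found.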

On Windows

  1. Copy the certificate, the certificate key, and the certificate authority file to a location on the LFMT Server Host.
  2. Ensure the certificate, the certificate key, and the certificate authority file are readable by the user that starts LFMT Indexer and LFMT Collector.
  3. From the Windows Start menu, select Run, and then execute the mmc command to start the Microsoft Management Console (MMC).
  • The Microsoft Management Console should be opened under the user who starts LFMT Indexer and LFMT Collector. If this is the Local System account, you will need to open the console as the Local System user. This can be done using the PSTools psexec application with the following command:
    psexec.exe -i -s mmc.exe
  • PSTools can be downloaded from http://technet.microsoft.com/en-US/sysinternals.
  • Select File > Add/Remove Snap-in.
  • In the left pane choose Certificates. Click the Add button.
  • Add a Certificates snap-in for Computer account. Click Finish.
  • As above, add an additional Certificates snap-in for My user account.
  • In the Computer Account snap-in right-click the Trusted Root Certification Authorities folder, and select All Tasks > Import from the shortcut menu. This starts the Certificate Import Wizard.
  • On the first Wizard page, click Next.
  • On the File to Import page, browse to the certificate authority file (Ex. ca_cert.pem), and then click Next.
  • On the Certificate Store page, select Place all certificates in the following store. Make sure that the Certificate store text box is set to Trusted Root Certification Authorities. Click Next.
  • Click Finish.
  • In the My user account snap-in open the Certificates folder.
  • Right-click the Personal folder, and select All Tasks > Import from the shortcut menu. This starts the Certificate Import Wizard.
  • On the first Wizard page, click Next.
  • On the File to Import page, browse to the certificate file (Ex. collector_host.pfx). Click Next.
  • On the Password page, click Next. No password is needed.
  • On the Certificate Store page, select Place all certificates in the following store. Make sure that the Certificate store text box is set to Personal. Click Next.
  • Click Finish.
  • Press F5 to update the MMC view.
  • On the left pane, select Certificates > Personal > Certificates.
  • On the right pane, locate the imported certificate in the list, and double-click it.
  • In the Certificate dialog box, click the Details tab.
  • To view the certificate thumbprint, select Thumbprint from the list. The thumbprint, consisting of a string of hexadecimal digits, appears in the lower part of the dialog box. The same process can be used to view the thumbprint for the certificate authority.

Provisioning LFMT Indexer/Collector for Secure Connections

This section describes how to provision LFMT Indexer/Collector for secure connections to the Auto-Detect port of Configuration Server. Use this procedure for both simple and mutual TLS connections.

  1. Log into GAX, and navigate to Configuration Manager.
  2. From the Environment section, select Applications.
  3. In the Applications section, locate and open the LFMT Indexer/Collector application.
  4. In the General tab, specify the Auto-Detect port of the primary and backup Configuration Server for the port and backupport arguments in the Command Line Arguments respectively.
  5. In the Connections tab, select Add. Add a connection to the primary Configuration Server, being sure to select the Auto-Detect port in the Port ID drop-down.
  6. In the Connections tab, select Add. Add a connection to the backup Configuration Server, being sure to select the Auto-Detect port in the Port ID drop-down.
  7. In the General tab, specify the Certificate, Certificate Key, and the Trusted CA installed on the LFMT Server Host.
    • Certificate: For Windows, this will be the thumbprint of the certificate shown in the Properties of the certificate in the MMC Certificates snap-in. For Linux, this will be the complete path to the certificate file. Ex. /home/genesys/certs/collector_host.pem
    • Certificate Key: For Windows, this will be the thumbprint of the certificate shown in the Properties of the certificate in the MMC Certificates snap-in (this is normally the same value as used in the Certificate field). For Linux, this will be the complete path to the certificate key file. Ex. /home/genesys/certs/collector_host_java_priv_key.pem
    • Trusted CA: For Windows, this will be the thumbprint of the Trusted Root Certificate Authority shown in the Properties of the certificate authority in the MMC Certificates snap-in. For Linux, this will be the complete path to the certificate authority file. Ex. /home/genesys/certs/ca_cert.pem
  8. Click Save to commit the changes.

Tip
As an alternative to configuring the Certificate, Certificate Key, and the Trusted CA for the LFMT Indexer and Collector at the application level, certificates and certificate authorities can be assigned on the LFMT Server Host Object in GAX.
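
The script below is an added example, not part of the Genesys documentation. It cross-checks a thumbprint value destined for the Certificate, Certificate Key or Trusted CA field against the PEM file it should belong to, so a mistyped or wrongly copied value is caught before Save. Function names are illustrative, and it assumes the openssl command-line tool and a PEM copy of the certificate are available.

```shell
#!/bin/sh
# Added example: cross-check a thumbprint copied from the MMC Details tab
# against the PEM file it should correspond to. Names are illustrative.

# Keep only hex digits and upper-case them. This drops the spaces MMC shows
# between byte pairs and any invisible characters picked up when copying.
normalize_thumbprint() {
    printf '%s' "$1" | LC_ALL=C tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# The Windows thumbprint is the SHA-1 digest of the DER-encoded certificate,
# which is what "openssl x509 -fingerprint -sha1" prints after the "=".
cert_thumbprint() {
    normalize_thumbprint "$(openssl x509 -in "$1" -noout -fingerprint -sha1 |
        sed 's/^[^=]*=//')"
}

# $1 = value to be pasted into the GAX field, $2 = PEM certificate or CA file.
thumbprint_matches() {
    pasted=$(normalize_thumbprint "$1")
    [ "${#pasted}" -eq 40 ] || { echo "not a 40-digit thumbprint: $pasted"; return 1; }
    actual=$(cert_thumbprint "$2" 2>/dev/null)
    [ "$pasted" = "$actual" ] || { echo "mismatch: file gives '$actual'"; return 1; }
}

if [ "$#" -eq 2 ]; then thumbprint_matches "$@"; exit $?; fi
```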

This page was last modified on March 15, 2016, at 07:04.