Introduction to Genesys Transport Layer Security

Genesys supports the optional use of the Transport Layer Security (TLS) protocol to secure data exchange between its components. TLS is an industry-standard protocol for secure communications on the Internet, and it is the successor of Secure Sockets Layer (SSL) 3.0.

Security Benefits

TLS provides strong authentication, message privacy, and integrity capabilities. TLS secures data transmission by using a variety of encryption options. TLS authenticates servers to prove the identities of the parties engaged in secure communication. It also provides data integrity through an integrity check value. In addition to protecting against data disclosure, the TLS protocol can be used to help protect against masquerade attacks, man-in-the-middle attacks, bucket brigade attacks, rollback attacks, and replay attacks. TLS, as implemented by Genesys, is considered to be compliant with Federal Information Processing Standards (FIPS).

Supporting Components

This section lists the Genesys components that currently support TLS and on what connections. For detailed information about TLS support by Genesys components, see the corresponding product documentation.

Feature Description

TLS secures connections through the exchange of digital certificates for authentication during a handshake process, which negotiates the ciphers and key lengths used to encrypt exchanged data.

TLS can be configured in two ways, simple TLS and mutual TLS, as described in the following sections.

See Supporting Components for the list of components and connections that support TLS.

Simple TLS

In simple TLS, only the Server has a security certificate. It sends this certificate to the Client, which checks the certificate against its own Certificate Authority (CA). In effect, this authenticates the identity of only the Server.

Basic steps of this authentication are as follows:

  1. TLS Client connects as anonymous.
  2. TLS Server sends to TLS Client its certificate, containing a certificate chain that begins with the server’s public key certificate and ends with the CA’s root certificate. See Certificate Generation and Installation.
  3. TLS Client checks the CA certificate in its trusted CA list.
  4. TLS Client compares the TLS Server host name and the certificate’s subject field, which must be identical (tls-target-name-check=host). See Check for Certificate-Host Matching.
  5. TLS Client is satisfied that the server certificate is not expired and has not been revoked. See Certificate Revocation Lists.

Mutual TLS

In mutual TLS, both the Server and the Client have security certificates. They exchange their certificates, then each checks the other’s certificate against its own CA. This authenticates the identities of both the Server and the Client.

Basic steps of this authentication are as follows:

  1. TLS Server and TLS Client exchange their certificates and check the root CA in the list of trusted CAs. See Certificate Generation and Installation.
  2. TLS Client compares the TLS Server host name and the certificate’s subject field, which must be identical (tls-target-name-check=host). See Check for Certificate-Host Matching.
  3. TLS Client is satisfied that the server certificate is not expired and has not been revoked. See Certificate Revocation Lists.
  4. TLS Server is satisfied that the client certificate is not expired and has not been revoked. See Certificate Revocation Lists.

You can upgrade to mutual TLS by setting the tls-mutual option in the [security] section to 1, as follows:

tls-mutual
Default Value: 0
Valid Values: 0, 1
Changes Take Effect: Immediately

Specifies if mutual TLS is used for secure data transfer. If set to 1, TLS certificates must be configured on both the server and client applications. If set to 0 (the default), client certificates are not required, and either simple TLS or data encryption (if client-auth=0) is used.

Evolution of Genesys TLS

Prior to 8.1.3, secure data exchange was accomplished by encrypting the data, using the TLS server certificate.

Starting in 8.1.3, simple TLS is the default method of secure data exchange. On the Windows platform, Configuration Server enables automatic authentication of a server’s security certificate by the Windows TLS client socket. However, this might cause the failure of existing TLS connections for which server certificates were not configured or CAs were not configured on the clients. To prevent authentication errors on those existing TLS connections, Genesys recommends that you make sure that server certificates are used and/or CAs are configured on the client applications. Alternatively, you can set the client-auth option to zero (0) to disable the default behavior and restore pre-8.1.3 behavior. This option can be set at the connection, application, or host level, with the same order of precedence.

Environment Prerequisites

The instructions in this document assume that you are adding Genesys TLS to existing connections of your Genesys configuration; that is, your applications have already been installed, properly configured, and associated with hosts and with each other. See the product-specific deployment guides for information about, and deployment instructions for, these components.

Supported Platforms

Important
Genesys TLS is not supported on all operating systems that Genesys products support. For UNIX-based operating systems, see Setting the Environment Variables for more information.

Refer to the Genesys Supported Operating Environment Reference Guide for a list of operating systems and database systems supported in Genesys releases 7.6 and later.

Supported Versions of TLS

Genesys TLS supports the following versions of TLS:

  • TLS 1.1
  • TLS 1.0
  • SSL v3
  • SSL v2

However, the version of TLS that is actually supported depends on the involved components and the software they are running. Refer to product documentation for TLS version information.

Specifying the TLS Protocol

Starting with Security Pack 8.5, an application can specify the lowest compatible protocol used by Security Pack on UNIX to send and accept secure connection requests on one or more of its connections, thereby limiting the use of obsolete protocols. To enable this, use the following option:

sec-protocol
Default Value: SSLv23
Valid Values: SSLv23, SSLv3, TLSv1, TLSv11
Changes Take Effect: Immediately

Specifies the protocol used by the component to set up secure connections.

This option is configured on one of three levels:

  • Host-level (the application host): In the [security] section of the annex of the Host object.
  • Application-level: In the [security] section of the options of the Application object.
  • Port-level (connection-level): As a transport parameter of the application's connection.

Important
If the component reads its configuration information solely from its configuration file, such as LCA or Genesys Deployment Agent, set this option in the [security] section of the appropriate configuration file (such as lca.cfg for LCA or gda.cfg for Genesys Deployment Agent).

On a single component, this option must be configured at the same level where the certificate is configured. Across a network, if this option is configured at multiple levels (connection, application, host), the value set at the lowest level takes precedence. That is:

  • The value set at the connection level takes precedence over the value set at the application and host levels.
  • The value set at the application level takes precedence over the value set at the host level.
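
The following added example (not Genesys code or a Genesys tool) resolves the effective sec-protocol, client-auth and tls-mutual values for one connection using the precedence described above, then reports the resulting mode and any settings worth reviewing. The three-dictionary input layout, the function names and the sample configurations are hypothetical; treating values that name SSL as still allowing SSL, and looking up tls-mutual through the same three levels, are assumptions.

```python
# Added illustration, not Genesys code. Option names and values come from the
# page; the three-dict input layout and the function names are hypothetical.
LEVELS = ("connection", "application", "host")   # highest precedence first
SEC_PROTOCOL_VALUES = {"SSLv23", "SSLv3", "TLSv1", "TLSv11"}
SEC_PROTOCOL_DEFAULT = "SSLv23"


def effective(option, settings, default=None):
    """Return (value, level) for an option: connection > application > host."""
    for level in LEVELS:
        if option in settings.get(level, {}):
            return settings[level][option], level
    return default, "default"


def audit_connection(settings):
    """Resolve the TLS options for one connection and list review findings."""
    findings = []
    proto, proto_level = effective("sec-protocol", settings, SEC_PROTOCOL_DEFAULT)
    if proto not in SEC_PROTOCOL_VALUES:
        findings.append(f"sec-protocol={proto} ({proto_level}) is not a valid value")
    elif proto.startswith("SSL"):
        # Assumption: a value naming SSL does not exclude the obsolete SSL protocols.
        findings.append(f"sec-protocol={proto} ({proto_level}) still allows SSL")

    # Assumption: tls-mutual is looked up through the same three levels.
    mutual, _ = effective("tls-mutual", settings, "0")
    client_auth, auth_level = effective("client-auth", settings)
    if mutual == "1":
        mode = "mutual TLS"
    elif client_auth == "0":
        mode = "data encryption only"
        findings.append(f"client-auth=0 ({auth_level}) disables server authentication")
    else:
        mode = "simple TLS"
    return {"sec-protocol": proto, "mode": mode, "findings": findings}


# Constructed sample configurations for two connections.
WEAK = {
    "host": {"sec-protocol": "TLSv11"},
    "application": {"client-auth": "0"},
    "connection": {"sec-protocol": "SSLv3"},     # overrides the host value
}
HARDENED = {
    "host": {"sec-protocol": "TLSv1"},
    "application": {"sec-protocol": "TLSv11", "tls-mutual": "1"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_connection(cfg))
```

In the constructed WEAK sample, the connection-level SSLv3 overrides the stricter host-level TLSv11, which is the kind of override that a review at the host level alone would miss.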

Feature Configuration

All Genesys components are configured in Genesys Administrator. To enable secure data exchange between the components, you must configure additional parameters in the Host objects, and in the Application objects that represent these components.

To use Genesys TLS functionality, you must complete the following steps:

  1. For UNIX, install the Security Pack on each host computer where Genesys components run. See Security Pack on UNIX.
  2. Set up a Certificate Authority (CA) on all server and client hosts that will be using TLS. See Certificate Generation and Installation.
  3. Create and install security certificates on UNIX and/or Windows platforms, as follows:
    • For simple TLS, install the certificates on only those hosts where the Server applications are running.
    • For mutual TLS, install the certificates as follows:
      • On those hosts on which the Server applications are running.
      • On other hosts that are not running Server applications but are running Client applications.

    See Certificate Generation and Installation.

  4. Complete application-specific and/or host-specific configuration procedures in Genesys Administrator. See Genesys TLS Configuration.

You can create and manage certificates and the corresponding private keys by using the OpenSSL toolkit and Windows Certification Services.

This page was last edited on April 21, 2016, at 20:09.