Managing Certificates in a UCCE solution (12.5)

Hi folks,

 

I have some questions about the certificate management in a UCCE solution.

The Install/Upgrade Guide says that all self-signed certificates (if not signed by a CA) have to be imported into the principal AW's Java keystore.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_12_5_1/installation/guide/ucce_b_12_5_Install_upgrade_guide_ucce/ucce_b_cisco-unified-contact-center-enterprise12_5_chapter_01000.html#task_...

 

But I did not find any explanation or reason why.

One reason came up when trying to connect RouterA to our smart licensing satellite. Without the certificate of RouterA in the truststore of the AW, it is not possible to configure the connection to smart licensing in CCEAdmin on the AW.

How about the other components (RouterB, 2nd AW, PGs)?

We are not using secure connections within the CCE (CTI Server, etc).

My questions:

- Is this mandatory or only useful and if so, why?

- When changing from Oracle Java to OpenJDK, do we need to redo this for the new OpenJDK keystore? (I think so, but I'm not sure)

- Will the certificates be preserved after common ground upgrade? (We are planning Upgrade to 12.6)

- Is there any problem when using both self-signed and CA-signed (e.g. for Finesse, CCE Admin and CUIC) certificates in one deployment? The issuing and root CA certificates are present on all servers in the corresponding folders.

 

Thanks for replies,

 

Dennis

 

1 REPLY
ritdesai
Cisco Employee

Hi @Dennis Hackenbracht

Response below...

 

- Is this mandatory or only useful and if so, why?

The SPOG URL resides on the AW. After the introduction of SPOG, and to enable the trust relationships among UCCE components, the AW must have all the server certificates, and the exchange of all certificates is a mandatory process. You can refer to the URL below for self-signed certificates.

https://www.cisco.com/c/en/us/support/docs/contact-center/packaged-contact-center-enterprise-1201/214845-manage-pcce-components-certificate-for-s.html#anc18

 

You can refer to https://www.cisco.com/c/en/us/support/docs/contact-center/packaged-contact-center-enterprise/215664-implement-ca-signed-certificates-in-a-cc.html for CA-signed certificates.

 

- When changing from Oracle Java to OpenJDK, do we need to redo this for the new OpenJDK keystore? (I think so, but I'm not sure) - Yes.

 

- Will the certificates be preserved after common ground upgrade? (We are planning Upgrade to 12.6) - No. The certificate keystore changes for 12.5.1, 12.5.1a and 12.6.1.

 

 

UCCE 12.5.1a or CCE 12.5.1 ES 55 changes the keystore from the Oracle Java keystore to the OpenJDK keystore (C:\Program Files (x86)\OpenJDK\jre-8.0.272.10-hoptspot\lib\security\cacerts).

In UCCE 12.6.1, the keystore is changed to <ICM install directory>\ssl\cacerts

 

- Is there any problem when using both self-signed and CA-signed (e.g. for Finesse, CCE Admin and CUIC) certificates in one deployment? The issuing and root CA certificates are present on all servers in the corresponding folders. - No issues, subject to organisation policies and VA.

 

Hope this helps.

Regards,

Ritesh.
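
A check that could be run on the AW after the keystore location changes, as an added example that is not part of the original thread and not Cisco tooling: it reports which exported component certificates are missing from a given keystore, matching by SHA-256 fingerprint rather than alias. The function name, the certificate folder and the parameters are assumptions; it relies only on `keytool -list -v` and the .NET certificate classes.

```powershell
# Added example (not from the thread): verify that component certificates are present in a keystore.
# Assumptions: -CertDir is a hypothetical folder holding one exported certificate file per
# component (RouterA, RouterB, PGs, ...), keytool is on PATH or given via -Keytool, and
# -StorePass is the password of the keystore being checked.
function Test-KeystoreTrust {
    param(
        [Parameter(Mandatory)][string]$Keystore,   # e.g. the OpenJDK cacerts or <ICM install directory>\ssl\cacerts
        [Parameter(Mandatory)][string]$CertDir,
        [Parameter(Mandatory)][string]$StorePass,
        [string]$Keytool = 'keytool'
    )
    if (-not (Test-Path -LiteralPath $Keystore)) { throw "Keystore not found: $Keystore" }

    # -list -v prints the SHA1 and SHA256 fingerprints of every entry as colon-separated hex.
    $listing = & $Keytool -list -v -keystore $Keystore -storepass $StorePass 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "keytool failed: $listing" }

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -LiteralPath $CertDir -File |
        Where-Object { $_.Extension -in '.cer', '.crt', '.pem' } |
        ForEach-Object {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
            # Same formatting keytool uses: upper-case hex bytes separated by colons.
            $fp = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)).Replace('-', ':')
            [pscustomobject]@{
                File       = $_.Name
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                InKeystore = $listing.Contains($fp)
            }
        }
}

# Example call (paths are placeholders to fill in for the deployment):
# Test-KeystoreTrust -Keystore '<ICM install directory>\ssl\cacerts' -CertDir 'C:\Temp\certs' `
#     -StorePass (Read-Host 'Keystore password') | Format-Table -AutoSize
```

Rows with `InKeystore` set to `False` are certificates that still have to be imported into the keystore the current release uses; `NotAfter` shows which ones are close to expiry.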
