Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1424
Views
0
Helpful
1
Replies

Managing Certificates in a UCCE solution (12.5)

Dennis Hackenbracht
Level 1
Level 1

‎09-22-2021 11:00 PM

Hi folks,

 

I have some questions about the certificate management in a UCCE solution.

In Install/Upgrade Guide is written that all self signed (if not signed by a ca) certificates have to be imported to principal AW's Java keystore.

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_12_5_1/installation/guide/ucce_b_12_5_Install_upgrade_guide_ucce/ucce_b_cisco-unified-contact-center-enterprise12_5_chapter_01000.html#task_...

 

But I did not find any explanation or reason why.

One reason came up when trying to connect the RouterA to our smart licensing satellite. Without the certificate of RouterA in truststore of AW it is not possible to configure the connection to the smart licensing in CCEAdmin on AW.

How about the other components (RouterB, 2nd AW, PGs)?

We are not using secure connections within the CCE (CTI Server, etc).

My questions:

- Is this mandatory or only useful and if so, why?

- When chaning from Oracle Java to OpenJDK do we need to redo this for the new OpenJDK keystore? (I think so, but not for sure)

- Will the certificates be preserved after common ground upgrade? (We are planning Upgrade to 12.6)

- Is there any problem when using either self signed and CA signed (eg for Finesse, CCE Admin and CUIC) certificates in one deployment? Issuing and Root CA is present on all servers in the corresponding folders.

 

Thanks for replies,

 

Dennis

 

Labels:
0 Helpful
1 Reply 1

ritdesai
Cisco Employee
Cisco Employee

‎10-13-2021 07:08 PM - edited ‎10-13-2021 07:09 PM

hi @Dennis Hackenbracht 

 

response below...

 

- Is this mandatory or only useful and if so, why?

SPOG URL resides on AW. after introduction of SPOG and to enable the trust relationships among UCCE components, the AW must have all the server certificates and all the certificates exchange is mandatory process. you can refer below URL for self signed.

https://www.cisco.com/c/en/us/support/docs/contact-center/packaged-contact-center-enterprise-1201/214845-manage-pcce-components-certificate-for-s.html#anc18

 

you can refer https://www.cisco.com/c/en/us/support/docs/contact-center/packaged-contact-center-enterprise/215664-implement-ca-signed-certificates-in-a-cc.html for CA signed certificates.

 

- When chaning from Oracle Java to OpenJDK do we need to redo this for the new OpenJDK keystore? (I think so, but not for sure)  - Yes.

 

- Will the certificates be preserved after common ground upgrade? (We are planning Upgrade to 12.6) - no. the certificate keystore changes for 12.5.1, 12.5.1a and 12.6.1.

 

 

In UCCE 12.5.1a or CCE 12.5.1 ES 55 changes the keystore from oracle JAVA keystore to openJDK keystore (C:\Program Files (x86)\OpenJDK\jre-8.0.272.10-hoptspot\lib\security\cacerts).

In UCCE 12.6.1, keystore is changed to <ICM install directory>\ssl\cacerts

 

- Is there any problem when using either self signed and CA signed (eg for Finesse, CCE Admin and CUIC) certificates in one deployment? Issuing and Root CA is present on all servers in the corresponding folders. - no issues subject to organisation policies and VA.

 

hope this helps.

regards,

Ritesh.

thanks and regards,
Ritesh Desai
Please mark useful if it helps you. Mark answered if it is answered.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents