(5.0 - 5.2) IVG security guide

Use the following guides to enhance the security of your Interactive Voice Gateway (IVG) installation.

Enable HTTP Strict Transport Security (HSTS) headers in IVG/VIS

For instructions on enabling HSTS to force HTTPS connections for all traffic and requests, see Enabling HTTP Strict Transport Security (HSTS) headers in IVG/VIS.

Avaya SSL/TLS Setup

Enable Secure Sockets Layer (SSL)/Transport Layer Security (TLS) in IVG through the voice platform UI. After enabling SSL/TLS, the SIP Secure (SIPS) and Secure RTP (SRTP) protocols can be configured.

After enabling SSL/TLS in the voice platform, you copy the Session Manager certificate to the voice platform, and copy the voice platform certificate to Session Manager. This facilitates the SSL/TLS handshake between the Session Manager and the voice platform.

Enabling SSL/TLS in the voice platform

  • Navigate to Configuration > Holly Configuration.
  • Select OpenSSL from the Component dropdown.
  • Select the Pool.
    • TIP: The default pool name is holly.
  • Determine the supported ciphers for the voice platform by running the following Linux command:
openssl ciphers -
  • In sslciphers, enter the list of SSL ciphers for openssl.
    • For example: "HIGH:DES:MD5:AES256-SHA256"
  • In ssloptions, enter the protocol versions to exclude, chosen from the following options:
    • no_sslv2
    • no_sslv3
    • no_tlsv1
    • no_tlsv1_1
    • no_tlsv1_2

For example, to accept only TLS 1.2, the string would read: no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1

NOTE

Escape the separator (,) with a backslash (\) when listing multiple ssloptions. For example:

no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1\, no_tlsv1_2

  • Restart IVG for the changes to take effect.

IMPORTANT

Without restarting IVG, the TLS protocol is not enabled.

Configuring SIPS and SRTP in the voice platform

Enabling SIPS/SRTP for IVG Avaya requires:

  • Creating a certificate in Microsoft Management Console (mmc)
  • Copying the IVG certificate to Avaya Session Manager
  • Enabling SIPS/SRTP in the voice platform

Creating the self-signed certificate

Use the following instructions to generate the certificate on the Avaya Session Manager server.

  • Open the mmc console by navigating to Run and typing mmc.
  • In the Windows mmc console, navigate to File > Add/Remove Snap-in.
  • Select Certificates from the Available snap-ins panel, and press Add.
  • On the Certificates snap-in screen, select the Computer account radio button and press Next.
  • On the Select Computer screen, keep the default Local computer radio button selected and press Finish.
  • The certificate displays in the Selected snap-ins column of the Add or Remove Snap-ins screen.
  • Press OK.

Enrolling the certificate

  • Expand the Certificates folder.
  • Expand the Personal folder, right-click Certificates and select All Tasks > Advanced Options > Create Custom Request.
  • Click Next on the Before you begin screen.
  • On the Select Certificate Enrollment Policy screen, select Proceed without enrollment policy and press Next.
  • On the Custom request screen, keep the default values selected and press Next.
  • On the Certificate information screen, expand Details and press the Properties button.
  • Enter the following information for Certificate Properties:

Tab | Field | Instructions
General | Friendly name | Enter a friendly name that reflects the server and purpose.
General | Description (optional) | Enter a description of the certificate.
Subject | Subject name > Type | Select Common name from the dropdown.
Subject | Subject name > Value | Enter the IP address of the server and press Add.
Subject | Alternative name > Type | Select DNS from the dropdown.
Subject | Alternative name > Value | Enter the server name and press Add.
Extensions | Extended key usage | Select Server Authentication and press Add. Then select Client Authentication and press Add.
Private Key | Key options | Select 1024 from the Key options dropdown and enable the Make private key exportable checkbox.
Private Key | Select Hash Algorithm | Select sha1 from the Select Hash Algorithm dropdown.

  • Press Apply and then press OK.
  • Press Next on the Certificate information screen.
  • Name the file with a .cer file extension, and verify the Base 64 radio button is selected.
  • Press Finish.

Verifying the certificate enrollment

  • Expand the Certificates folder.
  • Expand the Certificate Enrollment Requests folder.
  • Select Certificates.
  • Verify the certificate displays in the center panel.

Adding the certificate to Trusted Root Authority

  • Right-click on the certificate and select Copy.
  • Expand Trusted Root Certification Authorities.
  • Right-click Certificates and select Paste.
  • Expand Personal.
  • Right-click Certificates and select Paste.
  • Double-click the certificate.
  • Open the Certification Path tab and verify the Certificate Status is OK.

Enabling SIPS/SRTP in Avaya Session Manager

Copying the voice platform certificate to Session Manager

  • On the home page of the System Manager web console, click Services > Inventory > Manage Elements.
  • Select a Session Manager instance.
  • Click More Actions > Manage Trusted Certificates.
  • On the Trusted Certificates page, click Add.
  • To import a certificate from a file:
    • Select the Import from file radio button.
    • Click Browse and locate the file.
    • Click Retrieve Certificate.
    • Click Commit.
  • To import a certificate in the PEM format:
    • Select the Import as PEM Certificate radio button.
    • Locate the PEM certificate.
    • Open the certificate using Notepad.
    • Copy the entire contents of the file. You must include the start and end tags: "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
    • Paste the contents of the file in the box provided.
    • Click Commit.

Enabling SIPS and SRTP in the voice platform

Enable SIPS and SRTP in the voice platform management system.

  • Navigate to Configuration > Holly Configuration.
  • Select Audio Provider SIP from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the pool <PoolName> tab is selected.
  • Locate the following components and update their values:

Component | Description | Updated value
siplistenport | Primary SIP port used for incoming SIP requests over UDP or TCP. The IVG installer process automatically configures port 5060. Using a different port requires the port to be manually configured. | 5060
siplistenport2 | Secondary SIP port used for incoming SIP requests over UDP or TCP. Port 5070 is a recommended port number, but any available port number can be used. The port used must be manually configured. | 5070
siptransport | List of transport protocols enabled by the voice platform. The order of the protocols determines the protocol preference. | tls,tcp,udp
srtpsupport | Determines SRTP behavior for inbound and outbound calls. VHT engineers recommend the value 2, which allows inbound calls using SRTP and enables SRTP on outbound calls using TLS. | 2
tlslistenport | Primary TLS port used for incoming SIPS requests over TLS. The IVG installer process automatically configures port 5061. Using a different port requires the port to be manually configured. | 5061
tlslistenport2 | Secondary TLS port used for incoming SIPS requests over TLS. Port 5071 is a recommended port number, but any available port number can be used. The port used must be manually configured. | 5071

  • Select OpenSSL from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the pool <PoolName> tab is selected.
  • Locate the following components and update their values:

Component | Description | Updated value
sslcafile | The file path for the voice platform certificate. This file is read when the voice platform processes start, and its contents are used in two-way (mutual) authentication. | /export/home/[hollyusername]/etc/VoicePlatformCertificate.pem, where hollyusername is the holly user name configured in the IVG installer and VoicePlatformCertificate.pem is the name of the voice platform certificate file.
sslverify | Used to verify the SSL peer. | 1

  • Navigate to Configuration > Holly Configuration.
  • Select Holly Call Control from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Locate the hvpendpoint parameter and enter the value !(sipbindhost.sip_ap).
  • Restart IVG for the changes to take effect.

IMPORTANT

Without restarting IVG, the SIPS and SRTP protocols are not enabled.

Generating the voice platform self-signed certificates

The IVG installer process generates a private key, self-signed certificates, and public key for the voice platform, and stores them in the /export/home/holly/etc directory.

The certificate and key file names are generated from /export/home/holly/httpd/conf. The following parameters generate the certificate.pem and privatekey.pem files:

Parameter | Key | Value
httpscertificatefilename | certificate.pem | server.cert
httpsprivatekeyfilename | privatekey.pem | server.key

IMPORTANT

New IVG installations must add the newly generated voice platform certificate to Session Manager.

Copying and adding the Session Manager certificate file to the voice platform

IMPORTANT

HVP 7.2 introduced a new TLS feature called Server Name Indication (SNI). This feature adds an extension containing the target server's FQDN to the Client Hello portion of the TLS handshake. HVP 7.2 was first used with IVG 5.0, so the SNI feature is not used in prior versions of IVG.

The new SNI feature in HVP requires that the SIP endpoint parameter in the OCC site.config file must match the name in the CN attribute of the Session Manager identity certificate. This does not apply to any other parameters in the OCC site.config file or any other On-Premise Callback configuration files.

You can verify the name in the certificate in Steps 2 and 3 below. The output of Step 2 should include the Level 0 CN, as in the following example:

example record

If the SIP endpoint parameter configured for OCC and the CN attribute name do not match, Session Manager will return an error during the handshake. You can see the error when running a Session Manager trace with TLS handshake tracing enabled. The error will look similar to the following example:

example TLS record

If the specified FQDN cannot be resolved on the IVG server, you will need to add it to the /etc/hosts file on each server or add it via DNS.

Copy a certificate file created for the contact center environment to the voice platform

  • Open a Linux shell and navigate to the /etc folder.
  • Run the following command:
openssl s_client -connect <SessionManagerServer>:<SessionManagerTLSPortNumber>
    • SessionManagerServer - the IP address of the Session Manager server
    • SessionManagerTLSPortNumber - the TLS port number of the Session Manager server
  • Copy the contents of the certificate from BEGIN CERTIFICATE to END CERTIFICATE.
  • Paste the contents of the certificate in a text editor, and save the certificate with a .pem file extension. For example, platform-ca.pem.
  • Run the following command to verify the certificate file was created:
ls -l *.pem
  • Run the following command to log in as the holly user:
su - holly
  • Run the following command to access the holly user etc directory:
cd etc
  • Run the following command to add the contact center certificate to the voice platform certificate file:
cat certificate.pem >> platform-ca.pem
    • certificate.pem - Name of the IVG voice platform certificate file.
    • platform-ca.pem - Name of the contact center certificate file from Step 4.

Disable HTTP and HTTPS ports

Use the following instructions to disable the following ports:

  • 2020 - HTTP
  • 2021 - HTTPS

Disabling port 2020 (HTTP)

  • Open a Linux shell and log in as the holly user.
  • Change the directory to httpd/conf.
  • Look for the following entry:
Listen 2020
  • Comment out the line Listen 2020.
  • Save the file and restart the Holly processes.

Disabling port 2021 (HTTPS)

  • Open a Linux shell and log in as the holly user.
  • Change the directory to httpd/conf.
  • Look for the following entries:
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
  • Comment out the line Include conf/extra/httpd-ssl.conf.
  • Save the file and restart the Holly processes.

FIPS compliance

No additional configuration is needed in order to access the HMS user interface from FIPS-compliant workstations or networks. These connections will be accepted by default.

Generate a certificate with Java keytool

Use the Java keytool application for OpenJDK 8 to add the Platform Toolkit (PTK) server certificate to the CA keystore on each IVG server. This allows the VXML Interaction Server (VIS) to communicate securely over HTTPS with each instance of the PTK.

  • Open a Linux shell on the IVG server, and copy the PTK certificate using the following command. Verify you have the correct name for the certificate .pem file, and verify whether the CN is set to the server short name or the FQDN:
echo -n | openssl s_client -connect <ServerName>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <CertificateName>.pem
  • Repeat Step 1 for each PTK instance.
  • Add the certificate to the Java CA keystore (cacerts) using the following command:
/usr/lib/jvm/jre-1.8.0-openjdk/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/jre-1.8.0-openjdk/lib/security/cacerts -storepass changeit -noprompt -alias <ServerName> -file /export/home/holly/etc/<CertificateName>.pem

For complete instructions on configuring HTTPS for IVG, VIS, and PTK using Apache Tomcat, see the Configuring HTTPS for VXML Interaction Server and Platform Toolkit article for your version of VIS.

Generate a new OpenSSL certificate


Genesys SSL/TLS Setup

Enable Secure Sockets Layer (SSL)/Transport Layer Security (TLS) in IVG through the voice platform UI. After enabling SSL/TLS, the SIP Secure (SIPS) and Secure RTP (SRTP) protocols can be configured.

After enabling SSL/TLS in the voice platform, you copy the Session Manager certificate to the voice platform, and copy the voice platform certificate to Session Manager. This facilitates the SSL/TLS handshake between the Session Manager and the voice platform.

Enabling SSL/TLS in the voice platform

  • Navigate to Configuration > Holly Configuration.
  • Select OpenSSL from the Component dropdown.
  • Select the Pool.
    • TIP: The default pool name is holly.
  • Determine the supported ciphers for the voice platform by running the following Linux command:
openssl ciphers -
  • In sslciphers, enter the list of SSL ciphers for openssl.
    • For example: "HIGH:DES:MD5:AES256-SHA256"
  • In ssloptions, enter the protocol versions to exclude, chosen from the following options:
    • no_sslv2
    • no_sslv3
    • no_tlsv1
    • no_tlsv1_1
    • no_tlsv1_2

For example, to accept only TLS 1.2, the string would read: no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1

NOTE

Escape the separator (,) with a backslash (\) when listing multiple ssloptions. For example:

no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1\, no_tlsv1_2

  • Restart IVG for the changes to take effect.

IMPORTANT

Without restarting IVG, the TLS protocol is not enabled.
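A pre-save check for the two OpenSSL values entered above, added here as an example (it is not code from the IVG guide, and it applies equally to the identical Avaya procedure earlier on this page). It splits ssloptions on the escaped "\," separator, prints which protocol versions the voice platform would still accept, rejects misspelled option names, and flags sslciphers tokens that switch on legacy algorithms. Only list_ciphers needs the openssl CLI; everything else runs in any POSIX shell.

```shell
#!/bin/sh
# Added example, not from the IVG guide: sanity-check the OpenSSL component's
# ssloptions and sslciphers values before saving them. ssloptions uses the
# escaped separator "\," that the guide requires; the protocol names are the
# five the guide lists.
ALL_PROTOCOLS="sslv2 sslv3 tlsv1 tlsv1_1 tlsv1_2"

# Print the options of an ssloptions string one per line: split on "\," and
# trim the surrounding whitespace.
split_ssloptions() {
    rest=$1
    while [ -n "$rest" ]; do
        case $rest in
            *\\,*) item=${rest%%\\,*}; rest=${rest#*\\,} ;;
            *)     item=$rest; rest='' ;;
        esac
        item=$(printf '%s' "$item" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$item" ] && printf '%s\n' "$item"
    done
    return 0
}

# Print the protocol versions that remain enabled after ssloptions is applied,
# one per line. An unknown option name (a typo such as "notlsv1_1") is reported
# on stderr and makes the function return 1, because the misspelled option
# leaves the protocol it was meant to disable switched on. Disabling every
# protocol is also reported: no TLS session could be negotiated at all.
remaining_protocols() {
    remaining=" $ALL_PROTOCOLS "
    rc=0
    for opt in $(split_ssloptions "$1"); do
        case $opt in
            no_sslv2|no_sslv3|no_tlsv1|no_tlsv1_1|no_tlsv1_2)
                proto=${opt#no_}
                remaining=$(printf '%s' "$remaining" | sed "s/ $proto / /") ;;
            *)  echo "unknown ssloption: $opt" >&2; rc=1 ;;
        esac
    done
    if [ -z "$(printf '%s' "$remaining" | tr -d ' ')" ]; then
        echo "every protocol is disabled; TLS cannot be negotiated" >&2; rc=1
    fi
    for p in $remaining; do printf '%s\n' "$p"; done
    return $rc
}

# Flag cipher-string tokens that enable legacy algorithms. Tokens starting with
# "!" or "-" remove suites and are fine; any other token naming DES, MD5, RC4,
# NULL, EXPORT or LOW widens what the platform will accept. Returns 1 if found.
check_sslciphers() {
    rc=0
    for tok in $(printf '%s' "$1" | tr ':' '\n'); do
        case $tok in
            \!*|-*) continue ;;
            *DES*|*MD5*|*RC4*|*NULL*|*EXP*|*LOW*)
                echo "legacy cipher token enabled: $tok" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Expand a cipher string with the local OpenSSL (the guide's "openssl ciphers"
# step). Needs the openssl CLI; not exercised offline.
list_ciphers() { openssl ciphers -v "$1"; }

# Usage: sh check_ssl.sh 'no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1' 'HIGH:!aNULL:!MD5'
if [ "$#" -eq 2 ]; then
    echo "protocols still enabled:"; remaining_protocols "$1"
    check_sslciphers "$2" && echo "cipher string: no legacy tokens"
fi
```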

Configuring SIPS and SRTP in the voice platform

Enabling SIPS/SRTP for IVG Genesys requires:

  • Creating a certificate in Microsoft Management Console (mmc)
  • Enabling TLS on the Genesys SIP Server
  • Copying the IVG certificate to Genesys
  • Enabling SIPS/SRTP in the voice platform

Creating the self-signed certificate

Use the following instructions to generate the certificate on the Genesys SIP Server.

  • Open the mmc console by navigating to Run and typing mmc.
  • In the Windows mmc console, navigate to File > Add/Remove Snap-in.
  • Select Certificates from the Available snap-ins panel, and press Add.
  • On the Certificates snap-in screen, select the Computer account radio button and press Next.
  • On the Select Computer screen, keep the default Local computer radio button selected and press Finish.
  • The certificate displays in the Selected snap-ins column of the Add or Remove Snap-ins screen.
  • Press OK.

Enrolling the certificate

  • Expand the Certificates folder.
  • Expand the Personal folder, right-click Certificates and select All Tasks > Advanced Options > Create Custom Request.
  • Click Next on the Before you begin screen.
  • On the Select Certificate Enrollment Policy screen, select Proceed without enrollment policy and press Next.
  • On the Custom request screen, keep the default values selected and press Next.
  • On the Certificate information screen, expand Details and press the Properties button.
  • Enter the following information for Certificate Properties:

Tab | Field | Instructions
General | Friendly name | Enter a friendly name that reflects the server and purpose.
General | Description (optional) | Enter a description of the certificate.
Subject | Subject name > Type | Select Common name from the dropdown.
Subject | Subject name > Value | Enter the IP address of the server and press Add.
Subject | Alternative name > Type | Select DNS from the dropdown.
Subject | Alternative name > Value | Enter the server name and press Add.
Extensions | Extended key usage | Select Server Authentication and press Add. Then select Client Authentication and press Add.
Private Key | Key options | Select 1024 from the Key options dropdown and enable the Make private key exportable checkbox.
Private Key | Select Hash Algorithm | Select sha1 from the Select Hash Algorithm dropdown.

  • Press Apply and then press OK.
  • Press Next on the Certificate information screen.
  • Name the file with a .cer file extension, and verify the Base 64 radio button is selected.
  • Press Finish.

Verifying the certificate enrollment

  • Expand the Certificates folder.
  • Expand the Certificate Enrollment Requests folder.
  • Select Certificates.
  • Verify the certificate displays in the center panel.

Adding the certificate to Trusted Root Authority

  • Right-click on the certificate and select Copy.
  • Expand Trusted Root Certification Authorities.
  • Right-click Certificates and select Paste.
  • Expand Personal.
  • Right-click Certificates and select Paste.
  • Double-click the certificate.
  • Open the Certification Path tab and verify the Certificate Status is OK.

Enabling SIPS/SRTP on the Genesys SIP Server

  • Update the TLS port in Configuration Manager by navigating to SIP Server and opening Options > TServer.
    • Locate tls-mutual and verify it is set to False.
    • Locate sip-tls-cert and enter the certificate thumbprint.
      • Locate the thumbprint in mmc under the Details tab of the certificate.
    • Locate sip-port-tls and update the value to the TLS port number. The IVG installer automatically opens port 5061. If another port is used, it must be opened manually.

NOTE

The sip-tls-cipher-list should be supplied by the client.

  • Locate the IVG Trunk in the Genesys strategy.
    • Navigate to Annex > TServer > Options.
      • In the Contact field, add FQDN:Port:transport=tls

Copying the voice platform certificate to SIP Server

The IVG installer generates a self-signed certificate for IVG named certificate.pem and places it in the /home/holly/etc directory.

To copy the IVG certificate to the Genesys SIP Server:

  • Copy the IVG certificate from /home/holly/etc and rename it with the .crt file extension.
  • Import the certificate to the Genesys SIP Server using mmc.
  • Navigate to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
  • Right-click Certificates and navigate to All Tasks > Import.
  • Click Next to open the File to Import screen, where you can browse to the location where the IVG certificate.crt was saved.
  • Finish the Certificate Import Wizard, and verify the certificate displays in the Trusted Root Certification Authorities > Certificates folder.

Enabling SIPS and SRTP in the voice platform

After adding a certificate file, enable SIPS and SRTP in the voice platform management system.

  • Navigate to Configuration > Holly Configuration.
  • Select Audio Provider SIP from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the pool <PoolName> tab is selected.
  • Locate the following components and update their values:

Component | Description | Updated value
siplistenport | Primary SIP port used for incoming SIP requests over UDP or TCP. The IVG installer process automatically configures port 5060. Using a different port requires the port to be manually configured. | 5060
siplistenport2 | Secondary SIP port used for incoming SIP requests over UDP or TCP. Port 5070 is a recommended port number, but any available port number can be used. The port used must be manually configured. | 5070
siptransport | List of transport protocols enabled by the voice platform. The order of the protocols determines the protocol preference. | tls,tcp,udp
srtpsupport | Determines SRTP behavior for inbound and outbound calls. VHT engineers recommend the value 2, which allows inbound calls using SRTP and enables SRTP on outbound calls using TLS. | 2
tlslistenport | Primary TLS port used for incoming SIPS requests over TLS. The IVG installer process automatically configures port 5061. Using a different port requires the port to be manually configured. | 5061
tlslistenport2 | Secondary TLS port used for incoming SIPS requests over TLS. Port 5071 is a recommended port number, but any available port number can be used. The port used must be manually configured. | 5071

  • Select OpenSSL from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Verify the pool <PoolName> tab is selected.
  • Locate the following components and update their values:

Component | Description | Updated value
sslcafile | The file path for the voice platform certificate. This file is read when the voice platform processes start, and its contents are used in two-way (mutual) authentication. | /export/home/[hollyusername]/etc/VoicePlatformCertificate.pem, where hollyusername is the holly user name configured in the IVG installer and VoicePlatformCertificate.pem is the name of the voice platform certificate file.
sslverify | Used to verify the SSL peer. | 1

  • Navigate to Configuration > Holly Configuration.
  • Select Holly Call Control from the Component dropdown menu, and select the Pool for the IVG deployment.
  • Locate the hvpendpoint parameter and enter the value !(sipbindhost.sip_ap).
  • Restart IVG for the changes to take effect.

IMPORTANT

Without restarting IVG, the SIPS and SRTP protocols are not enabled.

Generating the voice platform self-signed certificates

The IVG installer process generates a private key, self-signed certificates, and public key for the voice platform, and stores them in the /export/home/holly/etc directory.

The certificate and key file names are generated from /export/home/holly/httpd/conf. The following parameters generate the certificate.pem and privatekey.pem files:

Parameter | Key | Value
httpscertificatefilename | certificate.pem | server.cert
httpsprivatekeyfilename | privatekey.pem | server.key

Copying and adding the SIP Server certificate file to the voice platform

Copy a certificate file created for the contact center environment to the voice platform

  • Open a Linux shell and navigate to the /etc folder.
  • Run the following command:
openssl s_client -connect ContactCenterServer:ContactCenterPortNumber
    • ContactCenterServer - the IP address of the SIP Server
    • ContactCenterPortNumber - the port number of the contact center server
  • Copy the contents of the certificate from BEGIN CERTIFICATE to END CERTIFICATE.
  • Paste the contents of the certificate in a text editor, and save the certificate with a .pem file extension. For example, platform-ca.pem.
  • Run the following command to verify the certificate file was created:
ls -l *.pem
  • Run the following command to log in as the holly user:
su - holly
  • Run the following command to access the holly user etc directory:
cd etc
  • Run the following command to add the contact center certificate to the voice platform certificate file:
cat certificate.pem >> platform-ca.pem
    • certificate.pem - Name of the IVG voice platform certificate file.
    • platform-ca.pem - Name of the contact center certificate file from Step 4.
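The fetch, save and append steps above, scripted with two checks the manual procedure does not make. This is an added example, not code from the IVG guide, and it serves both this Genesys procedure and the Avaya Session Manager procedure earlier on the page. It assumes the openssl CLI on the IVG server and that it runs as the holly user whose etc directory holds certificate.pem; it sends SNI with -servername (as HVP 7.2 and later do), optionally refuses a certificate whose subject CN differs from the name the voice platform is configured to dial (the Avaya SNI requirement), and appends to platform-ca.pem only when the same certificate is not already in it, because a repeated cat >> silently leaves duplicate entries.

```shell
#!/bin/sh
# Added example, not from the IVG guide: script the "fetch the contact center
# certificate, save it as platform-ca.pem, append the IVG certificate" steps.
# Assumes the openssl CLI and, by default, the holly user's $HOME/etc directory.

# Keep only the PEM certificate block from openssl s_client output on stdin.
extract_pem() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Fetch the peer certificate from host $1, TLS port $2. -servername sends the
# SNI extension, as HVP 7.2 and later do in the real SIP TLS handshake.
fetch_cert() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null | extract_pem
}

# Print the CN from an "openssl x509 -subject" line on stdin. Both output
# styles are handled: "subject=C = US, CN = sm.example.com" and
# "subject= /C=US/CN=sm.example.com" (constructed examples).
subject_cn() {
    sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# CN of the PEM certificate read from stdin (needs openssl).
cert_cn() {
    openssl x509 -noout -subject | subject_cn
}

# True if the certificate in file $1 already appears in bundle file $2.
# Both are joined into one line so the whole PEM body is compared.
cert_in_bundle() {
    [ -f "$2" ] && tr -d '\r\n' < "$2" | grep -qF -- "$(tr -d '\r\n' < "$1")"
}

# Append certificate file $1 to bundle $2 unless it is already there.
append_unique() {
    if cert_in_bundle "$1" "$2"; then
        echo "already present in $2: $1"
    else
        cat "$1" >> "$2"
        echo "appended to $2: $1"
    fi
}

# main HOST TLSPORT [EXPECTED_CN] [ETC_DIR]
# With EXPECTED_CN given (on Avaya, the SIP endpoint name configured for OCC),
# a certificate whose CN differs is rejected: Session Manager would fail the
# handshake later anyway, and this makes the mismatch visible now.
main() {
    host=$1; port=$2; expect=${3:-}; etcdir=${4:-$HOME/etc}
    tmp=$(mktemp) || return 1
    fetch_cert "$host" "$port" > "$tmp"
    if ! grep -q -- '-BEGIN CERTIFICATE-' "$tmp"; then
        echo "no certificate received from $host:$port (is $port the TLS port?)" >&2
        rm -f "$tmp"; return 1
    fi
    cn=$(cert_cn < "$tmp")
    echo "certificate CN: $cn"
    if [ -n "$expect" ] && [ "$cn" != "$expect" ]; then
        echo "CN '$cn' does not match the configured endpoint '$expect'" >&2
        rm -f "$tmp"; return 1
    fi
    append_unique "$tmp" "$etcdir/platform-ca.pem"
    # The guide's last step: add the IVG certificate to the same file.
    [ -f "$etcdir/certificate.pem" ] && append_unique "$etcdir/certificate.pem" "$etcdir/platform-ca.pem"
    rm -f "$tmp"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```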

IVG installer commands

The following can serve as a reference when preparing your Linux environment for the IVG installer.


IVG ports

The IVG installer process opens the following ports, which are used by the IVG voice platform:

Process | Port | Description
browser | 4080 | MONAPI port
browser | 5080 | Outbound call request port
callcontrol | 4081 | MONAPI port
callcontrol | 8040 | HTTP listen port
callcontrol | 8041 | HTTPS listen port
callredux | 4095 | Callredux listen port
configserver | 6399 | Listen port
ctimgr | 20000 | ICM listen port
foreman | 8333 | Trap port
foreman | 8400 | Supervise port
hinge | 7399 | Listen port
hlm | 9333 | Listen port
hlm | 9400 | Supervise port
hmspageserver | 2080 | Listen port
hmsweb | 2020 | HTTP listen port
hmsweb | 2021 | HTTPS listen port
hotts | 4088 | MONAPI port
hotts | 32330 | TTS interaction port
hvg | 8050 | HTTP listen port
hvg | 8051 | HTTPS listen port
hvg | 8062 | MRCP v2 ASR listen port
hvg | 9876 | Listen port
hvg | 9999 | Supervise port
hvss | 8030 | HTTP listen port
hvss | 8443 | HTTPS listen port
logmgr | 7333 | Listen port
SIP/RTP | 5060 | Primary SIP listen port
SIP/RTP | 5061 | Secondary SIP listen port
TLS/SSL | 5070 | Primary TLS port
TLS/SSL | 5071 | Secondary TLS port
SIP/RTP | 11000-15000 | RTP ports used for calls
SIP/RTP | 11000-15000 | RTP ports used for MRCP v2 interaction
subagent | 8161 | Listen port
SNMP Agent | 705 | Third-party software
tts_hum | 8066 | MRCP v2 TTS port
tts_hum | 32331 | Listen port for TTS (MRCP v2) interaction

Third party IVG ports

The IVG installer process opens the following ports for third-party components in addition to the voice platform ports:

Process | Port | Description
ICM CTI listen port | 5000 | Port that runs the ICM CTI worker. This port is only used for IVG Cisco UCCE integrations. This port number can be designated during IVG installation.
Mountd | 892 | Port used by the NFS client in a multiple IVG environment.
NFS | 111 | Port used by the NFS server if NFS is enabled.
NFS | 20143 | Port used by the NFS client if NFS is enabled.
PostgreSQL | 5432 | PostgreSQL port number. This port number can be designated during IVG installation.
Tomcat | 8009, 8005, 8080 | Ports used by Tomcat (VIS and CCIS)

Secure connection between CTI Event Consumer and RabbitMQ

In an IVG solution, the CTI Event Consumer worker can be configured to communicate via SSL with the RabbitMQ application. Configuration only needs to be performed for CTI Event Consumer, as RabbitMQ is ready to handle secure connections by default.

NOTES

  • You must also enable secure communication for RabbitMQ on your On-Premise Callback servers. See the Securing your RabbitMQ connection for High Availability solutions section in the Securing your Callback installation article for instructions.
  • This guide presents a configuration example for a high-availability solution with two instances of CTI Event Consumer and RabbitMQ deployed across two servers. For a standalone solution, leave the Core Server 2 configuration blank.

Step 1: Update the consumer.cfg file

Edit the consumer.cfg configuration file, which is located at /export/home/VirtualHold/CTIEventConsumer by default. Save a backup copy of the file before making changes.

Sample consumer.cfg file

Use the following example configuration file and parameter definitions as a guide to update the consumer.cfg file for CTI Event Consumer.

#User credentials
core_server1 = localhost
core_server2 = localhost
rabbitmq_username = user
rabbitmq_password = <encrypted password>
rabbtimq_connection_retry_period = 2000
cti_eventconsumer_installpath=/export/home/VirtualHold/CTIEventConsumer

#Secured connection
cti_eventconsumer_installpath=/export/home/VirtualHold/CTIEventConsumer
rabbtimq_connection_retry_period=2000
core_server1=IVG01
core_server2=IVG02
rabbitmq_username=IVG01
sslEnabled=true
sslVersion=TLSv1.2
vHost=/
port=5671

#core_server1 config
core_server1=IVG01
rabbitmq_username_server1=IVG01
certPathP12_server1=/export/home/VirtualHold/CTIEventConsumer/certs/server1/server_key.p12
keyFileP12_server1=/export/home/VirtualHold/CTIEventConsumer/certs/server1/client_key.p12

#core_server2 config
core_server2=IVG02
rabbitmq_username_server2=IVG02
certPathP12_server2=/export/home/VirtualHold/CTIEventConsumer/certs/server2/server_key.p12
keyFileP12_server2=/export/home/VirtualHold/CTIEventConsumer/certs/server2/client_key.p12

Parameter | Description | Default value
rabbitmq_username | Username for RabbitMQ | user
rabbitmq_password | Encrypted RabbitMQ password |
rabbtimq_connection_retry_period | Number of milliseconds to wait before retrying a failed connection | 2000
sslEnabled | Specifies whether a secure connection should be established | false
sslVersion | Version of SSL to use | TLSv1.2
vHost | Virtual host of the RabbitMQ service | /
port | RabbitMQ service port | 5672 (5671 with SSL)
rabbitmq_username_server1 | RabbitMQ username on Core Server 1 | Short name of the server on which RabbitMQ is installed
core_server1 | Core Server 1 short name | Short name of Core Server 1
certPathP12_server1 | Path to the server key file on Core Server 1 (server_key.p12) |
keyFileP12_server1 | Path to the client key file on Core Server 1 (client_key.p12) |
rabbitmq_username_server2 | RabbitMQ username on Core Server 2 | Short name of the server on which RabbitMQ is installed
core_server2 | Core Server 2 short name | Short name of Core Server 2
certPathP12_server2 | Path to the server key file on Core Server 2 (server_key.p12) |
keyFileP12_server2 | Path to the client key file on Core Server 2 (client_key.p12) |

Step 2: Deploy SSL certificates

  • On each server hosting an instance of CTI Event Consumer, place your SSL certificate in the /export/home/VirtualHold/CTIEventConsumer/certs directory.
  • Update the certPathP12_server1 and certPathP12_server2 keys in consumer.cfg to reflect the location of the certificates, if needed.

BEST PRACTICE

In a high-availability solution, create uniquely named subfolders within the certs folder to store each server's certificate. For example:

  • Server 1: /export/home/VirtualHold/CTIEventConsumer/certs/Server1
  • Server 2: /export/home/VirtualHold/CTIEventConsumer/certs/Server2
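A validation pass over consumer.cfg to run before the restart in Step 3, added here as an example rather than taken from the IVG guide. It reads the keys documented above (last definition wins, which is how the sample file's "#Secured connection" block overrides the "#User credentials" block) and reports an unencrypted connection, a TLS port or version that disagrees with sslEnabled=true, and missing .p12 files. It assumes the .p12 files of every configured core server are present on this host at the configured paths, as in the sample layout; adapt the server loop if each host carries only its own pair.

```shell
#!/bin/sh
# Added example, not from the IVG guide: validate consumer.cfg before
# restarting CTI Event Consumer. Assumes the key names documented in the
# guide and that each configured core server's .p12 files exist on this host.

# Print the value of key $2 in file $1. The last definition wins; whitespace
# around "=" is tolerated; a missing key prints nothing.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Validate file $1: one problem per line on stdout, return 1 if any were found.
check_consumer_cfg() {
    cfg=$1; rc=0
    ssl=$(cfg_get "$cfg" sslEnabled)
    port=$(cfg_get "$cfg" port)
    ver=$(cfg_get "$cfg" sslVersion)
    pw=$(cfg_get "$cfg" rabbitmq_password)
    if [ "$ssl" != "true" ]; then
        echo "sslEnabled is '$ssl': the connection to RabbitMQ is not encrypted"; rc=1
    else
        [ "$port" = "5671" ] || { echo "port is '$port'; sslEnabled=true expects the TLS port 5671"; rc=1; }
        [ "$ver" = "TLSv1.2" ] || { echo "sslVersion is '$ver'; the documented value is TLSv1.2"; rc=1; }
    fi
    # The sample file ships with a placeholder where the encrypted password goes.
    case $pw in
        '<encrypted password>') echo "rabbitmq_password is still the sample placeholder"; rc=1 ;;
    esac
    for n in 1 2; do
        srv=$(cfg_get "$cfg" "core_server$n")
        [ -n "$srv" ] || continue     # a standalone solution leaves Core Server 2 blank
        for k in "certPathP12_server$n" "keyFileP12_server$n"; do
            f=$(cfg_get "$cfg" "$k")
            if [ -z "$f" ]; then
                echo "$k is not set for $srv"; rc=1
            elif [ ! -r "$f" ]; then
                echo "$k for $srv: '$f' is missing or unreadable on this host"; rc=1
            fi
        done
    done
    return $rc
}

# Usage: sh check_consumer_cfg.sh /export/home/VirtualHold/CTIEventConsumer/consumer.cfg
if [ "$#" -eq 1 ]; then
    check_consumer_cfg "$1" && echo "consumer.cfg: no problems found"
fi
```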

Step 3: Restart CTI Event Consumer

Restart the CTI Event Consumer worker for the configuration changes to take effect. There are two options available to restart the worker.

Option 1: Restart the holly service, which will also restart the ctieventconsumer worker:

service holly restart

Option 2: Alternatively, you can restart only the ctieventconsumer worker:

su - holly
ivgfm restart ctieventconsumer

Virus scanning exclusions

To prevent file locks and other file access issues, exclude the following directories from virus scanning on all IVG servers. The default locations are listed, but they could be different depending on the configuration chosen when installing the system.

IVG directories to exclude

Exclusion | Default location
Holly installation directory | /export/home/holly
PostgreSQL installation directory | /export/home/postgres
CTI Event Consumer directory | /export/home/VirtualHold

VIS directories to exclude

On IVG servers that also host VIS in Apache Tomcat, exclude the following directories, as well.

Exclusion | Default location
Tomcat installation directory | /export/home/tomcat<version>
VIS backup and configuration files | /etc/VirtualHold

Vulnerability reductions

The IVG installer process excludes installing the Tomcat examples/ and tomcat-docs/ directories in order to reduce security vulnerabilities.