(5.0 - 5.2) IVG security guide
Use the following guides to enhance the security of your Interactive Voice Gateway (IVG) installation.
Enable HTTP Strict Transport Security (HSTS) headers in IVG/VIS
For instructions on enabling HSTS to force HTTPS connections for all traffic and requests, see Enabling HTTP Strict Transport Security (HSTS) headers in IVG/VIS.
Enable Secure Sockets Layer (SSL)/Transport Layer Security (TLS) in IVG through the voice platform UI. After enabling SSL/TLS, the SIP Secure (SIPS) and Secure RTP (SRTP) protocols can be configured.
After enabling SSL/TLS in the voice platform, you copy the Session Manager certificate to the voice platform, and copy the voice platform certificate to Session Manager. This facilitates the SSL/TLS handshake between the Session Manager and the voice platform.
Enabling SSL/TLS in the voice platform
- Navigate to Configuration > Holly Configuration.
- Select OpenSSL from the Component dropdown.
- Select the Pool.
- TIP: The default pool name is holly.
- Determine the ciphers that the voice platform's OpenSSL supports by running the following Linux command:
openssl ciphers -v
- In sslciphers, enter the OpenSSL cipher string to use.
- For example: "HIGH:DES:MD5:AES256-SHA256". Note that this example string admits DES and MD5 suites, which are obsolete; a hardened string excludes them explicitly (for example "HIGH:!aNULL:!MD5:!DES"), and the final list must be agreed with the peer's administrators so that both sides share at least one suite.
- In ssloptions, enter the protocol versions to disable, chosen from the following options:
- no_sslv2
- no_sslv3
- no_tlsv1
- no_tlsv1_1
- no_tlsv1_2
For example, to accept only TLS 1.2, the string would read: no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1
NOTE
When listing multiple ssloptions, escape each separator (,) with a backslash (\). For example:
- no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1\, no_tlsv1_2
This last string only illustrates the escaping; because it disables every listed version, it leaves no protocol enabled.
- Restart IVG for the changes to take effect.
IMPORTANT
Without restarting IVG, the TLS protocol is not enabled.
Configuring SIPS and SRTP in the voice platform
Enabling SIPS/SRTP for IVG Avaya requires:
- Creating a certificate in Microsoft Management Console (mmc)
- Copying the IVG certificate to Avaya Session Manager
- Enabling SIPS/SRTP in the voice platform
Creating the self-signed certificate
Use the following instructions to generate the certificate on the Avaya Session Manager server.
- Open the mmc console by navigating to Run and typing mmc.
- In the Windows mmc console, navigate to File > Add/Remove Snap-in.
- Select Certificates from the Available snap-ins panel, and press Add.
- On the Certificates snap-in screen, select the Computer account radio button and press Next.
- On the Select Computer screen, keep the default Local computer radio button selected and press Finish.
- The Certificates snap-in displays in the Selected snap-ins column of the Add or Remove Snap-ins screen.
- Press OK.
Enrolling the certificate
- Expand the Certificates folder.
- Expand the Personal folder, right-click Certificates and select All Tasks > Advanced Options > Create Custom Request.
- Click Next on the Before you begin screen.
- On the Select Certificate Enrollment Policy screen, select Proceed without enrollment policy and press Next.
- On the Custom request screen, keep the default values selected and press Next.
- On the Certificate information screen, expand Details and press the Properties button.
- Enter the following information for Certificate Properties:
Tab | Field | Instructions |
---|---|---|
General | Friendly name | Enter a friendly name that reflects the server and purpose. |
General | Description (optional) | Enter a description of the certificate. |
Subject | Subject name > Type | Select Common name from the dropdown. |
Subject | Subject name > Value | |
Subject | Alternative name > Type | Select DNS from the dropdown. |
Subject | Alternative name > Value | |
Extensions | Extended key usage | |
Private Key | Key options | |
Private Key | Select Hash Algorithm | Select sha1 from the Select Hash Algorithm dropdown. |
NOTE
SHA-1 signatures are deprecated and are rejected by many current TLS implementations. If the Session Manager release in use accepts it, select sha256 instead.
- Press Apply and then press OK.
- Press Next on the Certificate information screen.
- Name the file with a .cer file extension, and verify the Base 64 radio button is selected.
- Press Finish.
Verifying the certificate enrollment
- Expand the Certificates folder.
- Expand the Certificate Enrollment Requests folder.
- Select Certificates.
- Verify the certificate displays in the center panel.
Adding the certificate to Trusted Root Authority
- Right-click on the certificate and select Copy.
- Expand Trusted Root Certification Authorities.
- Right-click Certificates and select Paste.
- Expand Personal.
- Right-click Certificates and select Paste.
- Double-click the certificate.
- Open the Certification Path tab and verify the Certificate Status is OK.
Enabling SIPS/SRTP in Avaya Session Manager
Copying the voice platform certificate to Session Manager
- On the home page of the System Manager web console, click Services > Inventory > Manage Elements.
- Select a Session Manager instance.
- Click More Actions > Manage Trusted Certificates.
- On the Trusted Certificates page, click Add.
- To import a certificate from a file:
- Select the Import from file radio button.
- Click Browse and locate the file.
- Click Retrieve Certificate.
- Click Commit.
- To import a certificate in the PEM format:
- Select the Import as PEM Certificate radio button.
- Locate the PEM certificate.
- Open the certificate using Notepad.
- Copy the entire contents of the file. You must include the start and end tags: "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
- Paste the contents of the file in the box provided.
- Click Commit.
Enabling SIPS and SRTP in the voice platform
Enable SIPS and SRTP in the voice platform management system.
- Navigate to Configuration > Holly Configuration.
- Select Audio Provider SIP from the Component dropdown menu, and select the Pool for the IVG deployment.
- Verify the pool<PoolName> tab is selected.
- Locate the following components and update their values:
Component | Description | Updated value |
---|---|---|
siplistenport | Primary SIP port used for incoming SIP requests over UDP or TCP. | 5060. The IVG installer process automatically configures port 5060; using a different port requires configuring it manually. |
siplistenport2 | Secondary SIP port used for incoming SIP requests over UDP or TCP. | 5070. Port 5070 is the recommended port number, but any available port can be used; the port used must be configured manually. |
siptransport | List of transport protocols enabled by the voice platform. The order of the protocols determines the protocol preference. | tls,tcp,udp. Only the listed transports are enabled, so keep tcp and udp only where unencrypted SIP must still be accepted. |
srtpsupport | Determines SRTP behavior for inbound and outbound calls. VHT engineers recommend using the value of 2 in order to observe the following behavior: | 2 |
tlslistenport | Primary TLS port used for incoming SIPS requests over TLS. | 5061. The IVG installer process automatically configures port 5061; using a different port requires configuring it manually. |
tlslistenport2 | Secondary TLS port used for incoming SIPS requests over TLS. | 5071. Port 5071 is the recommended port number, but any available port can be used; the port used must be configured manually. |
- Select OpenSSL from the Component dropdown menu, and select the Pool for the IVG deployment.
- Verify the pool<PoolName> tab is selected.
- Locate the following components and update their values:
Component | Description | Updated value |
---|---|---|
sslcafile | The file path for the voice platform certificate. This file is read in when the voice platform processes start, and its contents are used in two-way mutual authentication. | /export/home/[hollyusername]/etc/VoicePlatformCertificate.pem |
sslverify | Used to verify the SSL peer. | 1 |
- Navigate to Configuration > Holly Configuration.
- Select Holly Call Control from the dropdown menu, and select the Pool for the IVG deployment.
- Locate the hvpendpoint parameter and enter the value !(sipbindhost.sip_ap).
- Restart IVG for changes to take effect.
IMPORTANT
Without restarting IVG, the SIPS and SRTP protocols are not enabled.
Generating the voice platform self-signed certificates
The IVG installer process generates a private key, self-signed certificates, and public key for the voice platform, and stores them in the /export/home/holly/etc directory.
The certificate and key file names are generated from /export/home/holly/httpd/conf. The following values generate the certificate.pem and privatekey.pem values:
Parameter | Key | Value |
---|---|---|
httpscertificatefilename | certificate.pem | server.cert |
httpsprivatekeyfilename | privatekey.pem | server.key |
IMPORTANT
New IVG installations must add the newly generated voice platform certificate to Session Manager.
Copying and adding the Session Manager certificate file to the voice platform
IMPORTANT
HVP 7.2 introduced support for the TLS Server Name Indication (SNI) extension, which carries the target server's FQDN in the TLS Client Hello portion of the handshake. HVP 7.2 was first used with IVG 5.0, so SNI is not used in earlier versions of IVG.
The new SNI feature in HVP requires that the SIP endpoint parameter in the OCC site.config file must match the name in the CN attribute of the Session Manager identity certificate. This does not apply to any other parameters in the OCC site.config file or any other On-Premise Callback configuration files.
You can verify the name in the certificate in Steps 2 and 3 below. The output of Step 2 should include the Level 0 CN, as in the following example:
If the SIP endpoint parameter configured for OCC and the CN attribute name do not match, Session Manager will return an error during the handshake. You can see the error when running a Session Manager trace with TLS handshake tracing enabled. The error will look similar to the following example:
If the specified FQDN cannot be resolved on the IVG server, you will need to add it to the /etc/hosts file on each server or add it via DNS.
Copy a certificate file created for the contact center environment to the voice platform
- Open a Linux shell and navigate to the /etc directory.
- Run the following command:
openssl s_client -connect <SessionManagerServer>:<SessionManagerTLSPortNumber>
- SessionManagerServer - the FQDN or IP address of the Session Manager server. With SNI in use (IVG 5.0 and later), use the FQDN that matches the CN of the Session Manager identity certificate.
- SessionManagerTLSPortNumber - the TLS port number of the Session Manager server
- Copy the contents of the certificate from BEGIN CERTIFICATE to END CERTIFICATE.
- Paste the contents of the certificate in a text editor, and save the certificate with a .pem file extension. For example, platform-ca.pem.
- Run the following command to verify the certificate file was created:
ls -l *.pem
- Run the following command to log in as the holly user:
su - holly
- Run the following command to access the holly user etc directory
cd etc
- Run the following command to append the IVG voice platform certificate to the contact center certificate file, producing the file that both sides will trust:
cat certificate.pem >> platform-ca.pem
- certificate.pem - Name of the IVG voice platform certificate file.
- platform-ca.pem - Name of the contact center certificate file saved in Step 4.
Disable HTTP and HTTPS ports
Use the following instructions to disable either of the following HMS web ports:
- 2020 - HTTP
- 2021 - HTTPS
Disable port 2020 to force HTTPS for the HMS user interface; disable port 2021 only if the interface is not needed over HTTPS either, since disabling both removes web access to HMS.
Disabling port 2020 (HTTP)
- Open a Linux shell and log in as the holly user.
- Change to the httpd/conf directory and open httpd.conf.
- Look for the following entry:
Listen 2020
- Comment out the line Listen 2020.
- Save the file and restart the Holly processes.
Disabling port 2021 (HTTPS)
- Open a Linux shell and log in as the holly user.
- Change to the httpd/conf directory and open httpd.conf.
- Look for the following entries:
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
- Comment out the line Include conf/extra/httpd-ssl.conf.
- Save the file and restart the Holly processes.
FIPS compliance
No additional configuration is needed in order to access the HMS user interface from FIPS-compliant workstations or networks. These connections will be accepted by default.
Generate a certificate with Java keytool
Use the Java keytool application for OpenJDK 8 to add the Platform Toolkit (PTK) server certificate to the Java CA keystore (cacerts) on each IVG server. This allows the VXML Interaction Server (VIS) to communicate securely over HTTPS with each instance of the PTK.
- Open a Linux shell on the IVG server, and copy the PTK certificate using the following command. Before running it:
- Verify you have the correct name for the certificate .pem file.
- Verify whether the CN is set to the server short name or the FQDN, and use that name for ServerName.
echo -n | openssl s_client -connect <ServerName>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <CertificateName>.pem
- Repeat Step 1 for each PTK instance.
- Add the certificate to the Java JRE cacerts keystore using the following command:
/usr/lib/jvm/jre-1.8.0-openjdk/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/jre-1.8.0-openjdk/lib/security/cacerts -storepass changeit -noprompt -alias <ServerName> -file /export/home/holly/etc/<CertificateName>.pem
NOTE
changeit is the default cacerts password; if it has been changed on the server, use the current password. Because -noprompt suppresses the fingerprint confirmation, compare the fingerprint of the saved .pem with the one shown on the PTK server before importing it.
For complete instructions on configuring HTTPS for IVG, VIS, and PTK using Apache Tomcat, see the Configuring HTTPS for VXML Interaction Server and Platform Toolkit article for your version of VIS.
Generate a new OpenSSL certificate
Genesys SSL/TLS Setup
Enable Secure Sockets Layer (SSL)/Transport Layer Security (TLS) in IVG through the voice platform UI. After enabling SSL/TLS, the SIP Secure (SIPS) and Secure RTP (SRTP) protocols can be configured.
After enabling SSL/TLS in the voice platform, you copy the Session Manager certificate to the voice platform, and copy the voice platform certificate to Session Manager. This facilitates the SSL/TLS handshake between the Session Manager and the voice platform.
Enabling SSL/TLS in the voice platform
- Navigate to Configuration > Holly Configuration.
- Select OpenSSL from the Component dropdown.
- Select the Pool.
- TIP: The default pool name is holly.
- Determine the ciphers that the voice platform's OpenSSL supports by running the following Linux command:
openssl ciphers -v
- In sslciphers, enter the OpenSSL cipher string to use.
- For example: "HIGH:DES:MD5:AES256-SHA256". Note that this example string admits DES and MD5 suites, which are obsolete; a hardened string excludes them explicitly (for example "HIGH:!aNULL:!MD5:!DES"), and the final list must be agreed with the peer's administrators so that both sides share at least one suite.
- In ssloptions, enter the protocol versions to disable, chosen from the following options:
- no_sslv2
- no_sslv3
- no_tlsv1
- no_tlsv1_1
- no_tlsv1_2
For example, to accept only TLS 1.2, the string would read: no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1
IMPORTANT
When listing multiple ssloptions, escape each separator (,) with a backslash (\). For example:
- no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1\, no_tlsv1_2
This last string only illustrates the escaping; because it disables every listed version, it leaves no protocol enabled.
- Restart IVG for the changes to take effect.
IMPORTANT
Without restarting IVG, the TLS protocol is not enabled.
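The ssloptions and sslciphers fields above take free-form strings, and the two mistakes this guide warns about (an unescaped separator, and an ssloptions list that disables every version) are easy to make by hand. The following POSIX shell snippet is an added example, not part of the IVG documentation or product, and serves both this section and the identical Avaya section earlier: it derives the escaped ssloptions string from the lowest protocol version you want to keep, and flags obsolete tokens in a cipher string such as the page's own example. The protocol token names are the ones the page lists; the set of tokens it treats as weak is this example's own choice.

```shell
#!/bin/sh
# Added example, not part of the IVG documentation or product. Builds the
# ssloptions exclusion string for a chosen minimum protocol version and flags
# obsolete tokens in an sslciphers string. The protocol token names are the
# ones the page lists; the "weak token" list is this example's own choice.
set -eu

# Protocol tokens accepted in ssloptions, oldest first (from the page).
SSL_VERSIONS="sslv2 sslv3 tlsv1 tlsv1_1 tlsv1_2"
# The voice platform UI requires the separator to be escaped with a backslash.
SEP='\, '

ssloptions_min_version() {
  # $1 = lowest protocol version that must stay enabled.
  # Emits no_<ver> for every older version, so tlsv1_2 gives
  # no_sslv2\, no_sslv3\, no_tlsv1\, no_tlsv1_1
  min="$1"
  case " $SSL_VERSIONS " in
    *" $min "*) ;;
    *) echo "unknown protocol version: $min" >&2; return 1 ;;
  esac
  out=""
  for v in $SSL_VERSIONS; do
    [ "$v" = "$min" ] && break
    out="${out:+$out$SEP}no_$v"
  done
  printf '%s\n' "$out"
}

cipherlist_weak_tokens() {
  # $1 = OpenSSL cipher string as entered in sslciphers. Prints the tokens
  # that pull in obsolete algorithms unless they are negated with "!".
  weak=""
  for tok in $(printf '%s' "$1" | tr ':' ' '); do
    case "$tok" in
      '!'*) ;;   # "!X" removes X from the list permanently: not a problem
      DES|3DES|RC4|RC2|MD5|NULL|aNULL|eNULL|EXPORT|EXP|LOW|MEDIUM|SHA1)
        weak="${weak:+$weak }$tok" ;;
    esac
  done
  printf '%s\n' "$weak"
}

# Demonstration: the page's "accept only TLS 1.2" case and its cipher example.
ssloptions_min_version tlsv1_2
cipherlist_weak_tokens 'HIGH:DES:MD5:AES256-SHA256'
cipherlist_weak_tokens 'HIGH:!aNULL:!MD5:!DES'
```

Paste the first line of output into ssloptions. If the cipher check prints anything, rewrite the sslciphers string with those tokens negated before restarting IVG.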
Configuring SIPS and SRTP in the voice platform
Enabling SIPS/SRTP for IVG Genesys requires:
- Creating a certificate in Microsoft Management Console (mmc)
- Enabling TLS on the Genesys SIP Server
- Copying the IVG certificate to Genesys
- Enabling SIPS/SRTP in the voice platform
Creating the self-signed certificate
Use the following instructions to generate the certificate on the Genesys SIP Server.
- Open the mmc console by navigating to Run and typing mmc.
- In the Windows mmc console, navigate to File > Add/Remove Snap-in.
- Select Certificates from the Available snap-ins panel, and press Add.
- On the Certificates snap-in screen, select the Computer account radio button and press Next.
- On the Select Computer screen, keep the default Local computer radio button selected and press Finish.
- The Certificates snap-in displays in the Selected snap-ins column of the Add or Remove Snap-ins screen.
- Press OK.
Enrolling the certificate
- Expand the Certificates folder.
- Expand the Personal folder, right-click Certificates and select All Tasks > Advanced Options > Create Custom Request.
- Click Next on the Before you begin screen.
- On the Select Certificate Enrollment Policy screen, select Proceed without enrollment policy and press Next.
- On the Custom request screen, keep the default values selected and press Next.
- On the Certificate information screen, expand Details and press the Properties button.
- Enter the following information for Certificate Properties:
Tab | Field | Instructions |
---|---|---|
General | Friendly name | Enter a friendly name that reflects the server and purpose. |
General | Description (optional) | Enter a description of the certificate. |
Subject | Subject name > Type | Select Common name from the dropdown. |
Subject | Subject name > Value | |
Subject | Alternative name > Type | Select DNS from the dropdown. |
Subject | Alternative name > Value | |
Extensions | Extended key usage | |
Private Key | Key options | |
Private Key | Select Hash Algorithm | Select sha1 from the Select Hash Algorithm dropdown. |
NOTE
SHA-1 signatures are deprecated and are rejected by many current TLS implementations. If the Genesys SIP Server release in use accepts it, select sha256 instead.
- Press Apply and then press OK.
- Press Next on the Certificate information screen.
- Name the file with a .cer file extension, and verify the Base 64 radio button is selected.
- Press Finish.
Verifying the certificate enrollment
- Expand the Certificates folder.
- Expand the Certificate Enrollment Requests folder.
- Select Certificates.
- Verify the certificate displays in the center panel.
Adding the certificate to Trusted Root Authority
- Right-click on the certificate and select Copy.
- Expand Trusted Root Certification Authorities.
- Right-click Certificates and select Paste.
- Expand Personal.
- Right-click Certificates and select Paste.
- Double-click the certificate.
- Open the Certification Path tab and verify the Certificate Status is OK.
Enabling SIPS/SRTP on the Genesys SIP Server
- Update the TLS port in Configuration Manager by navigating to SIP Server and opening Options > TServer.
- Locate tls-mutual and verify it is set to False. SIP Server then does not request a client certificate from IVG; IVG still verifies the SIP Server certificate when sslverify is set to 1 (see below).
- Locate sip-tls-cert and enter the certificate thumbprint.
- The thumbprint is shown in mmc under the Details tab of the certificate.
- Locate sip-port-tls and update the value to the TLS port number. The IVG installer automatically opens port 5061. If another port is used, it must be opened manually.
NOTE
The sip-tls-cipher-list should be supplied by the client.
- Locate the IVG Trunk in the Genesys strategy.
- Navigate to Annex > TServer > Options.
- In the Contact field, add FQDN:Port;transport=tls
Copying the voice platform certificate to SIP Server
The IVG installer generates a self-signed certificate for IVG named certificate.pem and places it in the /export/home/holly/etc directory.
To copy the IVG certificate to the Genesys SIP Server:
- Copy the IVG certificate from /export/home/holly/etc, and rename it with the .crt file extension.
- Import the certificate on the Genesys SIP Server using mmc.
- Navigate to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
- Right-click Certificates and navigate to All Tasks > Import.
- Click Next to open the File to Import screen, and browse to the location where the IVG certificate.crt was saved.
- Finish the Certificate Import Wizard, and verify the certificate displays in the Trusted Root Certification Authorities > Certificates folder.
Enabling SIPS and SRTP in the voice platform
After adding a certificate file, enable SIPS and SRTP in the voice platform management system.
- Navigate to Configuration > Holly Configuration.
- Select Audio Provider SIP from the Component dropdown menu, and select the Pool for the IVG deployment.
- Verify the pool<PoolName> tab is selected.
- Locate the following components and update their values:
Component | Description | Updated value |
---|---|---|
siplistenport | Primary SIP port used for incoming SIP requests over UDP or TCP. | 5060. The IVG installer process automatically configures port 5060; using a different port requires configuring it manually. |
siplistenport2 | Secondary SIP port used for incoming SIP requests over UDP or TCP. | 5070. Port 5070 is the recommended port number, but any available port can be used; the port used must be configured manually. |
siptransport | List of transport protocols enabled by the voice platform. The order of the protocols determines the protocol preference. | tls,tcp,udp. Only the listed transports are enabled, so keep tcp and udp only where unencrypted SIP must still be accepted. |
srtpsupport | Determines SRTP behavior for inbound and outbound calls. VHT engineers recommend using the value of 2 in order to observe the following behavior: | 2 |
tlslistenport | Primary TLS port used for incoming SIPS requests over TLS. | 5061. The IVG installer process automatically configures port 5061; using a different port requires configuring it manually. |
tlslistenport2 | Secondary TLS port used for incoming SIPS requests over TLS. | 5071. Port 5071 is the recommended port number, but any available port can be used; the port used must be configured manually. |
- Select OpenSSL from the Component dropdown menu, and select the Pool for the IVG deployment.
- Verify the pool<PoolName> tab is selected.
- Locate the following components and update their values:
Component | Description | Updated value |
---|---|---|
sslcafile | The file path for the voice platform certificate. This file is read in when the voice platform processes start, and its contents are used in two-way mutual authentication. | /export/home/[hollyusername]/etc/VoicePlatformCertificate.pem |
sslverify | Used to verify the SSL peer. | 1 |
- Navigate to Configuration > Holly Configuration.
- Select Holly Call Control from the dropdown menu, and select the Pool for the IVG deployment.
- Locate the hvpendpoint parameter and enter the value !(sipbindhost.sip_ap).
- Restart IVG for changes to take effect.
IMPORTANT
Without restarting IVG, the SIPS and SRTP protocols are not enabled.
Generating the voice platform self-signed certificates
The IVG installer process generates a private key, self-signed certificates, and public key for the voice platform, and stores them in the /export/home/holly/etc directory.
The certificate and key file names are generated from /export/home/holly/httpd/conf. The following values generate the certificate.pem and privatekey.pem values:
Parameter | Key | Value |
---|---|---|
httpscertificatefilename | certificate.pem | server.cert |
httpsprivatekeyfilename | privatekey.pem | server.key |
Copying and adding the SIP Server certificate file to the voice platform
Copy a certificate file created for the contact center environment to the voice platform
- Open a Linux shell and navigate to the /etc directory.
- Run the following command:
openssl s_client -connect <ContactCenterSIPServer>:<ContactCenterPortNumber>
- ContactCenterSIPServer - the FQDN or IP address of the Genesys SIP Server
- ContactCenterPortNumber - the TLS port number of the SIP Server (the sip-port-tls value, 5061 by default)
- Copy the contents of certificate from BEGIN CERTIFICATE to END CERTIFICATE.
- Paste the contents of the certificate in a text editor, and save the certificate with a .pem file extension. For example, platform-ca.pem.
- Run the following command to verify the certificate file was created:
ls -l *.pem
- Run the following command to log in as the holly user:
su - holly
- Run the following command to access the holly user etc directory
cd etc
- Run the following command to append the IVG voice platform certificate to the contact center certificate file, producing the file that both sides will trust:
cat certificate.pem >> platform-ca.pem
- certificate.pem - Name of the IVG voice platform certificate file.
- platform-ca.pem - Name of the contact center certificate file saved in Step 4.
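The certificate procedures on this page (the Session Manager and SIP Server steps above, and the s_client pipeline in the keytool section) all come down to three checks: the peer certificate's CN is the name configured as the SIP endpoint, the file that becomes sslcafile contains both certificates, and each certificate verifies against it. The following POSIX shell script is an added example, not part of the IVG documentation or product, that performs those checks. Host names (sm.example.com, ivg01.example.com), file names and the work directory are assumptions, and the certificates are self-signed ones it generates locally with openssl so it runs without a Session Manager or SIP Server; fetch_peer_cert shows the live form of the s_client step and is defined but not run.

```shell
#!/bin/sh
# Added example, not part of the IVG documentation or product. Exercises the
# certificate steps above: extract a peer certificate, check that its CN is
# the name configured as the SIP endpoint, append the IVG certificate to the
# trust file and verify both against the result. Host names, file names and
# the work directory are assumptions; the certificates are generated locally
# so the script runs without a Session Manager or SIP Server.
set -eu
WORK="${WORK:-$(mktemp -d)}"

make_selfsigned() {
  # $1 = output prefix, $2 = CN. Stands in for the peer identity certificate
  # and for the installer-generated certificate.pem (both self-signed).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

fetch_peer_cert() {
  # Live form of the s_client step: $1 = host, $2 = TLS port, $3 = output.
  # -servername sends the SNI name that must match the peer's CN; stdin from
  # /dev/null makes s_client exit instead of waiting for input. Not run here.
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3"
}

cert_cn() {
  # Print the CN of a PEM certificate; RFC 2253 formatting keeps "CN=" exact.
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

endpoint_matches_cn() {
  # $1 = PEM file, $2 = the SIP endpoint name configured for OCC / hvpendpoint.
  if [ "$(cert_cn "$1")" = "$2" ]; then return 0; else return 1; fi
}

build_bundle() {
  # Same effect as "cat certificate.pem >> platform-ca.pem":
  # $1 = IVG certificate.pem, $2 = saved peer cert, $3 = resulting bundle.
  cat "$2" "$1" > "$3"
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

verify_against_bundle() {
  # $1 = certificate to check, $2 = bundle that will be used as sslcafile.
  # A self-signed certificate verifies only if it is itself in the bundle.
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then return 0; else return 1; fi
}

# Constructed test material: "sm" plays Session Manager / SIP Server, "ivg"
# plays certificate.pem, "rogue" has the right CN but a different key.
make_selfsigned "$WORK/sm"    sm.example.com
make_selfsigned "$WORK/ivg"   ivg01.example.com
make_selfsigned "$WORK/rogue" sm.example.com
build_bundle "$WORK/ivg.pem" "$WORK/sm.pem" "$WORK/platform-ca.pem"

if endpoint_matches_cn "$WORK/sm.pem" sm.example.com; then
  echo "CN check: sm.example.com matches the peer certificate"
fi
echo "bundle contains $(count_certs "$WORK/platform-ca.pem") certificates"
verify_against_bundle "$WORK/sm.pem" "$WORK/platform-ca.pem" && echo "sm: trusted"
if verify_against_bundle "$WORK/rogue.pem" "$WORK/platform-ca.pem"; then
  echo "rogue: UNEXPECTEDLY trusted"
else
  echo "rogue: rejected (same CN, different key)"
fi
```

Against a real peer, replace the generated sm.pem with the output of fetch_peer_cert and keep the rogue check: a certificate with the right CN but the wrong key must fail verification, which is exactly what sslverify=1 relies on once IVG is restarted.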
IVG installer commands
The following can serve as a reference when preparing your Linux environment for the IVG installer.
IVG ports
The IVG installer process opens the following ports which are used by IVG voice platform:
Process | Port | Description |
---|---|---|
browser | 4080 | MONAPI port |
browser | 5080 | Outbound call request port |
callcontrol | 4081 | MONAPI port |
callcontrol | 8040 | HTTP listen port |
callcontrol | 8041 | HTTPS listen port |
callredux | 4095 | Callredux listen port |
configserver | 6399 | Listen port |
ctimgr | 20000 | ICM listen port |
foreman | 8333 | Trap port |
foreman | 8400 | Supervise port |
hinge | 7399 | Listen port |
hlm | 9333 | Listen port |
hlm | 9400 | Supervise port |
hmspageserver | 2080 | Listen port |
hmsweb | 2020 | HTTP listen port |
hmsweb | 2021 | HTTPS listen port |
hotts | 4088 | MONAPI port |
hotts | 32330 | TTS interaction port |
hvg | 8050 | HTTP listen port |
hvg | 8051 | HTTPS listen port |
hvg | 8062 | MRCP v2 ASR listen port |
hvg | 9876 | Listen port |
hvg | 9999 | Supervise port |
hvss | 8030 | HTTP listen port |
hvss | 8443 | HTTPS listen port |
logmgr | 7333 | Listen port |
SIP/RTP | 5060 | Primary SIP listen port (siplistenport) |
SIP/RTP | 5070 | Secondary SIP listen port (siplistenport2) |
TLS/SSL | 5061 | Primary TLS (SIPS) listen port (tlslistenport) |
TLS/SSL | 5071 | Secondary TLS (SIPS) listen port (tlslistenport2) |
SIP/RTP | 11000-15000 | RTP ports used for calls |
SIP/RTP | 11000-15000 | RTP ports used for MRCP v2 interaction |
subagent | 8161 | Listen port |
SNMP Agent | 705 | Third-party software |
tts_hum | 8066 | MRCP v2 TTS port |
tts_hum | 32331 | Listen port for TTS (MRCP v2) interaction |
Third party IVG ports
The IVG installer process opens the following ports for third party components in addition to the voice platform ports:
Process | Port | Description |
---|---|---|
ICM CTI listen port | 5000 | Port that runs the ICM CTI worker. |
Mountd | 892 | Port used by the NFS client in a multiple IVG environment. |
NFS | 111 | Port used by the NFS server if NFS is enabled. |
NFS | 20143 | Port used by the NFS client if NFS is enabled. |
PostgreSQL | 5432 | PostgreSQL port number. This port number can be designated during IVG installation. |
Tomcat | 8009, 8005, 8080 | Ports used by Tomcat (VIS and CCIS). |
Secure connection between CTI Event Consumer and RabbitMQ
In an IVG solution, the CTI Event Consumer worker can be configured to communicate via SSL with the RabbitMQ application. Configuration only needs to be performed for CTI Event Consumer, as RabbitMQ is ready to handle secure connections by default.
NOTES
- You must also enable secure communication for RabbitMQ on your On-Premise Callback servers. See the Securing your RabbitMQ connection for High Availability solutions section in the Securing your Callback installation article for instructions.
- This guide presents a configuration example for a high-availability solution with two instances of CTI Event Consumer and RabbitMQ deployed across two servers. For a standalone solution, leave the Core Server 2 configuration blank.
Step 1: Update the consumer.cfg file
Edit the consumer.cfg configuration file, which is located at /export/home/VirtualHold/CTIEventConsumer by default. Save a backup copy of the file before making changes.
Sample consumer.cfg file
Use the following example configuration file and parameter definitions as a guide to update the consumer.cfg file for CTI Event Consumer.
#User credentials
core_server1 = localhost
core_server2 = localhost
rabbitmq_username = user
rabbitmq_password = <encrypted password>
rabbtimq_connection_retry_period = 2000
cti_eventconsumer_installpath=/export/home/VirtualHold/CTIEventConsumer

#Secured connection
cti_eventconsumer_installpath=/export/home/VirtualHold/CTIEventConsumer
rabbtimq_connection_retry_period=2000
core_server1=IVG01
core_server2=IVG02
rabbitmq_username=IVG01
sslEnabled=true
sslVersion=TLSv1.2
vHost=/
port=5671

#core_server1 config
core_server1=IVG01
rabbitmq_username_server1=IVG01
certPathP12_server1=/export/home/VirtualHold/CTIEventConsumer/certs/server1/server_key.p12
keyFileP12_server1=/export/home/VirtualHold/CTIEventConsumer/certs/server1/client_key.p12

#core_server2 config
core_server2=IVG02
rabbitmq_username_server2=IVG02
certPathP12_server2=/export/home/VirtualHold/CTIEventConsumer/certs/server2/server_key.p12
keyFileP12_server2=/export/home/VirtualHold/CTIEventConsumer/certs/server2/client_key.p12
Parameter | Description | Default value |
---|---|---|
rabbitmq_username | Username for RabbitMQ | user |
rabbitmq_password | encrypted RabbitMQ password | |
rabbtimq_connection_retry_period | Number of milliseconds to wait before retrying a failed connection | 2000 |
sslEnabled | Specifies whether a secure connection should be established | false |
sslVersion | TLS protocol version to use | TLSv1.2 |
vHost | Virtual host of RabbitMQ service | / |
port | RabbitMQ service port | 5672/5671(SSL) |
rabbitmq_username_server1 | RabbitMQ username on Core Server 1 | Short name of the server on which RabbitMQ is installed |
core_server1 | Core Server 1 shortname | Short name of Core Server 1 |
certPathP12_server1 | Path to the server key file on Core Server 1 (server_key.p12) | |
keyFileP12_server1 | Path to the client key file on Core Server 1 (client_key.p12) | |
rabbitmq_username_server2 | RabbitMQ username on Core Server 2 | Short name of the server on which RabbitMQ is installed |
core_server2 | Core Server 2 shortname | Short name of Core Server 2 |
certPathP12_server2 | Path to the server key file on Core Server 2 (server_key.p12) | |
keyFileP12_server2 | Path to the client key file on Core Server 2 (client_key.p12) |
Step 2: Deploy SSL certificates
- On each server hosting an instance of CTI Event Consumer, place your SSL certificate in the /export/home/VirtualHold/CTIEventConsumer/certs directory.
- Update the certPathP12_server1 and certPathP12_server2 keys in consumer.cfg to reflect the location of the certificates, if needed.
BEST PRACTICE
In a high-availability solution, create uniquely named subfolders within the certs folder to store each server's certificate. For example:
- Server 1: /export/home/VirtualHold/CTIEventConsumer/certs/Server1
- Server 2: /export/home/VirtualHold/CTIEventConsumer/certs/Server2
Step 3: Restart CTI Event Consumer
Restart the CTI Event Consumer worker for the configuration changes to take effect. There are two options available to restart the worker.
Option 1: Restart the holly service, which also restarts the ctieventconsumer worker:
service holly restart
Option 2: Alternatively, restart only the ctieventconsumer worker:
su - holly
ivgfm restart ctieventconsumer
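Because consumer.cfg is edited by hand and, as the sample above shows, keys may appear more than once, a slip such as sslEnabled=true with port=5672 is noticed only when the worker fails to connect, or worse, connects in clear text. The following POSIX shell script is an added example, not part of the IVG documentation or product: it reads a consumer.cfg (last occurrence of a key wins), checks the TLS-related keys and the certificate paths, and runs against two constructed sample files. The key names, port 5671 and the certs layout are the ones shown above; the sample contents and the empty placeholder .p12 files are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the IVG documentation or product. Reads a
# consumer.cfg and reports settings that would leave the CTI Event Consumer
# to RabbitMQ connection unencrypted or unable to start. Key names, the TLS
# port 5671 and the certs layout are those shown on the page; the sample
# files are constructed here so the script runs without an IVG server.
set -eu
WORK="${WORK:-$(mktemp -d)}"

cfg_get() {
  # $1 = file, $2 = key. Accepts "key = value" and "key=value". The last
  # occurrence wins, which matters because the sample above repeats keys.
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*$//' | tail -n 1
}

check_tls_config() {
  # $1 = consumer.cfg. Prints one line per finding; returns 1 if any.
  cfg="$1"; rc=0
  if [ "$(cfg_get "$cfg" sslEnabled)" != "true" ]; then
    echo "sslEnabled is not true: credentials and events travel in clear text"; rc=1
  fi
  if [ "$(cfg_get "$cfg" port)" != "5671" ]; then
    echo "port=$(cfg_get "$cfg" port): the TLS listener is 5671, 5672 is plaintext AMQP"; rc=1
  fi
  case "$(cfg_get "$cfg" sslVersion)" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "sslVersion must be TLSv1.2 (or TLSv1.3)"; rc=1 ;;
  esac
  for n in 1 2; do
    srv="$(cfg_get "$cfg" "core_server$n")"
    [ -n "$srv" ] || continue          # standalone: Core Server 2 left blank
    for key in "certPathP12_server$n" "keyFileP12_server$n"; do
      p="$(cfg_get "$cfg" "$key")"
      if [ -z "$p" ] || [ ! -f "$p" ]; then
        echo "$key for $srv: not set or file not found ($p)"; rc=1
      fi
    done
  done
  return "$rc"
}

write_sample() {
  # $1 = path, $2 = sslEnabled, $3 = port. Constructed two-server layout;
  # empty placeholder .p12 files stand in for the real key stores.
  for n in 1 2; do
    mkdir -p "$WORK/certs/server$n"
    : > "$WORK/certs/server$n/server_key.p12"
    : > "$WORK/certs/server$n/client_key.p12"
  done
  cat > "$1" <<EOF
#Secured connection
core_server1 = IVG01
core_server2 = IVG02
rabbitmq_username=IVG01
rabbitmq_password=<encrypted password>
rabbtimq_connection_retry_period=2000
sslEnabled=$2
sslVersion=TLSv1.2
vHost=/
port=$3
#core_server1 config
certPathP12_server1=$WORK/certs/server1/server_key.p12
keyFileP12_server1=$WORK/certs/server1/client_key.p12
#core_server2 config
certPathP12_server2=$WORK/certs/server2/server_key.p12
keyFileP12_server2=$WORK/certs/server2/client_key.p12
EOF
}

write_sample "$WORK/good.cfg" true 5671
write_sample "$WORK/bad.cfg"  true 5672    # TLS requested on the plaintext port
check_tls_config "$WORK/good.cfg" && echo "good.cfg: OK"
check_tls_config "$WORK/bad.cfg" || echo "bad.cfg: rejected"
```

Run check_tls_config against the real /export/home/VirtualHold/CTIEventConsumer/consumer.cfg on each server before restarting the worker; a clean run means the TLS keys are consistent and every referenced .p12 exists where the worker will look for it.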
Virus scanning exclusions
To prevent file locks and other file access issues, exclude the following directories from virus scanning on all IVG servers. The default locations are listed, but they could be different depending on the configuration chosen when installing the system.
IVG directories to exclude
Exclusion | Default location |
---|---|
Holly installation directory | /export/home/holly |
PostgreSQL installation directory | /export/home/postgres |
CTI Event Consumer directory | /export/home/VirtualHold |
VIS directories to exclude
On IVG servers that also host VIS in Apache Tomcat, exclude the following directories, as well.
Exclusion | Default location |
---|---|
Tomcat installation directory | /export/home/tomcat<version> |
VIS backup and configuration files | /etc/VirtualHold |
Vulnerability reductions
The IVG installer process excludes installing the Tomcat examples/ and tomcat-docs/ directories in order to reduce security vulnerabilities.