Contents

Introduction
Prerequisites
  Requirements
  Components Used
Procedure
  Step 1: Generate and download Certificate Signing Request (CSR)
  Step 2: Obtain Root, Intermediate (if applicable) and Application certificate from Certificate Authority
  Step 3: Upload certificates to the servers
    Finesse Servers:
    CUIC Servers:
  a) Upload CUIC servers root certificate on finesse primary server
  b) Upload Finesse root\intermediate certificate on CUIC primary server
Related Cisco Support Community Discussions

Introduction

In order to use HTTPS for secure communication between Finesse and Cisco Unified Intelligence Center (CUIC) servers, security certificates must be set up. By default these servers provide self-signed certificates, or customers can procure and install Certificate Authority (CA) certificates. These CA certificates can be obtained either from a third-party vendor like VeriSign, Thawte or GeoTrust, or can be produced internally.

This document explains in detail the steps involved to obtain and install a Certification Authority (CA) certificate, generated by a third-party vendor, to establish an HTTPS connection between Finesse and Cisco Unified Intelligence Center (CUIC) servers.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

● Cisco Packaged Contact Center Enterprise (PCCE)
● Cisco Unified Intelligence Center (CUIC)
● Cisco Finesse
● CA certificates

Components Used

The information used in the document is based on PCCE solution 11.0(1) version.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any step.

Procedure

Setting up certificates for HTTPS communication in Finesse and

● Generate and download Certificate Signing Request (CSR).
● Obtain root, intermediate (if applicable) and application certificate from Certificate Authority using CSR.
● Upload certificates to the servers.

Step 1: Generate and download Certificate Signing Request (CSR)
------------------------------------------------------

1. The steps described below for generating and downloading the CSR are the same for Finesse and CUIC servers.
2. Open the Cisco Unified Communications Operating System Administration page using the URL stated below and sign in with the OS admin account created during the installation process:
   https://hostname of primary server/cmplatform
3. Generate Certificate Signing Request (CSR)
   a) Select Security > Certificate Management > Generate CSR.
   b) From the Certificate Purpose Name drop-down list, select tomcat.
   c) Select Hash Algorithm as SHA256.
   d) Click Generate CSR.
4. Download Certificate Signing Request (CSR)
   a) Select Security > Certificate Management > Download CSR.
   b) From the Certificate Name drop-down list, select tomcat.
   c) Click Download CSR.

Note: Perform the above mentioned steps on the secondary servers using the URL "https://hostname of secondary server/cmplatform" to obtain CSRs for the Certificate Authority.

Step 2: Obtain Root, Intermediate (if applicable) and Application certificate from Certificate Authority
-------------------------------------------------

1. Provide the primary and secondary servers' Certificate Signing Request (CSR) information to a third-party Certificate Authority (CA) like VeriSign, Thawte, GeoTrust etc.
2. From the Certificate Authority (CA) one should receive the following certificate chain for the primary and secondary servers.

● Finesse servers: Root, Intermediate and Application certificate
● CUIC servers: Root and Application certificate

Step 3: Upload certificates to the servers
-------------------------------------------------

This section describes how to upload the certificate chain correctly on Finesse and Cisco Unified Intelligence Center (CUIC) servers.

Finesse Servers:
==============

1. Upload primary finesse server root certificate
   a) On the primary server Cisco Unified Communications Operating System Administration page, select Security > Certificate Management > Upload Certificate.
   b) From the Certificate Name drop-down list, select tomcat-trust.
   c) In the Upload File field, click Browse and browse to the root certificate file.
   d) Click Upload File.
2. Upload primary finesse server intermediate certificate.
   a) From the Certificate Name drop-down list, select tomcat-trust.
   b) In the Root Certificate field, enter the name of the root certificate that you uploaded in the previous step. This is a .pem file that is generated when the root/public certificate was installed. To view this file Navigate to certificate management > Click . In the certificate list the .pem file name will be listed against tomcat-trust.
   c) In the Upload File field, click Browse and browse to the intermediate certificate file.
   d) Click Upload File.

   Note: As the tomcat-trust store is replicated between the primary and secondary servers, it is not needed to upload the primary Finesse server root or intermediate certificate to the secondary Finesse server.
3. Upload primary finesse server application certificate.
   a) From the Certificate Name drop-down list, select tomcat.
   b) In the Root Certificate field, enter the name of the intermediate certificate that you uploaded in the previous step. Include the .pem extension (for example, TEST-SSL-CA.pem).
   c) In the Upload File field, click Browse and browse to the application certificate file.
   d) Click Upload File.
4. Upload secondary finesse server root and intermediate certificate.
   a) Follow the same steps as mentioned above in (1) and (2) on the secondary server for its certificates.

   Note: As the tomcat-trust store is replicated between the primary and secondary servers, it is not needed to upload the secondary finesse server root or intermediate certificate to the primary finesse server.
5. Upload secondary finesse server application certificate.
   a)
6. Restart servers
   Access the CLI on the primary and secondary finesse servers and enter the command "utils system restart" to restart the servers.

CUIC Servers:
============

1. Upload cuic primary server root (public) certificate
   a) On the primary server Cisco Unified Communications Operating System Administration page, select Security > Certificate Management > Upload Certificate.
   b) From the Certificate Name drop-down list, select tomcat-trust.
   c) In the Upload File field, click Browse and browse to the root certificate file.
   d) Click Upload File.

   Note: As the tomcat-trust store is replicated between the primary and secondary servers, it is not needed to upload the primary CUIC server root certificate to the secondary CUIC servers.
2. Upload cuic primary server application (primary) certificate
   a) From the Certificate Name drop-down list, select tomcat.
   b) In the Root Certificate field, enter the name of the root certificate that you uploaded in the previous step. This is a .pem file that is generated when the root/public certificate was installed. To view this file Navigate to certificate management > Click . In the certificate list the .pem file name will be listed against tomcat-trust.
   c) In the Upload File field, click Browse and browse to the application (primary) certificate file.
   d) Click Upload File.
3. Upload cuic secondary server root (public) certificate
   a) On the secondary cuic server follow the same steps as mentioned in step (1) for its root certificate.

   Note: As the tomcat-trust store is replicated between the primary and secondary servers, it is not needed to upload the secondary CUIC server root certificate to the primary CUIC server.
4. Upload cuic secondary server application (primary) certificate.
   a) Follow the same process as stated in step (2) on the secondary server for its own certificate.
6. Restart servers
   Access the CLI on the primary and secondary CUIC servers and enter the command "utils system restart" to restart the servers.

Note: To avoid the certificate exception warning you must access the servers using the fully qualified domain name (FQDN).

Certificate Dependencies
============

As Finesse agents and supervisors utilize CUIC gadgets for reporting purposes

● Upload CUIC servers root certificate on finesse primary server
● Upload Finesse root\intermediate certificate on CUIC primary server

a) Upload CUIC servers root certificate on finesse primary server
-------------------------------------------------

1. On https://hostname of primary Finesse server/cmplatform
2. Upload primary CUIC root certificate.
   a) Select Security > Certificate Management > Upload Certificate.
   b) From the Certificate Name drop-down list, select tomcat-trust.
   c) In the Upload File field, click Browse and browse to the root certificate file.
   d) Click Upload File.
3. Upload secondary CUIC root certificate.
   a) Select Security > Certificate Management > Upload Certificate.
   b) From the Certificate Name drop-down list, select tomcat-trust.
   c) In the Upload File field, click Browse and browse to the root certificate file.
   d) Click Upload File.

   Note: As the tomcat-trust store is replicated between the primary and secondary servers, it is not needed to upload the CUIC root certificates to the secondary finesse server.
4. Access the CLI on the primary and secondary finesse servers and enter the command "utils system restart" to restart the servers.

b) Upload Finesse root\intermediate certificate on CUIC primary server
--------------------------------------------------

1. On the primary CUIC server open the Cisco Unified Communications Operating System Administration page using the URL stated below and sign in with the OS admin account created during the installation process:
   https://hostname of primary CUIC server/cmplatform
2. Upload primary Finesse root certificate.
   a) Select Security > Certificate Management > Upload Certificate.
   b) From the Certificate Name drop-down list, select tomcat-trust.
   c) In the Upload File field, click Browse and browse to the root certificate file.
   d) Click Upload File.
3. Upload primary finesse intermediate certificate
   i)
   ii) In the Root Certificate field, enter the name of the root certificate that you uploaded in the previous step.
   iii) In the Upload File field, click Browse and browse to the intermediate certificate file.
   iv) Click Upload File.
4. Perform the same steps (2 & 3) for secondary Finesse root\intermediate certificates on primary live data server.

   Note: As the tomcat-trust store is replicated between the primary and secondary servers, it is not needed to upload the Finesse root/intermediate certificate to the secondary CUIC servers.
5. Access the CLI on the primary and secondary CUIC servers and enter the command "utils system restart" to restart the servers.
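
A pre-upload check for the files the CA returns in Step 2, added here as an example and not part of the original Cisco document: it confirms that the application certificate chains to the root (through the intermediate where there is one), carries the key from the CSR the server generated, and is valid for the server's FQDN. It assumes the standard openssl CLI on an admin workstation; the file names, the host name finesse-a.example.com and the throwaway demo CA are constructed.

```shell
#!/bin/sh
# Added example: checks to run on CA-returned files before uploading them.
# All file names, host names and the demo PKI are constructed for illustration.

# 0 if the application cert chains to the root (through the intermediate, if any).
verify_chain() {       # verify_chain app.pem root.pem [intermediate.pem]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# 0 if the cert carries the public key from the CSR downloaded from the server.
csr_matches_cert() {   # csr_matches_cert server.csr app.pem
  k1=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k2=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k1" ] && [ "$k1" = "$k2" ]
}

# 0 if the cert is valid for the FQDN (SAN dNSName, falling back to subject CN).
cert_matches_fqdn() {  # cert_matches_fqdn app.pem fqdn
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Build a throwaway root -> intermediate -> server chain in directory $1.
make_demo_pki() {      # make_demo_pki dir fqdn
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root inter server; do
      cn="Constructed $n CA"; [ "$n" = server ] && cn=$2
      openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
    done
    openssl x509 -req -sha256 -days 2 -in root.csr -signkey root.key \
      -extfile ca.ext -out root.pem 2>/dev/null &&
    openssl x509 -req -sha256 -days 2 -in inter.csr -CA root.pem -CAkey root.key \
      -set_serial 2 -extfile ca.ext -out inter.pem 2>/dev/null &&
    openssl x509 -req -sha256 -days 2 -in server.csr -CA inter.pem -CAkey inter.key \
      -set_serial 3 -out app.pem 2>/dev/null )
}

demo=$(mktemp -d) && make_demo_pki "$demo" finesse-a.example.com &&
verify_chain "$demo/app.pem" "$demo/root.pem" "$demo/inter.pem" && echo "chain: ok"
verify_chain "$demo/app.pem" "$demo/root.pem" || echo "chain without intermediate: fails"
csr_matches_cert "$demo/server.csr" "$demo/app.pem" && echo "CSR/cert key: match"
cert_matches_fqdn "$demo/app.pem" finesse-a.example.com && echo "FQDN: match"
rm -rf "$demo"
```

For a CUIC server, whose chain has no intermediate, call verify_chain with the application and root files only.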