Server Certificates

To ensure system security, we recommend acquiring five server certificates for the purposes listed below. Additionally, the connection to the IMAP server can be secured, and if Embedded Communications Framework (ECF) or Restful Interfaces is used, the connection to Tomcat must be secured.

Table 1. Connections Secured with Server Certificates

| Secured Connection | Mandatory | Configured in | Note |
|---|---|---|---|
| Client-server | Mandatory for CoS-client connections and QMS-External Quality Monitoring. | For CoS and QMS, in IA installation variables; for others, see the table below. | Marked with a polygon (⌂) in the figure below. |
| Internal Server Connections | If configured for one server, must be configured for all peer servers with the same certificate. Recommended. | IA, installation variables for each server package. To provide a secure website (https://), configure the certificate for it in the IIS Manager. | Certificate must be of a type that allows both client and server roles, see Generating Certificate Request. Marked with a diamond (◊) in the figure below. |
| HAC-HAC | Recommended | IA, see Creating HAC Nodes and Starting HAC Services. | Marked with a circle (○) in the figure below. |
| IA-HAC | Recommended | IA, see Creating HAC Nodes and Starting HAC Services. | Marked with a triangle (∆) in the figure below. |
| Certificate for External Password Encryption | Mandatory (as of 1608) | IA, see Agent Server Variables. | Private key must be installed on the server(s) where the Agent Server and CEM Server packages are installed, and, if sending e-mails and SMS messages is protected with a password, also on the servers where Email Sender and SMS Server are installed. Marked with a square (□) in the figure below. |
| Additional: | | | |
| IMAP Server Certificate | Recommended | System Configurator (SC) System Services > E-Mail Settings. | Certificate must be installed and configured in IMAP server. |
| ECF, RI | Recommended | See Embedded Communications Framework (ECF) or Installing Restful Interfaces | If IIS is installed on the same server, also change the HTTPS port number. |

Note:

The Certificate for External Password Encryption that was used for encryption is still used for decryption, even if that certificate has expired. If the expired certificate is removed from the system, encryption/decryption will fail. To avoid that, do not remove the expired certificate from the servers where Agent Server, CEM Server, Email Sender, and SMS Server are installed. If the certificate has been removed, correct the situation by re-entering the passwords in System Configurator in:

  • System Services > E-Mail Settings > External Outgoing Mail Server (SMTP) > Password
  • System Management > Modules > SMS Server > Password.

Note:

When a certificate-secured virtual unit has instances on more than one server, install the certificate on all those servers.
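
One way to check the two certificate properties that Table 1 depends on, as an added PowerShell example (not part of the original guide or the product's tooling): whether a certificate allows both client and server roles, and whether a certificate, expired or not, is still present with its private key. The store path Cert:\LocalMachine\My and the parameter and function names are assumptions.

```powershell
# Added example: audit certificates in a Windows certificate store against the
# requirements in Table 1. The store path is an assumption, not from the guide.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',   # assumed store location
    [string[]]$Thumbprint = @()                      # optional: limit to these certificates
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-CertificateAudit {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Locate the Enhanced Key Usage extension, if the certificate has one.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt) {
        $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $server = $oids -contains $ServerAuthOid
        $client = $oids -contains $ClientAuthOid
    } else {
        # No EKU extension: the certificate is not restricted to specific purposes.
        $server = $true; $client = $true
    }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        Expired       = $Cert.NotAfter -lt (Get-Date)
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuth    = $server
        ClientAuth    = $client
        BothRoles     = $server -and $client
    }
}

$certs = Get-ChildItem -Path $StorePath
if ($Thumbprint.Count -gt 0) {
    # Keep only the certificates the operator asked about.
    $certs = $certs | Where-Object { $Thumbprint -contains $_.Thumbprint }
}
$certs | ForEach-Object { Get-CertificateAudit -Cert $_ } | Format-Table -AutoSize
```

Run it on each server that hosts an instance of the secured virtual unit. For the External Password Encryption certificate, a row with Expired = True and HasPrivateKey = True is the state the note above says to keep in place.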

Figure 1. Server Certificates


Client-Server Connections

The secured client-server connections and their configuration tools are listed in the table below. Each connection can have its own certificate, or the same certificate can be used for all.

Install the certificate on the physical server where the virtual unit with the installation package will have an instance, and configure it in the IA or IIS Manager accordingly.

Table 2. Secured Client-Server Connections

| Connection | Protocol Provided by Certificate | Certificate Requirement | Installation Package | Configuration Tool |
|---|---|---|---|---|
| CDT, Convergence telephony communication | TLS Tunnel | Mandatory | CoS | IA |
| SC configuration data | TLS Tunnel | Mandatory | CoS | IA |
| VoIP desk phones | SRTP | Optional | SIP Bridge | IA |
| External quality systems | HTTPS | Mandatory | QMS | IA |
| SAP CRM | HTTPS | Optional | Integration Interfaces | IIS Manager |
| Monitoring | HTTPS | Optional | Monitoring Web Clients | IIS Manager |
| External SMS provider | HTTPS | Optional | SMS Server | IIS Manager |
| Chat | HTTPS | Optional | Chat Server and Chat Portal Server | IIS Manager |
| E-mail | SMTP | Optional | E-mail Sender | IIS Manager |
| Reporting | HTTPS | Optional | Standard Reports | IIS Manager |