Server Certificates
To ensure system security, we recommend acquiring five server certificates for the following purposes. Additionally, the connection to the IMAP server can be secured, and if Embedded Communications Framework (ECF) or Restful Interfaces is used, the connection to Tomcat must be secured.
Secured Connection | Mandatory | Configured in | Note |
---|---|---|---|
Client-server | Mandatory for CoS-client connections and QMS-External Quality Monitoring. | For CoS and QMS, in IA installation variables; others see the table below. | Marked with a polygon (⌂) in the figure below. |
Internal Server Connections | If configured for one server, must be configured for all peer servers with the same certificate. Recommended. | IA, installation variables for each server package. To provide a secure website (https://), configure the certificate for it in the IIS Manager. | Certificate must be of a type that allows both client and server roles, see Generating Certificate Request. Marked with a diamond (◊) in the figure below. Note: The Certificate for External Password Encryption that is used for encryption is also used for decryption, even if that certificate has expired. If the expired certificate is removed from the system, encryption/decryption will fail. To avoid that, do not remove the expired certificate from the servers where Agent Server, CEM Server, Email Sender, and SMS Server are installed. To correct the situation if the certificate has been removed, re-enter the passwords in System Configurator in: |
HAC-HAC | Recommended | | Marked with a circle (○) in the figure below. |
IA-HAC | Recommended | | Marked with a triangle (∆) in the figure below. |
Certificate for External Password Encryption | Mandatory (as of 1608) | IA, see Agent Server Variables. | Private key must be installed on the server(s) where the Agent Server and CEM Server packages are installed, and if sending e-mails and SMS messages is protected with a password, also on those servers where Email Sender and SMS Server are installed. Marked with a square (□) in the figure below. |
Additional: | | | |
IMAP Server Certificate | Recommended | System Configurator (SC). | Certificate must be installed and configured in the IMAP server. |
ECF, RI | Recommended | See Embedded Communications Framework (ECF) or Installing Restful Interfaces | If IIS is installed on the same server, also change the HTTPS port number. |
When a certificate-secured virtual unit has instances on more than one server, install the certificate on all those servers.
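To check the installed certificates against the requirements listed above, the following PowerShell function reports which certificates allow both client and server roles, hold a private key, and have expired. It is an added example, not part of the product documentation; it assumes the certificates are installed in the computer's Personal store (`Cert:\LocalMachine\My`), and the function name and output column names are hypothetical.

```powershell
# Added example: audit certificates in the local machine store.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: TLS server authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU: TLS client authentication

function Get-CertificateRoleReport {
    param(
        # Assumption: certificates are installed in the computer's Personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }

        if ($ekuExt) {
            # Collect the OIDs the certificate is restricted to.
            $oids   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $server = $oids -contains $ServerAuthOid
            $client = $oids -contains $ClientAuthOid
        } else {
            # No EKU extension: usage is not restricted by EKU.
            $server = $true
            $client = $true
        }

        $expired = $cert.NotAfter -lt $now
        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            Expired          = $expired
            HasPrivateKey    = $cert.HasPrivateKey
            ServerRole       = $server
            ClientRole       = $client
            # Usable for internal (peer) server connections: both roles,
            # a private key, and still within its validity period.
            UsableForPeerTls = $server -and $client -and $cert.HasPrivateKey -and -not $expired
        }
    }
}

# Expired entries are listed, not removed: an expired certificate for
# External Password Encryption must stay installed for decryption to work.
Get-CertificateRoleReport | Sort-Object NotAfter | Format-Table -AutoSize
```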
Client-Server Connections
The secured client-server connections and their configuration tools are listed in the table below. Each connection can have its own certificate, or the same certificate can be used for all.
Install the certificate on the physical server where the virtual unit with the installation package will have an instance, and configure it in the IA or IIS Manager accordingly.
Connection | Protocol Provided by Certificate | Certificate Requirement | Installation Package | Configuration Tool |
---|---|---|---|---|
CDT, Convergence telephony communication | TLS Tunnel | Mandatory | CoS | IA |
SC configuration data | TLS Tunnel | Mandatory | CoS | IA |
VoIP desk phones | SRTP | Optional | SIP Bridge | IA |
External quality systems | HTTPS | Mandatory | QMS | IA |
SAP CRM | HTTPS | Optional | Integration Interfaces | IIS Manager |
Monitoring | HTTPS | Optional | Monitoring Web Clients | IIS Manager |
External SMS provider | HTTPS | Optional | SMS Server | IIS Manager |
Chat | HTTPS | Optional | Chat Server and Chat Portal Server | IIS Manager |
 | SMTP | Optional | E-mail Sender | IIS Manager |
Reporting | HTTPS | Optional | Standard Reports | IIS Manager |