Genesys Engage on-premises

  • 1.  Enable GMS for https

    Posted 12-06-2018 09:55
    Hello
    We have a customer who wants to access the GMS for Chat through https and not http. I know we can set the http.ssl-trus-all parameter to true. And then we don't need a certificate. 

    But if we don't set this parameter, do we need a certificate? And what kind of certificate do we need? If we are supposed to generate a CSR file on the server, is there a specific parameter we need to add?
    Eystein
    #ArchitectureandDesign
    #Implementation
    #PlatformAdministration
    #Security

    ------------------------------
    Eystein Kylland
    Sopra Steria AS Norway
    ------------------------------


  • 2.  RE: Enable GMS for https

    Posted 12-08-2018 07:06
    Hi Eystein,

    The customer should provide .key and .crt files related to GMS server in which .crt is signed by any third party SSL verifier.

    After you obtain the .crt and .key files, please follow the steps below:

    1. Download openssl library
    2. Extract attached rar package to directory openssl
    3. Open Command Prompt with admin privileges
    4. Navigate to openssl>bin
    5. Type the command below
    openssl pkcs12 -export -name servercert -in <Certificate Name.crt> -inkey <Certificate Key.key> -out keystore.p12
    (It will ask for a password; enter any password.)

    6. Open the SSL configuration file, GMS/server/etc/jetty-ssl.xml, in a text editor.
    7. Find the element and update all paths and passwords then Save your changes

     <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">

    Note: You can run Jetty's password utility to obfuscate your passwords. See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html.

    8. Open the Jetty SSL module configuration file, GMS/server/modules/ssl.mod, in a text editor.
    9. Comment out all property settings after the line that says etc/jetty-ssl.xml, except for lines containing the following, then save your changes.
    • [files]
    • [ini-template]
    10. You can now start Jetty the normal way (make sure that jcert.jar, jnet.jar and jsse.jar are on your classpath)

    ------------------------------
    Mohammed Adel
    IST Networks - Saudi Arabia
    ------------------------------
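
A check worth running around step 5 of the reply above, as an added example that is not part of the original post: it confirms that the .crt and .key hold the same public key, builds keystore.p12 with the same `openssl pkcs12 -export` command, and re-opens the result to verify the password. The function names, the KEYSTORE_PASS variable and the self-signed demo certificate are assumptions made for illustration; it is written for a POSIX shell, and the openssl arguments are the same in a Windows Command Prompt.

```shell
#!/bin/sh
# Added example (not from the thread): pair check, keystore build, keystore verify.

# SHA-256 of the public key held in a certificate ("cert") or private key ("key").
# An encrypted key file will make openssl ask for its passphrase.
pubkey_digest() (
  case "$1" in
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    *)    pem="" ;;
  esac
  [ -n "$pem" ] || exit 1            # unreadable file or wrong file type
  printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
)

# Build the PKCS#12 keystore only when the pair matches, then re-open it to
# confirm the password and integrity MAC. $4 names an exported environment
# variable holding the password, which keeps it off the command line.
build_keystore() (
  crt=$1; key=$2; out=$3; pass_var=$4
  c=$(pubkey_digest cert "$crt") || { echo "unreadable certificate: $crt" >&2; exit 2; }
  k=$(pubkey_digest key "$key")  || { echo "unreadable private key: $key" >&2; exit 2; }
  [ "$c" = "$k" ] || { echo "certificate and key do not match" >&2; exit 3; }
  umask 077                          # the keystore contains the private key
  openssl pkcs12 -export -name servercert -in "$crt" -inkey "$key" \
    -out "$out" -passout "env:$pass_var" || exit 4
  openssl pkcs12 -in "$out" -passin "env:$pass_var" -noout 2>/dev/null || exit 5
)

# Constructed demo input: a throwaway self-signed pair, not a CA-signed certificate.
demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout gms.key -out gms.crt \
    -subj "/CN=gms.example.test" -days 1 2>/dev/null || exit 1
  export KEYSTORE_PASS='constructed-demo-password'
  build_keystore gms.crt gms.key keystore.p12 KEYSTORE_PASS &&
    echo "keystore ok: $d/keystore.p12"
)

if [ "${1:-}" = demo ]; then demo; fi
```

Exit status 3 means the certificate was issued for a different key than the one supplied, which is the case to catch before editing jetty-ssl.xml.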



  • 3.  RE: Enable GMS for https

    Posted 12-10-2018 11:57
    Eystein,

    One thing I've done in the past is to use a web server like Apache or Nginx and implement a reverse proxy.  The web server can be hardened and implement all of the latest SSL/TLS security, then any requests that it receives are then proxied through the DMZ into your GMS server(s) running on your LAN.  This way you don't need to concern yourself with hardening Jetty.

    Good luck,


    ------------------------------
    Jim Crespino
    Director, Developer Enablement
    Genesys
    https://developer.genesys.com
    ------------------------------



  • 4.  RE: Enable GMS for https

    Posted 12-10-2018 13:51
    Another option is to use a Load Balancer or similar appliance in your DMZ. This is a similar concept as what Jim mentioned. But you can use something like an F5 Load balancer and configure https secured connection over the internet, while it forwards the data unencrypted on the internal network to the GMS server.


    Daniel Hilaire





