Genesys Engage on-premises

  • 1.  Configuring TLS between Web Services and Configuration Server with Minimal configuration

    Posted 02-24-2021 09:04
    Edited by Ricky Chaddock 02-24-2021 09:40
    We are using GWS version 8.5.202.27.
    I can successfully interact with GWS ReST API using http on port 8090.
    We need to also make requests using HTTPS.

    I have attempted to follow the Genesys documentation to update /opt/genesys/gws/config/application.yaml
    tlsEnabled: true

    Restarting gws using command
    sudo systemctl restart gws
    appears to work.

    But, GWS will not respond to HTTPS ReST requests.

    We are not using Cassandra.  We only want to use the GWS ReST API.

    Are there other settings that must be reconfigured from the defaults?
    #PlatformAdministration
    #Security
    #SystemAdministration

    ------------------------------
    Ricky Chaddock
    Unimax Systems
    ------------------------------


  • 2.  RE: Configuring TLS between Web Services and Configuration Server with Minimal configuration

    Posted 02-24-2021 17:11
    Hi Ricky,
    Despite the title of your post, it seems like you're actually interested in enabling HTTPS SSL/TLS for the GWS app itself, as opposed to encrypting the connection between GWS and Config Server?  Apologies if I'm misreading.
    If it is indeed to expose GWS outwards via HTTPS, then I believe you need to configure the values in the Jetty section as per this documentation.

    ------------------------------
    Jason McLennan
    Commonwealth Bank of Australia
    ------------------------------



  • 3.  RE: Configuring TLS between Web Services and Configuration Server with Minimal configuration

    Posted 02-25-2021 13:10
    Edited by Ricky Chaddock 02-25-2021 14:10
    You were correct, Jason.  Thank you very much for commenting.

    I've been spending some time trying to find a viable set of configuration settings that will result in gws responding to an HTTPS ReST request.
    One thing I've learned is that it appears to take about 50 seconds after a restart before gws will even respond to a version request.
    So far, I've not found a usable set of jetty section ssl settings when enableSsl: true.
    Everything I've tried causes the gws process to die after about 50 seconds.
    If I change enableSsl back to false, it stays up and responds to http requests.
    I can find no combination of enableSsl: true settings that will not result in the gws process dying.

    ------------------------------
    Ricky Chaddock
    Unimax Systems
    ------------------------------



  • 4.  RE: Configuring TLS between Web Services and Configuration Server with Minimal configuration

    Posted 02-25-2021 18:05
    Have you configured your keystore/certs correctly?  What are the logs showing?  I can sometimes find it useful to actually run these from the command line so you can see stdout as well and see a little more of what is happening in real time.

    ------------------------------
    Jason McLennan
    Commonwealth Bank of Australia
    ------------------------------



  • 5.  RE: Configuring TLS between Web Services and Configuration Server with Minimal configuration

    Posted 02-26-2021 10:58
    Edited by Ricky Chaddock 02-26-2021 11:40
    Using Fiddler to diagnose interacting with our HTCC GWS, I can request the version, but not Tenant Environment:

    GET http://htcc.unimax.local:8090/api/v2/diagnostics/version HTTP/1.1
    Authorization: Basic c25hZG1pbjpVbmltYXgxNjI=
    Host: htcc.unimax.local:8090
    Content-Type: application/json
    Content-Length: 0

    HTTP/1.1 200 OK
    Date: Fri, 26 Feb 2021 15:46:02 GMT
    Set-Cookie: JSESSIONID=ZB8cvdJPz6yO32uDr0vMIQ1hxvnfpncfnp0w3yd3ms8klbr.ZB8cvdJPz6yO32uDr0vMIQ;Path=/;Secure;HttpOnly
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-store
    Content-Type: application/json;charset=UTF-8
    Transfer-Encoding: chunked

    27
    {"statusCode":0,"version":"8.5.202.27"}
    0

    GET https://htcc.unimax.local:443/api/v2/platform/configuration/tenants?dbid=1 HTTP/1.1
    Authorization: Basic c25hZG1pbjpVbmltYXgxNjI=
    Host: htcc.unimax.local:443
    Content-Type: application/json
    Content-Length: 0

    HTTP/1.1 502 Fiddler - Connection Failed
    Date: Fri, 26 Feb 2021 16:09:03 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    Cache-Control: no-cache, must-revalidate
    Timestamp: 10:09:03.392

    [Fiddler] The connection to 'htcc.unimax.local' failed.
    System.Security.SecurityException Failed to negotiate HTTPS connection with server.fiddler.network.https> HTTPS handshake to htcc.unimax.local (for #1402) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.


    I have attempted to configure the keystore/certs correctly.
    The logs don't indicate any issues with them.
    I did see an issue using your suggestion of running gws from the command line with one of the logfile parameters that appears to be resolved.
    Here are my current application.yaml settings and the output of keytool -list (note I have obfuscated the password and email).
    Does this look reasonable?  We still can't seem to get gws to respond to a HTTPS request.  It does respond to the version request (over HTTP).

    jetty:
      host: 0.0.0.0
      port: 8090
      idleTimeout: 30000
      soLingerTime: -1
      sessionMaxInactiveInterval: 1800
      enableWorkerName: true
      enableRequestLog: true
      requestLog:
        filename: yyyy_mm_dd.request.log
        filenameDateFormat: yyyy_MM_dd
        logTimeZone: GMT
        retainDays: 90
        append: true
        extended: true
        logCookies: true
        logLatency: true
        preferProxiedForAddress: true
      enableSsl: true
      cookies:
        httpOnly: true
        secure: true
        #sameSite: None
      ssl:
        port: 443
        securePort: 8443
        idleTimeout: 30000
        soLingerTime: -1
        keyStorePath: /opt/genesys/gws/ssl/gws.jks
        keyStorePassword: ********
        #keyManagerPassord: None
        #keyStoreProvider: None
        keyStoreType: JKS
        #trustStorePath: None
        #trustStorePassword: None
        #trustStoreProvider: None
        #trustStoreType: JKS
        needClientAuth: false
        wantClientAuth: false
        #certAlias: None
        validateCerts: false
        trustAll: true
        renegotionationAllowed: true
        #excludeCiphterSuites: None
        #includeCiphterSuites: None
        #endpointIdentificationAlgorithm: HTTPS
        #includeProtocols: None
        #excludeProtocols: None
        enableHsts: false
        enableNonSecureToSecureRedirect: false

    --------------------------------------------

    keytool -list

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: gws
    Creation date: Feb 2, 2021
    Entry type: trustedCertEntry

    Owner: EMAILADDRESS=email@unimax.com, CN=htcc.unimax.local, OU=IT, O=Unimax, L=Minneapolis, ST=Minnesota, C=US
    Issuer: EMAILADDRESS=email@unimax.com, CN=htcc.unimax.local, OU=IT, O=Unimax, L=Minneapolis, ST=Minnesota, C=US
    Serial number: c94e58de830976cb
    Valid from: Tue Feb 02 21:26:02 UTC 2021 until: Fri Jan 31 21:26:02 UTC 2031
    Certificate fingerprints:
    MD5: 33:CE:AE:C4:5E:59:33:73:E3:74:86:48:0D:6F:99:F4
    SHA1: C1:04:D1:85:96:82:56:55:BC:6E:5B:7C:C0:01:BB:E9:53:B4:A7:33
    SHA256: 84:5A:30:A1:B1:43:6B:2A:81:55:98:6A:B4:5E:77:D1:EA:4E:83:26:DA:1B:28:96:F1:09:67:68:2B:1C:9E:1A
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 4D CE 83 76 AA 89 B3 C5 47 CC 6C A1 3C C8 C8 9C M..v....G.l.<...
    0010: DD FA 5E B7 ..^.
    ]
    ]

    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    #3: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 4D CE 83 76 AA 89 B3 C5 47 CC 6C A1 3C C8 C8 9C M..v....G.l.<...
    0010: DD FA 5E B7 ..^.
    ]
    ]





    ------------------------------
    Ricky Chaddock
    Unimax Systems
    ------------------------------
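
The keytool listing in the post above shows the only entry under alias gws is a trustedCertEntry, i.e. a certificate without its private key. Jetty's SslContextFactory (which is what the jetty.ssl section of application.yaml configures) builds its key manager from PrivateKeyEntry items, so a keystore that holds only trusted certificates gives the server nothing to authenticate with and the handshake is aborted server-side, which is consistent with Fiddler's "remote party has closed the transport stream". The script below is an added example, not code from the thread or from Genesys: it parses `keytool -list -v` output and reports whether the store can serve TLS at all. The two embedded listings are constructed samples (the second assumes alias gws holds the key and adds a hypothetical corp-root entry); the file name check_keystore.sh and the PEM names server.key / server.crt in the remediation hint are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Genesys: decide from a
# `keytool -list -v` listing whether a keystore can serve TLS at all.
# Jetty's SslContextFactory (what GWS's jetty.ssl section configures) needs a
# PrivateKeyEntry: certificate chain plus private key under one alias.
# A trustedCertEntry holds only a certificate and can never be a server identity.

# Constructed sample with the shape of the listing posted above: one trustedCertEntry.
BAD_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: gws
Creation date: Feb 2, 2021
Entry type: trustedCertEntry

Owner: CN=htcc.unimax.local, OU=IT, O=Unimax
Issuer: CN=htcc.unimax.local, OU=IT, O=Unimax'

# Constructed sample of a usable listing (alias "gws" and "corp-root" are assumed).
GOOD_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: gws
Creation date: Feb 2, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=htcc.unimax.local, OU=IT, O=Unimax
Issuer: CN=htcc.unimax.local, OU=IT, O=Unimax

Alias name: corp-root
Creation date: Feb 2, 2021
Entry type: trustedCertEntry

Owner: CN=Unimax Root CA, O=Unimax
Issuer: CN=Unimax Root CA, O=Unimax'

# count_entries LISTING TYPE -> number of "Entry type: TYPE" lines (0 on no match)
count_entries() {
    printf '%s\n' "$1" | grep -c "^Entry type: $2\$" || true
}

# private_key_aliases LISTING -> aliases that hold a PrivateKeyEntry, one per line
private_key_aliases() {
    printf '%s\n' "$1" | awk '
        /^Alias name: /                { alias = substr($0, 13) }
        /^Entry type: PrivateKeyEntry/ { print alias }'
}

# keystore_can_serve_tls LISTING [ALIAS]
# exit 0 when a PrivateKeyEntry exists (under ALIAS, if given); 1 otherwise.
# ALIAS matters once jetty.ssl.certAlias is set: Jetty then uses that entry only.
keystore_can_serve_tls() {
    want=${2:-}
    while IFS= read -r alias; do
        [ -n "$alias" ] || continue
        if [ -z "$want" ] || [ "$alias" = "$want" ]; then
            return 0
        fi
    done <<EOF
$(private_key_aliases "$1")
EOF
    return 1
}

# diagnose_keystore LISTING -> one-line verdict on stdout, same exit status as above
diagnose_keystore() {
    pk=$(count_entries "$1" PrivateKeyEntry)
    tc=$(count_entries "$1" trustedCertEntry)
    if keystore_can_serve_tls "$1"; then
        echo "OK: $pk PrivateKeyEntry (server identity), $tc trustedCertEntry"
        return 0
    fi
    echo "NOT USABLE FOR TLS: $tc trustedCertEntry, 0 PrivateKeyEntry."
    echo "  keytool cannot import a bare PEM private key; bundle key and cert first:"
    echo "  openssl pkcs12 -export -inkey server.key -in server.crt -name gws -out gws.p12"
    echo "  keytool -importkeystore -srckeystore gws.p12 -srcstoretype PKCS12 \\"
    echo "          -destkeystore gws.jks -deststoretype JKS"
    return 1
}

# Stand-alone use: `sh check_keystore.sh /opt/genesys/gws/ssl/gws.jks` reads the
# real store (keytool prompts for the password, so it never lands in `ps` output
# or shell history). With no argument the two constructed samples are diagnosed.
if [ -n "${1:-}" ]; then
    diagnose_keystore "$(keytool -list -v -keystore "$1")"
else
    diagnose_keystore "$BAD_LISTING" || :
    diagnose_keystore "$GOOD_LISTING"
fi
```

Run it against the real store before touching application.yaml again: if it reports no PrivateKeyEntry, no combination of jetty.ssl settings will produce a working listener, because the connector has no key to sign the handshake with. Once a PrivateKeyEntry exists, keep keyStoreType in step with the store you actually wrote (PKCS12 vs JKS), and set certAlias if the store holds more than one private key.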