PureConnect

  • 1.  Using an Internal Cert for Media Servers Web Config page

    Top 25 Contributor
    Posted 20 days ago
    Hi all,

    As usual hoping the experts here have run into this before and have a solution. We need to secure our media servers' web config page. It appears by default WebConfigCertificate.cer is used. The only instructions I have found thus far are from the PureConnect Security Features Technical Reference. It says the following:

    Webpage interface (administration)

    Interaction Media Server self-signs its certificate (WebConfigCertificate.cer). You can put your own certificate or key here as long
    as the "Subject" matches the Media Server's fully qualified domain name (FQDN). If you have a public key infrastructure (PKI) in
    place, sign the certificate according to your own internal policies.

    I cannot find any other information or further instruction on using our own certs to secure the page. Has anyone accomplished this and have guidance or instructions for doing so? Looking for any help at all here.

    I've tried a generated cert in which the FQDN is the subject, placed in the proper folder and named to match the above. Upon restarting Media Server services, a new .cer file is generated and simply overwrites it. I must not have the format correct.

    Thank you,
    #Implementation
    #Security
    #SystemAdministration

    ------------------------------
    Shane
    ------------------------------


  • 2.  RE: Using an Internal Cert for Media Servers Web Config page

    Posted 19 days ago
    You must change all three files, the WebConfigCertificate (containing the signed certificate), the WebConfigPublicKey.bin (containing the public key) and WebConfigPrivateKey.bin (containing the private key).
    There are different key-notations in the field, please check that the public key file starts with "-----BEGIN RSA PUBLIC KEY-----" and the private key with "-----BEGIN RSA PRIVATE KEY-----".
    The word "RSA" here is important. If this doesn't match, you can use OpenSSL to convert the file to PKCS#1.

    ------------------------------
    Andreas Tikart
    Fiebig GmbH
    ------------------------------
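
    A pre-flight check for the header requirement described in the reply above, as an added example that is not part of the original post and is not Genesys tooling. It assumes the three file names given in that reply, PEM text files, and a POSIX shell (Git Bash or WSL on the server, or any shell on a copy of the folder); the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: header pre-flight for the Media Server web-config key files.
# Only PEM armor lines are read; key material is never parsed or printed.

# Echo the label of the first "-----BEGIN <label>-----" line. Text before it
# (e.g. the "Bag Attributes" block a PKCS#12 export leaves) is skipped, and a
# trailing CR from Windows line endings is tolerated.
pem_label() {
    LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

# check_key FILE EXPECTED_LABEL: echo a verdict, return 0 only for "ok".
check_key() {
    [ -f "$1" ] || { echo "missing"; return 1; }
    case "$(pem_label "$1")" in
        "$2")                    echo "ok"; return 0 ;;
        "")                      echo "no-pem-header" ;;   # DER/binary or empty
        "PRIVATE KEY")           echo "pkcs8-not-pkcs1" ;; # openssl rsa -in F -traditional (3.x)
        "ENCRYPTED PRIVATE KEY") echo "encrypted-pkcs8" ;;
        "PUBLIC KEY")            echo "spki-not-pkcs1" ;;  # openssl rsa -pubin -in F -RSAPublicKey_out
        *)                       echo "unexpected-header" ;;
    esac
    return 1
}

# check_webconfig DIR: one line per file; return 0 only if all three files
# exist and both key files carry the PKCS#1 ("RSA") headers from the post.
check_webconfig() {
    local dir="$1" rc=0 v
    [ -f "$dir/WebConfigCertificate.cer" ] || { echo "WebConfigCertificate.cer: missing"; rc=1; }
    v=$(check_key "$dir/WebConfigPublicKey.bin" "RSA PUBLIC KEY") || rc=1
    echo "WebConfigPublicKey.bin: $v"
    v=$(check_key "$dir/WebConfigPrivateKey.bin" "RSA PRIVATE KEY") || rc=1
    echo "WebConfigPrivateKey.bin: $v"
    return "$rc"
}

# Demo on constructed header-only files (placeholders, no real keys).
demo() {
    local d; d=$(mktemp -d)
    : > "$d/WebConfigCertificate.cer"
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' > "$d/WebConfigPublicKey.bin"
    printf 'Bag Attributes\r\n%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' > "$d/WebConfigPrivateKey.bin"
    check_webconfig "$d" || true
    rm -rf "$d"
}
if [ "$#" -gt 0 ]; then check_webconfig "$1"; else demo; fi
```

    Pass the certificates folder, or a copy of it, as the first argument to check real files; with no argument the script runs on the constructed demo files.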



  • 3.  RE: Using an Internal Cert for Media Servers Web Config page

    Posted 15 days ago
    I have been following this topic as I have considered moving to using our PKI certs for our PureConnect system, but I have assumed that if I move one portion to our PKI certs, I would need to replace all the Genesys Self-signed certs. Is moving to the PKI certs an 'All or nothing' effort or can I do this 'As needed'?

    Thank you in advance.



    ------------------------------
    Christopher Becker
    State of Michigan - Oakland County - WRC
    ------------------------------



  • 4.  RE: Using an Internal Cert for Media Servers Web Config page

    GCAP Member
    Posted 15 days ago
    In 2019 we moved our system from Genesys Self Sign Cert to our own single signed Cert and it was a mess. After multiple attempts and building a process that worked, we found that Interaction Connect will not work in a Single Signed Cert. This wasn't a deal breaker for us as we weren't using Connect yet, but now we are stuck on Interaction Desktop until IC-159903 & IC-159218 SCR are resolved.

    My suggestion is that unless being required from a security standpoint, I wouldn't move away from Genesys Self Sign Cert.

    ------------------------------
    Scott Williams
    Missouri Higher Education Loan Authority
    ------------------------------



  • 5.  RE: Using an Internal Cert for Media Servers Web Config page

    Top 25 Contributor
    Posted 15 days ago
    Thanks Andreas!

    So we have made progress on this front. We now have all of our Media Servers web config pages secured using our own internal cert.

    Long story short, we created a cert using our internal CA and downloaded it in PKCS#12 format. We then used the document linked below as a guideline for then taking that PKCS12 Cert and adjusting it to the proper format.

    Please note the version of ssl_app-w32r will vary based upon the version of CIC you're running and we used steps 5, 7, 8 and 9. We skipped step 6. Also, since we are dealing with a media server, we didn't touch anything on the IC servers. We placed the WebConfigCertificate.cer, PrivateKey and PublicKey generated using these commands in the I3\IC\Certificates folder on our media server then restarted the media server service.

    Article we used as a guide: https://help.genesys.com/pureconnect/mergedProjects/wh_tr/mergedProjects/wh_tr_sso/desktop/replace_the_cic_https_certificate_with_an_externally-generated_certificate.htm

    Christopher, in regards to your question, we plan to stick with Genesys certs for all subsystems and overall functionality, we just wanted to secure the Media Server config web page with our own SSL cert.

    Thanks all 


    ------------------------------
    Shane
    ------------------------------



  • 6.  RE: Using an Internal Cert for Media Servers Web Config page

    Posted 14 days ago
    You cannot customize all CIC certificates. Please see Idea COOPLA-I-231.

    ------------------------------
    Andreas Tikart
    Fiebig GmbH
    ------------------------------