Genesys Cloud - Main

HI guys

Can anybody help clear up some confusion we have between our Genesys resource and Cisco guys?

We are deploying on-premise Edges to on-premise Cisco CUBEs.  The trunks between those need to be TLS.  The confusion is over what needs to be done for the cert side of this.

Genesys are telling me we can either export the Genesys cert for the Cisco guys to import into their CUBEs.  But the Cisco guys are telling me there should be a certificate imported on both sides, as well as talking about getting a signed CA cert onto the CUBES and then import the Genesys provided cert.  The question is also whether a self-signed CUBE cert will be ok.

There must be some of us here that have some Cisco/CUBE knowledge and have gone through this before, so can someone help me clear this up - being the man in the middle at the moment?

Thanks
#ArchitectureandDesign
#Telephony

------------------------------
Vaun McCarthy
NTT New Zealand Limited
------------------------------

For TLS calls you will need a proper certificate trust in each direction calls will flow.  If you are supporting inbound and outbound calls, then you will need certificate trusts in both directions.

The setup is different for Premise Edges (BYOC Premise) and Cloud Edges (BYOC Cloud).  These instructions are specific to BYOC Premise.

When a secure call is initialized the source (client) will attempt to establish a TLS session with the remote endpoint (server).  For each call only the server's certificate will be used, unless you are using mutual TLS (i do not think that is your intention). 

For outbound calls out of Genesys Cloud, the Cisco CUBE certificate will be used - you can import the remote certificates into Genesys Cloud with the Certificate Authorities section.  Instructions are here: https://help.mypurecloud.com/articles/certificate-authorities/   The imported certificate will be called "Remote" certiifcates.

For inbound calls into Genesys Cloud, the Genesys Cloud certificate will be used - you will need to import a certificate onto the Cisco CUBE to trust the certificate the Edge will use.  You can download the "Managed" certificate from the same Certificate Authorities page.

In both cases, you also need to make sure that the entire certificate chain is obtained by the client.  In most cases you will only need to import the top level Root Certificate Authority (CA) certificate.  However, that requires that each server transmits the server certificate AND any intermediate certificates during the Server Hello/Certificates portion of the TLS handshake.  If either server only transmits the server certificate, you can either update the server to send the intermediate certificate as well - or have the client trust the intermediate certificates as well.

Please let me know if you have any additional questions,


------------------------------
Phil Whitener
Genesys - Employees
------------------------------

Hi Phil

Can you please confirm if it is okay to have multiple certs loaded in Genesys Cloud - ie the "current" one that's not yet expired, and the "new" one that will be taking over?

------------------------------
Vaun McCarthy
------------------------------

Original Message:
Sent: 09-28-2020 13:32
From: Phil Whitener
Subject: Cisco CUBE and TLS cert?

For TLS calls you will need a proper certificate trust in each direction calls will flow.  If you are supporting inbound and outbound calls, then you will need certificate trusts in both directions.

The setup is different for Premise Edges (BYOC Premise) and Cloud Edges (BYOC Cloud).  These instructions are specific to BYOC Premise.

When a secure call is initialized the source (client) will attempt to establish a TLS session with the remote endpoint (server).  For each call only the server's certificate will be used, unless you are using mutual TLS (i do not think that is your intention).

For outbound calls out of Genesys Cloud, the Cisco CUBE certificate will be used - you can import the remote certificates into Genesys Cloud with the Certificate Authorities section.  Instructions are here: https://help.mypurecloud.com/articles/certificate-authorities/   The imported certificate will be called "Remote" certiifcates.

For inbound calls into Genesys Cloud, the Genesys Cloud certificate will be used - you will need to import a certificate onto the Cisco CUBE to trust the certificate the Edge will use.  You can download the "Managed" certificate from the same Certificate Authorities page.

In both cases, you also need to make sure that the entire certificate chain is obtained by the client.  In most cases you will only need to import the top level Root Certificate Authority (CA) certificate.  However, that requires that each server transmits the server certificate AND any intermediate certificates during the Server Hello/Certificates portion of the TLS handshake.  If either server only transmits the server certificate, you can either update the server to send the intermediate certificate as well - or have the client trust the intermediate certificates as well.

Please let me know if you have any additional questions,


------------------------------
Phil Whitener
Genesys - Employees
------------------------------

The certificates you manage for BYOC Premise in the Certificate Authorities section are the certificates you "trust".  When an outbound connection is made the remote endpoint provides its certificate chain and this list of certs are used to ensure that the Edges should trust the remote endpoint.  You can import any number of certs to "trust" at the same time and it will not effect existing working connections.  If you have multiple trunks that connect to various remote endpoints with different root certificates you would need to import the root certificate for all the remote endpoints.  If a certificate is expiring and a new root is going to be used, you can import the new root while retaining the existing root and connection before the change and after the change will work.  This section is ONLY used for BYOC Premise as BYOC Cloud is managed globally.  However, the Certificates Authority section also contains the end-entity certificate for the Edges, only one cert can exist for that at any time.

------------------------------
Phil Whitener
Genesys - Employees
------------------------------

Original Message:
Sent: 10-04-2022 23:06
From: Vaun McCarthy
Subject: Cisco CUBE and TLS cert?

Hi Phil

Can you please confirm if it is okay to have multiple certs loaded in Genesys Cloud - ie the "current" one that's not yet expired, and the "new" one that will be taking over?

------------------------------
Vaun McCarthy
------------------------------


Original Message:
Sent: 09-28-2020 13:32
From: Phil Whitener
Subject: Cisco CUBE and TLS cert?

For TLS calls you will need a proper certificate trust in each direction calls will flow.  If you are supporting inbound and outbound calls, then you will need certificate trusts in both directions.

The setup is different for Premise Edges (BYOC Premise) and Cloud Edges (BYOC Cloud).  These instructions are specific to BYOC Premise.

When a secure call is initialized the source (client) will attempt to establish a TLS session with the remote endpoint (server).  For each call only the server's certificate will be used, unless you are using mutual TLS (i do not think that is your intention).

For outbound calls out of Genesys Cloud, the Cisco CUBE certificate will be used - you can import the remote certificates into Genesys Cloud with the Certificate Authorities section.  Instructions are here: https://help.mypurecloud.com/articles/certificate-authorities/   The imported certificate will be called "Remote" certiifcates.

For inbound calls into Genesys Cloud, the Genesys Cloud certificate will be used - you will need to import a certificate onto the Cisco CUBE to trust the certificate the Edge will use.  You can download the "Managed" certificate from the same Certificate Authorities page.

In both cases, you also need to make sure that the entire certificate chain is obtained by the client.  In most cases you will only need to import the top level Root Certificate Authority (CA) certificate.  However, that requires that each server transmits the server certificate AND any intermediate certificates during the Server Hello/Certificates portion of the TLS handshake.  If either server only transmits the server certificate, you can either update the server to send the intermediate certificate as well - or have the client trust the intermediate certificates as well.

Please let me know if you have any additional questions,


------------------------------
Phil Whitener
Genesys - Employees