This document outlines the configuration of Transport Layer Security (TLS) within the Genesys Workbench environment, detailing how to secure communications between various Workbench components and with external Genesys Framework components.
Function Description:
The Genesys Workbench User's Guide, specifically the "Configuring TLS" section, provides instructions for enabling secure communication using TLS. TLS is a cryptographic protocol designed to provide communication security over a computer network. When configured, it ensures that data exchanged between specified Workbench components and other Genesys systems is encrypted and authenticated, protecting against eavesdropping and tampering. The guide covers TLS enablement for Workbench Host objects, Workbench IO Applications, Elasticsearch applications when Elastic Authentication is used, and connections from Workbench to Genesys Configuration Server, Message Server, and Solution Control Server.
Important Technical Specifications:
- TLS Protocol Support: The default TLS protocol specified is TLSv1.2, though the configuration allows for selection of other TLS protocols.
- Cipher Suites: The system uses a comma-delimited list of cipher suites for TLS negotiation. Users are directed to the "JSSE Cipher Suite Names" section of the Oracle Java documentation for a valid list of supported cipher suites (e.g., https://docs.oracle.com/javase/10/docs/specs/security/standard-names.html).
- Certificate Management: Certificates must be stored in a Java Key Store (.jks file) and be accessible by the user account running Workbench on the host.
- Key Store and Trust Store: Configuration requires specifying paths and passwords for both the Java Key Store (containing the host's private key and certificate) and the Java Trust Store (containing trusted root and intermediate CA certificates).
- Mutual TLS: The guide explicitly mentions a "Mutual-TLS" option, indicating support for two-way authentication where both the client and server verify each other's identities.
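As an added example (not code from the Genesys guide or from Workbench itself), the following Java program shows how the five settings listed above map onto JSSE: the keystore supplies the host's private key and certificate, the truststore supplies the CA certificates peers must chain to, the protocol pins the negotiated TLS version, the comma-delimited "Algorithms" value becomes the enabled cipher suite list, and the Mutual-TLS flag becomes a requirement for a client certificate. The paths, passwords, port and cipher suite names are placeholders chosen for the example; the class and method names are likewise assumptions and do not correspond to anything in Workbench.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Illustrative (hypothetical) helper: builds a TLS listener from the same inputs the
 * Workbench Host TLS form takes. Paths, passwords and suites below are placeholders.
 */
public final class WorkbenchStyleTls {

    private WorkbenchStyleTls() {}

    /** Loads a .jks file; it must be readable by the account running the service. */
    static KeyStore loadJks(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Keystore = this host's key and certificate; truststore = trusted root/intermediate CAs. */
    static SSLContext buildContext(String keystorePath, char[] keystorePassword,
                                   String truststorePath, char[] truststorePassword,
                                   String protocol)
            throws IOException, GeneralSecurityException {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keystorePath, keystorePassword), keystorePassword);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(truststorePath, truststorePassword));

        SSLContext ctx = SSLContext.getInstance(protocol); // e.g. "TLSv1.2"
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Splits the comma-delimited "Algorithms" value into JSSE cipher suite names. */
    static String[] parseCipherSuites(String commaDelimited) {
        return Arrays.stream(commaDelimited.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .toArray(String[]::new);
    }

    /** Applies protocol, cipher suites and the Mutual-TLS flag to a server socket. */
    static SSLServerSocket listen(SSLContext ctx, int port, String protocol,
                                  String[] cipherSuites, boolean mutualTls) throws IOException {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);
        SSLParameters params = server.getSSLParameters();
        params.setProtocols(new String[] {protocol});
        // A suite name the JSSE provider does not know is rejected here with
        // IllegalArgumentException, which is how a typo in the list surfaces.
        params.setCipherSuites(cipherSuites);
        // Mutual-TLS: the peer must present a certificate that chains to the truststore.
        params.setNeedClientAuth(mutualTls);
        server.setSSLParameters(params);
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder inputs; substitute the values entered on the Workbench host object.
        String keystore = "/path/to/workbench-host.jks";
        String truststore = "/path/to/workbench-truststore.jks";
        char[] ksPass = "changeit".toCharArray();
        char[] tsPass = "changeit".toCharArray();
        String protocol = "TLSv1.2";
        String algorithms = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
                + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

        SSLContext ctx = buildContext(keystore, ksPass, truststore, tsPass, protocol);
        try (SSLServerSocket server =
                     listen(ctx, 8443, protocol, parseCipherSuites(algorithms), true)) {
            System.out.println("Listening with "
                    + String.join(",", server.getEnabledCipherSuites()));
        }
    }
}
```

Two checks fall out of this directly: if the .jks file is not readable by the service account, `loadJks` fails with an IOException before any TLS state exists, and if the "Algorithms" field contains a name outside the JSSE list, `setCipherSuites` rejects it at startup rather than silently negotiating something else.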
Usage Features:
- Workbench Host TLS: This feature enables secure communication between Workbench IO Applications located in different data centers (e.g., APAC and EMEA). It's a prerequisite for enabling Workbench IO Application TLS and Elasticsearch Authentication.
- Configuration Steps: Involves navigating to the "Configuration > Hosts" section in Workbench, selecting the relevant host, and populating "2. Workbench TLS Communication" options such as Keystore Path, Keystore Password, Truststore Path, Truststore Password, Protocol, Algorithms, and Mutual-TLS.
- Workbench IO Application TLS: This feature secures connections between Workbench IO Applications, particularly useful for inter-data center communication of Alarm, Changes, Channel Monitoring, and Auditing events over a Wide Area Network (WAN).
- Prerequisite: Workbench Host TLS must be configured first for the host running the Workbench IO application.
- Configuration Steps: Within Workbench, go to "Configuration > Applications," select the Workbench_IO application, navigate to "9. Workbench Distributed Mode," and check the "TLS Enabled" property. A restart of the Workbench_IO service is required.
- Elasticsearch Application TLS: This is specifically for securing the Elasticsearch node when Elastic Authentication is enabled.
- Prerequisite: Workbench Host TLS must be configured for the host running the Elasticsearch node.
- Configuration Steps: Involves placing copies of the key store and trust store in {WBInstallDirectory}/ElasticSearch/config, then, in Workbench, navigating to "Configuration > Applications," selecting the Elasticsearch application, going to "8. Workbench Elasticsearch Authentication," enabling authentication, and specifying a username and password.
- Workbench to Engage TLS (Framework Components): Workbench supports TLS connections to Genesys Configuration Server, Message Server, and Solution Control Server.
- Configuration Guidance: Users are directed to the Genesys Security guide (Documentation/System/8.5.x/SDG/Welcome) for detailed instructions on configuring TLS for these components.
- Certificate Installation: Certificates must be installed on the Workbench Server host/VM. For Windows, certificates need to be installed for both the user running the Workbench installation and the LOCAL_SYSTEM account running Workbench Services.
- Configuration Server: During Workbench installation, the auto-upgrade port for the Configuration Server instance should be specified. If Workbench was initially installed with a non-secure port, the {WbInstallDir}/karaf/etc/ConfigServerInstances.cfg file can be updated, followed by a restart of Workbench_IO.
- Solution Control Server (SCS): During Workbench installation, the SCS instance for subscribing to framework events is selected. Within Genesys Administrator or GAX, the Workbench Server application object must have secure port connections to both primary and backup SCS instances.
- Message Server: Similar to SCS, during Workbench installation, the Message Server instance for subscribing to framework events is selected. In Genesys Administrator or GAX, the Workbench Server application object must have secure port connections to both primary and backup Message Servers.
Maintenance Features:
- Restart Requirements: Many TLS configuration changes, particularly for Workbench IO Applications and Configuration Server port updates, require a restart of the Workbench_IO service to take effect.
- Centralized Configuration: Workbench provides a centralized interface ("Configuration > Hosts" and "Configuration > Applications") for managing TLS settings, simplifying the process of enabling and modifying secure communication parameters.
- Documentation Reference: The guide frequently references external documentation, such as the Oracle Java documentation for cipher suites and the Genesys Security guide for Framework component TLS, ensuring users have access to comprehensive information for troubleshooting and advanced configurations.
- Prerequisite Management: The guide clearly outlines prerequisites (e.g., Workbench Host TLS before Workbench IO Application TLS or Elasticsearch TLS), helping users follow the correct order of operations to avoid configuration issues.
- Warning Notes: Important warnings are provided, such as that TLS connections to Workbench IO, Kibana (the main Workbench UI) and ZooKeeper are not currently supported, guiding users on what is and isn't supported. The guide also highlights the importance of completing Elasticsearch TLS enablement before enabling Elasticsearch Authentication.