Avaya Aura Quality Monitoring Release 11.0 Security Administration Guide March 2012
2003-2011 Verint Systems Inc. All Rights Reserved. THIS AVAYA PRODUCT ('Product') CONTAINS CONFIDENTIAL AND PROPRIETARY INFORMATION OF VERINT SYSTEMS INC. OR ITS SUBSIDIARIES. USE OF THE PRODUCT INDICATES THE END USER'S ACCEPTANCE OF THE TERMS SET FORTH HEREIN AND THE GENERAL LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE AT http://support.avaya.com/licenseinfo/ ('GENERAL LICENSE TERMS'). IN THE EVENT OF ANY CONFLICT OR INCONSISTENCY BETWEEN THE TERMS SET FORTH HEREIN AND ANY WRITTEN AGREEMENT WITH AVAYA AND/OR AVAYA EULA, THE TERMS OF SUCH EITHER WRITTEN AGREEMENT WITH AVAYA AND/OR AVAYA EULA SHALL GOVERN. IF YOU DO NOT WISH TO BE BOUND BY THESE TERMS, YOU MUST RETURN THE PRODUCT(S) TO THE POINT OF PURCHASE WITHIN TEN (10) DAYS OF DELIVERY FOR A REFUND OR CREDIT. Avaya grants End User a license within the scope of the license types described below. The applicable number of licenses and units of capacity for which the license is granted will be one (1), unless a different number of licenses or units of capacity is specified in the Documentation or other materials available to End User. 'Software' means the computer programs in object code, originally licensed by Avaya and ultimately utilized by End User, whether as stand-alone Products or pre-installed on Hardware. 'Hardware' means the standard hardware Products, originally sold by Avaya and ultimately utilized by End User. License Type(s): "Channel" means a physical connection between or logical address associated with a recording device and an audio source. "Enterprise" means a license to use, without limitation on the number of copies or users applicable to that End User, that Software within that End User's technical environment in conjunction with other Software licensed. "Seat" means the number of uniquely identified work-stations (i) on which the Software is licensed to be installed, (ii) from or to which the Software will send or receive data, or (iii) about which the Software generates data. Any one or more of the foregoing, in the aggregate, applicable to a work-station shall qualify that work-station as a licensed Seat. Seat licenses are not concurrent, except that licenses relating to a work-station may be transferred to another work-station so long as such transfer is on a permanent basis. "Server" means a license to install the Software on a single central computer server. "Site" means a license to use the Software at a physical End User location, without limitation on the number of copies or users applicable to that physical End User location. Copyright: Except where expressly stated otherwise, the Product is protected by copyright and other laws respecting proprietary rights. Unauthorized reproduction, transfer, and or use can be a criminal, as well as a civil, offense under the applicable law. Third-party Components: This computer program is protected by U.S. and international copyright laws, patent laws, and other intellectual property laws and treaties. Unauthorized use, duplication, publication and distribution of all or any portion of this computer program are expressly prohibited and will be prosecuted to the maximum extent provided by law. Your rights in this computer program are limited to the license rights granted under the license agreement executed by you in hardcopy form (or if none, by acceptance of the clickwrap terms included with this computer program). If needed, please contact your vendor for an additional copy of those terms. All other rights, title and interest are expressly restricted and retained by Verint Systems, Inc. and its licensors. Certain open source applications ("Open Source") may be included with this computer program. For specific ownership information and license rights relating to those open source applications, please see the "Free and Open Source Licensing Information" guide ("Guide") provided with your computer program, or contact your vendor for a copy of that Guide. A license in each Open Source software application is provided to you in accordance with the specific license terms specified in the Guide. EXCEPT WITH REGARD TO ANY WARRANTIES OR OTHER RIGHTS AND OBLIGATIONS EXPRESSLY PROVIDED DIRECTLY TO YOU FROM VERINT, ALL OPEN SOURCE SOFTWARE IS PROVIDED "AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OWNERS OF THE OPEN SOURCE SOFTWARE OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THE OPEN SOURCE SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Certain other software programs or portions thereof included in the Product may contain software distributed under third party agreements ('Third Party Components'), which may contain terms that expand or limit rights to use certain portions of the Product ('Third Party Terms'). Information identifying Third Party Components and the Third Party Terms that apply to them is available on Avaya's web site at: http://support.avaya.com/thirdpartylicense/. In addition, this product may contain the ReportNet application from Cognos Corporation. If so, you are granted a limited for use: (i) by an unlimited number of "Anonymous Users" to set personal preferences, view, run, schedule and output reports, subscribe to scheduled reports, create and manage personal folders, and personalize standard reports, and (ii) by one "Named User" (unless otherwise specified on this Order) to, in addition to the rights of an Anonymous User, use the Query Studio module. Avaya fraud intervention: If you suspect that you are being victimized by toll fraud and you need technical assistance or support, call Technical Service Center Toll Fraud Intervention Hotline at +1-800-643-2353 for the United States and Canada. Suspected security vulnerabilities with Avaya Products should be reported to Avaya by sending mail to: securityalerts@avaya.com Trademarks: Avaya and the Avaya Logo are trademarks of Avaya Inc. and are registered in the United States and/or other countries. Avaya may also have trademark rights in other terms used herein. References to Avaya include the Nortel Enterprise business, which was acquired as of December 18, 2009. All trademarks identified by, TM or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc. or the property of their respective owners. Patents: The Verint Systems Inc. products are protected by one or more of the following U.S., European or International Patents: USPN 5,790,798; USPN 6,278,978; USPN 6,370,574; USPN 6,404,857; USPN 6,510,220; USPN 6,724,887; USPN 6,751,297; USPN 6,757,361; USPN 6,782,093; USPN 6,952,732; USPN 6,959,078; USPN 6,959,405; USPN 7,047,296; USPN 7,149,788; USPN 7,155,399; USPN 7,203,285; USPN 7,216,162; USPN 7,219,138; USPN 7,254,546; USPN 7,281,173; USPN 7,284,049; USPN 7,325,190; USPN 7,376,735; USPN 7,424,715; USPN 7,424,718; USPN 7,466,816; USPN 7,478,051; USPN 7,558,322; USPN 7,570,755; USPN 7,574,000; USPN 7,587,041; USPN 7,613,290; USPN 7,633,930; USPN 7,634,422; USPN 7,650,293; USPN 7,660,307; USPN 7,660,406; USPN 7,660,407; USPN 7,672,746; USPN 7,680,264; USPN 7,701,972; USPN 7,734,783; USPN 7,752,043; USPN 7,752,508; USPN 7,769,176; USPN 7,774,854; USPN 7,787,974; USPN 7,788,286; USPN 7,792,278; USPN 7,792,671; USPN 7,801,055; USPN 7,817,795; USPN 7,822,018; USPN 7,826,608; USPN 7,836,171; USPN 7,848,524; USPN 7,853,006; USPN 7,852,994; USPN 7,853,800; USPN 7,853,753; USPN 7,864,946; USPN 7,873,156; USPN 7,881,216; USPN 7,881,471; USPN 7,882,212; USPN 7,882,217; USPN 7,885,813; USPN 7,899,178; USPN 7,899,180; USPN 7,899,176; USPN 7,904,481; USPN 7,903,568; USPN 7,904,325; USPN 7,907,142; USPN 7,913,063; USPN D606,983; USPN RE40,634; USPN RE41,534; USPN RE41,608; AU 2003214926; CA 2,474,735; CA 2,563,960; CA 2,564,127; CA 2,564,760; CA 2,567,232; CA 2,623,178; CA 2,627,060; CA 2,627,064; CA 2,628,553; EP 1096382; EP 1248449; EP 1284077; DE 1284077; FR 1284077; DE 833489; FR 833489; GB 833,489; GB 2374249; IE 84821; IE 85519; IL 13532400; NZ 534642; ZL 200520118289.3; ZL 200520118288.9; ZL 200520118287.4; and other provisional rights from one or more of the following Published U.S. Patent Applications: US 10/061,491; US 10/467,899; US 10/525,260; US 10/633,357; US 11/166,630; US 11/345,587; US 11/359,195; US 11/359,319; US 11/359,356; US 11/359,357; US 11/359,358; US 11/359,532; US 11/361,208; US 11/388,944; US 11/394,408; US 11/394,410; US 11/394,794; US 11/395,759; US 11/396,062; US 11/428,239; US 11/475,683; US 11/477,124; US 11/478,714; US 11/479,056; US 11/479,267; US 11/479,506; US 11/479,899; US 11/509,549; US 11/509,550; US 11/528,267; US 11/529,132; US 11/529,946; US 11/529,947; US 11/540,107; US 11/540,171; US 11/540,185; US 11/540,281; US 11/540,320; US 11/540,785; US 11/540,900; US 11/540,902; US 11/540,904; US 11/567,808; US 11/567,852; US 11/583,381; US 11/608,340; US 11/608,350; US 11/608,358; US 11/608,438; US 11/608,440; US 11/608,894; US 11/616,490; US 11/621,134; US 11/676,818; US 11/691,530; US 11/692,983; US 11/693,828; US 11/693,899; US 11/693,923; US 11/693,933; US 11/712,933; US 11/723,010; US 11/742,733; US 11/752,458; US 11/771,499; US 11/776,659; US 11/824,980; US 11/831,250; US 11/831,257; US 11/831,260; US 11/831,634; US 11/844,759; US 11/872,575; US 11/924,201; US 11/937,553; US 11/959,650; US 11/968,428; US 12/015,375; US 12/015,621; US 12/053,788; US 12/055,102; US 12/057,442; US 12/057,476; US 12/107,976; US 12/118,781; US 12/118,789; US 12/118,792; US 12/164,480; US 12/245,781; US 12/326,205; US 12/351,370; US 12/416,906; US 12/464,694; US 12/466,673; US 12/483,075; US 12/497,793; US 12/497,799; US 12/504,492; US 12/539,640; US 12/608,474; US 12/628,089; US 12/630,030; US 12/684,027; US 12/686,213; US 12/708,558; US 12/725,127; US 12/753,137; US 12/762,402; US 12/768,194; US 12/792,796; US 12/840,227; US 12/840,233; US 12/852,144; US 12/879,868; US 12/887,059; US 12/887,089; US 12/888,445; US 12/888,448; US 12/891,620; US 12/915,868; US 12/915,941; US 12/916,006; US 12/940,508; US 12/942,111; US 12/964,891; US 13/005,996; US 13/008,283; US 13/011,870; US 13/011,871; US 13/016,998; and other U.S. and International Patents and Patents Pending.
Contents 1 Introduction........................................ 6 System Overview............................. 7 Security Features............................. 8 RSA Key Management........................... 10 Server Authentication and Content Data Encryption................. 12 Components Without Security........................ 13 2 Preserve Security Settings During Upgrades........................ 14 Preparing the System for Upgrade....................... 15 Discovering Quality Monitoring Security Configuration..................... 15 Checking the Quality Monitoring Application Configuration................... 15 Locating Certificates, Encryption Keys, and Configuration Files................. 15 Backup Certificates, Encryption Key, and Configuration Files.................. 17 Upgrade Quality Monitoring......................... 17 Reconfiguring Quality Monitoring....................... 17 3 Passwords......................................... 20 Windows Domain Account Password...................... 21 Database Services Password......................... 21 Quality Monitoring Services Password...................... 23 Quality Monitoring with Full-time Recording Password................ 25 System Administration.................................... 25 Database.......................................... 26 Data-in-Transit Password.......................... 27 Quality Monitoring/Enterprise Reporting Secret Key................. 28 4 Quality Monitoring Services................................ 31 Services................................ 32 Services By Server.....................................33 Services Account............................. 34 Prerequisite......................................... 34 Creating a Non-Admin Account................................ 34 Configuring the BDR/Web Server Box............................. 34 Configuring erecorder Boxes................................. 35 Troubleshooting.......................................36 Command Scripts............................. 36
Contents BDR Server Command Script.................................37 erecorder Server Command Script..............................38 erecorder Audio Service...........................38 erecorder Server Without Dialogic Voice Cards........................38 erecorder Server With Dialogic Voice Cards..........................39 5 Server Hardening..................................... 40 Third Party Software............................ 41 Required Third Party Software.........................41 Java Runtime Environment 6.0 Update 18...........................41 Microsoft Data Access Components 2.8 SP1..........................41 Intel Dialogic System Release 6.0...............................41 Other Third Party Software..........................43 Dialogic DSE DL-3009 (VTG) Card Installation + Hot Fixes...................43 Interactive Intelligence COM Client..............................43 Mitel TAI API Installation...................................43 Alcatel TSAPI Client.....................................44 Avaya TSAPI Client.....................................44 Databases................................ 44 Microsoft SQL Server 2005 Standard/Enterprise Edition....................44 Oracle 10g Server Standard/Enterprise Edition.........................45 Microsoft Windows Security Features...................... 45 Internet Explorer Enhanced Security Configuration.......................45 Data Execution Prevention..................................46 Services................................ 46 Windows Server 2003....................................46 Windows Server 2008 R2...................................48 6 Security Preparation................................... 51 Before You Begin............................. 52 Software Prerequisites...........................53 7 Secure Data In Transit.................................. 54 Cipher List................................ 55 Prepare Quality Monitoring Server Certificates................... 55 Install Quality Monitoring Server Certificates.................... 55 Configure the Tomcat Server......................... 56 Command Server Configuration........................ 57 Search Service Configuration.........................57 Supervisor/Search and Replay Client Workstation Configuration............. 58 Quality Monitoring with Full-time Recording Configuration............... 58 Secure Communication with WorkForce Optimization (WFO).............. 58 Secure Content Data Transmission Configuration.................. 59 Enable Secure Communications........................ 61 8 Certificate Management.................................. 62 Required Certificates............................ 63 Public Certificate Authority..........................63 Quality Monitoring Configuration Guide 4
Contents Private Certificate Authority..........................64 Generate and Sign Server Certificate...................... 65 Install Server Certificates.......................... 66 Verify RSAProvider.cfg Contains the Certificate and Password..................67 Import to JRE............................... 68 Import to the Windows Certificate Store..................... 68 Import into Microsoft Internet Explorer...................... 69 Revoke Certificates............................. 71 Compromised Certificate Authority Certificate.........................71 Compromised Server Certificate...............................72 Update Expired Certificates..........................73 Update Certificate Authority Certificate............................73 Update Server Certificates..................................73 9 Secure Data At Rest.................................... 74 Prepare Server Certificates..........................75 Install and Configure KMS..........................75 KMS SSL Connection Configuration..............................75 KMS Properties in IIS Configuration..............................76 KMS Security Policies for erecorder Machines.........................76 Enable Content Encryption..........................80 10 Pause and Resume Recording............................... 81 Introduction............................... 82 Pausing and Resuming Contact Recording..................... 82 Pause/Resume Requestors.......................... 82 PauseRecord and ResumeRecord Events..................... 83 Multiple Contacts Recording the same Workspace.................. 83 Transferred Calls............................. 84 Pause and Resume Recording using AIM..................... 84 Pause and Resume Recording from an External Application............... 84 Full-time Recording............................. 85 Playing Back Paused Contacts......................... 85 Quality Monitoring Configuration Guide 5
Chapter 1 Introduction This chapter introduces security for Quality Monitoring. This guide contains key information for setting up a secure Quality Monitoring environment that complies with the requirements of the PCI data security standard. This guide does not describe the installation and administration of the RSA Key Manager server. For RSA Key Manager instructions, see the documentation that accompanies the RSA Key Manager installation DVD. This chapter describes the following topics: System Overview, page 7 Security Features, page 8 RSA Key Management, page 10 Server Authentication and Content Data Encryption, page 12 Components Without Security, page 13
Chapter 1 - Introduction System Overview System Overview The primary functions of the Quality Monitoring system include recording, archiving, replaying and evaluating interactions between contact center agents and customers. These interactions can be recorded as telephone audio data, telephony and contact metadata, screen images of agents' desktop PCs, and data captured from an interactive voice response (IVR) system, such as customer account information. The recorded interactions may contain personal payment card information. Therefore, as an integrated part of a company's call center operations, Quality Monitoring provides security options to help our customers meet their security requirements, such as Payment Card Industry (PCI) security compliance. Quality Monitoring can record telephone calls by analyzing computer telephony integration (CTI) events received from telephony switches and/or by processing call control messages, as well as audio data received either on the network adapter cards or voice cards of a PC. Quality Monitoring can also record screen images of agents' desktop PCs by deploying Screen Capture modules on agents' desktop PCs to capture the screen images and to transfer them to recorder servers. In addition, Quality Monitoring can archive the recorded data on various storage devices and retrieve recorded data. Quality Monitoring can also monitor agent interactions in real-time, known as Live Monitoring. Quality Monitoring Configuration Guide 7
Chapter 1 - Introduction Security Features Quality Monitoring components consist of a set of logical servers, which can be deployed on a single machine or can be deployed on multiple machines in a large enterprise environment. These servers include: BDR Server - Its primary functions include interfacing with customer's telephony infrastructure, translating CTI events, consolidating metadata to databases, and instructing recorders to record calls based on configured business rules. The BDR Server machine contains the Web Server, Search Server and Command Server as well. erecorder Server - Its primary functions include capturing media data and storing them on local hard drives, compressing the media data, and archiving recorded media as well as serving recorded content to replay and live monitor applications. Database Server - Its primary functions include storing recorded metadata and Quality Monitoring configurations. Quality Monitoring supports both SQL Server and Oracle databases. Key Management Server - Its primary functions include generating, supplying, and managing symmetric encryption keys for components of the Quality Monitoring. This is a third party software application provided by RSA, the Security Division of EMC. Security Features A set of security features has been implemented in the Quality Monitoring system. These features are mostly optional and configurable. The objective is to secure recorded customer sensitive information such as payment card information, as well as application authentication parameters. Security requirements often vary from customer to customer. Even for standard compliance, such as PCI, requirements on security technology and configuration depend on the security policies, procedures, and network configurations of each customer's environment. Instead of providing a checklist of security configurations for a specific security compliance requirement, the rest of this document focuses on the security features included in the Quality Monitoring system, and how to configure them. Security administrators of call centers must decide, based on their particular security policies, what security features need to be enabled. Quality Monitoring Configuration Guide 8
Chapter 1 - Introduction Security Features Quality Monitoring security features include: Optional encryption of recorded data persisted on any storage device of the Quality Monitoring Recording Systems using the standard AES256 algorithm and RSA Security Enterprise Key Manager (Encryption of Data at Rest). Optional encryption using standard AES256 technology of captured screen images of agent desktop PCs before transmitting these images to screen recorders (Encryption of Data in Transit). Optional encryption using standard AES256 technology of call screen and audio data sent to supervisor desktops during call replaying and live monitoring (Encryption of Data in Transit). Optional encryption of communication between client applications and server components, including the ability to encrypt all application administration commands and data (Encryption of Data in Transit). Quality Monitoring uses standard security technologies such as SSL/TLS to secure these communication lines. Ability to pause and resume recording of sensitive content from an external source, such as an application running on the agent desktop. Comprehensive auditing of Quality Monitoring user activities, including changes to system configuration parameters, reviewing interactions, evaluating agents, and deleting recorded interactions and evaluations. User account and password policies, which include role-based administrative accounts, account lockout, password length, and password complexity, set within the System Administrator module. Changeable application account logon credentials. This includes Windows accounts, Database accounts, and Application Administration accounts. All logon credentials stored on hard drives are encrypted. Successful operation in locked-down servers and networks based on the benchmarks provided by the Center for Internet Security. This includes: a. the documentation of a minimum list of services and protocols necessary for recording systems b. identification of the Windows Services/Privileges, protocols, and ports required to install or run the Quality Monitoring System c. thorough testing in locked-down environments, based on benchmarks published by the Center for Internet Security Quality Monitoring Configuration Guide 9
Chapter 1 - Introduction RSA Key Management RSA Key Management The encryption of data at rest uses the RSA Key Management software for the generation, update, and management of symmetric encryption keys. RSA Key Management software consists of key management server(s) (KMS) and key management clients (KMC). An RSA key management server, or servers for scalability and/or redundancy, serves as a centralized key management module for configuring key policies and managing the generation, update, and archiving of encryption keys. An RSA KMS is typically deployed on a standalone PC. RSA key management clients are API libraries, deployed on application servers, which provide functions for encryption key-aware applications, such as Recorder components, to communicate via SSL with KMS, and to get and cache encryption keys. RSA KMC libraries are installed on the erecorder servers by the Quality Monitoring installation program. Quality Monitoring Configuration Guide 10
Chapter 1 - Introduction RSA Key Management The RSA Key Manager is built on a highly scalable and fault tolerant architecture that includes the following components: The Key Manager Server: Securely stores, generates, manages and brokers access to cryptographic keys. The Key Manager Client: This is a development library of encryption and key-retrieval functions. The KMC library is embedded in the Quality Monitoring installation. It provides configurable key caching features to store active encryption keys, in encrypted format, in memory or on local file system. This feature significantly reduces the network traffic between KMS and applications. The Key Manager Administration Console: This is an interface for administrators to manage the KMS. The Database Server: Provides database services for an RSA Key Manager deployment and hosts the Key Manager Server Datastore and Keystore. The Datastore : This is a persistent storage area for all administrative and operational information. The Keystore : This is a separate database for storage of cryptographic keys. All keys are stored in encrypted form-encrypted using a key encryption key (KEK). The Key Manager Server and Database can be deployed either on separate machines or on the same machine. To reduce server footprint, the Key Manager server and Key Manager database can also be deployed on one of the Quality Monitoring system machines. At this time only SQL is supported at the key management database. The following is the minimum hardware required for the KMS: Processor: 1.6 GHz CPU Hard Disk Drive: 20 GB Memory: 2GB of RAM Base Operating System: Windows 2003 Server R2 It is critical that the customer is made aware of the importance of maintaining the keys used for encryption. They must ensure that backup and maintenance strategies are in place with the key management system. If the keys are lost then ALL recordings will be put beyond reach. More information on RSA Key Management software can be found in the RSA Key Manager Server Administration Guide and in the RSA Key Manager Installation Guide included on the RSA Key Manager Server installation DVD. Quality Monitoring Configuration Guide 11
Chapter 1 - Introduction Server Authentication and Content Data Encryption Server Authentication and Content Data Encryption Server Authentication and Data Encryption features are added to authenticate and encrypt the data transmitted over the network between the erecorder, Search and Replay and Screen Capture Module. Server Authentication occurs between the erecorder and the Screen Capture module, after establishing a successful connection. The erecorder sends the authentication code, which is read from Server.wss file, in encrypted form to the Screen Capture module. The Screen Capture module validates this code with the code read from Agent.wss file. If the code matches, then the Screen Capture module authenticates the connection and begins the video capturing. If the authentication fails, it closes the socket connection. Data Encryption encrypts data transmitted over the network between the erecorder, Search and Replay, and Screen Capture Module using AES256 Encryption. When the server is configured for Secure Communications, Server Authentication and Data Encryption are enabled. The communication password is stored in encrypted form in Server.wss, Client.wss and Agent.wss security files. Initially these files are deployed with default password 'witness'. Server.wss file is installed as part of erecorder installation, and on each erecorder in multi-node case. Client.wss is installed as part of Web Server installation. Agent.wss is installed as part of Screen Capture Module installation. Quality Monitoring Configuration Guide 12
Chapter 1 - Introduction Components Without Security Components Without Security Quality Monitoring does not secure the following data and/or communications: Recording control and tag messages sent to Quality Monitoring from external sources via the Quality Monitoring Connect adapter Socket communications between the BDR and erecorder servers Communications between Quality Monitoring servers and external database servers (these communications are protected by authentication but not encryption) Quality Monitoring Configuration Guide 13
Chapter 2 Preserve Security Settings During Upgrades If you have implemented secure access to Quality Monitoring information in a previous release, you can keep the configuration intact during an upgrade to the current release. All of the security features of the previous release are included in the current release. Depending on the release being upgraded, the current release can be configured to the same level of security or higher. This chapter outlines the steps needed to preserve the security level when upgrading from Quality Monitoring 7.8 SP1 or Quality Monitoring 10.1.2 to Quality Monitoring 11. For older releases of Quality Monitoring (7.7 SP1 or 7.7 SP2), sections of the chapter that point to securing Tomcat can be used. If the release is older than Quality Monitoring 7.7.1, you must configure security as documented elsewhere in this guide. This chapter describes the following topics: Preparing the System for Upgrade, page 15 Upgrade Quality Monitoring, page 17 Reconfiguring Quality Monitoring, page 17
Chapter 2 - Preserve Security Settings During Upgrades Preparing the System for Upgrade Preparing the System for Upgrade This section provides instructions on what needs to be done to prepare an existing Quality Monitoring system for upgrading to the current release. Discovering Quality Monitoring Security Configuration There are different types of security configurations, such as certificate deployment and public versus private certificates. It is important to understand the current configuration before upgrading. Checking the Quality Monitoring Application Configuration Use the following steps to discover the current security configuration: 1 Check if Secure Communication and\or Enable Recording Content Encryption on Disk (Data At Rest) are enabled. Login to Quality Monitoring and go to System Administration. Go to Root Settings > Security tab. If Secure Communication is enabled, you are using certificates to secure the communication between the Client to the Command Server and BDR Server. This also means that media data in transit is being encrypted during transfer from Screen Capture to the erecorder and from the erecorder to the Client for Playback and Live Monitor. If Enable Recording Content Encryption on Disk is checked, Data at Rest is configured. Locating Certificates, Encryption Keys, and Configuration Files After you confirm that Secure Communications and\or Data At Rest are enabled, you need to locate the certificates, encryption, and configuration files used to configure Quality Monitoring for security. Depending on the system configuration, there could be a mix of public or private certificates used at your site. It depends on how you deployed certificates to secure Quality Monitoring, so it is important to understand the system configuration. The following steps determine the location of the certificates used: 1 Check the Tomcat Server.xml file for the certificate used for HTTPS. Go to <drive>:\tomcat\conf. Open the server.xml file. Locate the Connector Port used for secure communication with Tomcat. This port is usually 8443. Within the Connector check for 'keystorefile' attribute. It will have the location of the certificate used to secure communications with Tomcat. Note the location of this file for later use. Quality Monitoring Configuration Guide 15
Chapter 2 - Preserve Security Settings During Upgrades Preparing the System for Upgrade 2 Search for the certificate used to secure Search Server RMI communications. Open the Windows Registry. Locate the key: HKEY_LOCAL_MACHINE\SOFTWARE\Witness\eQuality\Quality Monitoring Search Service. Locate the Bitsize key and open. Locate the keyword '-Djavax.net.ssl.keyStore'. This value will contain the location of the certificate used to secure the Search Server. Note the location of this file for later use. 3 Check the Command and BDR Servers for the certificate used to secure Socket communications. Go to the directory <QM installation folder>\qm\ and open the file 'CertConfiguration.xml'. It has the location of the certificates being used by the Command and BDR Servers. This location is usually <QM installation folder>\qm\qmcerts. There should be two files in this directory. Both are the same certificate in different formats. The Command and BDR Servers used the certificate formatted with the.pem extension, but you need to keep the other certificate because it may be used by other components. Note the location of these files for later use. 4 Check the erecorder\kmc certificate used for Data at Rest Media encryption. Go to the directory <QM installation folder>\qm\conf\security. There should be two certificates in this directory. Note the location of these files for later use. 5 Locate the Encrypted password files used to encrypt Data in Transit (Media Data). To locate the file used by the erecorder to decrypt and encrypt media data, go to directory <drive>:\program files\witness\qm and locate the file name 'server.wss'. Note the location of this file for later use. To locate the file used by the Client for Playback and Live Monitor to decrypt media data, go to directory <drive>:\tomcat\webapps\qm\applets and locate the file name 'client.wss'. Note the location of this file for later use. To locate the file used by the Agent Capture to encrypt media data, go to directory '<drive>:\program Files\Witness Systems\Screen Capture Module' and locate the file name 'agent.wss'. Note the location of this file for later use. 6 Locate the configuration file that contains the password used to authenticate communications with Enterprise Reporting and a certificate location. Go to the directory <QM installation folder>\qm and open the file 'ERConfiguration.xml'. It has the password that is used to authenticate communication with ER and it has the location of the certificate used to communicate with ER. Note the location of this file for later use. Quality Monitoring Configuration Guide 16
Chapter 2 - Preserve Security Settings During Upgrades Upgrade Quality Monitoring Backup Certificates, Encryption Key, and Configuration Files Now that all certificate, encryption and configuration file locations have been discovered, you can backup the certificates, encryption key, and configuration files used by the installed version of Quality Monitoring. 1 Create a Certificate Backup directory. 2 Copy the following files to the backup directory: Tomcat server.xml CertConfiguration.xml ERConfiguration.xml server.wss client.wss agent.wss certificate files This is a preventative step in case some of the certificates, encryption key, or configuration files are overridden during the upgrade. Upgrade Quality Monitoring Upgrade to the latest release of Quality Monitoring. Install the new default JRE required for Quality Monitoring Services and use the Quality Monitoring installer to upgrade the Quality Monitoring software. Reconfiguring Quality Monitoring After the Quality Monitoring install is finished and the machine reboots, you need to do the following: 1 Stop all Quality Monitoring services. 2 Check to see if any certificates have been erased during the install. If a certificate is not present, copy the certificates to the proper directories: Command and BDR Server certificates need to be copied to the location indicated in the file CertConfiguration.xml. The location of the certificate is usually <drive>:\program files\witness\qm\qmcerts, but this can be different depending on the previous system configuration. Check the backup CertConfiguration.xml file and configure the new CertConfiguration.xml file accordingly and save. Copy the certificates for the Command and BDR Server to the directory as configured in the CertConfiguration.xml file. Quality Monitoring Configuration Guide 17
Chapter 2 - Preserve Security Settings During Upgrades Reconfiguring Quality Monitoring erecorder certificates need to copied to <QM installation folder>\qm\conf\security on each erecorder. The KMS certificate does not need changing if the certificate has not expired. To add a new certificate to KMS, see Install Server Certificates, page 66. Tomcat certificate needs to be copied to the directory specified in the Connector port used to secure HTTP (HTTPS) communications in the server.xml file. Search Server certificate needs to be copied to the previously noted location. 3 With the certificates copied to their previous locations, Tomcat needs to be reconfigured to support HTTPS. Open the server.xml file in the Backup directory. Search for 'Connector port="8443"' in this file. Copy the attributes and values of 'keystoretype', 'keystorefile', and 'keystorepass'. If keystorepass is not present, there is no worry; it's using the default certificate password. Got to <drive>:\tomcat\conf and open the server.xml file. Search for 'Connector port="8443"' in this file. Remove the symbols '<!--' and '-->' from above and below the connector. Paste the text copied from the old Server.xml exactly as it appears to the Connector in the current Server.xml file. Close both Server.xml files. You will be prompted to save the changes in the modified Server.xml file. 4 Search Server needs to be properly reconfigured for secure communications. Go to <QM installation folder>\qm\cautility and open the file ConfigSSLForSearch.reg. Make sure that it is pointing to the correct location for the certificate it will use. Also ensure that Search Server is pointing to the JRE being used by the QM Server Components. If either is incorrect, correct the locations. Also if the certificate is using a password other than the default, enter the correct password with the key -Djavax.net.ssl.keyStorePassword=[Password]. Save the changes to the file. Double click on the registry file and Windows will update the Registry with the proper change corrections. 5 The JRE used for the Quality Monitoring Server Components need to have the CA certificate imported into its certificate store. Go to the directory <QM installation folder>\qm\cautility. Unzip the zip file ImportCACertToJREandWindowsCertStores.zip into the current directory. Execute the command file 'ImportCACertToJRE.cmd' passing the parameters of the JRE location to insert the CA certificate and the location of the CA certificate. Quality Monitoring Configuration Guide 18
Chapter 2 - Preserve Security Settings During Upgrades Reconfiguring Quality Monitoring 6 Data in Transit needs to be configured for the upgraded system. If the customer is using the default password to encrypt data in transit, no action is needed as the files install will contain the default password. If a new password is needed, see Secure Data In Transit, page 54. Otherwise if you want to use the same files (i.e. use the same modified password), follow the steps below: Copy the file 'Server.wss' from the backup directory to <QM installation folder>\qm on every machine the erecorder is installed. Copy the file 'Client.wss' from the backup directory to <drive>:\tomcat\webapps\qm\applets for Tomat. Copy the file 'Agent.wss' from the backup directory to the directory '<drive>:\program Files\Verint Systems\Screen Capture Module' on every machine used for Screen Capture. 7 Configure Quality Monitoring to communicate with Enterprise Reporting, as it has changed in the current release. If the certificate for the Enterprise Reporting server was created by a CA other than the CA used for the Quality Monitoring server, import the certificate into the Windows Certificate Store using the command 'ImportCaCertToWindows.cmd' passing the location of the CA certificate. One change from previous release is that the EREncyptionKey itself is encrypted. Copy the password from the backup ERConfigutation.xml. Open the encryption tool 'PwdGenerator.exe' located in the directory <QM installation folder>\qm. Use the PwdGenerator tool to encrypt the Enterprise Reporting password and place the encrypted password in the ERConfiguration.xml file and save. 8 Configuring Supervisor's desktops if using a new JRE. If you are going to use a new JRE, import the CaCert from the CA used to secure Quality Monitoring into the new JRE. Use the script 'ImportCaCertToJRE.cmd' file to import the CaCert into the JRE. 9 Start all Quality Monitoring Services and test the system. Quality Monitoring Configuration Guide 19
Chapter 3 Passwords After installation, you should change the Quality Monitoring application password from the default to a new password you define. This chapter describes the following topics: Windows Domain Account Password, page 21 Database Services Password, page 21 Quality Monitoring Services Password, page 23 Quality Monitoring with Full-time Recording Password, page 25 Data-in-Transit Password, page 27 Quality Monitoring/Enterprise Reporting Secret Key, page 28
Chapter 3 - Passwords Windows Domain Account Password Windows Domain Account Password You can change the Windows domain account password for each Quality Monitoring server. When changing the login credentials for multiple servers, make all changes simultaneously. You do not need to reboot the servers after the password is updated. To change the Windows domain account password: 1 Log into the server and proceed as if you were going lock the workstation, but instead of choosing Lock Workstation choose Change Password. If you logging in remotely to the server, go to Start > Settings > Windows Security and click Change Password. 2 Enter in a new password and confirm it. The password must meet the domain minimum requirements. 3 Return to the desktop. 4 Select the Services icon in the Quick Launch Toolbar or select Start > Settings > Services. 5 Sort the services window by the "Log On As" column. 6 Change the passwords for the services that are logged on using the Windows domain user authentication: a. For each service you need to change, select Properties from the right-click menu. b. Update the Password and Confirm Password fields and click OK. 7 Stop and restart Quality Monitoring services. 8 Launch Quality Monitoring to verify access. Database Services Password To change the password used by the Quality Monitoring services: 1 On the Database server, reset the password for the user name that is used by the Quality Monitoring application. 2 On the Quality Monitoring server, launch the PwdGenerator.exe tool from the Quality Monitoring installation directory, typically <Program Files>\Witness\QM. Quality Monitoring Configuration Guide 21
Chapter 3 - Passwords Database Services Password 3 Type the new password. The password must be identical to the password you set on the Database server. 4 Click Generate. The encrypted password is printed in the Encrypted password field. 5 Click Copy to clipboard to place the encrypted password onto the Windows Clipboard. 6 Open the Windows Registry Editor Tool (Run > regedit) and navigate to the following registry key: For 32-bit Operating Systems: HKLM\Software\Witness\BDR\Database: Password. For 64-bit Operating Systems: HKLM\Software\Wow6432Node\Witness\BDR\Database: Password. Quality Monitoring Configuration Guide 22
Chapter 3 - Passwords Quality Monitoring Services Password 7 Right-click on Password and select Modify. Paste the newly encrypted password and press OK. 8 Restart the Quality Monitoring services. Quality Monitoring Services Password It is recommended to use a Domain level account for Quality Monitoring Services if you are not using the Local System account. To change the password of the Quality Monitoring Service accounts: 1 On the BDR Sever, start the Services Manager. 2 Locate the Quality Monitoring services and right-click on the Quality Monitoring Apache Tomcat Service and select Properties. Quality Monitoring Configuration Guide 23
Chapter 3 - Passwords Quality Monitoring Services Password 3 Open the Log On tab. 4 Type the new password in the Password and Confirm Password fields. 5 Click OK. 6 Repeat the process for the other remaining Quality Monitoring services to update the service with the correct Log On account information. Quality Monitoring can be deployed on multiple servers; remember to change the Log On account information on all deployed servers. The other services that are apart of Quality Monitoring are: Quality Monitoring BDR Service Quality Monitoring Command Service Quality Monitoring erecorder Service Quality Monitoring erecorder Video Service Quality Monitoring erecorder Audio Service Quality Monitoring Search Service Quality Monitoring Configuration Guide 24
Chapter 3 - Passwords Quality Monitoring with Full-time Recording Password Quality Monitoring with Full-time Recording Password Changing the password that allows Quality Monitoring to connect with Viewer is usually handled in the database upgrade scripts and with System Administration. Usually, you can change the password using system administration. If that does not work for your deployment, you can also use the database. System Administration To change the password using System Administration: 1 Log into Quality Monitoring. 2 Select System Administration. 3 Select Root Settings > General tab. 4 Click Edit. 5 Scroll down the page to the QM with Full-Time Recording section. 6 Type the new password and click Submit. 7 Confirm the changes. Quality Monitoring Configuration Guide 25
Chapter 3 - Passwords Quality Monitoring with Full-time Recording Password Database When you cannot use System Administration to change the password, you can use the database. To change the password using Microsoft SQL: 1 On the Database server, open the Microsoft SQL Server Management Studio. 2 Click New Query. 3 Select witness from the database drop down. 4 Run the following query: select * from registry_value where registry_key_pk = 69 and name like 'Password'. 5 Check the value in the String_Value column. If the password is not encrypted, highlight and copy the password from the String_Value column and follow steps 2-5 of Database Services Password, page 21 with the following exception; instead of typing the password, paste the password copied from the database. 6 Run the following query to update the String_Value with the newly encrypted password: update registry_value set string_value = 'ENCRYPTED PASSWORD' where registry_key_pk = 69 and name like 'Password'. To change the password using Oracle: 1 On the Database server open SQLPlus. 2 Log into the qm database. 3 Run the following query: select * from registry_value where registry_key_pk = 69 and name like 'Password';. 4 Check the value in the String_Value column If it is not encrypted, highlight and copy the password from the String_Value column and steps 2-5 of Database Services Password, page 21 with the following exception; instead of typing the password, paste the password copied from the database. 5 Run the following query to update the String_Value with the newly encrypted password: update registry_value set string_value = 'ENCRYPTED PASSWORD' where registry_key_pk = 69 and name like 'Password';. Quality Monitoring Configuration Guide 26
Chapter 3 - Passwords Data-in-Transit Password Data-in-Transit Password The communication password can be changed using the wsschangepassword.exe utility, which is installed as a part of the erecorder installation. This utility generates a new set of the security files for a new password. To change the password: 1 Copy the wsschangepassword.exe and server.wss files to any temporary directory. 2 Run wsschangepassword.exe. 3 Type the current password and then type and re-type the new password in the appropriate text boxes. 4 Click OK. The system overwrites the old files and generates a new set of Server.wss, Agent.wss and Client.wss files. 5 Copy the Server.wss file to each erecorder node in the erecorder installed directory. 6 Copy the Agent.wss file to each Screen Capture module-installed machine in the Capture installed directory. This file can be copied in to different directories, as long as the following registry value is pointing to the correct directory: 32-bit Operating System: HKLM\Software\Witness Systems\eQuality Agent\Capture\Current Version\WSSPath 64-bit Operating System: HKLM\Software\Wow6432Node\Witness Systems\eQuality Agent\Capture\Current Version\WSSPath Quality Monitoring Configuration Guide 27
Chapter 3 - Passwords Quality Monitoring/Enterprise Reporting Secret Key 7 Copy the Client.wss file to Web Server in the.\tomcat\webapps\qm\applets directory. If the Quality Monitoring Supervisor client is installed onto a supervisor machine, then copy the Client.wss file to each Supervisor machine. Quality Monitoring/Enterprise Reporting Secret Key To use single sign on from Quality Monitoring to Enterprise Reporting, requires identity verification of the requestor. This verification involves a key that encrypts a token which is passed from Quality Monitoring to Enterprise Reporting. To change the key: 1 On the BDR Server, open the ERConfiguration.xml file located at <drive>:\program Files\Witness\QM in Notepad. Quality Monitoring Configuration Guide 28
Chapter 3 - Passwords Quality Monitoring/Enterprise Reporting Secret Key 2 On the Quality Monitoring BDR server, launch the PwdGenerator.exe tool from the Quality Monitoring installation directory, typically <Program Files>\Witness\QM. 3 Type the new password. 4 Click Generate. The encrypted password is printed in the Encrypted password field. 5 Click Copy to clipboard to place the encrypted password onto the Windows Clipboard. 6 Replace the current password with the new generated password between the xml tags <EREncryptionKey> and </EREncryptionKey>. 7 Save your changes. 8 After this key is changed, you must change the corresponding Key in Enterprise Reporting or the verification process will fail. To update Enterprise Reporting with the new key: 1 On the Enterprise Reporting sever, open the file witness-portal.properties located at <drive>:\program Files\Verint Systems\Enterprise Reporting\ApplicationServer\webapps\ws_portal\WEB-INF\conf. Quality Monitoring Configuration Guide 29
Chapter 3 - Passwords Quality Monitoring/Enterprise Reporting Secret Key 2 Locate the variable "secret.password". 3 Change the value to match the key used in Quality Monitoring. This value is the decrypted key, not the encrypted version. 4 Save your changes. 5 Restart the Enterprise Reporting service. Quality Monitoring Configuration Guide 30
Chapter 4 Quality Monitoring Services This chapter describes the following topics: Services, page 32 Services Account, page 34 Command Scripts, page 36 erecorder Audio Service, page 38
Chapter 4 - Quality Monitoring Services Services Services Quality Monitoring services can be configured with service recovery options set to Restart the Service on the first, second and subsequent failures after 1 minute. It is recommended to start the services in the following order: 1 Dialogic service [can be set to Automatic startup except for Quality Monitoring erecorder servers with Dialogic DSE DL-3009 (VTG)] 2 erecorder service 3 erecorder Audio service 4 erecorder Video service 5 BDR service On Quality Monitoring erecorder server with Dialogic DSE DL-3009 (VTG), the DSE Loader service should be set to Automatic startup and the Dialogic service should be set to Manual startup. After a reboot start DCM and let it load the firmware, and then start the Dialogic service. If the following Quality Monitoring services are set to manual (some environments require this due to Dialogic dependency). Quality Monitoring BDR Service Quality Monitoring erecorder service Quality Monitoring erecorder audio service Quality Monitoring erecorder video service The services should be started in the following order: Quality Monitoring erecorder service Quality Monitoring erecorder audio service Quality Monitoring erecorder video service Quality Monitoring BDR Service Quality Monitoring Configuration Guide 32
Chapter 4 - Quality Monitoring Services Services Generally Quality Monitoring services on a Quality Monitoring server can be set to Automatic startup after setting up dependencies to ensure the recommended startup order is as follows: 1 Database software 2 Dialogic software (if applicable) 3 erecorder service 4 erecorder audio service and erecorder video service 5 BDR service 1 The Quality Monitoring services not mentioned in the above list should be set to the Automatic startup. 2 In some cases setting service dependencies may not provide the necessary delays resulting in errors during services startup. In such cases customized solutions (e.g. using startup scripts) may be needed. Optionally, the services may be changed to the manual startup. Services By Server Make sure the following applicable services are running at startup: BDR Server Third Party erecorder Server Quality Monitoring Apache Tomcat Quality Monitoring BDR Service Quality Monitoring Command Service Quality Monitoring Search Service SQL Server (if applicable) SQL Server Agent (if applicable) Oracle services (if applicable) Dialogic System Service (if applicable) Quality Monitoring erecorder Audio Service Quality Monitoring erecorder Service Quality Monitoring erecorder Video Service Quality Monitoring Configuration Guide 33
Chapter 4 - Quality Monitoring Services Services Account Services Account Prerequisite This section provides instructions for creating and using a least privileged user account to be used as the service logon account. This will allow customers to adjust their services to be less vulnerable. We will refer to this account as the Quality Monitoring Services Non-Admin account. This account should be used for running all services. This can be a local account (for a single-box Quality Monitoring solution) or a domain account (for a multi-box Quality Monitoring solution). This chapter describes the following topics: Prerequisite, page 34 Creating a Non-Admin Account, page 34 Configuring the BDR/Web Server Box, page 34 Configuring erecorder Boxes, page 35 Troubleshooting, page 36 Quality Monitoring has been installed successfully using an account with Administrative privileges. Creating a Non-Admin Account Create a non-admin account; meaning a domain account that has no administrative or power user privileges to any of the BDR server or erecorder boxes. Configuring the BDR/Web Server Box The goals are to: grant the non-admin account the necessary permissions to access the QM and Tomcat directories, as well as the NT Registry keys. configure the Quality Monitoring BDR and Quality Monitoring Apache Tomcat Services to be run under the non-admin account. On the BDR Server box: 1 Copy the ServicesRunUtility folder from the installation DVD "Third Party Components" folder and paste it to the local QM directory. 2 Open the Command window. 3 Navigate to the ServicesRunUtility directory under the installed QM directory and run the following command line: Quality Monitoring Configuration Guide 34
Chapter 4 - Quality Monitoring Services Services Account Set_BDR_Logon_and_Permissions.cmd <non_admin_account> <password> <full_path_to_qm> <full_path_to_tomcat> where: <non_admin_account> = the non-admin account including the domain name. Example: witness\qmclient <password> = the password for the non-admin account. <full_path_to_qm> = the full path to the QM directory. Example: C:\Program Files\Witness\QM. <full_path_to_tomcat> = the full path to installed Apache Tomcat directory. Example: C:\Tomcat. 4 Log off the admin account on the BDR/Web box and log in non-admin account. Configuring erecorder Boxes The goals are to: grant the non-admin account the necessary permissions to access the erecorder directories. configure the Quality Monitoring erecorder Audio Services and Quality Monitoring erecorder Video Services to be run under the non-admin account. On every erecorder box: 1 Copy the ServicesRunUtility folder from the installation DVD "Third Party Components" folder and paste it to the local QM directory. 2 Open the Command window. 3 Navigate to the ServicesRunUtility directory under the installed QM directory and run the following command line: Set_eRecorder_Logon_and_Permissions.cmd <non_admin_account> <password> <full_path_to_qm> <full_path_to_ecorder> where: <non_admin_account> = the non-admin account including the domain name. Example: witness\qmclient <password> = the password for the non-admin account. <full_path_to_qm> = the full path to the QM directory. Example: C:\Program Files\Witness\QM. <full_path_to_ecorder> = the full path to the predefined ecorder directory. Example: D:\eCorder\01. 4 Log off the admin account on the erecorder boxes and log in non-admin account. Quality Monitoring Configuration Guide 35
Chapter 4 - Quality Monitoring Services Command Scripts Troubleshooting 1 Cannot playback contacts on the Quality Monitoring server if it was logged on with the non-admin account. During contact playback, Quality Monitoring downloads some libraries (such as witcanvas.dll, winhttp.dll, ) to the local machine. Quality Monitoring needs permission to write the content cache and log file. The non-admin account needs full control permissions on the Log, Content, and Playback folders. These folders are configured in the System Administration application by the System Administrator. By default, the folder is <JRE_Directory>\bin. 2 Cannot start Quality Monitoring services. Make sure that you provided the correct password during execution of Set_BDR_Logon_and_Permissions.cmd and Set_eRecorder_Logon_and_Permissions.cmd. Command Scripts There are two sets of command scripts: BDR Server and erecorder(s). These commands use SetACL, DComPerm, NtRights and SC utilities: SetACL: This utility is a freeware (http://setacl.sourceforge.net) for Window Permission Management. It is used for granting permissions to directory, registry and services to users. This utility has some advantages over SubInACL from Window Resource Kit, such as inherited permission. DComPerm: This utility is built on SDK sample (http://msdn2.microsoft.com/en-us/library/aa242178.aspx). It is used to set DCOM access rights. NtRights: This utility is from the Windows Resource Kit (http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4 AE7-96EE-B18C4790CFFD&displaylang=en). It is used to manage NT user rights. SC: It is a command line utility used for communicating with Service Control Manager and services. Quality Monitoring Configuration Guide 36
Chapter 4 - Quality Monitoring Services Command Scripts BDR Server Command Script This script is Set_BDR_Logon_and_Permissions.cmd. Set_BDR_Logon and_permissions.cmd will do the following: Give the user full control privileges to the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Witness: This is for Quality Monitoring on 32-bit operating systems. HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Witness: This is for Quality Monitoring on 64-bit operating systems. HKEY_CLASSES_ROOT\AppID: This is for Quality Monitoring services on 32-bit operating systems. HKEY_CLASSES_ROOT\Wow6432Node\AppID: This is for Quality Monitoring services on 64-bit operating systems. Give the user full control privileges to the following installed directories: Installed QM directory Installed QM Apache Tomcat Give the user full control privileges to the following Quality Monitoring services: Quality Monitoring Command Service Quality Monitoring Search Service Quality Monitoring BDR Service Quality Monitoring Apache Tomcat Give the user launch permission for DCOM: Edit Limits Local Launch Local Activation Remote Launch Remote Activation Edit Defaults Allow Allow Allow Allow Grant the user to log on as service. Change the logon account to start services. Quality Monitoring Configuration Guide 37
Chapter 4 - Quality Monitoring Services erecorder Audio Service erecorder Server Command Script This script is Set_eRecorder_Logon_and_Permissions.cmd. Set_eRecorder_Logon_and_Permissions.cmd will do the following: Give the user full control privileges to the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Witness: This is for Quality Monitoring on 32-bit operating systems. HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Witness: This is for Quality Monitoring on 64-bit operating systems. HKEY_CLASSES_ROOT\AppID: This is for Quality Monitoring services on 32-bit operating systems. HKEY_CLASSES_ROOT\Wow6432Node\AppID: This is for Quality Monitoring services on 64-bit operating systems. Give the user full control privileges to the following directories: Installed QM directory. Predefined erecorder directory. Give the user full control privileges to the following Quality Monitoring services: Quality Monitoring erecorder Service Quality Monitoring erecorder Audio Service Quality Monitoring erecorder Video Service Grant the user to log on as service. Change the logon account to start services. erecorder Audio Service Additional considerations related to running erecorder Audio service under a non-admin account. Since the erecorder Audio service calls Dialogic Administration APIs, which requires Administrative privileges, the erecorder Audio service is usually run using LOCAL SYSTEM account or any account with administrative privileges. The process described in the previous sections configures the Quality Monitoring erecorder Audio Service to use non-admin account. The following describes when the erecorder Audio service can be configured to run under an Admin\Local System account. erecorder Server Without Dialogic Voice Cards If the erecorder server does not have Dialogic voice cards, the erecorder audio service can run under a non-admin account without any limitations. This is the case when the erecorder server is configured to support Quality Monitoring integration with NCR or ACR, or is used to record video only. Quality Monitoring Configuration Guide 38
Chapter 4 - Quality Monitoring Services erecorder Audio Service erecorder Server With Dialogic Voice Cards If the erecorder server has Dialogic voice cards, the erecorder audio service still may be configured to run under a non-admin account. However, the service will not be able to verify whether the Dialogic service is running, so you have to ensure that the Dialogic service has been started before starting the erecorder audio service. Starting the erecorder audio service while the Dialogic service is not running will result in failures on all of the audio media on the server and an inability to record or play contacts using the voice cards on the server. erecorder Audio Service Configuration After changing the other Quality Monitoring services to run under a non-admin account as described earlier do the following: Start services. Go to the Quality Monitoring erecorder Audio Service. Right-click on the service and select Properties. Select the Log On tab. Change the service account to an Admin\Local System account and click OK. Restart Quality Monitoring services. Quality Monitoring Configuration Guide 39
Chapter 5 Server Hardening The purpose of this section is to provide guidelines on how to harden all servers on which Quality Monitoring is to be deployed. This includes: All Verint Systems and third party processes required by the system (prerequisite software) Dependencies on operating system level and third party products, services, drivers, libraries, and so forth. This chapter describes the following topics: Third Party Software, page 41 Required Third Party Software, page 41 Other Third Party Software, page 43 Databases, page 44 Microsoft Windows Security Features, page 45
Chapter 5 - Server Hardening Third Party Software Third Party Software Third Party Software is 'merged' with the Quality Monitoring Server Installation. Please note that the following required third party software is automatically installed by the Quality Monitoring Server installation, if not found on the target server machine. 1 Apache Tomcat 6.0.24 Required Third Party Software The third party software listed below are prerequisites that are required to be installed on the Quality Monitoring server prior to the Quality Monitoring installation. Java Runtime Environment 6.0 Update 18 JRE 6.0 Update 18 must be installed on the machine that will function as the Quality Monitoring Web server. 32-Bit Operating System Default Installation Folder: C:\Program Files\Java\jre1.6.0_18 64-Bit Operating System Default Installation Folder: C:\Program Files (x86)\java\jre1.6.0_18 Microsoft Data Access Components 2.8 SP1 On Windows Server 2003, Microsoft Data Access Components 2.8 SP1 can only be installed by either upgrading to the latest service pack or by installing relevant windows updates. For more information, please refer to the following link on the Microsoft website that describes the MDAC 2.8 SP1 release manifest. http://support.microsoft.com/kb/899456 Intel Dialogic System Release 6.0 32-Bit Operating System Default Installation Folder: C:\Program Files\Dialogic 64-Bit Operating System Default Installation Folder: C:\Program Files (x86)\dialogic Quality Monitoring Configuration Guide 41
Chapter 5 - Server Hardening Required Third Party Software Windows Services The following services are installed as part of the Dialogic installation following instructions as mentioned in the Quality Monitoring Installation Guide. Display Name Service Name Depends On Intel Dialogic product System Service Intel Dialogic product System Service DlgPnPObserverService DlgPnPObserverService DM3Config Intel DebugAngel Intel DebugAngel None Intel Runtime Tracing Dispatcher Intel Dialogic product Boardserver Intel Runtime Tracing Dispatcher Intel Dialogic product Boardserver None DlgPnPObserverService DlgPnPObserverService DlgPnPObserverService Implementation Repository CT Bus Broker CTBusBroker Remote Procedure Call (RPC) DM3Config DM3Config CT Bus Broker IPLink Media Service IPMedia None Implementation Repository Implementation Repository None Drivers Display Name Service Name Driver File Dialogic SRAM Protocol Driver Dialogic Core Abstraction Layer Dialogic BRI2 ISDN Adapter Driver DlgcSram Dlgccore Dlgcbri <system32>\drivers\dlgc Sram.sys <system32>\drivers\dlgc core.sys <system32>\drivers\dlgc bri.sys DM3 Protocol Driver Dlgcmpd <system32>\drivers\dlgc mpd.sys DM3 Class Driver Dlgcmcd <system32>\drivers\dlgc mcd.sys DM3 Insight Driver DM3InsightDrv <system32>\drivers\dm3 InsightDrv.sys Quality Monitoring Configuration Guide 42
Chapter 5 - Server Hardening Other Third Party Software Other Third Party Software The following sections detail other third party software that could also be used with Quality Monitoring. Dialogic DSE DL-3009 (VTG) Card Installation + Hot Fixes Dialogic DSE DL-3009 (VTG) is to be installed only if using a Nortel Switch. The following services are installed by the Dialogic DSE DL-3009 (VTG) installation. Once the Dialogic DSE DL-3009 (VTG) installation is run, a dependency to the DSE Loader Service is automatically created on the Dialogic System Service. Default Installation Folder: C:\VBPC Windows Services Display Name Service Name Driver File DSE Loader Service Vbpcload Dialogic System Service Drivers Display Name DSE DL30-XX Driver File <system32>\drivers\vbpc_wdm.sys Interactive Intelligence COM Client This is usually provided by the customer; however a version (2.2) is distributed along with Quality Monitoring as part of the OEM folder on the Quality Monitoring Installation DVD. For more information, see the Quality Monitoring Integration Interactive Intelligence Guide. Default Installation Folder: C:\Program Files\Interactive Intelligence Mitel TAI API Installation This component is required only if you are using a Mitel switch. The Mitel TAI API component must be installed prior to installing BDR server components. Default Installation Folder: C:\Program Files\Mitel Networks\MiTA Quality Monitoring Configuration Guide 43
Chapter 5 - Server Hardening Databases Alcatel TSAPI Client For Alcatel Integration to work, the following files must be installed in the <Program Files>\Witness\Quality Monitoring directory after installation of the Alcatel TSAPI Client 1 csta32.dll 2 alccsta.cfg Avaya TSAPI Client For Avaya integration, the Avaya TSAPI client must be installed on the BDR server. Default Installation Folder: C:\Program Files\Avaya\CT\TS Win32 Databases For Databases that are supported, following tables list default installation folders and Windows Services installed by them. Microsoft SQL Server 2005 Standard/Enterprise Edition Default Installation Folder: C:\Program Files\Microsoft SQL Server Windows Services Display Name Service Name Depends On SQL Server (MSSQLSERVER) SQL Server Active Directory Helper SQL Server Agent (MSSQLSERVER) SQL Server Analysis Services (MSSQLSERVER) MSSQLSERVER MSSQLServerADHelper SQLSERVERAGENT MSSQLServerOLAPService None None SQL Server (MSSQLSERVER) None SQL Server Browser SQLBrowser None SQL Server FullText Search (MSSQLSERVER) SQL Server Integration Services Msftesql MsDtsServer NT LM Security Support Provider Remote Procedure Call (RPC) None Quality Monitoring Configuration Guide 44
Chapter 5 - Server Hardening Microsoft Windows Security Features Display Name Service Name Depends On SQL Server Reporting Services (MSSQLSERVER) ReportServer None SQL Server VSS Writer SQLWriter None Oracle 10g Server Standard/Enterprise Edition Default Installation Folder: C:\Program Files\Oracle Windows Services Display Name Service Name Depends On OracleCSService OracleCSService None OracleDBConsole<SID> OracleDBConsole<SID> OracleService<SID> OracleJobScheduler<SID > OracleOraDb10g_home1i SQL*Plus OracleOraDb10g_home1S NMPPeerEncapsulator OracleOraDb10g_home1S NMPPeerMasterAgent OracleOraDb10g_home1T NSListener OracleJobScheduler<SID > OracleOraDb10g_home1i SQL*Plus OracleOraDb10g_home1S NMPPeerEncapsulator OracleOraDb10g_home1S NMPPeerMasterAgent OracleOraDb10g_home1T NSListener None None None None None OracleService<SID> OracleService<SID> None ** where <SID> is the Database SID. Microsoft Windows Security Features Internet Explorer Enhanced Security Configuration For the Quality Monitoring application to work with Internet Explorer Enhanced Security Configuration, the site (http://<machine name>) must be included in the 'Local Intranet' zone or in the 'Trusted Sites' zone. Quality Monitoring Configuration Guide 45
Chapter 5 - Server Hardening Services Data Execution Prevention DEP (Data Execution Prevention) must be turned off. This setting has been introduced from Windows XP SP2 and Windows Server 2003 SP1 onwards. Services For server hardening purposes some services can be disabled on Quality Monitoring servers. Some services can not be disabled. Do not disable the services listed in this section. Windows Server 2003 For Quality Monitoring to function correctly, the following services should not be disabled on server running Windows Server 2003. Required Windows Services Application Experience Lookup Service COM+ Event System COM+ System Application Cryptographic Services CT Bus Broker DCOM Server Process Launcher DHCP Client Distributed Link Tracking Client Distributed Transaction Coordinator DNS Client Error Reporting Service Event Log IPSEC Services Logical Disk Manager Net Logon Network Connections Performance Logs and Alerts Plug and Play Remote Procedure Call (RPC) Quality Monitoring Configuration Guide 46
Chapter 5 - Server Hardening Services Remote Registry Security Accounts Manager Server Task Scheduler TCP/IP NetBIOS Helper Virtual Disk Service Windows Management Instrumentation Windows Time Workstation Required Quality Monitoring 10.1.1 Services Quality Monitoring Apache Tomcat Quality Monitoring BDR Service Quality Monitoring Command Service Quality Monitoring erecorder Audio Service Quality Monitoring erecorder Service Quality Monitoring erecorder Video Service Quality Monitoring Search Service Required Dialogic Services These services are only required on the erecorder server. DM3 Config Dialogic Boardserver Dialogic DebugAngel Dialogic Runtime Tracing Dispatcher Dialogic System Service Distributed Link Tracking Client DlgPnPObserverService Required Microsoft SQL Server 2005 Services These services are only required on the Quality Monitoring Database Server. SQL Server (MSSQLSERVER) SQL Server Agent (MSSQLSERVER) Required Oracle Services These services are only required on the Quality Monitoring Database Server. Quality Monitoring Configuration Guide 47
Chapter 5 - Server Hardening Services Oracleora102TNSListener OracleServiceQM Required RSA KMS Services These services are only required if RSA KMS is running on a Quality Monitoring Server. Tomcat5 RKMAutoStart RSA Access Manager Agent 4.7 Token Tool RSAaserver60 RSAdispatch60 RSAeserver60 RSAiserver60 RSAlserver60 Windows Server 2008 R2 For Quality Monitoring to function correctly, the following services should not be disabled on server running Windows Server 2008 R2. Required Windows Server 2008 R2 Services Base Filtering Engine COM+ Event System DCOM Server Process Launcher Desktop Window Manager Session Manager DHCP Client Distributed Link Tracking Client Diagnostic Policy Service DNS Client Function Discovery Provider Host Group Policy Client Netlogon Network Connections Network List Service Network Location Awareness Network Store Interface Service Performance Counter DLL Host Performance Logs & Alerts Plug and Play Quality Monitoring Configuration Guide 48
Chapter 5 - Server Hardening Services Power Remote Procedure Call (RPC) RPC Endpoint Mapper Security Accounts Manager Server Task Scheduler TCP/IP NetBIOS Helper User Profile Service Windows Event Log Windows Time Workstation Required Quality Monitoring 10.1.1 Services Quality Monitoring Apache Tomcat Quality Monitoring BDR Service Quality Monitoring Command Service Quality Monitoring erecorder Audio Service Quality Monitoring erecorder Service Quality Monitoring erecorder Video Service Quality Monitoring Search Service Required Dialogic Services These services are only required on the erecorder server. DM3 Config Dialogic Boardserver Dialogic DebugAngel Dialogic Runtime Tracing Dispatcher Dialogic System Service Distributed Link Tracking Client DlgPnPObserverService Implementation Repository Required Microsoft SQL Server 2008 Services These services are only required on the Quality Monitoring Database Server. SQL Server (MSSQLSERVER) SQL Server Agent (MSSQLSERVER) Quality Monitoring Configuration Guide 49
Chapter 5 - Server Hardening Services Required Oracle Services These services are only required on the Quality Monitoring Database Server. OracleJobSchedulerQM OracleOra102iSQL*Plus Oracleora102TNSListener OracleServiceQM Quality Monitoring Configuration Guide 50
Chapter 6 Security Preparation This chapter helps you prepare to implement security for Quality Monitoring. This chapter describes the following topics: Before You Begin, page 52 Software Prerequisites, page 53
Chapter 6 - Security Preparation Before You Begin Before You Begin The installation of Quality Monitoring system components automatically installs the necessary libraries and configuration files for the security features covered in this document, except for digital certificates. Digital certificates are required for SSL communications and can be obtained either from a public Certificate Authority or from a private Certificate Authority, as described in later sections of this document. The default setting for all configurable security features is Disabled. Therefore, after installation, the Quality Monitoring System operates without requiring any security certificates. For more information on installing the Quality Monitoring system, refer to the Quality Monitoring Installation Guide. To enable security features, you need to follow the guidelines in this document. Quality Monitoring Configuration Guide 52
Chapter 6 - Security Preparation Software Prerequisites Software Prerequisites The following platforms and versions of third party software are the minimum required by the Quality Monitoring System to fully achieve PCI readiness: Operating System: see the Quality Monitoring Release Notes. Database: see the Quality Monitoring Release Notes. Key Management System: RSA Key Manager 2.x Please refer to the Quality Monitoring Release Notes for more details about minimum system requirements. Quality Monitoring Configuration Guide 53
Chapter 7 Secure Data In Transit This chapter explains how to secure data in transit for Quality Monitoring. Each section describes a high level step of the procedure to configure and enable the "Secure Data in Transit" feature and should be executed in the order listed in this chapter. Some sections only apply to particular deployment scenarios (as specified in those sections). This chapter describes the following topics: Cipher List, page 55 Prepare Quality Monitoring Server Certificates, page 55 Install Quality Monitoring Server Certificates, page 55 Configure the Tomcat Server, page 56 Command Server Configuration, page 57 Search Service Configuration, page 57 Supervisor/Search and Replay Client Workstation Configuration, page 58 Quality Monitoring with Full-time Recording Configuration, page 58 Secure Communication with WorkForce Optimization (WFO), page 58 Secure Content Data Transmission Configuration, page 59 Enable Secure Communications, page 61
Chapter 7 - Secure Data In Transit Cipher List Cipher List OpenSSL: DHE-DSS-AES256-SHA AES256-SHA:AES128-SHA DHE-RSA-AES128-SHA EDH-RSA-DES-CBC3-SHA DHE-RSA-AES256-SHA DHE-DSS-AES128-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA Apache Tomcat: TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DH_DSS_WITH_AES_256_CBC_SHA TLS_DH_DSS_WITH_AES_128_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Prepare Quality Monitoring Server Certificates Obtain a PKCS#12 file, containing server cert/private key and issuing CA's certificate, from a public or private Certificate Authority for each Quality Monitoring server and copy it to the.\qm\cautility directory of the server. For instructions, see Certificate Management, page 62. Install Quality Monitoring Server Certificates On each Quality Monitoring server, after copying the PKCS#12 file to the.\qm\cautility directory and rename the file to svr_cert_key.p12. To install the Quality Monitoring Server certificates: 1 At a DOS prompt, navigate to the.\qm\cautility directory and execute installqmcert.cmd. For instructions, see Install Server Certificates, page 66. 2 Load the svr_cert_key.p12 into the Windows "Personal" certificate store using the Certificate snap-in of MMC. For instructions, see Import to the Windows Certificate Store, page 68. Quality Monitoring Configuration Guide 55
Chapter 7 - Secure Data In Transit Configure the Tomcat Server Configure the Tomcat Server 1 Locate the server.xml file under the Tomcat 'conf' directory. 2 Open the server.xml file and find the commented out SSL Connector in the Server.xml file. Search for "Connector port="8443" and uncomment the section. 3 Change the connector port settings to match the following: <Connector port="8443" protocol="http/1.1" SSLEnabled="true" maxthreads="150" scheme="https" secure="true" clientauth="false" sslprotocol="tls" keystoretype="pkcs12" keystorefile="c:\program Files\Witness\QM\QMCerts\svr_cert_key.p12" ciphers="tls_dhe_dss_with_aes_256_cbc_sha, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"/> 4 If Quality Monitoring is not installed in the default installation directory (C:\Program Files\Witness\QM), you must change the keystorefile accordingly. Where keystorefile is the full path to the PKCS#12. keystoretype is the type of the key store. We use PKCS12 in this case. 5 If the Export Password of the certificate is something other than changeit add keystorepass and the password to the Connector above: keystorepass="<certificate export password>" keystorepass is the export password of the certificate. If the certificate you configure for Tomcat is signed by a private Certificate Authority, the client browser might receive a warning stating that the certificate is not from a trusted Certificate Authority. To avoid the warning, the Certificate Authority certificate should be installed to Internet Explorer (IE) on every Supervisor machine. For instructions, see Import into Microsoft Internet Explorer, page 69. Quality Monitoring Configuration Guide 56
Chapter 7 - Secure Data In Transit Command Server Configuration Command Server Configuration There is a configuration files named CertConfiguration.xml in the Quality Monitoring installation directory. Make sure the following settings in these files point to the.\qm\qmcerts\svr_cert_key.pem file: CertConfiguration.xml <CACertificate>C:\Program Files\Witness\QM\QMCerts\svr_cert_key.pem</CACertificate> <Certificate>C:\Program Files\Witness\QM\QMCerts\svr_cert_key.pem</Certificate> <PrivateKey>C:\Program Files\Witness\QM\QMCerts\svr_cert_key.pem</PrivateKey> Make sure the ciphers are present in the configuration file. The tag should look like this: <CipherList>DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:AES128-SH A:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:EDH-DSS-DES-CBC3-SHA:EDH-RSA -DES-CBC3-SHA:DES-CBC3-SHA</CipherList> Search Service Configuration You need to: For 32-bit operating systems: update the.\qm\cautility\configsslforsearch.reg file to ensure the certificate and JRE paths are correct. For 64-bit operating systems: update the.\qm\cautility\configsslforsearchwin64bit.reg to ensure the certificate and JRE paths are correct. Execute the appropriate file to update the Quality Monitoring Search Service registry. A successful execution will update the Windows Registry key for the Quality Monitoring Search Service with the key store pointers set to svr_cert_key.p12, which is under the.\qm\qmcerts directory, and the key store type set to pkcs12. After completing this section, check the registry to ensure the correct ciphers are configured. The location in the Windows registry is: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ Witness\eQuality\Quality Monitoring Search Service The CipherList key should contain the following values: TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_ AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA Quality Monitoring Configuration Guide 57
Chapter 7 - Secure Data In Transit Supervisor/Search and Replay Client Workstation Configuration Supervisor/Search and Replay Client Workstation Configuration The issuing CA's certificates must be installed in the following locations on every supervisor machine:.\lib\security\cacerts file of the JRE used by Quality Monitoring client applications Windows trusted Root CA certificate store To install the CA s certificates to the required locations on each supervisor machine: Copy the trustedca\cacert.pem and ImportCaCertToJREandWindowsCertStores.zip files from the.\qm\cautility folder on a Quality Monitoring server to a location accessible by the supervisor workstation. Extract the zipped files. The cacert.pem will be added to the Windows and JRE Certificate store by using the ImportCaCertToJREandWindowsCertStores.cmd. Pass the parameters of the JRE location to insert the CA certificate and the location of the CA certificate. Quality Monitoring with Full-time Recording Configuration When the Secure Communications setting is enabled in System Administration, in Quality Monitoring with Full-time Recording deployments, the erecorder export module and Search and Replay client will use SSL communication to download the media data file from the Viewer. Therefore, in addition to certificate installation and SSL configuration for the Quality Monitoring server and client applications described in the current document, you must also ensure that Viewer is configured to work in SSL (https) mode. Instructions on configuring HTTPS on Viewer are documented in the Enterprise Security Administration Guide on the Full-time Recording installation DVD. Secure Communication with WorkForce Optimization (WFO) If the Secured Communication setting is enabled in the Data Source setting for a Quality Monitoring server in WFO (Weblogic), connections from WFO to Quality Monitoring will all use https and SSL. Quality Monitoring will only use https in Quality Monitoring Configuration Guide 58
Chapter 7 - Secure Data In Transit Secure Content Data Transmission Configuration communication back to WFO if HTTPS is specified in the URLs of the "Single Sign-ON Token Verifier" and "Audit Server" in Quality Monitoring System Administration. To fully force secured communications between Quality Monitoring and WFO, the Secured Communication setting in the Quality Monitoring Data Source in WFO must be enabled, Quality Monitoring Web Server must operate in https and both URLs, "Single Sign-ON Token Verifier" and "Audit Server", must use https. Therefore, in addition to certificate installation and SSL configuration for Quality Monitoring server and client applications described in the current document, you must also ensure that WFO (Weblogic) is configured to work in SSL (https) mode. Instructions on configuring HTTPS for WFO are documented in the Enterprise Security Administration Guide on the Full-time Recording installation DVD. Secure Content Data Transmission Configuration Make sure the registry value on agent machines is set to 1. For Windows 32-bit: HKLM\Software\Witness Systems\eQuality Agent\Capture\Current Version\DataEncryption For Windows 64-bit: HKLM\Software\Wow6432Node\Witness Systems\eQuality Agent\Capture\Current Version\WSSPath The three security files (server.wss, client.wss and agent.wss) that store a password necessary for secure data transmission are distributed during Quality Monitoring component installation. The initial password is witness. The communication password can be changed using the wsschangepassword.exe utility, which is installed as a part of the erecorder installation. This utility generates a new set of the security files for a new password. To change the password: 1 Copy the wsschangepassword.exe and server.wss files to any temporary directory. Quality Monitoring Configuration Guide 59
Chapter 7 - Secure Data In Transit Secure Content Data Transmission Configuration 2 Run wsschangepassword.exe. 3 Type the current password and then type and re-type the new password in the appropriate text boxes. 4 Click OK. The system overwrites the old files, and generates a new set of Server.wss, Agent.wss and Client.wss files. 5 Copy the Server.wss file to each erecorder node in the erecorder installed directory. 6 Copy the Agent.wss file to each Screen Capture module-installed machine in the Capture installed directory. This file can be copied in to different directories, as long as the HKLM\Software\Witness Systems\eQuality Agent\Capture\Current Version\'WSSPath registry value is pointing to the correct directory. 7 Copy the Client.wss file to Web Server in the '.\Tomcat\webapps\qm\Applets' directory. If the Quality Monitoring Supervisor client is installed onto a Supervisor machine, then copy the Client.wss file to each Supervisor machine. Quality Monitoring Configuration Guide 60
Chapter 7 - Secure Data In Transit Enable Secure Communications Enable Secure Communications After you have completed the various configurations, you can enable the Secure Communications option in System Administration. 1 Open the Quality Monitoring System Administration window and navigate to the Security tab of the Root Settings node. 2 Click Edit. 3 Select the Secure Communications checkbox. 4 Click Save. 5 Restart all of the Quality Monitoring services on every Quality Monitoring server. Quality Monitoring Configuration Guide 61
Chapter 8 Certificate Management Digital certificates are required for Quality Monitoring, including the RSA Key Management Server, to communicate securely over the networks using standard SSL/TLS technology. This chapter provides information on certificate management and describes commonly used configuration procedures. Each topic is independent of the others and not all topics are necessarily required for all deployment scenarios. You should not use the order of these topics as a configuration workflow. This chapter describes the following topics: Required Certificates, page 63 Public Certificate Authority, page 63 Private Certificate Authority, page 64 Generate and Sign Server Certificate, page 65 Install Server Certificates, page 66 Import to JRE, page 68 Import to the Windows Certificate Store, page 68 Import into Microsoft Internet Explorer, page 69 Revoke Certificates, page 71 Update Expired Certificates, page 73
Chapter 8 - Certificate Management Required Certificates Required Certificates Certificates can be purchased by the customer from a public CA (Certificate Authority) or generated using a private CA. In the Quality Monitoring SSL/TLS implementation, every Quality Monitoring server, including the RSA KMS server if at rest data encryption is required, requires a server certificate with its matching private key for SSL server applications and the issuing CA's certificate for SSL client applications. In addition, the issuing CA's certificate must also be added to each supervisor PC. Public Certificate Authority If customers elect to use a public Certificate Authority, they can generate the PKCS#12 file and the public Certificate Authority certificate file with the tools provided by the Certificate Authority. Check the server certificate to ensure the proper values are used for the Key Usage Extension. If present, the Key Usage Extension determines the conditions when the certificate can be used. The two values needed by Key Usage Extension, if present, are the Digital Signature and Key Encipherment. If either of the two values is missing, SSL may not work properly. To check the certificate for the proper values: 1 Extract the Server Certificate from the p12 file using OpenSSL. 2 Change the certificate's extension to.cer. 3 Right click on the certificate and select Open. 4 Click on the Details tab of the certificate. 5 Scroll down the list until you find the Key Usage Extension; then, select it. 6 Ensure the Digital Signature and Key Encipherment are part of the value set. The value set is displayed in the text below the certificate attributes. If Key Usage Extension is not used, the certificate can be used for SSL as there will be no restrictions on its usage. Quality Monitoring Configuration Guide 63
Chapter 8 - Certificate Management Private Certificate Authority The following example shows the Key Usage Extension with the proper values (Data Encipherment is not needed for implementing SSL; this setting enables the certificate to be used for other purposes): Private Certificate Authority If customers elect to use a private Certificate Authority, they should setup the private Certificate Authority first. To setup a Certificate Authority, the security administrator should execute the following steps: 1 Identify a secure PC. This can be any windows based PC as long as it is only accessible by the security administrator or other trusted personnel. 2 Copy the CAUtility directory from Quality Monitoring installation OEM DVD, including its sub-directories.\conf and.\bin, to your secure PC. Do not execute the following steps on the DVD. The CAUtility directory on your secure PC should contain: setca.cmd - a script to set up a Certificate Authority gencert.cmd - a script to generate and sign certificate and key for servers revokecert.cmd - a script to revoke a compromised certificate README.txt.\conf directory containing ca_conf.txt and req_conf.txt files Quality Monitoring Configuration Guide 64
Chapter 8 - Certificate Management Generate and Sign Server Certificate.\bin directory containing openssl.exe, libeay32.dll, and ssleay32.dll files The OpenSSL libraries also depend on the Microsoft C runtime libraries msvcr71.dll and msvcrt.dll. Make sure these dlls are copied to.\system32 if not already done so. 3 Navigate to the.\cautility directory on your secure PC and execute the setca.cmd script. You will be prompted for the: PEM password to protect the private key of the Certificate Authority. Note the password and store it securely. Certificate Authority Common Name (CN). The default RootCA will work for most people. No spaces are allowed in this name. Certificate Authority Organization Name (O). This is a field you must enter. It is typically your company's name. No spaces are allowed in this name For all subsequent certificates signing, the certificate Organization Name must match that of the Certificate Authority. Run setca.cmd only once and generate required number of certificates using gencert.cmd with the same Certificate Authority organization name that was entered during setca.cmd. 4 A successful execution of this command will generate: a private Certificate Authority certificate cacert.pem in the.\certs directory the matching private key cakey.pem in the.\keys directory This private Certificate Authority certificate will be valid for 10 years. Generate and Sign Server Certificate Navigate to the.\cautility directory on Certificate Authority PC and execute the following command line at a Command prompt: gencert <Server Name> <Certificate Authority's Organization Name> where <Server Name> is the fully qualified DNS name of the server. You will be prompted for: The password of the Certificate Authority key file (CAKey.pem) An export password to protect the output svr_cert_key.p12 file A successful execution will generate a svr_cert_key.p12 file in the.\cautility\signed_certs\<server Name> directory of the Certificate Authority PC. The file contains the: signed server certificate matching private key Certificate Authority certificate in PKCS#12 format The signed server certificate will be valid for two years. Quality Monitoring Configuration Guide 65
Chapter 8 - Certificate Management Install Server Certificates Install Server Certificates To install Server and trusted Certificate Authority Certificates for Quality Monitoring servers, do the following on all BDR Servers and all erecorder servers: 1 Copy the certificate container svr_cert_key.p12 generated/purchased for this server to the.\qm\cautility directory. You may have to rename the file to svr_cert_key.p12. If the file has the extension.pfx, it is safe to rename the file as it has the same format as a.p12 file. 2 Navigate to that directory and execute the following command line at a Command prompt: installqmcert <export_password> <jre_ directory> <root_certificate> where <export_password> is the password entered when the certificate was signed by the Certificate Authority <jre_directory> is the full path to a JRE directory, where the trusted Certificate Authority certificate should be added to the key store. On 32-bit operating systems, by default, JREs are stored on C:\Program Files\Java\JRE\. On 64-bit operating systems, by default, JREs are stored on C:\Program Files (x86)\java\jre. <root_certificate> is the full path to the Root CA Certificate. It is needed if the Third Party Certificate is signed by a Intermediate Certificate Authority (ICA). These Chained Certificates need the Root CA Certificate to validate the signed certificate was created from a trusted CA. 3 A successful execution of the script will Extract the certificate chain (cert.pem), the server private key (key.pem), CA certificate (cacert.pem), and a single server certificate (rsa_app_cert.pem) from the svr_cert_key.p12 file. The rsa_app_cert.pem and dump file are stored in.\<qm install folder>\qm\conf\security. The *.pem and *.p12 files are stored in.\<qm install folder>\qm\qmcerts The Cacert file is stored in.\<qm install folder>\qm\cautility\trustedca The rsa_app_cert.pem will be loaded into RSA KMS to identify KMC on this server if at rest data encryption with RSA Key Management needs to be enabled (For more information, see Create an Identity, page 79). Create the Certificate Authority certificate as cacert.pem and Client_cert.pem files in the.\qm\cautility directory. Add the Certificate Authority certificate (cacert.pem) to the trusted Certificate Authority certificate key store <jre_ directory>\lib\security\cacerts of the running JRE with "qm-impact360" as the alias. Adding Certificate Authority certificate to JRE key store does not harm anything in the system. If there is an error in adding the certificate to the JRE key store then ignore the error. Quality Monitoring Configuration Guide 66
Chapter 8 - Certificate Management Install Server Certificates Create a svr_cert_key_dp.p12 file as a renamed copy of the svr_cert_key.p12 file. The password for both.p12 files is changeit, which is the default password for JAVA key store. Create svr_cert_key.p12 and svr_cert_key.pem files in the.\qm\qmcerts directory It is safe to re-run the above script in case of errors such as incorrect password. Verify RSAProvider.cfg Contains the Certificate and Password After installing each server certificate, you should verify that the RSAProvider.cfg file contains the full path to both the certificate and its export password. 1 Navigate to the following location on the server: <QM installation folder>\qm\conf\ 2 Using a text editor, open the RSAProvider.cfg file. 3 Verify the values for the following parameters are correct: kms.sslpkcs12file Full path to the certificate file. kms.sslpkcs12password Export password for the certificate. If the values for the above parameters are not correct, update the parameter as required. Do NOT update any other parameters in the RSAProvider.cfg file. Note: If did not modify the installqmcert script from the CAUtility directory (see Install Server Certificates on page 66), the script created the following certificate path/file and export password values: kms.sslpkcs12file <QM installation folder>\qm\conf\security\svr_cert_key_dp.p12 kms.sslpkcs12password changeit 4 Save the RSAProvider.cfg file. Quality Monitoring Configuration Guide 67
Chapter 8 - Certificate Management Import to JRE Import to JRE Execute the following command to import a Certificate Authority certificate to a JRE: ImportCaCertToJre <jre_directory> <cacert_file_path_and_name > where <jre_directory> is full path to JRE directory, where the trusted Certificate Authority certificate should be added to the key store. By default, JREs are stored on C:\Program Files\Java\JRE\. <cacert_file_path_and_name> is a Certificate Authority certificate file name including the full path. A successful execution imports the Certificate Authority certificate into <jre_directory>\lib\security\cacerts keystore. Full list of Certificate Authority certificates in this key store can be obtained by executing: <jre_directory>\bin\keytool -list -keystore <jre_directory>\lib\security\cacerts The key store password is changeit Import to the Windows Certificate Store Import the p12 file located in.\<qm install folder>\qm\qmcerts. The following script imports the certificate into the Windows Key Store: ImportCACertToWindows.cmd The above script takes the same parameters as ImportCaCertToJre. It will add the certificate to the JRE as ImportCaCertToJre and add the certificate to the Windows Keystore as well. This is the preferred script to run on client machines. We recommend using the above script. If necessary, you can use Microsoft Management Console (MMC) to insert into the certificate store. To use MMC to import a server certificate into Windows Certificate store: 1 Click Start > Run. The Run dialog box displays. 2 In the Open field, enter mmc and click OK. The Microsoft Management Console appears. 3 Select File > Add/Remove Snap in. The Add/Remove Snap in dialog box displays. 4 Click Add. The Add Standalone Snap in dialog box displays. 5 Select Certificates and click Add. The Certificates snap-in dialog box displays. 6 Select Computer account and click Next. The Select Computer dialog box displays. 7 Select Local Computer and click Finish. 8 On the Add Standalone Snap in dialog box, click Close. Quality Monitoring Configuration Guide 68
Chapter 8 - Certificate Management Import into Microsoft Internet Explorer 9 On the Add/Remove Snap in dialog box, click OK to return to the Microsoft Management Console. Certificates (Local Computer) should display as a node under Console Root. 10 Expand Certificates (Local Computer), right click Personal and select All Tasks > Import. The Certificate Import Wizard dialog box displays. 11 Click Next and follow the steps to import your server certificate. On completion, your server certificate displays in the list of Personal certificates. Make sure that the ER certificate is imported to the Windows certificate store on the QM Server. Import into Microsoft Internet Explorer Import the p12 file located in.\<qm install folder>\qm\qmcerts. To import Certificate Authority Certificates into Microsoft Internet Explorer, perform the following steps: 1 Open Internet Explorer. 2 Select Internet Options from the Tools menu and open the Content tab. Quality Monitoring Configuration Guide 69
Chapter 8 - Certificate Management Import into Microsoft Internet Explorer 3 Click Certificates. 4 Click Import. Quality Monitoring Configuration Guide 70
Chapter 8 - Certificate Management Revoke Certificates 5 Browse to Certificate Authority Certificates and Click Next. 6 Select Automatically select the certificate store based on the type of certificate and click Next. 7 Click Finish. Revoke Certificates When a certificate and its matching private key are compromised, the certificate must be revoked and a new certificate must be generated and installed. Compromised Certificate Authority Certificate When a Certificate Authority certificate and its matching private key are compromised, the entire PKI trusting system built upon the Certificate Authority is broken. Not only must the compromised Certificate Authority certificate be removed from all the Trusted Certificate Authority Certificate stores used by applications; the certificates signed by the compromised Certificate Authority private key can no longer be trusted. With our private Certificate Authority, the revocation of a compromised Certificate Authority consists of the following steps: Start a new Certificate Authority from the very beginning, namely rerun the setca command in a new.\cautility directory. Re-sign all server certificates. Install the re-signed server certificates and the new Certificate Authority certificate. Quality Monitoring Configuration Guide 71
Chapter 8 - Certificate Management Revoke Certificates Remove the old Certificate Authority certificate from the Windows Trusted Root Certificate Authority certificate store of each server after the new Certificate Authority certificate is loaded using Certificate snap-in of MMC. The old Certificate Authority certificate in the Java trusted keystore and OpenSSL.\trustedCA\cacert.pem are replaced when the new certificates are installed. Compromised Server Certificate The revocation procedure consists of the following steps: Revoke the certificate on Certificate Authority by executing the following command at DOS prompt in.\cautility: revokecert <certificate_coontainer> <Export_Password> <Server_Name> where: <certificate_container> - This is the PKCS 12 certificate container created by the gencert script. <Export_Password> - This is the export password used to secure the PKCS 12 certificate container created by the gencert script. <Server_Name> - This is the name of the server that created the PKCS 12 certificate container. The successful execution of the above command will update Certificate Authority database and the CRL list file (.\CRL\crl.pem). For Quality Monitoring 10.1.1, this file is not used. Add the revoked certificate to Windows Un-trusted Certificates store using Certificate snap-in of MMC for all Windows API based SSL client applications, such as WinHTTP on servers hosting. This step is only needed if the certificate was imported into the MMC certificate snap-in. In future versions, you would add the revoked certificate to CRL keystore (crl.jks file) in.\qm\conf\security on all servers hosting Java based SSL client applications by executing the following command in that directory at a DOS prompt: <jre_directory>\bin\keytool -import <cert_filename> -keystore crl.jks where <jre_directory> is the home directory of the running JRE. Enter "changeit" as the key store password. This step is needed only when installqmcert.cmd has successfully installed Certificate Authority certificate to JRE key store. Re-sign and re-install a server certificate for the server. Quality Monitoring Configuration Guide 72
Chapter 8 - Certificate Management Update Expired Certificates Update Expired Certificates Each Certificate Authority certificate or server certificate is valid for a period of time specified on the certificate. With our utility, each Certificate Authority certificate will be valid for 10 years and each server certificate will be valid for 2 years starting from the time it is signed. These certificates need to be updated before they become expired. Update Certificate Authority Certificate The process of updating Certificate Authority certificate is the similar to that of starting a new Certificate Authority. First, a new Certificate Authority needs to be set. Once the new Certificate Authority is set, all server certificates signed by the old Certificate Authority certificate/private key should become invalid. New server certificate and private key needs to be signed and installed using the new Certificate Authority for each server. Update Server Certificates The process of updating an expired server certificate using the private Certificate Authority Utility tool is very similar to that of revoking a compromised server certificate. First, the expired certificate must be revoked on Certificate Authority by executing the following command: revokecert <certificate_coontainer> <Export_Password> <Server_Name> where: <certificate_container> - This is the PKCS 12 certificate container created by the gencert script. <Export_Password> - This is the export password used to secure the PKCS 12 certificate container created by the gencert script. <Server_Name> - This is the name of the server that created the PKCS 12 certificate container. The successful execution of the above command will update Certificate Authority database and the CRL list file (.\CRL\crl.pem). For Quality Monitoring 10.1.1, this file is not used. Second, a new certificate for that server needs to be signed and install in the same way as original certificate was signed and installed. However, an expired certificate does not need to be added to the Windows un-trusted certificate store nor to the CRL of Java SSL client applications. Quality Monitoring Configuration Guide 73
Chapter 9 Secure Data At Rest This chapter instructs you to secure data at rest for Quality Monitoring. This chapter describes the following topics: Prepare Server Certificates, page 75 Install and Configure KMS, page 75 Enable Content Encryption, page 80
Chapter 9 - Secure Data At Rest Prepare Server Certificates Prepare Server Certificates Obtain the PKCS#12 certificate files from a public or private Certificate Authority for every erecorder server and one for the RSA Key Manager Server (KMS) if it is going to be installed on a dedicated box. Please see Certificate Management, page 62. Install and Configure KMS For details on installing and securing the RSA Key Management Server, see the Custom RSA Key Manager Server Installer User Guide. This document is included on the RSA Software DVD. KMS SSL Connection Configuration On the KMS machine, import the KMS server certificate into the Certificate store of MMC. For instructions, see Import to the Windows Certificate Store, page 68. Quality Monitoring Configuration Guide 75
Chapter 9 - Secure Data At Rest Install and Configure KMS KMS Properties in IIS Configuration On the KMS machine, set the SSL port for RSA Key Manager Web Site in IIS to 7443. KMS Security Policies for erecorder Machines Configure the security policies on the RSA Key Management Server (KMS) for Quality Monitoring to support the registration of each erecorder server in the Quality Monitoring system as an application. RSA Key Manager Server provides a web browser-based configuration interface that can be accessed by typing HTTPS://<hostname>:7443/KMS/admin in the browser. The <hostname> is the full hostname, meaning the server name plus the fully qualified domain name (FQDN), of the PC hosting the RSA Key Manager server. During the initial installation, the install engineer sets a Master password that is required at every restart of the KMS server. In addition, the install engineer creates a System Administrator, whose role has the privilege to create KMS Administrators as well as Application Groups. Only KMS as an organization has the privilege to create and manage key policies and classes. Applications are identified by the certificate (contained in the rsa_app_cert.pem file) of the server. Quality Monitoring Configuration Guide 76
Chapter 9 - Secure Data At Rest Install and Configure KMS Procedures for creating security policies and registering Quality Monitoring erecorder servers are described in the following topics: Create a Crypto Policy, page 77 Create an Identity Group, page 77 Create a Key Class, page 78 Create an Identity, page 79 Create an Identity Policy, page 79 In a typical deployment, the first three procedures only need to be done once during the initial configuration of KMS. The procedure for creating an application needs to be executed for each erecorder server that needs to communicate with KMS. Create a Crypto Policy Create a crypto policy to be followed by the encryption keys that are used by the applications in the Quality Monitoring System. In creating the key policy, you need to specify the encryption algorithm, the key length, and the key update period. A key policy was created as part of the RSA KMS installation. We recommend using that existing crypto policy. Creating another crypto policy is optional and not recommended. To create a crypto policy: 1 As an administrator, log onto the RSA KMS using the browser-based interface and click Crypto Policies. 2 Click Create, and then type a policy name. 3 Choose an Algorithm. AES is recommended. 4 Select a Key Size. 256 is recommended. 5 Select a Mode. CBC is recommended. 6 Select a Duration. 1 day is recommended. 7 Click Save. Create an Identity Group You can create different application groups to segment the usage of encryption keys for different applications. An application group was created as part of the RSA KMS installation. We recommend using that existing application group. Creating another application group is optional and not recommended. To create an application group: 1 As an administrator, log onto the RSA KMS using the browser-based interface, and click Identity Groups > Create. 2 Type the name of the group and then click Save. Quality Monitoring Configuration Guide 77
Chapter 9 - Secure Data At Rest Install and Configure KMS 3 Click Create. The Administration application displays a list of all created Identity Groups. 4 Select the new Identity group. Create a Key Class Create a key class to identify a set of encryption keys, derived from a specified key policy, associated with a defined identity group. A key class was created as part of the RSA KMS installation. We recommend using that existing key class. Creating another key class is optional and not recommended. To create a key class: 1 As an administrator, log on to the RSA KMS using the browser-based interface, and click Key Classes. 2 Type a name for your key class, such as recorder. You should typically use recorder as this is the default key class configured on Quality Monitoring. 3 Select the Identity group created in Create an Identity Group, page 77. 4 Click Next. 5 Select the Crypto policy you created in Create a Crypto Policy, page 77. 6 Leave Use Current Key as the Type and check the Allow Auto-Generation box. 7 Click Next. 8 On the Class Attributes screen, click Next. 9 On the Attribute Specifications screen, click Next. 10 Click Finish. Quality Monitoring Configuration Guide 78
Chapter 9 - Secure Data At Rest Install and Configure KMS Create an Identity In order for an application that uses an encryption key to be able to get keys from RSA KMS, the application must be added to a particular identity group. In RSA KMS, each application is identified by a certificate, which is imported into KMS when the identity is created. In the deployment of Quality Monitoring, all applications on a single server share the same certificate. All such applications on the same server are treated by KMS as a single identity. So, one identity needs to be created for each erecorder Server in the Quality Monitoring System. To create an identity: 1 As an administrator, log onto the RSA KMS using the browser-based interface and click Identities. 2 Click Create and then type the name of your application. 3 Select the correct Identity Group. 4 Leave the Role set as Operational User. 5 Under Certificate, browse for the rsa_app_cert.pem certificate in.\qm\conf\security and click on Open. QM is the erecorder installed location. 6 Click Save. Create an Identity Policy An Identity Policy was created as part of the RSA KMS installation. We recommend using that existing Identity Policy. Creating another Identity Policy is optional and not recommended. To create an Identity Policy: 1 As an administrator, log on to RSA KMS using the browser-based interface and click Identity Policies. 2 Click Create and provide the Identity Policy name. 3 Check the All box. 4 Click Save. 5 In the list of Identity Policies, find the identity policy you created and click Bind. 6 Check the boxes for the appropriate Identities and click Bind. Quality Monitoring Configuration Guide 79
Chapter 9 - Secure Data At Rest Enable Content Encryption Enable Content Encryption After you have completed the various configurations, you can enable content encryption. 1 Open the Quality Monitoring System Administration window and navigate to the Security tab of the Root Settings node. 2 Click Edit. 3 Select the Enable Recording content Encryption on Disk checkbox. 4 For the option If keys are not available, the recorder(s) will choose the stop recording value. In this case the Quality Monitoring system will record and playback the contents only if security is configured correctly. Later you can change this option if desired. 5 Provide the fully qualified name of the KMS. 6 Click Save. 7 Restart the Quality Monitoring erecorder services on every Quality Monitoring server. Quality Monitoring Configuration Guide 80
Chapter 10 Pause and Resume Recording The following limitations make the usage of Stop Record unacceptable for a PCI compliant application: It can only stop/restart recording that has been triggered by an Externally Controlled business rule. Even if the recording has been triggered by an Externally Controlled rule it cannot stop recording if another business rule also triggered the recording. The Pause and Resume Recording feature is the ability of Quality Monitoring System not to store sensitive audio/video content at a certain period of time during a customer-agent communication. This chapter describes the following topics: Introduction, page 82 Pausing and Resuming Contact Recording, page 82 Pause/Resume Requestors, page 82 PauseRecord and ResumeRecord Events, page 83 Multiple Contacts Recording the same Workspace, page 83 Transferred Calls, page 84 Pause and Resume Recording using AIM, page 84 Pause and Resume Recording from an External Application, page 84 Full-time Recording, page 85 Playing Back Paused Contacts, page 85
Chapter 10 - Pause and Resume Recording Introduction Introduction Previously, there are three ways to control recording of a contact: Internally by a request from the Business Rule Engine (BRE) when a business rule (or rules) trigger. The Contact Manager starts recording and makes a note that the start has been requested by the business rule engine. BRE never requests stop recording, but it can request Do not store (reject) a contact. Once started, the recording continues until the end of the contact unless the contact is rejected. Internally by a request from LMPS for a live or scheduled monitoring of an agent. The Contact Manager starts recording and makes a note that the start has been requested by LMPS. The recording cannot be stopped until LMPS requests stop recording. Start/stop recording is fully controlled by LMPS. Externally upon receiving Start Record and Stop Record events via the Quality Monitoring Connect adapter and WAPI. The Contact Manager starts recording and makes a note that the start has been requested by an unknown requestor. Therefore an external event cannot stop an internally triggered recording making it impossible to avoid recording sensitive information without severe limitations of Quality Monitoring functionality. The Pause and Resume feature has been designed to overcome those limitations. Pausing and Resuming Contact Recording Pause and Resume Recording feature is the ability of Quality Monitoring not to store recordings upon receiving an external request from an agent or a third party application. Pause/Resume Recording is implemented so that Quality Monitoring actually does not stop receiving and processing audio/video contents of a contact when the contact is in Paused state. The system just does not store the original contents in content files. Instead it stores generated content: some simple sound for audio and a black frame for video to provide an indication during a playback that the contact at this time was in a paused state. This approach helps avoiding possible delays associated with actual starts and stops of content recording. Pause/Resume Requestors The pause and resume requests come to the BDR Server in the form of PauseRecord and ResumeRecord events, which also carry the information about the content types to pause/resume (audio, video or both) and a requestor ID. Quality Monitoring Configuration Guide 82
Chapter 10 - Pause and Resume Recording PauseRecord and ResumeRecord Events The requestor ID is necessary to prevent the system from intentional or unintentional premature resume of the recording. Quality Monitoring does not resume a content recording until it receives a ResumeRecord event from the last pause requestor. For example, AIM requests pausing of audio and video recording and Focus requests to pause video recording. After some time AIM requests to resume audio and video recording. Quality Monitoring will resume only audio recording. Video recording will be resumed only after receiving a resume request from Focus. PauseRecord and ResumeRecord Events A contact enters Paused state when it receives a PauseRecord event. The contact leaves the Paused state upon receiving a ResumeRecord event. As for other events, PauseRecord and ResumeRecord must be associated with a contact. It means that: If the BDR Server receives a Pause/ResumeRecord event and cannot find a corresponded contact, it discards the event. If a contact has ended while it has been paused, it is considered to have been resumed, as if it has received a ResumeRecord event just before the end. If a contact received a ResumeRecord event while not being in a Paused state then the ResumeRecord event is discarded. The BDR Server does not associate Pause and ResumeRecord events with a device or a workspace; it associated the events with a contact. Multiple Contacts Recording the same Workspace At any point of time an agent's workspace can be recorded by a call contact (usually initiated by CTI events), a monitor contact (live and scheduled monitoring) or both. Quality Monitoring supports the situations where Pause/ResumeRecord events come at a time when an agent is monitored by: A call contact A monitor contact Both call and monitor contacts For one contact at a time the system behavior is straightforward: the recording is paused on a PauseRecord event and resumed on a corresponded ResumeRecord event. It can be a bit more complicated when two calls exist at the same time. Since Quality Monitoring uses the same media channel to record the same device in different contacts, the result of pausing and resuming recording may vary depending on when a pause event received. Quality Monitoring Configuration Guide 83
Chapter 10 - Pause and Resume Recording Transferred Calls If a pause event comes when both contacts exist then each contact processes it independently. If a pause event comes when only contact A exists, the system pauses this contact recording. When contact B begins and the recording is triggered it will not be in Paused state but its shared media channels will be paused by contact A. If the resume event comes before the end of contact A, then both recordings will be resumed. Otherwise the channels will remain paused even after the end of the contact A. When contact B receives a resume event it will resume the recording. Transferred Calls If a contact is paused and then is transferred to another agent, the recording remains paused until it is resumed. The system does not automatically resume contacts when it is transferred. The resume event must be sent with a new agent or device address. Otherwise the contact will not be found. Pause and Resume Recording using AIM An agent can pause and resume recording using the Pause Monitoring and Resume Monitoring items from AIM Tray menu. Pause and Resume Recording from an External Application An external Application can send PauseRecord and ResumeRecord events via the Quality Monitoring Connect adapter using the following URLs: http://server:port/servlet/eqc6?interface=icontactmanagement&metho d=deliverevent&contactevent=pauserecord&device.device=device&devic e.systemdevice=systemdevice&attribute.key=contact.contenttype&attr ibute.value=content_type&attribute.key=contact.requestor&attribute.value=requestor Quality Monitoring Configuration Guide 84
Chapter 10 - Pause and Resume Recording Full-time Recording http://server:port/servlet/eqc6?interface=icontactmanagement&metho d=deliverevent&contactevent=resumerecord&device.device=device&devi ce.systemdevice=systemdevice&attribute.key=contact.contenttype&att ribute.value=content_type&attribute.key=contact.requestor&attribut e.value=requestor In these events, please replace: server:port with the server name and port for your Quality Monitoring Connect adapter address. device and systemdevice with your device and system device names to identify the workspace to be paused/resumed. An agent address could be used to identify the workspace. content _type with one of the following strings: Audio, or Video, or AudioVideo. requestor with a requestor name. Full-time Recording The Quality Monitoring system can be configured to pause and resume recording for its internal recorders and some internal and external recorders when integrated in a selective recording mode only. When integrated with external full-time recorders, pause and resume triggers must be sent to both the Quality Monitoring system and the full-time recorders in parallel to ensure that both voice and screen recording are controlled appropriately. Playing Back Paused Contacts When playing back contacts that have been paused, you will see a black screen and hear a specific sound during the time when the contacts have been paused. The characteristics of the audio pause indicator sound are: 3 beeps of tone each 120ms long, separated by 120ms of silence. Between each set of beeps is 2400ms of silence, for a total of 3 seconds. Quality Monitoring Configuration Guide 85