Configure Application Server for CTI Subscriptions

Update the ClientIdentity on Application Server with the common name (CN) of the Webex for Cisco BroadWorks CTI client certificate.

For each Application Server you are using with Webex, add the certificate identity to the ClientIdentity as follows:

AS_CLI/System/ClientIdentity> add bwcticlient.webex.com

Configure TLS and Ciphers on the CTI Interface

The levels of configurability for the XSP|ADP CTI interface are as follows:

Most general = System > Transport > CTI Interfaces > CTI interface = Most specific

The CLI contexts you use to view or modify the different SSL settings are:

Reading CTI TLS Interface Configuration on the XSP|ADP

1. Sign in to the XSP|ADP and navigate to XSP|ADP_CLI/Interface/CTI/CTIServer>

2. Enter the get command and read the results. You should see the interfaces (IP addresses) and, for each, whether they require a server certificate and whether they require client authentication.

   XSP|ADP_CLI/Interface/CTI/CTIServer> get
     Interface IP  Port  Secure  Server Certificate  Client Auth Req
   =================================================================
     10.155.6.175  8012    true                true             true
   

Adding TLS 1.2 Protocol to the CTI Interface

The XSP|ADP CTI interface that is interacting with the Webex Cloud must be configured for TLS v1.2. The cloud does not negotiate earlier versions of the TLS protocol.

To configure the TLSv1.2 protocol on the CTI interface:

1. Sign in to the XSP|ADP and navigate to XSP|ADP_CLI/Interface/CTI/CTIServer/SSLSettings/Protocols>

2. Enter the command get <interfaceIp> to see which protocols are already used on this interface.

3. Enter the command add <interfaceIp> TLSv1.2 to ensure that interface can use TLS 1.2 when communicating with the cloud.

Editing TLS Ciphers Configuration on the CTI Interface

To configure the required ciphers on the CTI interface:

1. Sign in to the XSP|ADP and navigate to XSP|ADP_CLI/Interface/CTI/CTIServer/SSLSettings/Ciphers>

2. Enter the get command to see which ciphers are already used on this interface. There must be at least one from the Cisco recommended suites (see XSP|ADP Identity and Security Requirements in the Overview section).

3. Enter the command add <interfaceIp> <cipherName> to add a cipher to the CTI interface.

   The XSP|ADP CLI requires the IANA standard cipher suite name, not the openSSL cipher suite name. For example, to add the openSSL cipher ECDHE-ECDSA-CHACHA20-POLY1305 to the CTI interface, you would use: XSP|ADP_CLI/Interface/CTI/CTIServer/SSLSettings/Ciphers> add 192.0.2.7 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

   See https://ciphersuite.info/ to find the suite by either name.

Trust Anchors for CTI Interface (R22 and later)

This procedure assumes the XSP|ADPs are either internet-facing or face the internet via pass-through proxy. The certificate configuration is different for a bridging proxy (see TLS Certificate Requirements for TLS-bridge Proxy).

For each XSP|ADP in your infrastructure that is publishing CTI events to Webex, do the following:

1. Sign in to Partner Hub.

2. Go to Services > Additional links and click Download Webex CA Certificate to get CombinedCertChain2023.txt on your local computer.

   These files contain two sets of two certificates. You need to split the files before you upload them to the XSP|ADPs. All files are required.

3. Split the certificate chain into two certificates - combinedcertchain2023.txt

   1. Open combinedcertchain2023.txt in a text editor.

   2. Select and cut the first block of text, including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and paste the text block into a new file.

   3. Save the new file as root2023.txt.

   4. Save the original file as issuing2023.txt. The original file should now only have one block of text, surrounded by the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

4. Copy both text files to a temporary location on the XSP|ADP you are securing, e.g. /var/broadworks/tmp/root2023.txt and /var/broadworks/tmp/issuing2023.txt

5. Sign in to the XSP|ADP and navigate to /XSP|ADP_CLI/Interface/CTI/SSLCommonSettings/ClientAuthentication/Trusts>

6. (Optional) Run help updateTrust to see the parameters and command format.

7. Upload the certificate files to new trust anchors - 2023

   XSP|ADP_CLI/Interface/CTI/SSLCommonSettings/ClientAuthentication/Trusts> updateTrust webexclientroot2023 /var/broadworks/tmp/root2023.txt

   XSP|ADP_CLI/Interface/CTI/SSLCommonSettings/ClientAuthentication/Trusts> updateTrust webexclientissuing2023 /var/broadworks/tmp/issuing2023.txt

   All aliases must have a different name. webexclientroot2023, and webexclientissuing2023 are example aliases for the trust anchors; you can use your own as long as all entries are unique.

8. Confirm the anchors are updated:

   XSP|ADP_CLI/Interface/CTI/SSLCommonSettings/ClientAuthentication/Trusts> get

     Alias   Owner                                   Issuer
   =============================================================================
   webexclientissuing2023       Internal Private TLS SubCA      Internal Private Root
   webexclientroot2023       Internal Private Root      Internal Private Root[self-signed]

9. Allow clients to authenticate with certificates:

   XSP|ADP_CLI/System/CommunicationUtility/DefaultSettings/ExternalAuthentication/CertificateAuthentication> set allowClientApp true

Add CTI Interface and Enable mTLS

1. Add the CTI SSL interface.

   The CLI context depends on your BroadWorks version. The command creates a self-signed server certificate on the interface, and forces the interface to require a client certificate.

   • On BroadWorks R22 and R23:

     XSP|ADP_CLI/Interface/CTI/CTIServer> add <Interface IP> 8012 true true true

2. Replace the server certificate and key on the XSP|ADP's CTI interfaces. You need the IP address of the CTI interface for this; you can read it from the following context:

   • On BroadWorks R22 and R23:

     XSP|ADP_CLI/Interface/CTI/CTIServer> get

     Then run the following commands to replace the interface’s self-signed certificate with your own certificate and private key:

     XSP|ADP_CLI/Interface/CTI/CTIServer/SSLSettings/Certificates> sslUpdate <interface IP> keyFile</path/to/certificate key file> certificateFile </path/to/server certificate> chainFile</path/to/chain file>

3. Restart the XSP|ADP.

Enable Access to BroadWorks CTI Events on Webex

You need to add and validate the CTI interface when you configure your clusters in Partner Hub. See Configure Your Partner Organization in Partner Hub for detailed instructions.

• Specify the CTI address by which Webex can subscribe to BroadWorks CTI Events.

• CTI subscriptions are on a per-subscriber basis and are only established and maintained while that subscriber is provisioned for Webex for Cisco BroadWorks.