CVP REST Client

Set the first variable “myLocalVar1” to below (the other variables - do not require the first two lines) This variable is then available as “LocalVar.myLocalVar1”

importPackage(com.audium.server.cvpUtil);
var xml= {Data.Element.restClient.response_body}     
var path= "/SamplePath/status"
XpathUtil.eval(xml,path);

Reference: https://xmltoolbox.appspot.com/xpath_generator.html
Reference: https://www.w3schools.com/xml/dom_nodes_get.asp

Set the first variable “myLocalVar1” to below (the other variables - do not require the first two lines) This variable is then available as “LocalVar.myLocalVar1”

importPackage(com.audium.server.cvpUtil);
var val= {Data.Element.restClient.response_body}     
var path= "JSONVariable1"
JSONPathUtil.eval(val,path);

CVP Call Studio JSON Example

https://maps.googleapis.com/maps/api/geocode/xml?components=country:US|postal_code:91406&key=<your google API Key>
<?xml version="1.0" encoding="UTF-8"?>
<GeocodeResponse>
    <status>OK</status>
    <result>
        <type>postal_code</type>
        <formatted_address>Van Nuys, CA 91406, USA</formatted_address>
        <address_component>
            <long_name>91406</long_name>
            <short_name>91406</short_name>
            <type>postal_code</type>
        </address_component>
        <address_component>
            <long_name>Van Nuys</long_name>
            <short_name>Van Nuys</short_name>
            <type>neighborhood</type>
            <type>political</type>
        </address_component>
        <address_component>
            <long_name>Los Angeles</long_name>
            <short_name>Los Angeles</short_name>
            <type>locality</type>
            <type>political</type>
        </address_component>
        <address_component>
            <long_name>Los Angeles County</long_name>
            <short_name>Los Angeles County</short_name>
            <type>administrative_area_level_2</type>
            <type>political</type>
        </address_component>
        <address_component>
            <long_name>California</long_name>
            <short_name>CA</short_name>
            <type>administrative_area_level_1</type>
            <type>political</type>
        </address_component>
        <address_component>
            <long_name>United States</long_name>
            <short_name>US</short_name>
            <type>country</type>
            <type>political</type>
        </address_component>
        <geometry>
            <location>
                <lat>34.1985119</lat>
                <lng>-118.4980744</lng>
            </location>
            <location_type>APPROXIMATE</location_type>
            <viewport>
                <southwest>
                    <lat>34.1717329</lat>
                    <lng>-118.5185960</lng>
                </southwest>
                <northeast>
                    <lat>34.2214109</lat>
                    <lng>-118.4661849</lng>
                </northeast>
            </viewport>
            <bounds>
                <southwest>
                    <lat>34.1717329</lat>
                    <lng>-118.5185960</lng>
                </southwest>
                <northeast>
                    <lat>34.2214109</lat>
                    <lng>-118.4661849</lng>
                </northeast>
            </bounds>
        </geometry>
        <place_id>ChIJvfiuqOOZwoARBLALvtBppoA</place_id>
    </result>
</GeocodeResponse>
GET ?timestamp=myunixtimestamp&callingpartynumber=5551234&transfernumber=6661002&callid=D03104B0390E11E9AA32D1E6EA5DB755&reason=start&description=Callback+Required&icmdialednumber=12125551001 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.7.0_67
Host: myHostName
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

Note: When using Mutual Authentication on a Windows Client Machine - you must have a client cert in the users (not machine) personal certificate location - otherwise the browser will return with no cert and you will fail auth. If you do have a cert in the correct store - you should get a prompt to select it. This might be useful for troubleshooting etc. Note - this is not relevant / needed for Mutual Auth on CVP VXML Servers - but useful for testing against the Server etc.

You can use the existing Self Signed CVP Certificates for Mutual Auth. However it is more likely you will want the client cert signed by the customers CA. And it is likely that the Server you are connecting to also has a cert signed by the same by the customer's CA (maybe by a different Intermediate cert - hence install them all!). If this is the case - make sure to install the Root and all of the Intermediate Certs into the cacerts file - folder location below

C:\Cisco\CVP\jre\lib\security\

The Certificate Extensions Key Usage should have

  • Digital Signature
  • Key Encipherment

The Certificate Extensions Extended Key Usage should have

  • Server Authentication
  • Client Authentication

How to check the Certificate for above?

  • openssl x509 -in <certificate to check> -purpose -noout -text

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/customer_voice_portal/cvp11_0/user/guide/CCVP_BK_14998B8D_00_1101-vxml-server-guide/Two_Way_SSL_Authentication.html#CCVP_TK_C69F94CE_00

SSL debugging on CVP VXML Servers

Enable Standard output and standard Error for the VXML Tomcat is not already done

Run the following below command on the VXML Server bin folder and set the log value to “auto” as per the below screen shot.

tomcat9w //ES//VXMLServer

The standard output and standard error files will not appear in the C:\Cisco\CVP\VXMLServer\Tomcat\logs folder in the following format

  • vxmlserver-stdout.<date>.log
  • vxmlserver-stderr.<date>.log

Enable SSL debugging on the VXML Server

Registry Location:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0 \VXMLServer\Parameters\Java\Options

You can set the the following option (to the existing options list) - only set one of below :

-Djavax.net.debug=ssl:handshake
-Djavax.net.debug=ssl
-Djavax.net.debug=all

Note - you need to restart the VXML Server Service after making the above change for it to be activated.

Since reading the standard output file can be difficult (no timestamps) use powershell (as per below) to tail the file

get-content .\vxmlserver-stdout.2021-11-12.log -tail 5 -wait

Then make a test call and reproduce the issue - so you just get the relevant logs.

Search for ***** CertificateRequest** - example below.
Note - in this instance because the Cert linked to VXML Server was NOT Signed by this CA - no response was sent.
This was because the VXML Server seems to bind the client cert it uses to the FIRST cert loaded in it java config. And this happens to be the orm cert when on UCCE (with CVP Ops server) and teh CallServer (when on PCCE - no CVP Ops server and no .ormkeystore)
 
*** CertificateRequest
Cert Types: ECDSA, RSA, DSS
Supported Signature Algorithms: SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, Unknown (hash:0x8, signature:0x4), Unknown (hash:0x8, si
gnature:0x5), Unknown (hash:0x8, signature:0x6), Unknown (hash:0x8, signature:0x9), Unknown (hash:0x8, signature:0xa), Unknown (hash:0x8, s
ignature:0xb), SHA256withRSA, SHA384withRSA, SHA512withRSA, Unknown (hash:0x4, signature:0x2), SHA224withECDSA, SHA224withRSA, Unknown (has
h:0x3, signature:0x2), SHA1withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=PurplePi  Root CA, O=Purplepi, C=IE>
<CN=LAB2-ROOT-CA, O=Purplepi, OU=LAB2>
*** ServerHelloDone
*** Certificate chain
***

Standard TLS

<sequencediagram>

  Client ->Server : SYN 
  Server ->Client : SYN ACK
  Client ->Server : ACK
  Client ->Server : TLS - Client Hello
  Server ->Client : TLS - Server Hello, Certificate, Server Hello Done
  Client ->Server : Client Key Exchange
  Client ->Server : Change Cipher Spec
  Server ->Client : ACK
  Client ->Server : Finished
  Server ->Client : Change Cipher Spec, Finished

</sequencediagram>

<sequencediagram>

  Client ->Server : SYN 
  Server ->Client : SYN ACK
  Client ->Server : ACK
  Client ->Server : TLS - Client Hello
  Server ->Client : TLS - Server Hello, Certificate, Certificate Request, Server Hello Done
  Client ->Server : Certificate, Client Key Exchange
  Client ->Server : Certificate Verify
  Client ->Server : Change Cipher Spec
  Server ->Client : ACK
  Client ->Server : Encrypted Handshake Message
  Server ->Client : ACK
  Server ->Client : Change Cipher Spec, Encrypted Handshake Message

</sequencediagram>

Example

note - the Wireshark trace below was decrypted using the Server private key and disabling DH (Diffie-Hellmen) - so some of below is not typically visible. i.e. once the initial TLS connection is setup, you won't get to see the second Mutual Auth TLS been established as in the below example.

  • vendors/cisco/uc/cvp/rest.txt
  • Last modified: 2021/11/22 09:46
  • by gerardorourke