Security settings screen reference

The settings on the Security screen apply to all servers in the enterprise.

Settings and options on the Security screen

Item

Description

Tenant:

In a multi-tenant enabled environment, Tenant: tenant value appears at the top of the screen next to the screen title. The tenant value can be either the name of a tenant or Shared. If the tenant value specifies a tenant name, it is the name of the tenant to which the selected Installations node is associated. Shared appears as the tenant value for selected Site Group or Site nodes that contain servers that process data for all tenants in the system, or for selected Server nodes that process data for all tenants in the system. Typically, these servers are hosted servers or data center zone servers.

Pending Messages Icon

The Pending Messages icon displays above this screen when the Enterprise Manager is processing configuration changes.

View Installations Tree

Select a predefined filtered view of the Installations tree or accept the default All view. The All view displays the entire Installations tree hierarchy. For a large hierarchy, a filter is recommended.

Find

Type the name or first few letters of a Site Group, Site, or Server and then click Go to perform a search of the Installations tree. All matches are highlighted. For multiple matches, use the adjacent Up and Down arrows to move up and down the list of matches.

General (Configurable only from the Enterprise node)

Security Token PassPhrase

Optionally type or update the security token passphrase.

When a user attempts to replay a telephone or screen recording, the system sends a retrieval request to retrieve the recording from storage.

These retrieval requests include a security token that validates these retrieval requests.

This passphrase is used to generate the key that encrypts this security token.

The system ships with a default passphrase. If you accept the default and do not enter anything in this setting, the system operates properly.

Generally, you only need to change this passphrase under the following circumstances:

  • There is a security risk with the existing password. For example, the password is known by someone who can use it to gain illicit access to telephone recordings or screen recordings.

  • The security policies of your enterprise require all passwords to be changed periodically.

Important:

  • If you change this setting, restart the IIS server on every application server in your environment. (For example, on the application server open a command line as the server administrator, and run iisreset.)

  • After restarting the IIS servers, it can take a few minutes for the change to go into effect.

Security Token Timeout Period (Secs)

Specify the maximum number of seconds allowed between the time the security token is generated and the time the security token is processed. If this period is exceeded, the token expires and authentication fails, and the user cannot replay any telephone or screen recordings.

This setting prevents unauthorized users from using old security tokens to gain illicit access to telephone or screen recordings.

The default setting is 300 seconds.

Lower settings provide greater security. However, if the setting is too low, network congestion can cause the timeout period to elapse before the system can process the security token. When specifying settings lower than 300 seconds, experiment as needed to find the setting that provides the highest security but does not cause unnecessary authentication failures.

The minimum setting is 1 second and the maximum setting is 99,999,999 seconds.
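The following Python model is added here as an illustration of how the passphrase and the timeout period work together; it is not the product's own token format or key derivation. It assumes a PBKDF2-derived key, an HMAC tag over the request claims, and a generation timestamp, so that a replayed old token, a tampered token, or a token minted under a previous passphrase all fail validation.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Matches the page's default Security Token Timeout Period.
DEFAULT_TIMEOUT_SECS = 300


def derive_key(passphrase: str) -> bytes:
    # Assumed derivation (not the product's): PBKDF2-HMAC-SHA256 with a fixed
    # application salt. Changing the passphrase changes every key derived from it,
    # which is why tokens issued under the old passphrase stop validating.
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), b"retrieval-token-key", 200_000, dklen=32
    )


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(passphrase: str, recording_id: str, user: str, now: Optional[int] = None) -> str:
    """Build a retrieval token: base64(claims) '.' base64(HMAC tag).

    The claims carry the recording being requested, the requesting user and the
    generation time ("iat"), which the timeout check is measured from.
    """
    issued_at = int(time.time()) if now is None else now
    claims = {"rid": recording_id, "user": user, "iat": issued_at}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(derive_key(passphrase), payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def validate_token(
    passphrase: str,
    token: str,
    timeout_secs: int = DEFAULT_TIMEOUT_SECS,
    now: Optional[int] = None,
) -> Tuple[bool, str]:
    """Return (accepted, reason). The tag is checked before the age so that a
    forged timestamp cannot be used to probe the timeout logic."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
        issued_at = int(json.loads(payload)["iat"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    expected = hmac.new(derive_key(passphrase), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad-signature"
    if now < issued_at:
        return False, "issued-in-future"
    if now - issued_at > timeout_secs:
        # The page's rule: generation-to-processing gap above the limit expires the token.
        return False, "expired"
    return True, "ok"
```

A token validated exactly at the limit (300 seconds after generation) is still accepted; one second later it is rejected, which is the behaviour to keep in mind when tuning the period below the default.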

HTTPS

Enable HTTPS

This option enables HTTPS for all data transmitted on the network by all applications and managed servers in the system.

Important: Selecting this option is not the only procedure required to enable HTTPS. Before you select this option, make the necessary preparations for enabling HTTPS for the system, including installing certificates. Details on how to prepare the system for HTTPS appear in the Security Configuration Guide. If you select this option without first making the necessary preparations, Enterprise Manager cannot communicate with the managed servers.

When you select this setting, also select an HTTPS Protocol and Cipher Configuration setting.

When HTTPS is enabled completely (including the installation of certificates), the following communications are encrypted:

  • All web browser access to Enterprise Portal applications

  • All client-to-server communications (includes all clients, such as Enterprise Manager and Quality Monitoring).

  • All passwords transmitted between a web browser and the logon page, and any passwords transmitted on the network by the system to support Single Sign-On.

  • All server-to-server communications.

To make HTTPS unavailable, clear the check mark from this setting.

You can edit this option at the Enterprise, Site Group, Site, or Server nodes of the Installations tree (that is, you can enable HTTPS for some Site Groups, Sites, or Servers and make it unavailable for others).

HTTPS Protocol and Cipher Configuration

When you select the Enable HTTPS setting, also select an HTTPS Protocol and Cipher Configuration setting (or accept the default setting of Intermediate).

The HTTPS Protocol and Cipher Configuration determines the specific TLS protocols and cipher suites that are used to encrypt communications.

The available settings are Modern, Intermediate, and Custom. The Modern setting provides the strongest security. Intermediate is the default setting and appropriate for backward compatibility. Custom mode is restricted. This mode is for troubleshooting purposes and is used only by technical support.

You can edit this mode for any node of the Installations tree: Enterprise, Site Group, Site, or Server.

The mode you select applies to all encrypted client-to-server and server-to-server connections to the servers at or beneath the Installations tree node at which you edit the setting. For example, you can specify the Intermediate mode for one site or server and the Modern mode for a different site or server.

For information about the specific protocols and ciphers supported by each HTTPS Protocol and Cipher Configuration setting, see the “HTTPS protocol and cipher configuration” section of the Security Configuration Guide.

Data Center SSL Offload

Enable Data Center SSL Offload

To enable data center SSL offload, all the following conditions must be true:

  • You have enabled HTTPS.

  • Your enterprise has an application server cluster fronted by a load balancer.

  • You have selected the Enterprise node in the left pane.

Note: For step-by-step instructions on enabling data center SSL offload, see the Security Guide.

When you enable this setting, all HTTPS traffic from servers and desktop applications outside the data center firewall is terminated at the load balancer. All communication behind the load balancer/firewall (inside the data center network) is unencrypted HTTP communication.

In this scenario, a TLS certificate is installed on the load balancer server on the data center firewall. No TLS certificates are installed on any servers in the data center network. All servers inside the data center firewall communicate with each other and with the load balancer using unencrypted HTTP.

Site servers and desktop applications that are on external networks (that is, outside the data center firewall) use encrypted HTTPS to communicate with the load balancer. The load balancer terminates the HTTPS communication and routes the communication internally to the data center servers using HTTP.

When you enable this setting, you must also specify an Internal Load Balancer Address and an External Load Balancer Address.

This feature secures communication in your enterprise while reducing costs and maintenance. The feature eliminates the need to deploy TLS certificates on your data center servers. This feature also enhances performance because the data center servers do not have to encrypt and decrypt HTTPS traffic continuously.

Internal Load Balancer Address

Complete this field when you enable the Enable Data Center SSL Offload setting. Enter the host name or IP address that servers inside the data center network (behind the data center firewall) use to connect to the load balancer that fronts the application server cluster. The servers inside the data center network use unencrypted HTTP to connect to the load balancer using this address. For step-by-step instructions on enabling data center SSL offload, see the Security Guide.

External Load Balancer Address

Complete this field when you enable the Enable Data Center SSL Offload setting. Enter the host name or IP address that site servers and desktop applications on networks outside the data center firewall use to connect to the load balancer that fronts the application server cluster. The site servers and desktop applications use encrypted HTTPS to connect to the load balancer using this address. For step-by-step instructions on enabling data center SSL offload, see the Security Guide.

Data-At-Rest Encryption

Enable Data-At-Rest Encryption

To encrypt all recorded content immediately as it is written to the disk on the recorder server, choose this option. The content remains encrypted as it is archived.

This field can be enabled only when there is an RSA, Thales, or AWS Key Management Server configured. See the Security Configuration Guide for more information.

You must have a license for security to enable this option.

You can edit this option at the Enterprise, Site Group, Site, or Server nodes of the Installations tree.

Encryption Key Class

Type the encryption key class of the RSA Key Management Server (KMS). Key classes, such as recorder, are created in the RSA KMS. These key classes identify a set of encryption keys, derived from a specified key policy, and associated with a defined application group. For more information, refer to the Security Configuration Guide.

This field is required when Enable Data at Rest Encryption is checked. This field is disabled when Enable Data at Rest Encryption is not checked.

You can edit this option at the Enterprise, Site Group, or Site nodes of the Installations tree.

Beginning with release 15.2 Update 2020R1, this configuration setting applies only to an RSA KMS. For a Thales KMS, key creation is automatic based on tenant. For details, see the Thales 6.4.2 Key Manager Server Installation and Configuration Guide.

Legacy Encryption Key Class

In a gradual upgrade scenario, where you have upgraded application servers to v15.2 HFR4 (or higher) and you still have servers of the v11.1 release operating in your environment, you can specify the Legacy Encryption Key Class for the RSA Key Management Server (KMS) used by the v11.1 servers.

Specifying this key class allows the v11.1 servers to continue to operate with the legacy RSA Key Management Server.

Screen Encryption

Encrypt Screen Content in Transit

This check box applies to environments that support screen recording. You must be licensed for Encryption Management to select this option.

With screen recording, screen capture data is sent over the network from the local computer of an agent to a screen recorder server.

To ensure that this screen capture data is sent over the network in the encrypted format, select this check box.

Selecting this option prevents sensitive data present in screen images, such as credit card or social security numbers, from being transmitted in an unencrypted format.

Note: If you enable this option, the screen capture data is encrypted only while in transit on the network. Selecting this option does not encrypt screen capture data that is stored on a recorder or archived. To encrypt the recordings stored on a recorder or archived, also select the Enable Data-At-Rest Encryption option.

You can edit this option at the Enterprise, Site Group, or Site nodes of the Installations tree.

For example, assume that you select this option for Site A, but not Site B. Screen activity is encrypted for the agent computers operating in Site A, but not for the agent computers in Site B.

Encrypting Screen Content in Transit to the Live Monitor Application

An extra configuration step is required on a supervisor desktop when screen content is encrypted in transit to the Live Monitor application.

Assume that both of the following are true:

  • You use Screen Live Monitor (Real-Time Monitoring) in your enterprise.

  • You enable the Encrypt Screen Content in Transit option.

To allow a supervisor to Live Monitor agent desktops that are configured for Encrypt Screen Content in Transit, perform this additional procedure on the supervisor desktop:

Note: If the client.wss file is copied to the playback directory, the supervisor can live monitor only encryption-enabled desktops. If the client.wss file is not copied to the playback directory, the supervisor can live monitor only desktops that are not encryption-enabled.

For information about creating and deploying the client.wss file, see the Security File Configuration section of the Security Configuration Guide.

Encryption Management for RSA and Thales KMS types (Configurable only from the Enterprise node)

KMS Server Type

Select the appropriate KMS server type, such as RSA, Thales KMS, or Thales CipherTrust KMS.

Note: To use AWS KMS or Azure Key Store, you need the appropriate license. For configuration of the encryption parameters, see:

Primary Key Management Server

Type the host name or fully qualified domain name (FQDN) of the primary server that hosts the key management system. If you selected the RSA KMS server type, type the port number (default 7443) for the RSA server in the Port field. If you selected the Thales KMS server type, a Port field is not available.

You must have a license for security to specify a Primary Key Management Server.

For more information, see the RSA Key Manager Server Installation and Configuration Guide or the Thales 6.4.2 Key Manager Server Installation and Configuration Guide.

Secondary Key Management Server

Type the host name or fully qualified domain name (FQDN) of the secondary (or backup) server that hosts the key management system, if one exists. If you selected the RSA KMS server type, type the port number (default 7443) for the RSA server in the Port field. If you selected the Thales KMS server type, a Port field is not available.

You must have a license for security to specify a Secondary Key Management Server.

For more information, see the RSA Key Manager Server Installation and Configuration Guide or the Thales 6.4.2 Key Manager Server Installation and Configuration Guide.

Domain

This field displays only when Thales or Thales CipherTrust is selected as the KMS Server Type.

The domain is Vormetric-specific and created by the customer during the Thales KMS web application set up. You must obtain the domain name from the customer.

The domain is a logical group under which you can add the application server so that the application server can retrieve keys from the Thales KMS. This domain entry is required to enable the Key Agent installed on the application server to register under the domain.

User Name and Password

The username and password for the user account created on the CipherTrust KMS server for selected domain.

Shared Secret Key

This field displays only when Thales is selected as the KMS Server Type.

This key is a password created by the customer in the Thales KMS web application. You must obtain this password from the customer. This key must be specified here to enable the Key Agent on the application server to register with the Thales KMS.

Client Certificate File Password

This field displays only when RSA is selected as the KMS Server Type.

Type the export password of the client certificate used to create an identity/application in RSA KMS.

A pre-generated client certificate, I360KMClientCertKey.p12, is installed in the install directory\software\conf\securityKMCerts folder during installation. By default, the system is configured to use the pre-generated client certificate.

The default password of the pre-generated client certificate is impact360 (all lowercase).

Key Cache Password

This field displays only when RSA is selected as the KMS Server Type.

This field is used only if you have Acquisition Recorders in your environment. In this case, enter the password that protects the key cache. Otherwise, do not complete this field.

If Key Not Present

Select the action to be taken when the encryption key is not available for any reason. For example, the key is unavailable due to network problems or other technical difficulties.

This setting applies only to recorder servers that have either the TDM Recorder or IP Recorder server role activated.

  • If you want the recorder servers to stop recording or archiving when the encryption key is not available, click Stop Recording or Archiving.

  • If you want the recorder servers to continue recording or archiving when the encryption key is not available, click Record or Archive in Unencrypted Format.

You can test whether application servers can retrieve the encryption key from the Test KMS feature at the bottom of the Security page.

Encryption Management for AWS KMS (Configurable only from the Enterprise node)

KMS Server Type

Select the AWS KMS server type.

Note: In a cloud deployment for the AWS KMS, you must disable HCM (Host Certificate Matching Check) to allow web access using a public IP.

AWS Authentication Type

Select the AWS Authentication Type used in your environment. Options include:

  • Access Key ID

  • Implicit Authentication (Only works on EC2 instances because the base credentials are implicitly sent through the EC2 metadata service.)

Access Key ID

This field is available only when Access Key ID is selected as the AWS Authentication Type. Enter the user-specified alphanumeric application access key ID for the AWS account. This field can have a minimum of 16 characters and a maximum of 128 characters.

Secret Access Key

This field is available only when Access Key ID is selected as the AWS Authentication Type. Enter the user-specified application secret access key for the AWS account. This field supports alphanumeric characters and the plus ( + ) and forward slash ( / ) characters. This field has no character limit.

Region

Specify the Amazon Web Service (AWS) region hosting the Amazon Connect call center. This field can have a minimum of 2 characters and a maximum of 25 characters. The field supports alphanumeric characters and the hyphen ( - ) character. This field is blank by default.

Roles check box

Select this check box to use a specific application IAM Role. If you select this check box, you must provide the specific role information in the Role ARN (Amazon Resource Name) and External ID fields.

Role ARN

This field is enabled only when the Roles check box is selected. When this field is enabled, enter the user-specified application IAM Role ARN. This field is blank by default. This field can have a minimum of 20 characters and a maximum of 2048 characters.

External ID

This field is enabled only when the Roles check box is selected. When this field is enabled, enter the user-specified application IAM Role External ID. This field allows all characters and is blank by default. The field can have a minimum of 2 characters and a maximum of 1224 characters.

Key Encryption Key (KEK)

You can provide the KEK in one of the following four forms. The KMS can verify the KEK in any of the forms, all of which can be found in the AWS Console. This field can have a minimum of 20 characters and a maximum of 2048 characters.

  • KEK ID - To use the KEK ID, the key must be manually created in the AWS console. The KEK is a 36-character hex GUID with dashes (-). Example: f6086995-0eb7-4553-991d-b739e1fe9160

  • KEK ID ARN - To use the KEK ID ARN, the key must be manually created in the AWS console. The KEK ID ARN begins with ‘arn:aws:kms:’, ‘arn:aws-cn:kms:’, or ‘arn:aws-us-gov:kms:’, followed by a region, colon(:), a 12-digit account number, colon(:), and the KEK ID. Example: arn:aws:kms:us-east-1:089424204844:key/f6086995-0eb7-4553-991d-b739e1fe9160

  • KEK Alias - If the KEK does not exist, the KMS creates it for you with this alias. The KEK Alias is a character string starting with ‘alias/’ followed by 1 to 255 characters. The value can include alphanumeric, dash(-), underscore(_), and forward slash(/). Example: alias/kms-created

  • KEK Alias ARN - If the KEK does not exist, the KMS creates it for you with this alias. Matches the KEK ID ARN, except the final section is the alias. Example: arn:aws:kms:us-east-1:089424204844:alias/kms-created.
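As an added example, not the product's own validation code, the following Python classifies a KEK value into one of the four forms above using only the constraints listed on this page and reports whether that form lets the KMS create a missing key. The regular expressions and the returned field names are assumptions; the sample values are the examples given above.

```python
import re
from typing import Optional

# Constructed patterns from the page's description of each form (assumption: the
# product's own validator may accept or reject inputs differently).
_GUID = (
    r"(?P<key_id>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
)
_ALIAS = r"(?P<alias>alias/[A-Za-z0-9_/-]{1,255})"
# ARN prefix: partition, the literal service "kms", a region, and a 12-digit account.
_ARN = r"arn:(?P<partition>aws|aws-cn|aws-us-gov):kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"

KEK_FORMS = [
    ("KEK ID", re.compile("^" + _GUID + "$")),
    ("KEK ID ARN", re.compile("^" + _ARN + "key/" + _GUID + "$")),
    ("KEK Alias", re.compile("^" + _ALIAS + "$")),
    ("KEK Alias ARN", re.compile("^" + _ARN + _ALIAS + "$")),
]

# Field maximum from the page; the bare-form examples on the page are shorter than
# the stated 20-character minimum, so only the maximum is enforced here.
MAX_KEK_LEN = 2048


def parse_kek(value: str) -> Optional[dict]:
    """Return a dict describing the KEK form, or None if it matches no form.

    Keys: form, kms_creates_if_missing, partition, region, account, key_id, alias.
    ID forms require a pre-created key; alias forms let the KMS create the key.
    """
    value = value.strip()
    if not value or len(value) > MAX_KEK_LEN:
        return None
    for form, pattern in KEK_FORMS:
        match = pattern.match(value)
        if match:
            info = {
                "form": form,
                "kms_creates_if_missing": form.startswith("KEK Alias"),
                "partition": None,
                "region": None,
                "account": None,
                "key_id": None,
                "alias": None,
            }
            info.update({k: v for k, v in match.groupdict().items() if v is not None})
            return info
    return None
```

An ARN for another service, a short account number, or an alias without the ‘alias/’ prefix all return None, which is the case an administrator hits when pasting the wrong console value.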

Key Vault Table

Specify the table name provided when the table was created. If you do not have a table configured, the KMS creates it using the name you enter here. This field supports an alphanumeric character string from 3 to 255 characters long. The dot ( . ), dash ( - ), and underscore ( _ ) characters are also supported.

Encryption Management for Azure KMS (Configurable only from the Enterprise node)

KMS Server Type

Select the Azure KMS server type.

Authentication Type

Select the Azure Authentication Type used in your environment. Options include:

  • Service Principal (Certificate) - A Service Principal is a local definition of an Azure Active Directory application. Certificate credentials are added to the Service Principal. A Service Principal, just like a user or group, can be assigned permissions in Active Directory and roles in Azure. A Service Principal can authenticate to Active Directory and Azure non-interactively.

  • Managed Identity - Azure manages Managed Service identities automatically. A Managed Service identity enables you to authenticate to services that support Azure Active Directory authentication without providing authentication details.

    Managed identities use certificate-based authentication. The credential for each managed identity has an expiration of 90 days and it is rolled after 45 days. Azure rolls the credentials that are used by the service instance.

Azure Certificate (Public Key)

This field is available only when Service Principal (Certificate) is selected as the Authentication Type. Specify the certificate for the service principal.

Azure Private Key

This field is available only when Service Principal (Certificate) is selected as the Authentication Type. Specify the private key for the service principal. The value in this field is encrypted.

Azure Active Directory Tenant ID

This field is available only when Service Principal (Certificate) is selected as the Authentication Type. Specify the Directory (Tenant) ID of the application/service principal. This field requires a 36-character hex GUID consisting of alphanumeric characters and dashes ( - ).

Azure Service Principal Application ID

This field is available only when Service Principal (Certificate) is selected as the Authentication Type. Specify the Application (Client) ID of the application/service principal (ID of an Azure Active Directory). This field requires a 36-character hex GUID consisting of alphanumeric characters and dashes ( - ).

Azure Key Name (KEK)

Specify the name of the Azure Key Encryption Key. This value can be an alphanumeric string 1 to 127 characters long that includes dashes ( - ). Lower-case and upper-case characters are supported.

Azure Key Vault Name

Specify the name that was provided for the Key Vault when the Key Vault was created. The Key Vault is the central component of key management with Azure. If the URL of the Key Vault is https://test-keyvault.vault.azure.net then the name of the Key Vault is test-keyvault. This name can be an alphanumeric string 3 to 24 characters long that includes dashes ( - ). Lower-case and upper-case characters are supported.

Legacy Encryption Management (Configurable only from the Enterprise node)

In an upgrade scenario, where you have upgraded application servers to 15.2 HFR4 (or higher) and you still have servers of the 11.1 release operating in your environment, you can specify the configuration settings for the RSA Key Management Server (KMS) used by the 11.1 servers.

Primary Key Management Server

Type the host name or fully qualified domain name (FQDN) of the primary server that hosts the key management system used by the v11.1 servers in your environment. If a Port field displays, type the port number used by the server that hosts the key management system (for example, port 7443 for RSA KMS).

Secondary Key Management Server

Same as described for Primary Key Management Server, but applies to the secondary (backup) KMS server used by the v11.1 servers in your environment. (Not all environments have a backup RSA KMS.)

Client Certificate File Password

Type the export password of the client certificate used to create an identity/application in the RSA KMS used by the v11.1 servers in your environment.

A pre-generated client certificate, I360KMClientCertKey.p12, is installed in the install directory\software\conf\securityKMCerts folder during installation. By default, the system is configured to use the pre-generated client certificate.

The default password of the pre-generated client certificate is impact360 (all lowercase).

Application Security (Configurable only from the Enterprise node)

Enable Application Security Filters

Enhances security by enabling secure gateway web application firewall protection rules. The default setting is enabled.

Session Timeout

Specify the number of minutes an application stays active before requiring that the user logon again. When this time interval elapses, a logon prompt displays to the user, and the user must log on again to continue using the application.

The Session Timeout setting is a security precaution. Specifying a Session Timeout interval can prevent unauthorized users from accessing the system through applications left running on unattended computers.

Apply Session Timeout to Auto Refresh Pages

To apply the Session Timeout interval to applications that include pages that automatically refresh themselves, select this option.

Some applications (including Enterprise Manager) contain pages that automatically refresh their contents at user-defined intervals. These pages include a Refresh Rate setting, usually in the upper-right corner of the page.

If you do not select this option, applications that contain auto-refresh pages do not timeout when the Session Timeout interval elapses. (The applications will not require users to log on again after the Session Timeout interval elapses). These applications do not timeout because their pages are refreshed at regular intervals.

Enable CSRF Defense

Enables defense against cross-site request forgery attacks. Specifically, this setting enables adding tokens for double submit cookie cross-site request forgery (CSRF) protection. The default setting is enabled.
