Please note our general information about our modules.

General information

The call recording module is designed so that it can be operated several times on one system, i.e. several module configurations can be created. All module configurations share the integrated protocol database as well as the system-specific certificate and key pair for cryptographic signatures. However, individual storage targets can be specified for each module configuration. When running several module configurations, please note that a call that has already been recorded by one configuration will not be recorded again by another configuration.

When configuring the module for the first time, please make sure that you set the module log level to at least "INFO". At this log level, the module outputs information about the test certificate and the OneDrive connection.

Recording settings

The Recording Settings section covers which conversations and which audio channels are to be recorded, and the optional playback of recording announcements.

Audio recording

Incoming calls: Calls that are directed to the group to be recorded (destination is a group phone number) or to the user to be recorded (destination is the personal phone number of a user) are recorded. If several groups are to be recorded, they can be redirected to the group to be recorded using an "always" redirection.

Outgoing calls: Calls of a user who is an active group member of the group to be recorded, or who was explicitly selected as the user to be recorded, are recorded. In the case of group membership, a user can log out of the recording group (e.g. by pressing a key) in order to conduct a call that is not to be recorded.

Record direct calls to active group members: Incoming calls are normally only recorded if they directly target the group or user to be recorded. If the setting "Record direct calls to active group members" is activated, calls are additionally recorded that are not directed to the group or user to be recorded, but directly to the personal extension of a user who is also an active member of the group to be recorded.

The module checks separately for each incoming and outgoing call whether the recording requirements are met. If so, an optional announcement is played and the recording is then started automatically.

The following options are available for the audio channels to be recorded:

- Caller
- Called party
- Both (in one file)
- Both (in separate files)

When both parties are recorded in one file, each party is saved as one channel of a stereo WAV file. The channels are merged immediately after the end of the call, but before the audio data is signed.

For calls between two STARFACE users, STARFACE version 6.4.3 does not signal an outgoing call (from the caller) to the module system, but only the incoming call (from the called party). A recording therefore only takes place if the called party is in a recording group. In other words: it is not sufficient for the calling STARFACE user to be a member of a recording group.

Information for callers

Depending on how and where this module is used, you may be required to inform the participants that their conversation is being recorded. Different audio announcements can be configured for incoming and outgoing calls. For example, your own employees, who are generally aware of the recording, can be notified of a recording with a simple beep, while external callers are informed in more detail.

Announcements are only played back to the respective caller (not to the called party). This means that the called party does not hear an announcement for outgoing calls. It is assumed that in the case of outgoing calls to be recorded, the called party was informed of the recording in advance.

Verifiability and archiving

In the area of verifiability and archiving, checksum signatures can be activated in order to allow subsequent verification of the integrity of the recorded metadata and audio recordings.

The module creates an individual 2048-bit RSA key pair (private and public key) on initial installation. The private key is encrypted with a secret, customer-specific password and stored in a password-protected and 3DES-encrypted KeyStore. The private key is only available within the module.

After a recording, a checksum file containing the SHA256 checksums of the metadata file and all audio files is created within the module. The checksum file is format-compatible with shasum (Digest-SHA). If all metadata and audio files as well as the checksum file are located in one directory, the integrity can be verified using shasum -a 256 -c <checksum file>.

Then a base64-encoded, SHA256-based RSA signature of the checksum file is generated (using the individual private key) and stored in a file named <checksum file>.SHA256withRSA.sig. This signature ensures that the listed checksums were calculated within the module and have not been changed subsequently.

The public key of the RSA key pair is required for signature verification. It is contained in the test certificate, which is displayed in the module configuration and written to the module log at each start. The test certificate is issued by and for the owner "Fluxpunkt Gesprächaufzeichnung <Modul-ID>" and is valid for 100 years from the date of generation. The authenticity of the certificate can be verified via the module log. All certificate details are displayed there at each start.

The complete check of a recording therefore consists of:

- comparing the checksums stored in the checksum file with the checksums of the audio and metadata files
- checking the signature of the checksum file with the public key of the test certificate.

Our test script verify.sh is available to you as an example implementation.

Please save the test certificate displayed in the module. It does not contain any secret information, but is indispensable for a later integrity check! Without the certificate, it cannot be guaranteed that the checksums of the metadata and audio files were generated by the module itself. It is recommended to have the generated certificate digitally signed by a trustworthy CA in a timely manner.

On request we offer to check your installation of call recording and to digitally sign the authenticity of the generated certificate so that a certificate chain up to a trustworthy Root-CA results.

Storage targets

In the Storage Targets area, you can enable uploads to SMB shares, SFTP servers, and Microsoft OneDrive. Several different storage targets can be activated so that the recording data is stored in several locations.

Windows share

Specify the destination network share server as the hostname or IP address only. No protocol information or similar is required (and not supported). The user name does not require a domain specification (there is a separate field for this). The specified user needs read/write permissions for the specified share and the right to create new directories/files. The share name must not contain any subdirectory information.

The SMB subdirectory field can contain static and dynamic directory information (separated by "/"). An example of a static specification would be the directory structure "Recording/Starface". Dynamic directory specifications consist of a combination of variables with optional static name parts, e.g. "Record-$Y_$M_$D_$h_$m_$s". Non-existent directories are created.

The following placeholders can be used in the variable name components:

- $Y = Year
- $M = Month
- $D = Day
- $h = Hour
- $m = Minute
- $s = Second

The variable components are replaced by the time stamp of the beginning of the recording. Dynamic subdirectories not only allow chronological archiving, but also prevent too many audio files from accumulating in one directory, which can lead to server-side performance problems.

The "SMB Security" field is currently a placeholder and is not yet evaluated.

SFTP

Enter the SFTP server as host name or IP address here. No further protocol information or similar is required (and not supported). The SFTP directory should be specified relative to the home directory of the SFTP user. Please use only ASCII characters without any special characters for the directory specification.

The SFTP library used by STARFACE sometimes has problems with nested directories. If there are problems with the upload, please try specifying only one directory or a dot (".") to select the home directory of the SSH user.

On the module side, the same variable name components are supported within the directory specification as for Windows shares.

Microsoft OneDrive

Customers of Microsoft GermanCloud (Office 365 Deutschland or OneDrive Plan Deutschland; a special and somewhat more expensive tariff for increased data protection requirements) must activate the GermanCloud option in the module configuration and use the newly generated authorization link (identifiable by the target host login.microsoftonline.de). For customers of the international cloud the option must be deactivated (the generated link will contain login.microsoftonline.com). It is neither possible to log on to the GermanCloud with access data from the international cloud, nor vice versa. If there are problems granting access rights, please try logging in with an administrative Office 365 account.

If you want to use Microsoft OneDrive as your storage target, click the "Authorize Call Recording for OneDrive Use" button in the Module Configuration tab "Storage Destinations". Copy the displayed link and open it with a web browser of your choice. You will be redirected to a Microsoft login page and prompted to enter your Office 365/OneDrive credentials. You then have the option of giving the Call Recording module access to your OneDrive directory. If you confirm the access, you will be redirected to a page without content. In the browser address line you will find a parameter code=<OneDrive authorization code>. Copy the authorization code (only the code, without any other parameters) into the "OneDrive for Business Authorization Code" field within the module configuration.

The "OneDrive for Business Subdirectory" field supports the same syntax as subdirectories for Windows shares. Nested directory specifications and variable name components can be used here.

If the upload to OneDrive fails, please check the entered authorization code. If the upload still fails, repeat the OneDrive logon procedure described above.

Create retention policies in Microsoft Office 365

We recommend that you use a separate Office 365 user for the Call Recording module. In this way, the configured retention policy can be applied selectively to this user's files only, without all other content being subject to the retention policy.

Notification in case of storage errors

If you would like to be notified of problems with uploading your call recordings, please provide an email address for notifications. Sending emails successfully requires that the STARFACE email configuration has been carried out correctly.

An email is sent for each upload attempt in which at least one file could not be uploaded correctly. Since the files in this case remain on the STARFACE and are included again in the next upload attempt, this can result in a large number of emails at short intervals.

Known restrictions

The length of a telephone call in WAV format must not exceed 2GB (corresponds to a call of about 33h), otherwise the recording for this call will fail.

No STARFACE backup process may be carried out during a call recording. Otherwise the target drive for the recording is included in the backup (affects STARFACE 6.4.2.x), or ongoing recording processes are disturbed or interrupted, whereby recorded subscribers can no longer be called (also affects other STARFACE versions). Please schedule the backup time so that no call recording takes place during this time.

Since the STARFACE redundancy module also technically triggers backup processes, the aforementioned restriction also applies to the STARFACE redundancy module. It is not compatible with the Call Recording module!

If it cannot be ruled out that calls to be recorded take place during a backup, STARFACE backups must be deactivated and a STARFACE VM edition must be used that allows external backups of the VM (snapshot-based backups) that are transparent to the application being executed (the STARFACE system). The STARFACE default backup can currently only be deactivated by executing the following SQL statement within the STARFACE database (please contact your STARFACE partner):

    UPDATE backup_schedules SET type = 'MANUAL' WHERE id = 0;

Information on recording according to WpHG (as of 03.01.2018)

Investment service providers must inform new and existing customers as well as their own employees and authorised persons in advance in an appropriate manner about the recording of telephone conversations. Where an investment firm has not informed its clients in advance of the recording of telephone or electronic communications, or where the client has objected to the recording, the investment firm may not provide investment services to the client initiated by telephone or electronic communications, if those services relate to the acceptance, transmission and execution of client orders.

It is therefore advisable to inform customers in advance, preferably in writing, of the obligation to keep records in accordance with the German Securities Trading Act by means of a separate notification. At the end of the required retention period, the records shall be deleted.

Please understand that we are not allowed to offer any legal advice. If you have any questions regarding the legally compliant implementation of legal requirements in a specific case, please contact a person you trust who is authorised to give legal advice.

Sources

- Directive 2014/65/EU recast - MiFID II
- Delegated Ordinance (EU) of 25.04.2016
- 2. FiMaNoG (Second Financial Market Amendment Act)