MTLS
Mutual TLS(mTLS), is a method for mutual authentication. mTLS ensures that the parties at each end of a network connection are who they claim to be by verifying that they both have the correct private key. The information within their respective TLS certificates provides additional verification.
By adopting mTLS, LivePerson is looking to adhere to industry standards and offer more secure connections between brands and their consumers.
By verifying both the identity of the LivePerson server and the identity of the brand, we can make sure that there's no man in the middle attacks, fraud, phishing or other security risks.
The optimal flow looks like this:
html:
Client Server (LivePerson)
+------------+ +----------------------+
| | | |
| Initiate |-------------->| |
| Connection | | |
| | | Perform Server-side|
| | | mTLS Authentication|
| | | (Verify Client's |
| | | Certificate) |
| | |-------------------->|
| | | |
| | | Respond with |
| | | Server Certificate|
| | |<---------------------|
| Perform | | Perform Client-side |
| Client-side|<--------------| mTLS Authentication|
| mTLS | | (Verify Server's |
| Authentication| | Certificate) |
| (Verify | |<---------------------|
| Server's | | |
| Certificate)| | Secure Connection |
| | | Established |
+------------+ +----------------------+
- The client initiates a connection to the server (LivePerson).
- The server performs server-side mTLS authentication, verifying the client's certificate.
- If the client's certificate is valid, the server responds with its own certificate.
- The client then performs client-side mTLS authentication, verifying the server's certificate.
- If the server's certificate is valid, a secure connection is established between the client and the server.
This flow ensures mutual authentication between the client and the server, providing a secure connection that protects against man-in-the-middle attacks, fraud, phishing, and other security risks.
To set up mTLS:
1. Enable mTLS in Houston
Navigate to Supportal. The Supportal page appears.
Click Houston. The Mission Control page appears.
Click AC Features. The AC Features page appears.
Search for mTLS in the search bar at top right corner. Ensure that the following services are enabled.
- Common.lp-mtls-ui.MTLS.Self_Service
- Common.MTLS_enabled
Click UPDATE FEATURES. The settings are saved.
2. Configure mTLS in Conversation Cloud
Sign in to your Conversation Cloud account. The Homepage appears.
Click Hamburger Menu > Manage > Management Console. The Management Console appears.
Search for mTLS and select it from the suggestion that follows. The mTLS Self Service page appears.
Click Add Certificate. The Add Certificate fields appear.
2.1 Add New Certificate
Utilize this option when the Client has opted to configure their own certificate instead of using a LivePerson provided certificate.
Ensure that the Auto generate certificate toggle is turned off.
Provide the required information:
- Certificate Name: Input the name of the certificate as provided by the client.
- Certificate Password: Input the certificate password as provided by the client.
- Certificate (P12): Upload the client provided certificate in p12 format here.
Click Confirm. The new certificate is added.
2.2 Add New LP Certificate
Utilize this option when the client decides to use the LivePerson Certificate.
Ensure that the Auto generate certificate toggle is turned on.
Provide the required information:
- Certificate Name: Input the name of the certificate as provided by the client.
- Certificate Password: Input the certificate password as provided by the client.
Click Confirm & download certificate. The Certificate is downloaded in zip format.
Unzip the the zip file using the certificate password provided earlier.
The new certificate is added.
3. Configure URL Mapping
Once a certificate is newly added, it must be validated.
Navigate to mTLS Self service home page.
Click the Validate option next to the newly added certificate. The Validate Certificate confirmation page appears.
Click Confirm installation. The Activate Certificate page appears.
Provide the following information:
- Service: Input the service name for which mTLS needs to be configured.
- URL/Endpoint: Input the endpoint URL for which the mTLS needs to be configured.
- Validate mapping: The Validate Mapping checkbox is automatically selected to test the URL before mapping configuration. If you prefer to skip testing, simply uncheck it.
Click Activate certificate.
URL mapping is created and status is updated to Active.
4. Update URL with New Certificate
Update an already existing URL and map it with a new certificate.
Navigate to mTLS Self service home page.
Click the Validate option next to the newly added certificate. The Validate Certificate confirmation page appears.
Click Confirm installation. The Activate Certificate page appears.
Provide the following information:
- Service: Input the service name for which mTLS needs to be configured.
- URL/Endpoint: Input the endpoint URL for which the mTLS needs to be configured.
- Validate mapping: The Validate Mapping checkbox is automatically selected to test the URL before mapping configuration. If you prefer to skip testing, simply uncheck it.
Since the URL already exists, a prompt indicates that you are updating the mapping with a new certificate.
Click Renew certificate.
URL mapping has been successfully renewed, and the status has been updated to Active.
5. Reuse Certificate
If you intend to apply the same certificate to multiple URLs, you can take advantage of the reuse feature.
Navigate to mTLS Self service home page.
Click the ellipses option on the certificate you wish to reuse, click Reuse. The Edit Activation screen appears.
Provide the following information:
- Service: Input the service name for which mTLS needs to be reused.
- URL/Endpoint: Input the endpoint URL for which the mTLS needs to be reused.
Click Save.
URL mapping has been successfully reused, and the status has been updated to Active.
6. Delete Certificate
Utilize this option to remove any unwanted URLs from the system.
Navigate to mTLS Self service home page.
Click the ellipses option on the certificate you wish to reuse, click Delete.
The Certificate is deleted and removed from the page.
7. Download Certificate
Utilize this option to download the certificate of an added URL.
Navigate to mTLS Self service home page.
Click the ellipses option on the certificate you wish to reuse, click Download. A Password-protected zip file is automatically downloaded.
Open the zip file with the password that was provided at time of certificate creation.
mTLS Use Cases
Our mTLS methods allow you to add an additional layer of security to all communications between yourself, LivePerson, and your customers. You should use these methods to create mTLS certified conversations which provide this added layer of security. mTLS serves outbound traffic only. Traffic flow is LP Service –> mTLS –> Client Url.
mTLS in LP
At this moment (September 2022) is supported for the following LP services:
- IdP (via LP mTLS Gateway);
- Webhooks (via LP mTLS Gateway);
- FaaS (via mTLSClient);
- Conversation Builder (via Bot Accounts → Credentials);
Certificates Provisioning
Certificates for the mTLS service can be provisioned in 2 ways:
- Brand generates certificate chain and shares .pfx/.p12 with LP;
- LP generates certificate chain for the brand and shares public cert with the brand.
- To generate the certificate, email should be sent to paas-ops-lp@liveperson.com
mTLS Onboarding
mTLS Gateway (for LP IdP and Webhooks services)
Authentication:
Types:
- Bearer token, which can be retrieved from Login API
- Service level keys, which are for internal usage only, should be requested from mTLS team.
To configure mTLS on the account, it is enough to leverage the API methods, which require only bearer token authentication:
- Create/upload cert;
- Create cert mapping;
- Update cert mapping;
- Get list of certificates;
Service level keys are used to service requests:
- Check cert mapping params;
- Check cert mapping setup;
- Test mTLS against configured endpoint(GET, POST, PUT, DELETE);
Create (upload) certificate to the account;
html:
curl --location --request POST 'https://va.mtls.liveperson.net/mtls/account/{{ACCOUNT_ID}}/certificates/by-file' \
--header 'Authorization: Bearer {{BEARER}}' \
--form 'file=@"/Users/…./certs/2021/prod.client.liveperson.net.p12"' \
--form 'certificate="{\"name\":\"prodcert_20211027\", \"password\":\"...\"}"'Create certificate mapping
html:
curl --location --request POST 'https://va.ac.liveperson.net/api/account/{{ACCOUNT_ID}}/configuration/ac-common/mtls?v=3.0' \
--header 'Authorization: Bearer {{BEARER}}' \
--header 'Content-Type: application/json' \
--data-raw '[
{
"certificationId": "3566393530",
"serviceId": "2",
"enable": true,
"url": "https://example.com/webhooks/endpoint",
"siteId": "{{ACCOUNT_ID}}",
"name": "webhooks_cert_20220922",
"deleted": false
}
]
'Update certificate mapping
html:
curl --location --request PUT 'https://va.ac.liveperson.net/api/account/{{ACCOUNT_ID}}/configuration/ac-common/mtls?v=3.0' \
--header 'If-Match: 6' \
--header 'Authorization: Bearer {{BEARER}}\
--header 'Content-Type: application/json' \
--data-raw '[
{
"deleted": false,
"certificationId": "3548345830",
"enable": true,
"name": "uatcert",
"siteId": "{{ACCOUNT_ID}}",
"id": 2501742230,
"serviceId": "2",
"url": "https://example.com/webhooks/endpoint"
}
]
'Get list of certificates
html:
curl --location --request GET 'https://va.mtls.liveperson.net/mtls/account/{{ACCOUNT_ID}}/certificates' \
--header 'Authorization: Bearer {{BEARER}}Conversation Builder
Configuration
Step-by-step process is described here.
Usage
Configured mTLS credentials should be selected in the relevant integration
NOTE: Conversation Builder currently does not support combined authentication, where mTLS is combined with other authentication methods, like OAuth 2.0. If a specific API requires a combined authentication method, then FaaS option should be chosen.
FaaS
Notes:
- PEM format of the certificate is only allowed;
- Key/Cert should look like in terminal. So linebreaks should be visible in the editor and not be encoded with “\n”;
Example:
html:
const { Toolbelt } = require("lp-faas-toolbelt");
let cert = key = undefined;
async function lambda(input, callback) {
console.info("TEST");
try {
const [clientCert, clientKey] = await lazyLoadClientBundle();
const client = Toolbelt.MTLSClient({cert: clientCert, key: clientKey});
const {statusCode, body} = await client.get('https://certauth.idrix.fr/json');
console.info('Status Code', statusCode);
console.info('Body', body)
return callback(null, body);
} catch(err) {
console.error('Warn', err.message);
console.error('Stack', err.stack);
console.error('Name', err.name);
return callback(null, `MTLS Failed`);
}
}
async function lazyLoadClientBundle() {
if (cert && key) {
return [cert, key];
}
const client = Toolbelt.SecretClient();
if (cert === undefined) {
const {value} = await client.readSecret('cert');
cert = value;
}
if (key === undefined) {
const {value} = await client.readSecret('key');
key = value;
}
return [cert, key];
}