Genesys Engage on-premises

  • 1.  Mutual-TLS with Genesys Administrator

    Posted 03-14-2019 05:13
    I've been investigating the security options within the Genesys Platform actually just as the latest Tech Tutorial was coming up.
    I've been able to enable mutual-tls between GAX and Config Server, Message Server and SCS correctly, but was looking to do the same with Genesys Administrator (version 8.1.311.03) but have limited success.
    If I define tls-mutual=0 on the ports for Config Server and SCS then a secure connection is successfully made, but if I attempt to have tls-mutual=1, then it fails to connect.
    I have updated the Web.Config for GA with the below (thumbprint partially masked):
    <!-- Client certificate thumbprint which will be using for establishing of GA secured connections in mutual mode -->
    <add key="ClientCertificate" value="8e ee cb 9....... 0c 7d a3 f9" />

    1. When reviewing the GA logs, it doesn't look like this is even used when connecting to Config Server.  Additionally, when I check the Config Server logs I see the below, which I worked out during the GAX work meant there was no certificate being offered back from the client (GA in this case).  For GAX it was because I missed the mf_tls_mutual=true option in gax.properties.
      error 8009030e querying client certificate
      No credentials are available in the security package
    2. When connecting to SCS, I can see the below in the GA logs.  It doesn't note if it found the certificate, which I've tried making available at the Local Machine and Local User store in Windows, and given I have pretty much the same settings for GAX, would hope it would work.
      2019-03-14 19:48:32,826 [5] DEBUG App.Monitoring.Management.GScsNetConnection [Jason McLennan] - The client certificate thumbprint '8e ee cb.....7d a3 f9' is retrieved from settings
      2019-03-14 19:48:32,858 [Genesyslab.PCT.Invoker.AbstractChannelDefault] INFO App.Monitoring.Management.GScsNetConnection [(Unauthenticated user)] -
      SCS connection -842452685 is broken: protocol has been closed
      2019-03-14 19:48:32,858 [Genesyslab.PCT.Invoker.AbstractChannelDefault] INFO App.Monitoring.Management.GScsNetConnection [(Unauthenticated user)] -
      SCS connection closing reason: Exception occured during channel opening
      2019-03-14 19:48:32,858 [Genesyslab.PCT.Invoker.AbstractChannelDefault] INFO App.Monitoring.Management.GScsNetConnection [(Unauthenticated user)] -
      SCS connection closing details: Authentication failed because the remote party has closed the transport stream.
    Is mutual TLS even an option for either of these connections in GA?
    #PlatformAdministration
    #Security

    ------------------------------
    Jason Mclennan
    Commonwealth Bank of Australia
    ------------------------------


  • 2.  RE: Mutual-TLS with Genesys Administrator
    Best Answer

    Posted 06-10-2019 18:01
    Just an update that I did manage to solve this.
    I had my IIS application pool running as a different user (A Group Managed Service Account) and had not loaded the certificate with private key under that user.  I had expected it'd be able to pick it up from the Local Machine Certificate store.
    To import it under the specific user, you will need to use psexec to load the certificate store for that user (not the user currently logged in):
    • psexec -i -u <domain/user> mmc.exe


    ------------------------------
    Jason Mclennan
    Commonwealth Bank of Australia
    ------------------------------
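    A check for the situation the answer describes, as an added example that is not from the thread or from Genesys: run as the app pool account (e.g. launched through the psexec -i -u step above), it shows whether the thumbprint from GA's Web.Config resolves to a certificate whose private key that account can actually open. The Web.config path, the app pool name and an RSA key are assumptions.

```powershell
# Added example, not from the thread. Run this AS the IIS app pool account, e.g.
#   psexec -i -u <domain\user> powershell.exe -File .\Check-GaClientCert.ps1
# so that Cert:\CurrentUser is that account's store. Path and pool name are assumptions.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\GenesysAdministrator\Web.config', # assumed path
    [string]$AppPoolName   = 'GenesysAdministrator'                                # assumed name
)
$ErrorActionPreference = 'Stop'

# 1. Read the thumbprint GA was configured with and normalise it (the thread shows it with spaces).
[xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
$node = $cfg.SelectSingleNode("//add[@key='ClientCertificate']")
if (-not $node) { throw "No ClientCertificate key found in $WebConfigPath" }
$thumb = ($node.value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
"Configured thumbprint: $thumb  (running as $env:USERDOMAIN\$env:USERNAME)"

# 2. Show which identity the pool really uses (a gMSA appears as DOMAIN\name$ under SpecificUser).
Import-Module WebAdministration
$pm = (Get-Item "IIS:\AppPools\$AppPoolName").processModel
$identity = if ($pm.identityType -eq 'SpecificUser') { $pm.userName } else { $pm.identityType }
"App pool '$AppPoolName' identity: $identity"

# 3. Look in this account's and the machine's personal stores, and prove the private key can be
#    opened by this account: a certificate that is present but whose key is unreadable fails the same way.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $cert = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { "$store : not found"; continue }
    $ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    $clientAuth = (-not $ekus) -or ($ekus -contains $clientAuthOid)   # no EKU extension = any purpose
    try {
        # RSA key assumed; returns $null for a non-RSA key, throws if this account cannot read it.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $keyUsable = $null -ne $key
    } catch { $keyUsable = $false }
    "$store : found; HasPrivateKey=$($cert.HasPrivateKey); key openable by this account=$keyUsable; " +
    "ClientAuth EKU=$clientAuth; valid until $($cert.NotAfter)"
}
```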


