Santiago | 2020-03-26 14:05:31 UTC | #1
Hi,
Genesys has asked to use MTLS for the data action (https://help.mypurecloud.com/articles/mtls-support-for-data-actions/) for which it has provided a .pem certificate.
I need to know how to install that certificate on an IIS server, since when I try to install it, it asks me for a private key which I don't have. Also, IIS installs certificates in .pfx format, so I don't know the procedure for the Genesys .pem file.
Any help is appreciated. Regards
Jason_Mathison | 2020-03-26 18:39:51 UTC | #2
To set up IIS to verify the certificate that is provided by a Data Action, I don't think that you need to do anything more than add the .pem file to the trusted root certificate area of certificate management. In Windows 10 I was able to do that by:
- Hit Start -> type in certmgr -> Start "Manage Computer Certificates"
- Right Click on "Trusted Root Certification Authorities" -> All Tasks -> Import
- Clicking the file type dropdown in the lower right and choosing "All Files (*.*)"
- Import the certificate.
Another option is to rename the .pem file to .crt. Windows will then recognize the file as a certificate, and you can right click -> Import Certificate.
Two things to note: First, you are adding the ability for IIS to trust connections from the Data Action Service. This means that we are not providing a private certificate to you, only the public side of the Certificate Authority that generates certificates for Data Actions. That is a long-winded way of saying that you should not be asked for a private certificate as part of setting this up. Second, Genesys added support for MTLS as several customers requested it. While it is a great added layer of protection, it is not required, nor is it likely something we would ever require our customers to implement.
--Jason
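The steps above, scripted as an added example (this is not code from the post or from Genesys). It loads the Genesys CA certificate from the .pem file without any conversion to .pfx, confirms it carries no private key, adds it to the machine-wide Trusted Root store, and then sets the IIS site's `sslFlags` so that IIS actually asks for a client certificate during the TLS handshake, which the trust-store import alone does not do. The file path `C:\certs\genesys-data-actions-ca.pem` and the site name `Default Web Site` are assumptions; run it in an elevated Windows PowerShell session on the IIS host.

```powershell
# Added example, not from the original post or from Genesys.
# Assumptions: the Genesys CA file is C:\certs\genesys-data-actions-ca.pem and the
# IIS site is "Default Web Site". Requires an elevated session and the WebAdministration module.
Import-Module WebAdministration

function Install-DataActionCaTrust {
    param(
        [Parameter(Mandatory)] [string] $PemPath,
        [string] $SiteName = 'Default Web Site'
    )

    # The X509Certificate2 constructor reads Base64 (PEM) as well as DER, so the .pem file
    # loads as-is. A .pfx is only needed for certificates that come WITH a private key.
    $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PemPath)
    if ($ca.HasPrivateKey) { throw 'Expected a CA public certificate, but this file carries a private key' }
    if ($ca.NotAfter -lt (Get-Date)) { throw "CA certificate expired on $($ca.NotAfter)" }

    # Same effect as certmgr -> Trusted Root Certification Authorities -> Import (machine store,
    # not the current user's store, because the IIS worker process does not run as you).
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        if (-not $store.Certificates.Contains($ca)) { $store.Add($ca) }
    } finally {
        $store.Close()
    }

    # Trusting the CA only tells Windows which client certificates are acceptable; IIS still has
    # to ask for one. SslNegotiateCert makes IIS send a CertificateRequest in the handshake,
    # SslRequireCert rejects connections that present none (IIS answers 403.7).
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' `
        -Value 'Ssl,SslNegotiateCert,SslRequireCert'

    [pscustomobject]@{
        Subject    = $ca.Subject
        Thumbprint = $ca.Thumbprint
        NotAfter   = $ca.NotAfter
        Site       = $SiteName
    }
}

Install-DataActionCaTrust -PemPath 'C:\certs\genesys-data-actions-ca.pem' -SiteName 'Default Web Site'
```

Keep the thumbprint the function returns; it is the simplest way to check later that the right certificate landed in the right store. Also note that `SslRequireCert` makes IIS accept any client certificate that chains to any CA in the machine Trusted Root store, not only the Genesys one, so the trust you are granting is "present a certificate from a CA this machine trusts", nothing narrower.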
Santiago | 2020-03-26 21:07:53 UTC | #3
Thanks Jason for sharing your answer, it has been very valuable. Another question, what would be the correct way to validate that the certificate is correctly installed?
Jason_Mathison | 2020-03-27 12:42:46 UTC | #4
A reasonable approach to me would be to first have a data action working in test mode, as well as having a tool like Postman set up to directly hit your endpoint.
Setup the certificate.
Verify that the data action continues to work in test mode. Verify that the endpoint now requires a certificate when accessed directly.
[Edited to remove the idea of using the IIS capability to map a certificate to a user. The Data Action certificate can change at any time, so this is a terrible idea.]
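The three checks the post suggests, as an added example in script form (not code from the post or from Genesys): is the CA in the machine Trusted Root store, does the site's `sslFlags` require a client certificate, and what does the endpoint answer when hit directly with no client certificate. Since only Genesys holds a private key for that CA, the positive case (a request that presents a valid certificate) can only be exercised by running the Data Action in test mode; this script covers the negative case, where a direct request without a certificate should be refused. The URL `https://myserver.example.com/api/dataaction`, the site name and the thumbprint placeholder are assumptions.

```powershell
# Added example, not from the original post or from Genesys.
# Assumptions: endpoint https://myserver.example.com/api/dataaction on site "Default Web Site";
# -CaThumbprint is the thumbprint of the Genesys CA you imported. Run on the IIS host.
Import-Module WebAdministration

function Test-DataActionMtls {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $CaThumbprint,
        [string] $SiteName = 'Default Web Site'
    )

    # 1. The CA must be in the machine store; a CA in the current user's store is invisible to IIS.
    $rootHit = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $CaThumbprint }

    # 2. Does the site negotiate and require a client certificate?
    $access = Get-WebConfiguration -PSPath 'IIS:\' -Location $SiteName -Filter 'system.webServer/security/access'
    $flags  = [string]$access.sslFlags
    $requires = $flags -match 'SslRequireCert'

    # 3. Direct request with no client certificate. With SslRequireCert IIS answers 403 (403.7,
    #    client certificate required) before the request reaches your application.
    $status = $null
    try {
        $resp   = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        $status = [int]$resp.StatusCode
    } catch {
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        else { throw }   # no HTTP response at all (DNS/TLS failure): report it instead of guessing
    }

    $verdict = if ($rootHit -and $requires -and $status -eq 403) {
        'mTLS enforced: CA trusted, certificate required, anonymous request refused'
    } elseif ($status -eq 200) {
        'endpoint reachable WITHOUT a client certificate: IIS is not requiring one'
    } else {
        'inconclusive, inspect the fields above'
    }

    [pscustomobject]@{
        CaInMachineRootStore    = [bool]$rootHit
        SslFlags                = $flags
        RequiresClientCert      = $requires
        StatusWithoutClientCert = $status
        Verdict                 = $verdict
    }
}

Test-DataActionMtls -Url 'https://myserver.example.com/api/dataaction' -CaThumbprint 'PUT-THUMBPRINT-HERE'
```

If the direct request comes back 200, IIS is at most negotiating a client certificate (`SslNegotiateCert` without `SslRequireCert`), which is why a browser or Postman shows no prompt and the endpoint keeps working either way; a browser prompts only when it holds a certificate from a CA the server lists, so its silence is not a reliable signal on its own.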
Santiago | 2020-03-28 14:40:40 UTC | #5
I performed the tests with the data action, but I never got a requirement for a certificate; with or without a certificate the data actions worked fine.
Jason_Mathison | 2020-03-30 01:31:02 UTC | #6
If everything is set up correctly you shouldn't need to do anything with the data action to get MTLS to work. If you attempt to hit the route with a tool like Postman I would expect that it would ask you about a certificate. Actually, if you just try to connect to the endpoint with a web browser it should ask about a certificate.
If you can give me the name of your data action I should be able to tell if your endpoint is requesting MTLS. You can grab the name from the URL when you are editing/testing it, it should be something like custom-111111-2222-3333-4444-555555555555.
Santiago | 2020-03-31 19:32:30 UTC | #7
Of course, you would help me a lot. Here is what you requested: custom-7c4a8717-1911-49e5-ac17-27702083c03a
Jason_Mathison | 2020-03-31 19:51:08 UTC | #8
What I can see is that you executed that action 1 time, at around 12:30 today. According to our metrics your endpoint did request a Client Certificate and the Data Action was successful (returned a 200). It appears that everything is working correctly for you.
--Jason
Jason_Mathison | 2020-04-01 14:08:33 UTC | #9
I went back and rechecked this because I realized if you were testing this action it would return 200 even if there was an error. Your endpoint did return a 200, so that was fine. One other thing I noticed is that the endpoint took 12.5 seconds to respond, which for some applications is a really long time.
system | 2020-05-02 14:08:16 UTC | #10
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.
This post was migrated from the old Developer Forum.
ref: 7409