Additional Resources Security & Authentication

MTLS

Mutual TLS(mTLS), is a method for mutual authentication. mTLS ensures that the parties at each end of a network connection are who they claim to be by verifying that they both have the correct private key. The information within their respective TLS certificates provides additional verification.

By adopting mTLS, LivePerson is looking to adhere to industry standards and offer more secure connections between brands and their consumers.

By verifying both the identity of the LivePerson server and the identity of the brand, we can make sure that there's no man in the middle attacks, fraud, phishing or other security risks.

The optimal flow looks like this:

  Client                       Server (LivePerson)
+------------+               +----------------------+
|            |               |                      |
|  Initiate  |-------------->|                      |
| Connection |               |                      |
|            |               |  Perform Server-side|
|            |               |  mTLS Authentication|
|            |               |  (Verify Client's  |
|            |               |  Certificate)      |
|            |               |-------------------->|
|            |               |                      |
|            |               |  Respond with       |
|            |               |  Server Certificate|
|            |               |<---------------------|
| Perform    |               | Perform Client-side |
| Client-side|<--------------| mTLS Authentication|
| mTLS       |               | (Verify Server's   |
| Authentication|            | Certificate)        |
| (Verify    |               |<---------------------|
| Server's   |               |                      |
| Certificate)|               |  Secure Connection |
|            |               |  Established        |
+------------+               +----------------------+

The server performs server-side mTLS authentication, verifying the client's certificate.
If the client's certificate is valid, the server responds with its own certificate.
The client then performs client-side mTLS authentication, verifying the server's certificate.
If the server's certificate is valid, a secure connection is established between the client and the server.

This flow ensures mutual authentication between the client and the server, providing a secure connection that protects against man-in-the-middle attacks, fraud, phishing, and other security risks.

To set up mTLS:

1. Enable mTLS in Houston

Reach out to your LivePerson Account Manager to set up and enable mTLS on Houston.

2. Configure mTLS in Conversation Cloud

Click Hamburger Menu > Manage > Management Console. The Management Console appears.

Search for mTLS and select it from the suggestion that follows. The mTLS Self Service page appears.

Click Add Certificate. The Add Certificate fields appear.

2.1 Add New Certificate

Utilize this option when the Client has opted to configure their own certificate instead of using a LivePerson provided certificate.

Before configuring mTLS using a client-provided certificate in p12 format, it's crucial to have the credentials for the client certificate. Additionally, confirm that the client certificate has been correctly uploaded to the client server.

Ensure that the Auto generate certificate toggle is turned off.

Provide the required information:

Certificate Name: Input the name of the certificate as provided by the client.
Certificate Password: Input the certificate password as provided by the client.
Certificate (P12): Upload the client provided certificate in p12 format here.

Click Confirm. The new certificate is added.

2.2 Add New LP Certificate

Utilize this option when the client decides to use the LivePerson Certificate.

Ensure that the Auto generate certificate toggle is turned on.

Provide the required information:

Certificate Name: Input the name of the certificate as provided by the client.
Certificate Password: Input the certificate password as provided by the client.

Make a note of the password used here as it will be required to unlock the certificate zip file.

Click Confirm & download certificate. The Certificate is downloaded in zip format.

Unzip the the zip file using the certificate password provided earlier.

Ensure that you upload the downloaded certificate to the client server to ensure smooth operation.

The new certificate is added.

3. Configure URL Mapping

Once a certificate is newly added, it must be validated.

Navigate to mTLS Self service home page.

Click the Validate option next to the newly added certificate. The Validate Certificate confirmation page appears.

Click Confirm installation. The Activate Certificate page appears.

Provide the following information:

Service: Input the service name for which mTLS needs to be configured.
URL/Endpoint: Input the endpoint URL for which the mTLS needs to be configured.
Validate mapping: The Validate Mapping checkbox is automatically selected to test the URL before mapping configuration. If you prefer to skip testing, simply uncheck it.

Click Activate certificate.

URL mapping is created and status is updated to Active.

4. Update URL with New Certificate

Update an already existing URL and map it with a new certificate.

Navigate to mTLS Self service home page.

Click the Validate option next to the newly added certificate. The Validate Certificate confirmation page appears.

Click Confirm installation. The Activate Certificate page appears.

Provide the following information:

Service: Input the service name for which mTLS needs to be configured.
URL/Endpoint: Input the endpoint URL for which the mTLS needs to be configured.
Validate mapping: The Validate Mapping checkbox is automatically selected to test the URL before mapping configuration. If you prefer to skip testing, simply uncheck it.

Since the URL already exists, a prompt indicates that you are updating the mapping with a new certificate.

Click Renew certificate.

URL mapping has been successfully renewed, and the status has been updated to Active.

5. Reuse Certificate

If you intend to apply the same certificate to multiple URLs, you can take advantage of the reuse feature.

Navigate to mTLS Self service home page.

Screenshot 2024-02-07 at 10.11.49 PM.png

Click the ellipses option on the certificate you wish to reuse, click Reuse. The Edit Activation screen appears.

The selected Certificate must be in Active status.

Provide the following information:

Service: Input the service name for which mTLS needs to be reused.
URL/Endpoint: Input the endpoint URL for which the mTLS needs to be reused.

Click Save.

URL mapping has been successfully reused, and the status has been updated to Active.

6. Delete Certificate

Utilize this option to remove any unwanted URLs from the system.

Navigate to mTLS Self service home page.

Click the ellipses option on the certificate you wish to reuse, click Delete.

It's important to note that users cannot delete any certificate that is currently mapped to an active URL.

The Certificate is deleted and removed from the page.

7. Download Certificate

Utilize this option to download the certificate of an added URL.

Navigate to mTLS Self service home page.

Click the ellipses option on the certificate you wish to reuse, click Download. A Password-protected zip file is automatically downloaded.

Open the zip file with the password that was provided at time of certificate creation.

mTLS Use Cases

Our mTLS methods allow you to add an additional layer of security to all communications between yourself, LivePerson, and your customers. You should use these methods to create mTLS certified conversations which provide this added layer of security. mTLS serves outbound traffic only. Traffic flow is LP Service –> mTLS –> Client Url.

mTLS in LP

At this moment (September 2022) is supported for the following LP services:

IdP (via LP mTLS Gateway);
Webhooks (via LP mTLS Gateway);
FaaS (via mTLSClient);
Conversation Builder (via Bot Accounts → Credentials);

Certificates Provisioning

Certificates for the mTLS service can be provisioned in 2 ways:

Brand generates certificate chain and shares .pfx/.p12 with LP;
LP generates certificate chain for the brand and shares public cert with the brand.
- To generate the certificate, email should be sent to paas-ops-lp@liveperson.com

mTLS Onboarding

mTLS Gateway (for LP IdP and Webhooks services)

Authentication:

Types:

Bearer token, which can be retrieved from Login API
Service level keys, which are for internal usage only, should be requested from mTLS team.

To configure mTLS on the account, it is enough to leverage the API methods, which require only bearer token authentication:

Create/upload cert;
Create cert mapping;
Update cert mapping;
Get list of certificates;

Service level keys are used to service requests:

Check cert mapping params;
Check cert mapping setup;
Test mTLS against configured endpoint(GET, POST, PUT, DELETE);

Create (upload) certificate to the account;

curl --location --request POST 'https://va.mtls.liveperson.net/mtls/account/{{ACCOUNT_ID}}/certificates/by-file' \

--header 'Authorization: Bearer {{BEARER}}' \

--form 'file=@"/Users/…./certs/2021/prod.client.liveperson.net.p12"' \

--form 'certificate="{\"name\":\"prodcert_20211027\", \"password\":\"...\"}"'

Create certificate mapping

curl --location --request POST 'https://va.ac.liveperson.net/api/account/{{ACCOUNT_ID}}/configuration/ac-common/mtls?v=3.0' \

--header 'Authorization: Bearer {{BEARER}}' \

--header 'Content-Type: application/json' \

--data-raw '[

   {

       "certificationId": "3566393530",

       "serviceId": "2",

       "enable": true,  

       "url": "https://example.com/webhooks/endpoint",

       "siteId": "{{ACCOUNT_ID}}",

       "name": "webhooks_cert_20220922",

       "deleted": false

   }

]

'

Update certificate mapping

curl --location --request PUT 'https://va.ac.liveperson.net/api/account/{{ACCOUNT_ID}}/configuration/ac-common/mtls?v=3.0' \

--header 'If-Match: 6' \

--header 'Authorization: Bearer {{BEARER}}\

--header 'Content-Type: application/json' \

--data-raw '[

   {

       "deleted": false,

       "certificationId": "3548345830",

       "enable": true,

       "name": "uatcert",

       "siteId": "{{ACCOUNT_ID}}",

       "id": 2501742230,

       "serviceId": "2",

       "url": "https://example.com/webhooks/endpoint"

   }

]

'

Get list of certificates

curl --location --request GET 'https://va.mtls.liveperson.net/mtls/account/{{ACCOUNT_ID}}/certificates' \

--header 'Authorization: Bearer {{BEARER}}

Conversation Builder

Configuration

Usage

Configured mTLS credentials should be selected in the relevant integration

NOTE: Conversation Builder currently does not support combined authentication, where mTLS is combined with other authentication methods, like OAuth 2.0. If a specific API requires a combined authentication method, then FaaS option should be chosen.

FaaS

Notes:

PEM format of the certificate is only allowed;
Key/Cert should look like in terminal. So linebreaks should be visible in the editor and not be encoded with “\n”;

Example:

const { Toolbelt } = require("lp-faas-toolbelt");
let cert = key = undefined;

async function lambda(input, callback) {
    console.info("TEST");
    try {
        const [clientCert, clientKey] = await lazyLoadClientBundle();
        const client = Toolbelt.MTLSClient({cert: clientCert, key: clientKey});
        const {statusCode, body} = await client.get('https://certauth.idrix.fr/json');
        console.info('Status Code', statusCode);
        console.info('Body', body)
        return callback(null, body);
    } catch(err) {
        console.error('Warn', err.message);
        console.error('Stack', err.stack);
        console.error('Name', err.name);
        return callback(null, `MTLS Failed`);
    }
}

async function lazyLoadClientBundle() {
    if (cert && key) {
        return [cert, key];
    }

    const client = Toolbelt.SecretClient();

    if (cert === undefined) {
        const {value} = await client.readSecret('cert');
        cert = value;
    }

    if (key === undefined) {
        const {value} = await client.readSecret('key');
        key = value;
    }

    return [cert, key];
}