MTLS support for data actions
You can increase the security between the data actions service and your web service with Mutual Transport Layer Security (MTLS). With MTLS, the two services provide one another with trusted certificates.
Configure your service to ask the data actions service for an MTLS certificate and to trust certificates from the private certificate authority (CA) for your Genesys Cloud region. Each certificate includes a certification revocation list (CRL).
When you configure the web services data actions integration, either select Genesys Cloud or Digicert as the certificate authority.
Genesys Cloud as certificate authority
When you select Genesys Cloud as the certificate authority, the client certificate is directly signed by the regional Genesys private certificate authority with no intermediate certificates. The Genesys Cloud private root CA automatically rotates the client certificate every year. Trusting the regional CA ensures that no interruptions occur when the certificate is rotated.
The following table lists the regional domain names of the client certificates for each Genesys Cloud region. Make sure to trust the certificate associated with your region.
| Genesys Cloud region | Regional domain names | Certificate (.zip) |
|---|---|---|
| Americas (Canada) | dataactions.prod-cac1.ca-central-1.mypurecloud.com | CA-Central-1 |
| Americas (São Paulo) | dataactions.prod-sae1.sa-east-1.mypurecloud.com | SA-East-1 |
| Americas (US East) | dataactions.prod.us-east-1.mypurecloud.com | US-East-1 |
| Americas (US East 2) | dataactions.fedramp-use2-core.us-east-2.mypurecloud.com | US-East-2 |
| Americas (US West) | dataactions.prod-usw2.us-west-2.mypurecloud.com | US-West-2 |
| Asia Pacific (Mumbai) | dataactions.prod-aps1.ap-south-1.mypurecloud.com | APS-1 |
| Asia Pacific (Osaka) | dataactions.prod-apne3.ap-northeast-3.mypurecloud.com | APNE-3 |
| Asia Pacific (Seoul) | dataactions.prod-apne2.ap-northeast-2.mypurecloud.com | APNE-2 |
| Asia Pacific (Sydney) | dataactions.prod-apse2.ap-southeast-2.mypurecloud.com | APSE-2 |
| Asia Pacific (Tokyo) | dataactions.prod-apne1.ap-northeast-1.mypurecloud.com | APNE-1 |
| EMEA (Dublin) | dataactions.prod-euw1.eu-west-1.mypurecloud.com | EU-West-1 |
| EMEA (Frankfurt) | dataactions.prod-euc1.eu-central-1.mypurecloud.com | EU-Central-1 |
| EMEA (London) | dataactions.prod-euw2.eu-west-2.mypurecloud.com | EU-West-2 |
| EMEA (Zurich) | dataactions.prod-euc2.eu-central-2.mypurecloud.com | EU-Central-2 |
| Middle East (UAE) | dataactions.prod-mec1.me-central-1.mypurecloud.com |
Digicert as certificate authority
When you select Digicert as the certificate authority, the data action MTLS client certificate is signed by a Digicert intermediate certificate that is rooted on a publicly trusted Digicert certificate authority. Configure your endpoint to trust the current client certificate explicitly and the upcoming certificate during the annual certificate rotation. Genesys Cloud provides an endpoint for all customers to query about the current and upcoming client certificate associated with your region.
The Genesys Cloud public API to retrieve the available MTLS certificates is api/v2/integrations/actions/certificates/. For more information, see API Explorer in Genesys Cloud Developer Center.
The optional query parameters for the public API endpoint are:
| Query param | Possible values |
|---|---|
| Status | Current, Upcoming |
| Signing Authority | Digicert, Genesys |
A sample output of the API call:
{
"entities": [
{
"signingAuthority": "DigiCert",
"certificate": "-----BEGIN CERTIFICATE-----
\r\nMIIFTzCCBDegAwIBAgIQAiR1dObCOTT5eSuynYFC2zANBgkqhkiG9w0BAQsFADBq\r\nMQswCQYDVQQGEwJV
UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwY...
b/BmD0WY51jgQSdTmkU11Mi5XdZ+bqkZL88He\r\n40p5a6E2HGTWd1CfCRz/T6rNOsvNekfSH1PXzTi/sWfx4rr
c4IKOtVbQZIyziLRI\r\nYr0GHu6jLFeGT3ma0v7gdffevw==\r\n-----END CERTIFICATE-----\r\n
-----BEGIN CERTIFICATE-----
\r\nMIIFXzCCBEegAwIBAgIQD/rh8xorQzw9muFtZDtYizANBgkqhkiG9w0BAQsFADBl\r\nMQswCQYDVQQGEwJV
UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\r\nd3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtE
aWdpQ2VydCBBc3N1cmVkIElEIFJv\r\nb3QgRzIwHhcNMTkwOTIzMTIyNTMyW...
oECzez2y/1IVTPl\r\nh57zBfjHJQFqLWzHdou8M+ucdJtr2swXII6s3nkq4pfEn7KnbzMS9quFSuyOGILc\r\ng
/3qVwaHNLM5R+8nB5gPI5+u5Uh56w1i+9Ds1pjYAiTHdeU=\r\n-----END CERTIFICATE-----\r\n
-----BEGIN CERTIFICATE-----
\r\nMIIDljCCAn6gAwIBAgIQC5McOtY5Z+pnI7/Dr5r0SzANBgkqhkiG9w0BAQsFADBl\r\nMQswCQYDVQQGEwJV
UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\r\nd3cuZGlnaWNlcnQuY29tMSQ...
WhsI6yLETcDbYz+70CjTVW0z9\r\nB5yiutkBclzzTcHdDrEcDcRjvq30FPuJ7KJBDkzMyFdA0G4Dqs0MjomZmWz
wPDCv\r\nON9vvKO+KSAnq3T/EyJ43pdSVR6DtVQgA+6uwE9W3jfMw3+qBCe703e4YtsXfJwo\r\nIhNzbM8m9Yo
p5w==\r\n-----END CERTIFICATE-----",
"status": "Current",
"type": "Client"
},
{
"signingAuthority": "Genesys",
"certificate": "-----BEGIN CERTIFICATE-----
\nMIIFYTCCA0mgAwIBAgIRAJksgLAGZ8Mor/v3MOmYwA0wDQYJKoZIhvcNAQELBQAw\ngZUxCzAJBgNVBAYTAlVT
MRAwDgYDVQQIDAdJbmRpYW5hMRUwEwYDVQQHDAx...
GT5KD0ruJX5KfqTxxShjV1Thkk2dxcg2l8ZcZJu2v58T+Xy9/\nvQ435njK19evaXXoTum7cxHJjF2DislWkhPii
fz/ID5/UP365Q==\n-----END CERTIFICATE-----\n\n",
"status": "Current",
"type": "Client"
}
].,
"pageSize": 20,
"pageNumber": 1,
"total": 2,
"pageCount": 1
}
An upcoming certificate is provided only for the DigiCert authority, and only if the current certificate has less than 90 days of validity remaining.
For more information about the integration, see About the web services data actions integration.
[NEXT] Was this article helpful?
Get user feedback about articles.