Support for Mutual Transport Layer Security (mTLS)

Mutual Transport Layer Security (mTLS), also known as Mutual Authentication, is an authentication method that validates the digital certificate on both sides of a request: on the client side and on the Edge.

With mTLS activated, Azion checks the certificate presented by the user’s browser and validates it against the Trusted Certificate (Trusted CA) of your Edge Application.

mTLS is optional for applications using TLS protocols. However, it provides a more secure TLS/SSL handshake and is an Open Banking requirement.

You may need mTLS if your Edge Application offers financial services and payments.

  1. Prerequisites
  2. Digital Certificate with support for mTLS (Trusted CA)
  3. How mTLS works on Azion
  4. Support documentation

1. Prerequisites

Your Edge Application must be operating with the Hypertext Transfer Protocol Secure (HTTPS) protocol. Real-Time Manager (RTM) lets you configure mTLS on applications running with HTTP only (without the TLS encryption layer), but mTLS requires an HTTPS connection to work.

Protocol options are available on your Edge Application configuration page in RTM.

Note: mTLS will only be available if the service is activated. Contact our Sales Team to activate it.

2. Digital Certificate with support for mTLS (Trusted CA)

To configure mTLS in your Edge Application, you need a Digital Certificate that supports mTLS, generated by a Third-Party Certificate Authority. At Azion, we call this certificate Trusted CA.

Select or add a new Domain and make sure the mTLS option is enabled. Then select the previously added Trusted CA.

Free certificates, generated internally by Azion (Azion SAN), don’t support mTLS.

To use mTLS in Enforce mode, requests must use the Server Name Indication (SNI) extension of the TLS protocol.

Connections without SNI are routed to the default configuration, which delivers the Azion SAN certificate during the TLS handshake.

For requests without SNI to a Domain with mTLS in Enforce mode, the connection is interrupted before the route to your Edge Application is resolved.

Make sure that requests to your Edge Applications always use SNI.

3. How mTLS works on Azion

By default, mTLS blocks access for users whose identity can’t be verified.

If your application requires special access, configure a permissive check (Permissive mTLS). Permissive checking is configured on the Domains page.

You can also specify and change the header variables of your mTLS to meet Open Banking requirements. This is done on the Edge Application configuration page in Real-Time Manager (RTM).

The list of accepted variables is available on the Rules Engine for Edge Application page.
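To make the Enforce and Permissive behaviour concrete, the following Go example (added here, not Azion's code) stands up a loopback TLS server in place of the edge, issues a constructed Trusted CA with an edge certificate and two client certificates, and reports which clients complete the handshake. It assumes Enforce corresponds to Go's tls.RequireAndVerifyClientCert and Permissive to tls.VerifyClientCertIfGiven, and the Domain name app.example.com is made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue signs a short-lived Ed25519 certificate for cn; with parent == nil it is self-signed.
func issue(cn string, ca bool, parent *tls.Certificate, serial int64) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
var (
	trustedCA       = issue("Trusted CA", true, nil, 1)              // constructed PKI: the Trusted CA configured on the edge
	serverCert      = issue("app.example.com", false, &trustedCA, 2) // the edge's own certificate for the (made-up) Domain
	TrustedClient   = issue("client", false, &trustedCA, 3)          // a client certificate the Trusted CA vouches for
	UntrustedClient = issue("client", false, nil, 4)                 // self-signed: no Trusted CA vouches for it
)
// Admitted runs one loopback handshake: the edge applies policy (Enforce = RequireAndVerifyClientCert, Permissive = VerifyClientCertIfGiven, an assumed mapping) and trusts only trustedCA.
func Admitted(policy tls.ClientAuthType, clientCert tls.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA.Leaf)
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	go func() { // the client: sends SNI for the Domain and offers clientCert as-is (an empty chain sends nothing)
		cli := &tls.Config{RootCAs: pool, ServerName: "app.example.com",
			GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &clientCert, nil }}
		if c, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil {
			c.Close()
		}
	}()
	c, _ := ln.Accept()
	defer c.Close()
	srv := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: policy, ClientCAs: pool, SessionTicketsDisabled: true}
	return tls.Server(c, srv).Handshake() == nil // nil error: the edge completed the handshake with this client
}
```

Pass tls.Certificate{} as clientCert to model a browser that presents no certificate at all.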

4. Support documentation

Didn’t find what you were looking for? Open a ticket.