Inbound TLS rule

Verifies the client's TLS certificate against a Groundplex truststore. This rule applies only to requests routed to Groundplexes.

Prerequisites

As described in Configure Groundplex truststores:

  • Your CSM must enable the APIMClientCertificateValidator feature flag.
  • An admin with root permissions for the Groundplex node hosts must configure the truststores.
  • After adding truststores, restart the Groundplex nodes.

Rule fields include:

  • When this rule should be applied: An expression that defines one or more conditions that must be true for the rule to execute.
    Example: The expression request.method == "POST" causes the rule to execute only on POST requests.

  • Description: Default value: Requests are being verified by TLS certificates

Rule execution order

  • The client provides their certificate during TLS/SSL authentication.

  • The rule checks the HTTP request for the certificate.

  • If the client supplies a certificate that matches an entry in the Groundplex truststore and isn't expired, the Snaplex continues processing the request.
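
The decision order above, including the effect of the "When this rule should be applied" expression, modelled as an added example (not SnapLogic code). It shows that a request failing the expression never reaches the certificate check. Assumptions: the function and field names are hypothetical, a truststore "match" is modelled as an exact SHA-256 fingerprint match, and the "fail" outcome is assumed because the page describes only the success path.

```python
import hashlib
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def post_only(request: dict) -> bool:
    """The page's example expression: request.method == "POST"."""
    return request["method"] == "POST"


def evaluate_inbound_tls(request, truststore, now, applies=lambda r: True):
    """Hypothetical model of the rule; returns "not_applied", "continue" or "fail"."""
    # A false "when" expression means the certificate is never checked.
    if not applies(request):
        return "not_applied"
    cert = request.get("client_cert")
    if cert is None:                                   # no certificate on the request
        return "fail"
    if fingerprint(cert["der"]) not in truststore:     # no matching truststore entry
        return "fail"
    # notAfter uses the text format returned by ssl.SSLSocket.getpeercert()
    if ssl.cert_time_to_seconds(cert["not_after"]) <= now:
        return "fail"                                  # matching entry, but expired
    return "continue"


# Constructed sample data: the "der" values are stand-in bytes, not real certificates.
TRUSTED = {"der": b"constructed-trusted", "not_after": "Jun  1 12:00:00 2030 GMT"}
EXPIRED = {"der": b"constructed-expired", "not_after": "Jun  1 12:00:00 2020 GMT"}
UNKNOWN = {"der": b"constructed-unknown", "not_after": "Jun  1 12:00:00 2030 GMT"}
TRUSTSTORE = {fingerprint(TRUSTED["der"]), fingerprint(EXPIRED["der"])}
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")


def decide(method, cert, applies=post_only):
    """Evaluate one constructed request against the constructed truststore."""
    request = {"method": method, "client_cert": cert}
    return evaluate_inbound_tls(request, TRUSTSTORE, NOW, applies)


if __name__ == "__main__":
    for method, cert in [("POST", TRUSTED), ("POST", EXPIRED),
                         ("POST", UNKNOWN), ("GET", None)]:
        print(method, decide(method, cert))
```

With the POST-only expression, the certificate-less GET request comes back as "not_applied" rather than "fail", so any method the expression excludes is not covered by this rule.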