Inbound TLS Policy

Important: This page describes Classic APIM. For APIM 3.0, refer to API Management 3.0.
Verifies the client's TLS certificate against a Groundplex truststore. This policy applies only to requests routed to Groundplexes.
Important: APIM 3.0 generates OAS 3.0 specifications for Services. The Mutual Transport Layer Security (mTLS) authentication scheme is only supported by OAS 3.1, so Inbound TLS Rules don’t currently support the mTLS authentication scheme.

Prerequisites

As described in Configure Groundplex truststores:

  • Your CSM must enable the APIMClientCertificateValidator feature flag.
  • An admin with root permissions for the Groundplex node hosts must configure the truststores.
  • After adding truststores, restart the Groundplex nodes.

Policy fields include:

  • When this policy should be applied: An expression that defines one or more conditions that must be true for the policy to execute.
    Example: The expression request.method == "POST" causes the policy to execute only on POST requests.
  • Description: Default value: Requests are being verified by TLS certificates

Policy execution order

  • The client provides their certificate during TLS/SSL authentication.

  • The policy checks the HTTP request for the certificate.

  • If the client supplies a certificate that matches an entry in the Groundplex truststore, and isn't expired, the Snaplex continues processing the request.
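
The acceptance rule in the execution order above, as an added Go example (not SnapLogic code and not part of the original page). It assumes that "matches an entry in the truststore" means the certificate is itself a truststore entry or chains to one; newClientCert and checkInbound are hypothetical names, and the certificate is constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// newClientCert builds a constructed, self-signed client certificate (demo data).
func newClientCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkInbound (hypothetical) passes only if cert matches truststore and is unexpired.
func checkInbound(cert *x509.Certificate, truststore *x509.CertPool, now time.Time) error {
	opts := x509.VerifyOptions{Roots: truststore, CurrentTime: now}
	opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	_, err := cert.Verify(opts)
	return err
}

func main() {
	now := time.Now()
	cert, err := newClientCert(now.Add(-time.Hour), now.Add(time.Hour))
	if err != nil {
		panic(err)
	}
	store := x509.NewCertPool()
	store.AddCert(cert)
	fmt.Println("in truststore, valid:  ", checkInbound(cert, store, now))
	fmt.Println("in truststore, expired:", checkInbound(cert, store, now.Add(2*time.Hour)))
	fmt.Println("not in truststore:     ", checkInbound(cert, x509.NewCertPool(), now))
}
```

The two rejections return different error types (x509.CertificateInvalidError with reason Expired, and x509.UnknownAuthorityError), which helps tell a lapsed client certificate apart from a missing truststore entry.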