Inbound TLS rule

Verifies the client's TLS certificate with a Groundplex truststore. This rule applies only to requests routed to Groundplexes.
Important: APIM 3.0 generates OAS 3.0 specifications for Services. The Mutual Transport Layer Security (mTLS) authentication scheme is only supported by OAS 3.1, so Inbound TLS Rules don’t currently support the mTLS authentication scheme.

Prerequisites

As described in Configure Groundplex truststores:

  • Your CSM must enable the APIMClientCertificateValidator feature flag.
  • An admin with root permissions for the Groundplex node hosts must configure the truststores.
  • After adding truststores, restart the Groundplex nodes.

Rule fields include:

  • When this rule should be applied: An expression that defines one or more conditions that must be true for the rule to execute.
    Example: The expression request.method == "POST" causes the rule to execute only on POST requests.

  • Description: Default value is "Requests are being verified by TLS certificates".

Rule execution order

  • The client provides their certificate during TLS/SSL authentication.

  • The rule checks the HTTP request for the certificate.

  • If the client supplies a certificate that matches an entry in the Groundplex truststore, and isn't expired, the Snaplex continues processing the request.
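
A pre-flight check for the two conditions in the execution order above (truststore match, not expired), as an added example that is not SnapLogic code. It assumes the truststore's certificates have been exported to a PEM bundle and that OpenSSL 1.1.0 or later is installed. The function and file names are hypothetical, and "matches an entry" is modelled here as OpenSSL chain verification against that bundle.

```shell
#!/bin/sh
# Added example, not SnapLogic code. Assumption: the truststore has been
# exported to a PEM bundle. All file and function names are hypothetical.

# check_client_cert <truststore.pem> <client.pem> [min_seconds_valid]
# Prints accepted | unreadable | expired | untrusted; returns 0 only for accepted.
# With min_seconds_valid > 0, "expired" also covers "expires within that window".
check_client_cert() {
  trust=$1 cert=$2 min_valid=${3:-0}

  # A file that does not parse as a certificate must not be reported as expired.
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo unreadable; return 1
  fi
  # -checkend N fails when notAfter is less than N seconds away (N=0: expired now).
  if ! openssl x509 -in "$cert" -noout -checkend "$min_valid" >/dev/null 2>&1; then
    echo expired; return 1
  fi
  # The certificate must be, or chain to, an entry in the bundle.
  # -no-CApath keeps the system CA directory out of the trust decision.
  if ! openssl verify -CAfile "$trust" -no-CApath "$cert" >/dev/null 2>&1; then
    echo untrusted; return 1
  fi
  echo accepted
}

# Constructed sample input: a throwaway self-signed certificate valid for 2 days.
make_test_cert() {  # make_test_cert <common-name> <out.pem>
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  make_test_cert client-a "$d/a.pem"
  make_test_cert client-b "$d/b.pem"
  cp "$d/a.pem" "$d/truststore.pem"                 # only client-a is trusted
  r1=$(check_client_cert "$d/truststore.pem" "$d/a.pem") || true         # in truststore
  r2=$(check_client_cert "$d/truststore.pem" "$d/b.pem") || true         # not in truststore
  r3=$(check_client_cert "$d/truststore.pem" "$d/a.pem" 864000) || true  # under 10 days left
  rm -rf "$d"
  echo "$r1 $r2 $r3"
}

demo
```

Running the check with a non-zero third argument before rollout flags client certificates that would start failing the rule soon.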