
Transport Layer Security Policy - Inbound

Policy Name: Transport Layer Security (TLS) - Inbound

Summary: Enables authentication between a client and the API proxy

Category: Security

First Flex Gateway version available: v1.0.0 (inbound mTLS: v1.3.0)

Returned Status Codes: No return codes exist for this policy.

The following document applies only to Flex Gateway running in Local Mode. To configure TLS in Connected Mode, see Configuring TLS Context for Flex Gateway in Connected Mode.

Summary

Flex Gateway supports inbound Transport Layer Security (TLS) and inbound mutual authentication TLS (mTLS) in Local Mode.

To apply inbound TLS in Local Mode, use the Configuring TLS Context for Flex Gateway in Local Mode tutorial and refer to the following configuration files in this documentation.

You can configure an inbound TLS context to enable authentication between a client and the API Instance (HTTPS) by binding the TLS policy to your API instance or to all instances in your Flex Gateway.

TLS policies do not support policy ordering.

Configuring Policy Parameters

To use HTTPS as your schema when creating an API Instance using Flex Gateway as your runtime, you must manually configure the TLS context in a YAML configuration file.

Refer to the following policy definition and table of parameters:

- policyRef:
    name: tls
  config:
    requireClientCertificate: <boolean> # OPTIONAL
    trustedCA: <string> # OPTIONAL
    certificate: # REQUIRED
      key: <string> # REQUIRED
      crt: <string> # REQUIRED
    alpn: <array> # OPTIONAL
    minversion: <string> # OPTIONAL
    maxversion: <string> # OPTIONAL
    ciphers: <array> # OPTIONAL

If you omit an optional parameter from your configuration file, its default value is applied to your TLS context.

When configuring the ciphers parameter, see TLS Cipher Support on Flex Gateway for the supported ciphers.

Parameter | Required or Optional | Default Value | Description
requireClientCertificate | Optional | false | Enables/disables inbound mTLS
trustedCA | Optional, unless requireClientCertificate is true | N/A | The client certificate used in mTLS
certificate | Required | N/A | A TLS certificate key pair
certificate.key | Required | N/A | The private key part of the certificate
certificate.crt | Required | N/A | The public key part of the certificate
alpn | Optional | h2 and http/1.1 | A prioritized list of supported application level protocols; for example, h2, http/1.1, and so forth.
minversion | Optional | 1.2 | The minimum TLS version allowed
maxversion | Optional | 1.3 | The maximum TLS version allowed
ciphers | Optional | For the default and other supported ciphers, see TLS Cipher Support on Flex Gateway. | A list of supported TLS ciphers (IANA format). For the supported ciphers, see TLS Cipher Support on Flex Gateway.

Resource Configuration Examples

You can format the YAML file to configure TLS either for a specific API Instance or for all API Instances running on your Flex Gateway.

Apply TLS Configuration to All API Instances

Sample configuration for adding TLS context for all API Instances running on this Flex Gateway:

apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
  name: ingress-https-tls
spec:
  targetRef:
    kind: Selector
    selector:
      kind: ApiInstance
  policyRef:
    name: tls
  config:
    certificate:
      key: |
        # -----BEGIN PRIVATE KEY-----
        # insert certificate key
        # -----END PRIVATE KEY-----
      crt: |
        # -----BEGIN CERTIFICATE-----
        # insert certificate
        # -----END CERTIFICATE-----
    alpn:
      - http/1.1
      - h2
    minversion: "1.1"
    maxversion: "1.3"
    ciphers:
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      - TLS_RSA_WITH_AES_128_GCM_SHA256
      - TLS_RSA_WITH_AES_128_CBC_SHA
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
      - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      - TLS_RSA_WITH_AES_256_GCM_SHA384
      - TLS_RSA_WITH_AES_256_CBC_SHA

Apply TLS Configuration to a Specific API Instance

Sample configuration for adding TLS context for a specific API Instance:

apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
  name: ingress-https-tls
spec:
  targetRef:
    kind: ApiInstance
    name: ingress-https
  policyRef:
    name: tls
  config:
    certificate:
      key: |
        # -----BEGIN PRIVATE KEY-----
        # insert certificate key
        # -----END PRIVATE KEY-----
      crt: |
        # -----BEGIN CERTIFICATE-----
        # insert certificate
        # -----END CERTIFICATE-----
    alpn:
      - http/1.1
      - h2
    minversion: "1.1"
    maxversion: "1.3"
    ciphers:
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      - TLS_RSA_WITH_AES_128_GCM_SHA256
      - TLS_RSA_WITH_AES_128_CBC_SHA
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
      - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      - TLS_RSA_WITH_AES_256_GCM_SHA384
      - TLS_RSA_WITH_AES_256_CBC_SHA
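As an added example (not MuleSoft's or Flex Gateway's own code), the following Python linter checks the `config` block of an inbound TLS PolicyBinding against the parameter table above: `certificate.key` and `certificate.crt` must be present, `trustedCA` becomes required once `requireClientCertificate` is true, `minversion` must not exceed `maxversion`, and cipher names must be in IANA format. It also warns when `minversion` is set below the 1.2 default (as in the two sample configurations above) and when a listed suite uses static RSA key exchange or CBC mode. The accepted version set, the IANA-name pattern, those hardening warnings, and the two constructed sample configs (placeholder PEM text, not real key material) are this example's own assumptions, not Flex Gateway rules. The config is passed in parsed form (the dict that `yaml.safe_load` would return for `spec.config`) so the script runs with the standard library only.

```python
"""Lint the parsed `spec.config` block of a Flex Gateway inbound TLS PolicyBinding.

Added example, not MuleSoft code. Version set, name pattern and hardening
warnings are this example's assumptions, not Flex Gateway rules.
"""
import re

# TLS version strings this example accepts (assumption: the page shows "1.1",
# "1.2" and "1.3"; "1.0" is included for completeness). Order is significant.
TLS_VERSIONS = ("1.0", "1.1", "1.2", "1.3")
DEFAULT_MIN_VERSION, DEFAULT_MAX_VERSION = "1.2", "1.3"  # defaults from the parameter table

# IANA cipher-suite names are upper-case TLS_... identifiers; OpenSSL-style
# names such as ECDHE-RSA-AES128-GCM-SHA256 contain hyphens and are rejected.
IANA_CIPHER_RE = re.compile(r"^TLS_[A-Z0-9]+(?:_[A-Z0-9]+)*$")


def lint_tls_config(config: dict) -> list[str]:
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means clean."""
    findings: list[str] = []

    # certificate.key and certificate.crt are required.
    cert = config.get("certificate")
    if not isinstance(cert, dict):
        findings.append("ERROR: certificate is required")
    else:
        for part in ("key", "crt"):
            if not isinstance(cert.get(part), str) or not cert[part].strip():
                findings.append(f"ERROR: certificate.{part} is required")

    # trustedCA is only optional while inbound mTLS is off.
    if config.get("requireClientCertificate") is True and not config.get("trustedCA"):
        findings.append("ERROR: trustedCA is required when requireClientCertificate is true")

    # Version range: fall back to the documented defaults, then check the range.
    min_v = str(config.get("minversion", DEFAULT_MIN_VERSION))
    max_v = str(config.get("maxversion", DEFAULT_MAX_VERSION))
    for name, value in (("minversion", min_v), ("maxversion", max_v)):
        if value not in TLS_VERSIONS:
            findings.append(f"ERROR: {name} {value!r} is not a TLS version string")
    if min_v in TLS_VERSIONS and max_v in TLS_VERSIONS:
        if TLS_VERSIONS.index(min_v) > TLS_VERSIONS.index(max_v):
            findings.append(f"ERROR: minversion {min_v} is above maxversion {max_v}")
        if TLS_VERSIONS.index(min_v) < TLS_VERSIONS.index(DEFAULT_MIN_VERSION):
            findings.append(f"WARN: minversion {min_v} is below the default "
                            f"{DEFAULT_MIN_VERSION} and enables deprecated protocol versions")

    # Ciphers must be IANA names; flag suites this example treats as weak.
    for cipher in config.get("ciphers") or []:
        cipher = str(cipher)
        if not IANA_CIPHER_RE.match(cipher):
            findings.append(f"ERROR: cipher {cipher!r} is not in IANA format (expected TLS_...)")
        elif cipher.startswith("TLS_RSA_WITH_"):
            findings.append(f"WARN: cipher {cipher} uses static RSA key exchange (no forward secrecy)")
        elif "_CBC_" in cipher:
            findings.append(f"WARN: cipher {cipher} uses CBC mode; prefer an AEAD (GCM/CHACHA20) suite")

    # alpn, when present, must be a list of protocol identifiers.
    alpn = config.get("alpn")
    if alpn is not None and (not isinstance(alpn, list) or not all(isinstance(p, str) for p in alpn)):
        findings.append("ERROR: alpn must be a list of protocol names such as h2 and http/1.1")

    return findings


def errors_only(findings: list[str]) -> list[str]:
    """Keep only the findings that make the config invalid."""
    return [f for f in findings if f.startswith("ERROR:")]


# Constructed sample: parsed form of an inbound mTLS config. PEM bodies are placeholders.
MTLS_CONFIG = {
    "requireClientCertificate": True,
    "trustedCA": "-----BEGIN CERTIFICATE-----\n<placeholder CA certificate>\n-----END CERTIFICATE-----\n",
    "certificate": {
        "key": "-----BEGIN PRIVATE KEY-----\n<placeholder key>\n-----END PRIVATE KEY-----\n",
        "crt": "-----BEGIN CERTIFICATE-----\n<placeholder certificate>\n-----END CERTIFICATE-----\n",
    },
    "alpn": ["h2", "http/1.1"],
    "minversion": "1.2",
    "maxversion": "1.3",
    "ciphers": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"],
}

# Constructed sample carrying the mistakes the linter is meant to catch.
BROKEN_CONFIG = {
    "requireClientCertificate": True,  # mTLS on, but trustedCA is missing
    "certificate": {"crt": "-----BEGIN CERTIFICATE-----\n<placeholder>\n-----END CERTIFICATE-----\n"},  # no key
    "minversion": "1.1",  # below the 1.2 default
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"],  # OpenSSL name; static RSA
}

if __name__ == "__main__":
    for label, cfg in (("mtls", MTLS_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, "->", lint_tls_config(cfg) or ["clean"])
```

Run it as-is to see the clean mTLS config pass and the broken one produce three errors and two warnings; to lint a real PolicyBinding file, load it with a YAML parser and pass `doc["spec"]["config"]` to `lint_tls_config`.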
