Enable JWT instead of mTLS
Use JWT to authenticate communication between API Connect subsystems, instead of mTLS.
If your network infrastructure requires that load-balancers implement TLS termination, then mTLS between API Connect subsystems can be disabled and JSON Web Token (JWT) security can be used instead.
Note: Although mTLS is disabled, the network communication is still secured with standard TLS, which, unlike mTLS, does not require passthrough to be enabled on the load-balancers.
The following communication flows can be secured with JWT:
- Management-initiated communication to the portal, analytics, and gateway subsystems. Available from v10.0.5.3 and later.
- Analytics ingestion: the flow of API event records from the gateway to the analytics subsystem. Available from v10.0.5.4 and later.
Note: If the gateway is under a high transaction load and sends many API events to the analytics subsystem, enabling JWT might affect the performance of your analytics subsystem. Run performance tests under your expected analytics load before you decide to use JWT for the analytics ingestion path.
You can configure JWT instead of mTLS during installation, as documented in Installing API Connect, or you can configure JWT after installation: Use JWT security instead of mTLS between subsystems.
If you disable mTLS, you must enable JWT. It is not possible to configure API Connect with both mTLS and JWT disabled.
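The following example, added here and not taken from API Connect's own code, illustrates why JWT security survives TLS termination at a load-balancer while mTLS does not: the proof of identity travels inside the request as a signed token that the receiving subsystem verifies itself, rather than as a client certificate bound to the TLS session. It uses a shared-secret HS256 token with standard-library Python only; the subsystem names used as issuer and audience, the claim set, the shared secret and the algorithm are assumptions for illustration, since the page does not describe API Connect's actual token format or key distribution.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the issuing and verifying subsystems (assumption:
# API Connect's real key material and distribution mechanism are not described here).
DEMO_SECRET = b"constructed-shared-secret-for-demo-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_jwt(secret: bytes, issuer: str, audience: str, ttl_seconds: int, now: int) -> str:
    """Sender side: build a short-lived HS256 token naming who sent it and who may accept it."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, secret: bytes, expected_issuer: str, expected_audience: str, now: int):
    """Receiver side: returns (claims, None) on success or (None, reason) on rejection.

    The signature is verified before any claim in the payload is trusted, and the
    algorithm is pinned so a token claiming "none" is never accepted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        presented_sig = _b64url_decode(signature_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return None, "malformed token"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unsupported alg"
    expected_sig = hmac.new(
        secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(presented_sig, expected_sig):
        return None, "bad signature"
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None, "malformed token"
    if not isinstance(claims, dict):
        return None, "malformed token"
    if claims.get("iss") != expected_issuer:
        return None, "issuer mismatch"
    if claims.get("aud") != expected_audience:
        return None, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None, "token expired"
    return claims, None


def demo() -> dict:
    """Walk the management -> analytics case and a few rejections; returns the outcomes."""
    now = int(time.time())
    token = mint_jwt(DEMO_SECRET, "management", "analytics", ttl_seconds=300, now=now)
    fresh, fresh_err = verify_jwt(token, DEMO_SECRET, "management", "analytics", now + 10)
    _, expired_err = verify_jwt(token, DEMO_SECRET, "management", "analytics", now + 301)
    _, wrong_aud_err = verify_jwt(token, DEMO_SECRET, "management", "gateway", now + 10)
    _, wrong_key_err = verify_jwt(token, b"other-key", "management", "analytics", now + 10)
    # Same payload with the header changed to alg "none" and the signature dropped.
    _, payload_b64, _ = token.split(".")
    none_token = _b64url(b'{"alg":"none"}') + "." + payload_b64 + "."
    _, none_err = verify_jwt(none_token, DEMO_SECRET, "management", "analytics", now + 10)
    return {
        "fresh_ok": fresh_err is None and fresh["iss"] == "management",
        "expired": expired_err,
        "wrong_audience": wrong_aud_err,
        "wrong_key": wrong_key_err,
        "alg_none": none_err,
    }


if __name__ == "__main__":
    print(demo())
```

Because the token is verified at the application layer, a load-balancer that terminates and re-establishes TLS in front of the analytics subsystem does not break the check, which is the property the page relies on. The per-message cost is one HMAC plus JSON parsing on the receiver; on the analytics ingestion path that cost is paid for every API event record, which is the overhead the performance note above refers to.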