Use JWT security instead of mTLS between subsystems
If your network requires TLS termination on load-balancers located between your API Connect subsystems, then disable mTLS and enable JWT to provide application layer security.
JWT security provides application layer security and can be used instead of mTLS when there are load-balancers located between subsystems that require TLS termination. For more information about JWT security, see Enable JWT instead of mTLS.
- To enable JWT and disable mTLS, first identify the JWKS URL from the
apicup subsys get <management subsystem> ... jwks-url https://appliance1.apic.acme.com/api/cloud/oauth2/certs JWKS URL for Portal and Analytics subsystems to validate JWT -- this is unsettable and is generated based on the platform-api endpoint ...
- Disable mTLS and enable JWT on portal and analytics by setting the
jwks-urlvalues with apicup:
apicup subsys set <portal> mtls-validate-client=false apicup subsys set <portal> jwks-url=appliance1.apic.acme.com/api/cloud/oauth2/certs apicup subsys set <analytics> mtls-validate-client=false apicup subsys set <analytics> jwks-url=appliance1.apic.acme.com/api/cloud/oauth2/certs
- Apply the change to portal and analytics with
apicup subsys install:
apicup subsys install <subsystem_name>
- To enable JWT and disable mTLS on the gateway appliance, see Configuring the API Connect gateway service in the DataPower documentation.
Note: Do not disable mTLS without enabling JWT.