Use JWT security instead of mTLS between subsystems

If your network requires TLS termination on load balancers located between your API Connect subsystems, mTLS between the subsystems can no longer be validated: the load balancer terminates the TLS session, so the client certificate that the management subsystem presents never reaches the portal or analytics subsystem. In that case, disable mTLS and enable JWT to provide application layer security instead.

With JWT security, the portal and analytics subsystems validate the JWT on incoming requests against the JWKS URL published by the management subsystem, so the calling subsystem is still authenticated even though the TLS connection is terminated in between. For more information about JWT security, see Enable JWT instead of mTLS.

  1. To enable JWT and disable mTLS, first identify the JWKS URL from the management subsystem:
    apicup subsys get <management subsystem name>
    
    ...
    jwks-url     https://appliance1.apic.acme.com/api/cloud/oauth2/certs  JWKS URL for Portal and analytics subsystems to validate JWT -- this is unsettable and is generated based on the platform-api endpoint 
    ...
  2. Disable mTLS and enable JWT on portal and analytics by setting the mtls-validate-client and jwks-url values with apicup. Copy the jwks-url value exactly as apicup printed it in step 1, including the https:// scheme:
    apicup subsys set <portal> mtls-validate-client=false
    apicup subsys set <portal> jwks-url=https://appliance1.apic.acme.com/api/cloud/oauth2/certs
    
    apicup subsys set <analytics> mtls-validate-client=false
    apicup subsys set <analytics> jwks-url=https://appliance1.apic.acme.com/api/cloud/oauth2/certs
  3. Apply the changes with apicup subsys install, once for the portal subsystem and once for the analytics subsystem:
    apicup subsys install <portal>
    apicup subsys install <analytics>
  4. To enable JWT and disable mTLS on the gateway appliance, see Configuring the API Connect gateway service in the DataPower documentation.
Note: Do not disable mTLS without enabling JWT. With mtls-validate-client=false and no jwks-url, a portal or analytics subsystem no longer authenticates the management subsystem at either the transport layer or the application layer. Set both values before you run apicup subsys install, so that the subsystem is never installed with neither check in place.
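The following POSIX shell helper is an added example, not IBM code and not part of apicup: it reads the step 1 output, extracts the jwks-url value, refuses anything that is not the https:// URL apicup printed, and only then emits the step 2 and step 3 commands for each subsystem, so mTLS is never switched off without a JWKS URL to replace it. The sample `apicup subsys get` output is constructed in the format shown in step 1, and the subsystem names `portal` and `analytics` are placeholders for your own.

```shell
#!/bin/sh
# Added example (not IBM code): parse `apicup subsys get` output, then emit the
# portal/analytics apicup commands only when a usable JWKS URL is available.
# Subsystem names "portal" and "analytics" and the sample output are placeholders.

# Constructed sample of the step 1 output for the management subsystem; not a real capture.
SAMPLE_MGMT_GET='...
jwks-url     https://appliance1.apic.acme.com/api/cloud/oauth2/certs  JWKS URL for Portal and analytics subsystems to validate JWT -- this is unsettable and is generated based on the platform-api endpoint
...'

# extract_jwks_url: read `apicup subsys get <management>` output on stdin and
# print the value in the jwks-url row (the field right after the key).
extract_jwks_url() {
    awk '$1 == "jwks-url" { print $2; exit }'
}

# check_jwks_url: accept only an absolute https:// URL with a path. An http://
# value would fetch signing keys over an unauthenticated channel, and a value
# without a scheme is not what apicup printed, so refuse both.
check_jwks_url() {
    case "$1" in
        https://*/*) return 0 ;;
        *)
            echo "refusing jwks-url '$1': expected the https:// URL printed by apicup subsys get" >&2
            return 1 ;;
    esac
}

# jwt_commands <subsystem> <jwks-url>: print the three apicup commands from the
# procedure for one subsystem. Nothing is printed, and mTLS is never disabled,
# unless the JWKS URL passed check_jwks_url (the Note at the end of the procedure).
jwt_commands() {
    subsys="$1"
    url="$2"
    check_jwks_url "$url" || return 1
    printf 'apicup subsys set %s mtls-validate-client=false\n' "$subsys"
    printf 'apicup subsys set %s jwks-url=%s\n' "$subsys" "$url"
    printf 'apicup subsys install %s\n' "$subsys"
}

# Dry run against the constructed sample: prints the commands for review before
# they are pasted into a shell that has apicup on PATH.
JWKS_URL=$(printf '%s\n' "$SAMPLE_MGMT_GET" | extract_jwks_url)
for s in portal analytics; do
    jwt_commands "$s" "$JWKS_URL" || exit 1
done
```

To use it against a real deployment, replace the constructed sample with `apicup subsys get <management subsystem name>` piped into `extract_jwks_url`, review the printed commands, and run them; the helper deliberately prints rather than executes so that the mtls-validate-client change is never applied unreviewed.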