Mutual Transport Layer Security

STEP supports Transport Layer Security (TLS) with or without mutual authentication (mTLS) for outbound HTTP traffic. Because mTLS requires both the server and the client to present a certificate that the other side trusts, it can be used instead of basic authentication to authenticate STEP to the receiving system more strongly.

Outbound mTLS

For Stibo Systems SaaS environments, a default truststore and keystore are configured automatically, and the SSL Client Certificates functionality can be used to manage certificates and to download the client public key provided by Stibo Systems. For more information, refer to the SSL Client Certificates topic.

Configuration properties are required to be set only when using a custom client public key, as defined in the Using a Custom Client Public Key or Multiple Certificates section below.

The mTLS functionality has been tested with the gateway integration endpoint REST plugin, the REST and REST Direct outbound integration endpoint delivery plugins, and the URL Connections directly from JavaScript business rules.

Using a Custom Client Public Key or Multiple Certificates

More than one certificate / keystore is useful when each integration requires a different certificate, or when STEP integrates with multiple systems that each expect a different certificate common name (CN), that is, the name by which the other system identifies the STEP system. Also, if it is preferred not to use the default client public key provided by Stibo Systems, a custom keystore can be configured and used instead.

As shown in the following table, multiple certificate / keystore properties can be added in the Self-Service UI (SSUI) after the certificates have been created. An alias, indicated by 'Dynamic' in the table, is used to identify a specific certificate.

For example, for certain integrations, instead of using the client public key provided by Stibo Systems, a custom client public key can be used.

Configuration Property: SSL.Dynamic.KeyStore.Password
Description: Password for the keystore. Replace the 'Dynamic' text with a unique identifier, for example, 'Cert1'. The identifier is case-sensitive and must be used unchanged in the related location property and in the RestDirect and RestGateway properties.

Configuration Property: SSL.Dynamic.KeyStore.Location
Description: Full path to the keystore file in the file system. For clusters, the keystore must be in a directory accessible from all environments. Replace the 'Dynamic' text with the same unique identifier used in the related password property. The identifier is case-sensitive and must also match the RestDirect and RestGateway properties.

Configuration Property: RestDirect.Mtls.CertificateKeyStores
Description: Keystores available for mTLS with the REST Direct delivery method, given as a comma-separated list of the identifiers used in the SSL.<identifier>.KeyStore.* properties.

Configuration Property: RestGateway.Mtls.CertificateKeyStores
Description: Keystores available for mTLS with REST gateway integration endpoints, given as a comma-separated list of the identifiers used in the SSL.<identifier>.KeyStore.* properties.

Important:  

  • Keystores must each hold a single key / certificate.

  • Each keystore entry must contain both the private key and its certificate (keytool reports this as Entry type: PrivateKeyEntry). A certificate-only entry (trustedCertEntry) has no private key and cannot be used for client authentication.

As an example, the following properties would work together to provide options for selection in the Configuration tab of an OIEP or GIEP:

On the 'Add configuration property value' dialog, the Value field holds the keystore password; the password is masked in the properties table.

A leading comma in a 'CertificateKeyStores' value (as shown below) adds an empty entry to the parameter dropdown, so that an endpoint can be configured with no certificate selected.

When the RestDirect.Mtls.CertificateKeyStores or RestGateway.Mtls.CertificateKeyStores properties are not set, or when the 'Certificate Key Store' dropdown is left empty, as in the image below, the client public key provided by Stibo Systems is used for outbound connections. If the receiving system does not require mTLS, it can simply ignore this client public key.
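The checks implied by the Important box and by the property wiring above can be run before the properties are entered in the SSUI. The following is an added Python example, not Stibo Systems code: it takes the property set as a plain dictionary (an assumption about how the values are collected), parses the output of the JDK's `keytool -list -v` for each keystore, and reports aliases referenced from a 'CertificateKeyStores' value that have no matching SSL.<identifier>.KeyStore.Location / Password pair (including case mismatches, since the identifier is case-sensitive), keystores that do not hold exactly one PrivateKeyEntry, and shows how a leading comma becomes the empty 'no certificate' option. The paths, passwords, the alias 'Cert2', the `keytool_listing` helper and the trimming of whitespace around aliases are assumptions; the keystore listings are constructed sample data.

```python
"""Pre-deployment check of a STEP outbound mTLS property set.

Added example, not Stibo Systems code. Property names follow the table on this
page; the keystore listing format is that of the JDK's `keytool -list -v`.
Paths, passwords, aliases and listings below are constructed sample data.
"""
import re
import subprocess

ALIAS_RE = re.compile(r"^SSL\.(?P<alias>[^.]+)\.KeyStore\.(?P<part>Location|Password)$")
ENTRY_RE = re.compile(r"^Entry type:\s*(\S+)", re.MULTILINE)
SELECTOR_PROPS = ("RestDirect.Mtls.CertificateKeyStores",
                  "RestGateway.Mtls.CertificateKeyStores")

# Constructed property set, as it would be entered in the SSUI.
SAMPLE_PROPERTIES = {
    "SSL.Cert1.KeyStore.Location": "/shared/keystores/cert1.p12",
    "SSL.Cert1.KeyStore.Password": "changeit",
    "SSL.Cert2.KeyStore.Location": "/shared/keystores/cert2.p12",
    "SSL.Cert2.KeyStore.Password": "changeit",
    "RestDirect.Mtls.CertificateKeyStores": ",Cert1,Cert2",  # leading comma: 'no certificate' option
    "RestGateway.Mtls.CertificateKeyStores": "Cert1,cert2",  # deliberate case typo
}

# Constructed `keytool -list -v` output for the two sample keystores.
SAMPLE_LISTINGS = {
    "/shared/keystores/cert1.p12": (
        "Keystore type: PKCS12\nKeystore provider: SUN\n\n"
        "Your keystore contains 1 entry\n\n"
        "Alias name: cert1\nEntry type: PrivateKeyEntry\n"
        "Certificate chain length: 1\n"
        "Owner: CN=step.example.com, O=Example\n"
    ),
    "/shared/keystores/cert2.p12": (
        "Keystore type: PKCS12\nKeystore provider: SUN\n\n"
        "Your keystore contains 2 entries\n\n"
        "Alias name: cert2\nEntry type: PrivateKeyEntry\n\n"
        "Alias name: example-ca\nEntry type: trustedCertEntry\n"
    ),
}


def keytool_listing(path, password):
    """Return the `keytool -list -v` output for a real keystore file.
    Requires a JDK keytool on PATH; the constructed sample does not call it."""
    return subprocess.run(
        ["keytool", "-list", "-v", "-keystore", path, "-storepass", password],
        check=True, capture_output=True, text=True,
    ).stdout


def dropdown_options(value):
    """Options a CertificateKeyStores value offers in the endpoint dropdown.
    A leading comma yields an empty first option, i.e. 'no certificate'.
    Assumption: whitespace around an identifier is ignored."""
    return [part.strip() for part in value.split(",")]


def entry_types(listing):
    """Entry types found in a `keytool -list -v` listing, in order."""
    return ENTRY_RE.findall(listing)


def check_config(props, listings):
    """Return a list of human-readable problems; empty means the set is consistent."""
    problems = []
    # Collect the SSL.<alias>.KeyStore.Location / Password pairs that exist.
    defined = {}
    for name in props:
        m = ALIAS_RE.match(name)
        if m:
            defined.setdefault(m.group("alias"), set()).add(m.group("part"))
    for alias, parts in sorted(defined.items()):
        for part in ("Location", "Password"):
            if part not in parts:
                problems.append(f"SSL.{alias}.KeyStore.{part} is missing")
    # Every identifier a selector property offers must be defined, with exact case.
    for prop in SELECTOR_PROPS:
        if prop not in props:
            continue  # unset: the Stibo-provided client public key is used
        for alias in dropdown_options(props[prop]):
            if alias == "" or alias in defined:
                continue
            hint = ""
            for d in defined:
                if d.lower() == alias.lower():
                    hint = f" (did you mean '{d}'? identifiers are case-sensitive)"
            problems.append(f"{prop} references undefined identifier '{alias}'{hint}")
    # Each keystore must hold exactly one entry, and it must be a PrivateKeyEntry.
    for alias in sorted(defined):
        loc = props.get(f"SSL.{alias}.KeyStore.Location")
        if loc is None:
            continue
        listing = listings.get(loc)
        if listing is None:
            problems.append(f"{loc}: no keytool listing available")
            continue
        types = entry_types(listing)
        if types != ["PrivateKeyEntry"]:
            problems.append(f"{loc}: expected exactly one PrivateKeyEntry, found {types}")
    return problems


if __name__ == "__main__":
    for line in check_config(SAMPLE_PROPERTIES, SAMPLE_LISTINGS) or ["OK"]:
        print(line)
```

Against the constructed sample the check reports two problems: the RestGateway value names 'cert2' while the keystore properties define 'Cert2', and cert2.p12 carries a second, certificate-only entry and therefore does not satisfy the single-PrivateKeyEntry rule. For a real environment, replace the constructed listings with the output of `keytool_listing(location, password)` for each keystore.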

For more information about a GIEP using REST, refer to the Configuring a Gateway Integration Endpoint - REST topic in the Data Exchange documentation.

For more information about an OIEP using REST Direct, refer to the REST Direct Delivery Method topic in the Data Exchange documentation.

Note: The configuration properties SSL.Dynamic.KeyStore.Location and SSL.Dynamic.KeyStore.Password supersede the legacy properties RESTDeliverySSLKeyStoreLocation and RESTDeliverySSLKeyStorePassword when using TLS without mutual authentication. The legacy properties were used in updates prior to 11.0.