mTLS Edge Server to Origin
Limited Availability
This feature is only available to select customers. Talk to your account team about eligibility.
With the mTLS Edge Server to Origin behavior enabled, you can configure your delivery property to establish an mTLS connection between the edge server and the origin to authenticate requests. This ensures that the requests to your origin server come directly from the Akamai network.
Before you begin
Create a client certificate in the Mutual TLS Origin Keystore application if you haven't done so yet. When you're done, enable this setting in your property. For details, see Implementation.
How it works
The behavior uses a client certificate as a reference in your property manager configuration to authenticate Akamai edge servers with the origin you forward requests to. An important detail of the mTLS protocol is that the origin must ask the edge server to present its identity, that is, the client certificate. This means the edge server can’t independently present the client certificate without the origin requesting it. For this negotiation to work, either the origin needs to be configured for mTLS sessions, or the edge server is allowed to proceed without the request, effectively performing a standard (non-mutual) TLS connection to the origin.
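The negotiation described above can be observed locally with Go's standard library. This is an added example, not Akamai code or configuration: an `httptest` server stands in for the origin, an HTTP client stands in for the edge server, and the names `Probe`, `selfSigned` and `edge-client.example` are hypothetical.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Throwaway self-signed client certificate and the pool an origin would trust (constructed test data).
var edgeCert, edgePool = selfSigned("edge-client.example")
func selfSigned(cn string) (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// Probe runs a stand-in origin with the given policy and returns how many client certs it saw (-1: refused).
func Probe(originAuth tls.ClientAuthType, edgeCerts []tls.Certificate) (int, error) {
	seen := make(chan int, 1)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- len(r.TLS.PeerCertificates) // what the origin actually received
	}))
	srv.TLS = &tls.Config{ClientAuth: originAuth, ClientCAs: edgePool}
	srv.StartTLS()
	defer srv.Close()
	srv.Client().Transport.(*http.Transport).TLSClientConfig.Certificates = edgeCerts // "edge" identity
	resp, err := srv.Client().Get(srv.URL) // this client already trusts the stand-in origin's certificate
	if err != nil {
		return -1, err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	fmt.Println(Probe(tls.NoClientCert, []tls.Certificate{edgeCert}))               // origin never asks
	fmt.Println(Probe(tls.RequireAndVerifyClientCert, []tls.Certificate{edgeCert})) // mutual TLS
	fmt.Println(Probe(tls.RequireAndVerifyClientCert, nil))                         // no certificate offered
}
```

In the first call the client holds a certificate but the origin never requests it, so the origin sees none and the session is ordinary TLS. Only an origin that requires and verifies the certificate refuses a caller that cannot present it.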
Features and options
Field | What it does |
---|---|
Enable | Enables or disables the behavior. The default is On. |
Client certificate | Identifies the Akamai network to verify authentication between edge servers and origins when negotiating an mTLS session. All available client certificates are listed by name, type, and version. This field is required. |
Require client authentication | When the behavior is enabled, it controls the edge server’s forward connection to the origin as follows: |
Implementation
- Log in to Control Center, go to ☰ > CDN > mTLS Origin Keystore.
- Create a client certificate in the mTLS Origin Keystore application.
- In your property manager configuration:
  - Enable the mTLS Edge Server to Origin behavior.
  - Select your client certificate.
  - Turn on the Require client authentication option.
If your origin isn’t configured for mTLS sessions, turn off the Require client authentication option, configure your origin for mTLS, then turn on the Require client authentication option.