mTLS Edge Server to Origin

📘

Limited Availability

This feature is only available to select customers. Talk to your account team about eligibility.

With the mTLS Edge Server to Origin behavior enabled, you can configure your delivery property to establish a mutual TLS (mTLS) connection between the edge server and the origin, so that the origin can authenticate the requests it receives. This ensures that requests to your origin server come directly from the Akamai network.

Before you begin

Create a client certificate in the Mutual TLS Origin Keystore application if you haven't done so yet. When you're done, enable this setting in your property. For details, see Implementation.

How it works

The behavior references a client certificate in your property manager configuration and uses it to authenticate Akamai edge servers to the origin you forward requests to. An important detail of the mTLS protocol is that the origin must ask the edge server to present its identity, that is, the client certificate. The edge server can't present the client certificate on its own initiative; it only does so when the origin requests it. For this negotiation to work, either the origin must be configured for mTLS sessions, or the edge server must be allowed to proceed without the request, in which case it falls back to a standard (non-mutual) TLS connection to the origin.

Features and options

Field: What it does

Enable: Enables or disables the behavior. The default is On.

Client certificate: The certificate the edge server presents to the origin when negotiating an mTLS session, identifying it as part of the Akamai network. All available client certificates are listed by name, type, and version. This field is required.

Require client authentication: When the behavior is enabled, it controls the edge server's forward connection to the origin as follows:
  • When On, the edge server requires a prompt from the origin for the client certificate's identity. If the edge server gets the request, it proceeds with the mTLS session and connects to the origin. If the edge server doesn't get the request, the connection to the origin stops and a client error is reported.
  • When Off, the edge server proceeds without a request for the client certificate, making a standard TLS connection to the origin. The default is Off.

Implementation

  1. Log in to Control Center, go to ☰ > CDN > mTLS Origin Keystore.
  2. Create a client certificate in the mTLS Origin Keystore application.
  3. In your property manager configuration:
    1. Enable the mTLS Edge Server to Origin behavior.
    2. Select your client certificate.
    3. Turn on the Require client authentication option.

      📘

      If your origin isn’t configured for mTLS sessions, turn off the Require client authentication option, configure your origin for mTLS, then turn on the Require client authentication option.
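As an added example (not part of Akamai's documentation), the following nginx server block shows what "configure your origin for mTLS" looks like on the origin side: the origin requests the client certificate and verifies it against the issuing CA, which is the prerequisite for turning on Require client authentication. The file paths, hostname and expected certificate CN are placeholders for your own values.

```nginx
# Origin-side nginx configuration (added example, placeholder values).
server {
    listen 443 ssl;
    server_name origin.example.com;

    # The origin's own server certificate and key (placeholder paths).
    ssl_certificate     /etc/ssl/origin/origin.crt;
    ssl_certificate_key /etc/ssl/origin/origin.key;

    # CA chain that issued the client certificate created in the
    # mTLS Origin Keystore (placeholder path; obtain the chain from there).
    ssl_client_certificate /etc/ssl/origin/edge-client-ca.pem;
    ssl_verify_depth 2;

    # "on" makes nginx send a CertificateRequest during the handshake and
    # reject connections that present no valid client certificate.
    # Use "optional" only while Require client authentication is still Off,
    # so that existing non-mTLS connections keep working during rollout.
    ssl_verify_client on;

    location / {
        # Optional extra check: only accept the specific client certificate
        # you selected in the property (placeholder CN).
        if ($ssl_client_s_dn !~ "CN=<expected-client-cert-cn>") {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
    }
}
```

To confirm the origin actually asks for a client certificate, run `openssl s_client -connect origin.example.com:443` and check that the output lists "Acceptable client certificate CA names" rather than "No client certificate CA names sent".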