- Property Manager name: Enforce mTLS settings
- Behavior version: The
v2024-10-21
rule format supports theenforceMtlsSettings
behavior v1.0. - Rule format status: GA, stable
- Access: Read/Write
- Allowed in includes: Yes
This behavior repeats mTLS validation checks between a requesting client and the edge network. If the checks fail, you can deny the request or apply custom error handling. To use this behavior, you need to add either the hostname
or clientCertificate
criteria to the same rule.
Option | Type | Description | Requires | |
---|---|---|---|---|
enableAuthSet | boolean | Whether to require a specific mutual transport layer security (mTLS) certificate authority (CA) set in a request from a client to the edge network. | {"displayType":"boolean","tag":"input","type":"checkbox"} | |
certificateAuthoritySet | string | Specify the client certificate authority (CA) sets you want to support in client requests. Run the List CA Sets operation in the mTLS Edge TrustStore API to get the | enableAuthSet is true | {"displayType":"string","tag":"input","type":"text"} {"if":{"attribute":"enableAuthSet","op":"eq","value":true}} |
enableOcspStatus | boolean | Whether the mutual transport layer security requests from a client should use the online certificate support protocol (OCSP). OCSP can determine the x.509 certificate revocation status during the TLS handshake. | {"displayType":"boolean","tag":"input","type":"checkbox"} | |
enableDenyRequest | boolean | This denies a request from a client that doesn't match what you've set for the options in this behavior. When disabled, non-matching requests are allowed, but you can incorporate a custom handling operation, such as reviewing generated log entries to see the discrepancies, enable the | enableAuthSet is true OR enableOcspStatus is true | {"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"op":"or","params":[{"attribute":"enableAuthSet","op":"eq","value":true},{"attribute":"enableOcspStatus","op":"eq","value":true}]}} |