enforceMtlsSettings

Property Manager name: Enforce mTLS settings
Behavior version: The latest rule format supports the enforceMtlsSettings behavior v1.0.
Rule format status: Beta, possible breaking changes
Access: Read/Write
Allowed in includes: Not available for latest rule format

This behavior repeats mTLS validation checks between a requesting client and the edge network. If the checks fail, you can deny the request or apply custom error handling. To use this behavior, you need to add either the hostname or clientCertificate criteria to the same rule.

Option	Type	Description	Requires
`enableAuthSet`	boolean	Whether to require a specific mutual transport layer security (mTLS) certificate authority (CA) set in a request from a client to the edge network.		{"displayType":"boolean","tag":"input","type":"checkbox"}
`certificateAuthoritySet`	string	Specify the client certificate authority (CA) sets you want to support in client requests. Run the List CA Sets operation in the mTLS Edge TrustStore API to get the `setId` value and pass it in this option as a string. If a request includes a set not defined here, it will be denied. The preset list items you can select are contingent on the CA sets you've created using the mTLS Edge Truststore, and then associated with a certificate in the Certificate Provisioning System.	`enableAuthSet` is `true`	{"displayType":"string","tag":"input","type":"text"} {"if":{"attribute":"enableAuthSet","op":"eq","value":true}}
`enableOcspStatus`	boolean	Whether the mutual transport layer security requests from a client should use the online certificate support protocol (OCSP). OCSP can determine the x.509 certificate revocation status during the TLS handshake.		{"displayType":"boolean","tag":"input","type":"checkbox"}
`enableDenyRequest`	boolean	This denies a request from a client that doesn't match what you've set for the options in this behavior. When disabled, non-matching requests are allowed, but you can incorporate a custom handling operation, such as reviewing generated log entries to see the discrepancies, enable the `Client-To-Edge` authentication header, or issue a custom message.	`enableAuthSet` is `true` OR `enableOcspStatus` is `true`	{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"op":"or","params":[{"attribute":"enableAuthSet","op":"eq","value":true},{"attribute":"enableOcspStatus","op":"eq","value":true}]}}