enforce_mtls_settings

Suggest Edits

Version: `v2025-01-13`	Includes use: Yes

Behavior name: Enforce mTLS settings

This behavior repeats mTLS validation checks between a requesting client and the edge network. If the checks fail, you can deny the request or apply custom error handling. To use this behavior, you need to add either the hostname or client_certificate criteria to the same rule.

Default behavior

These samples reflect the behavior's default settings. You can use these as is in your configurations or make adjustments based on the behavior's available options.

data "akamai_property_rules_builder" "enforce_mtls_settings" {
  rules_v2025_02_18 {
    name     = "Enforce mTLS settings"
    comments = "Repeats mTLS validation checks between a requesting client and the edge network."
    behavior {
      enforce_mtls_settings {
        enable_auth_set    = false
        enable_ocsp_status = false
      }
    }
  }
}

"behaviors": [
  {
  "name": "enforceMtlsSettings",
  "options": {
    "enableAuthSet": false,
    "enableOcspStatus": false
    }
  }
]

Options

Option	Description
`enable_auth_set`	Boolean Whether to require a specific mutual transport layer security (mTLS) certificate authority (CA) set in a request from a client to the edge network.
`certificate_authority_set`	String \| Requires: `enable_auth_set` is `true` Specify the client certificate authority (CA) sets you want to support in client requests. Run the List CA Sets operation in the mTLS Edge TrustStore API to get the `setId` value and pass it in this option as a string. If a request includes a set not defined here, it will be denied. The preset list items you can select are contingent on the CA sets you've created using the mTLS Edge Truststore, and then associated with a certificate in the Certificate Provisioning System.
`enable_ocsp_status`	Boolean Whether the mutual transport layer security requests from a client should use the online certificate support protocol (OCSP). OCSP can determine the x.509 certificate revocation status during the TLS handshake.
`enable_deny_request`	Boolean Requires Requires both: `enable_auth_set` is `true` `enable_ocsp_status` is `true` This denies a request from a client that doesn't match what you've set for the options in this behavior. When disabled, non-matching requests are allowed, but you can incorporate a custom handling operation, such as reviewing generated log entries to see the discrepancies, enable the `Client-To-Edge` authentication header, or issue a custom message.

Updated about 1 hour ago