mtls_origin_keystore

Version | Includes use |
---|---|
v2025-01-13 | Yes |
Behavior name: mTLS Edge Server to Origin
Establish a Mutual TLS (mTLS) connection between the edge server and the origin to authenticate requests. This ensures that the requests to your origin server come directly from the Akamai network. In the mTLS protocol, the origin asks the edge server to present its identity certificate. For this negotiation to work, either the origin needs to be configured for mTLS sessions, or the edge server is allowed to proceed without the edge certificate, effectively performing a standard (non-mutual) TLS connection to the origin.
Default behavior
These samples reflect the behavior's default settings. You can use these as is in your configurations or make adjustments based on the behavior's available options.
```hcl
data "akamai_property_rules_builder" "mtls_origin_keystore" {
  rules_v2025_02_18 {
    name     = "mTLS Edge Server to Origin"
    comments = "Ensures that the requests to your origin server come directly from the Akamai network."
    behavior {
      mtls_origin_keystore {
        enable                         = true
        client_certificate_version_guid = ""
        auth_client_cert               = false
      }
    }
  }
}
```
```json
"behaviors": [
  {
    "name": "mtlsOriginKeystore",
    "options": {
      "enable": true,
      "clientCertificateVersionGuid": "",
      "authClientCert": false
    }
  }
]
```
Options
Option | Description |
---|---|
enable | Enables a specific mutual transport layer security (mTLS) client certificate for requests from the edge server to the origin. |
client_certificate_version_guid | Specifies the client certificate the edge server presents to authenticate itself to your origin. You need to create client certificates using the Mutual TLS Origin Keystore API or application. |
auth_client_cert | When enabled, the edge server requires the origin to request the client certificate's identity. If the edge server receives that request, it proceeds with the mTLS session and connects to the origin. If the edge server doesn't receive the request, the connection to the origin stops and a client error is reported. When disabled, the edge server proceeds without a request for the client certificate and makes a standard TLS connection to the origin. Disabled by default. |
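The default sample above (`enable = true`, empty `client_certificate_version_guid`, `auth_client_cert = false`) and the `auth_client_cert` option together decide whether origin mTLS is actually enforced or silently degrades to plain TLS. The following audit script is an added example, not Akamai code or part of this documentation: it walks a Property Manager rule tree in the JSON form shown above and reports, per rule, how the three `mtlsOriginKeystore` options combine. The rule tree, rule names and the certificate GUID placeholder are constructed for the example; the option names and their semantics are taken from the table.

```python
"""Audit an Akamai Property Manager rule tree (JSON form) for the
mtlsOriginKeystore behavior and report whether origin mTLS is enforced.

Hypothetical audit helper written for this page; it is not Akamai code.
It applies the option semantics described in the Options table:

  * enable = false                -> behavior inactive, no client cert sent
  * clientCertificateVersionGuid  -> empty means no certificate is selected
  * authClientCert = false        -> edge falls back to standard TLS when
                                     the origin never asks for a certificate
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    severity: str  # "high" | "medium" | "info"
    message: str


def audit_mtls_behavior(rule_name: str, options: dict) -> list[Finding]:
    """Evaluate one mtlsOriginKeystore behavior's options."""
    findings: list[Finding] = []
    enabled = bool(options.get("enable", False))
    guid = (options.get("clientCertificateVersionGuid") or "").strip()
    strict = bool(options.get("authClientCert", False))

    if not enabled:
        findings.append(Finding(rule_name, "high",
                                "enable=false: no client certificate is presented to the origin"))
        return findings
    if not guid:
        findings.append(Finding(rule_name, "high",
                                "clientCertificateVersionGuid is empty: no client certificate selected"))
    if not strict:
        # Edge-side fallback to plain TLS: enforcement then rests on the origin
        # being configured to require a client certificate.
        findings.append(Finding(rule_name, "medium",
                                "authClientCert=false: edge falls back to standard TLS "
                                "if the origin does not request a certificate"))
    if guid and strict:
        findings.append(Finding(rule_name, "info", "origin mTLS is enforced edge-side"))
    return findings


def walk_rules(rule: dict) -> list[Finding]:
    """Recurse through a rule tree (each rule has behaviors and children)."""
    findings: list[Finding] = []
    for behavior in rule.get("behaviors", []):
        if behavior.get("name") == "mtlsOriginKeystore":
            findings.extend(audit_mtls_behavior(rule.get("name", "?"),
                                                behavior.get("options", {})))
    for child in rule.get("children", []):
        findings.extend(walk_rules(child))
    return findings


def audit_json(text: str) -> list[Finding]:
    """Parse a rule tree from its JSON text and audit it."""
    return walk_rules(json.loads(text))


# Constructed sample tree: the documentation's default sample beside a
# hardened variant. The GUID is a placeholder, not a real certificate id.
SAMPLE_TREE = {
    "name": "default",
    "behaviors": [],
    "children": [
        {"name": "mTLS default sample",
         "behaviors": [{"name": "mtlsOriginKeystore",
                        "options": {"enable": True,
                                    "clientCertificateVersionGuid": "",
                                    "authClientCert": False}}]},
        {"name": "mTLS hardened",
         "behaviors": [{"name": "mtlsOriginKeystore",
                        "options": {"enable": True,
                                    "clientCertificateVersionGuid": "PLACEHOLDER-CERT-VERSION-GUID",
                                    "authClientCert": True}}]},
    ],
}

if __name__ == "__main__":
    for f in walk_rules(SAMPLE_TREE):
        print(f"[{f.severity:6}] {f.rule}: {f.message}")
```

Running the script against the constructed tree reports two findings for the default sample (empty GUID, fallback to standard TLS allowed) and one informational line for the hardened rule; the same walker can be pointed at an exported rule tree via `audit_json`.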