mTLS security
Along with the OAuth code grant flow, integration models support mutual TLS (mTLS), a variant of transport layer security (TLS) that adds client authentication to the server authentication TLS already performs. In mTLS, both the client and the server present a certificate, and each side proves possession of the private key that matches it.
mTLS security schema
In the securitySchemes object of an imported integration model, the securityKey sets the authentication type to mutualTLS, which accepts three credentials: ca, certificate, and key.
How to apply mutual TLS authentication
To set up mTLS, you need trusted certificates.
Upload your certificate files
From the integration UI, drag and drop your certificate, key, and ca files into the drag-and-drop area to upload them. Alternatively, select Click to browse to navigate to the files on your system.
Enable mTLS
After the files are uploaded, select the enabled checkbox below tls to enforce mTLS, so that a connection is allowed only when mTLS authentication succeeds.
Tip: To allow a connection to proceed even if mTLS authentication fails, or a request is sent without a mutual client certificate, clear this checkbox.
CyberArk CCP limitation for PEM key files
CyberArk CCP cannot be used to store PEM-formatted key files. This is because CyberArk replaces newlines with spaces in password values, but the PEM file format uses newlines as part of its structure.
To work around this limitation, use one of the following approaches:
- Upload directly: Upload your key file directly to your integration in Itential Platform.
- Use HashiCorp Vault: Store your key file in HashiCorp Vault and reference it using a $SECRET or $KEY Vault secret reference.
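The following is an added example, not Itential's code, that shows a pre-upload check for the three mutualTLS credentials and why a PEM key pulled from CyberArk CCP fails. The credential bundle layout (a dictionary with ca, certificate and key PEM strings) and the flatten_like_ccp helper are assumptions made here to mirror the scheme described above; the PEM bodies are constructed placeholders, not real key material.

```python
"""Pre-upload structural check for mTLS credential material (added example).

The bundle layout below (keys "ca", "certificate", "key") is an assumption
mirroring the three credentials the mutualTLS scheme accepts; it is not
Itential's own data model.
"""
from __future__ import annotations

import base64
import binascii
import re

# One PEM block: header line, base64 body lines of at most 64 characters,
# footer line whose label must match the header label.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]{1,64}\n)+)"
    r"-----END (?P=label)-----"
)

# Accepted PEM labels per credential; the key must be exactly one block,
# while ca may be a chain of several CERTIFICATE blocks.
REQUIRED = {
    "ca": ({"CERTIFICATE"}, False),
    "certificate": ({"CERTIFICATE"}, False),
    "key": ({"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}, True),
}


def check_pem(text: str, expected_labels: set[str], single: bool = False) -> tuple[bool, str]:
    """Return (ok, reason) for a PEM string; newline loss is reported explicitly."""
    if "\n" not in text.strip():
        # CyberArk CCP replaces newlines with spaces, which lands here.
        return False, "no newlines: PEM line structure was flattened"
    blocks = list(PEM_BLOCK_RE.finditer(text))
    if not blocks:
        return False, "no well-formed PEM block found"
    if single and len(blocks) != 1:
        return False, f"expected exactly one PEM block, found {len(blocks)}"
    for m in blocks:
        if m.group("label") not in expected_labels:
            return False, f"unexpected PEM label {m.group('label')!r}"
        try:
            base64.b64decode(m.group("body").replace("\n", ""), validate=True)
        except binascii.Error:
            return False, "body is not valid base64"
    return True, "ok"


def check_bundle(bundle: dict[str, str]) -> dict[str, tuple[bool, str]]:
    """Check each of the ca, certificate and key credentials in a bundle."""
    results = {}
    for name, (labels, single) in REQUIRED.items():
        value = bundle.get(name)
        if not value:
            results[name] = (False, "missing")
            continue
        results[name] = check_pem(value, labels, single)
    return results


def bundle_ok(bundle: dict[str, str]) -> bool:
    return all(ok for ok, _ in check_bundle(bundle).values())


def make_pem(label: str, payload: bytes) -> str:
    """Build a PEM block with 64-column base64 lines (constructed sample data)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def flatten_like_ccp(pem: str) -> str:
    """Assumed model of the CyberArk behaviour described above: newlines become spaces."""
    return pem.replace("\n", " ").strip()


# Constructed sample bundle; payloads are placeholder bytes, not real keys or certs.
SAMPLE_BUNDLE = {
    "ca": make_pem("CERTIFICATE", b"constructed CA certificate placeholder " * 3),
    "certificate": make_pem("CERTIFICATE", b"constructed client certificate placeholder " * 3),
    "key": make_pem("PRIVATE KEY", b"constructed key placeholder, not real key material " * 3),
}

if __name__ == "__main__":
    print("as uploaded:", check_bundle(SAMPLE_BUNDLE))
    mangled = dict(SAMPLE_BUNDLE, key=flatten_like_ccp(SAMPLE_BUNDLE["key"]))
    print("after CCP round-trip:", check_bundle(mangled))
```

Running the check on the original bundle reports ok for all three credentials; running it on the bundle whose key went through flatten_like_ccp reports the key as flattened, which is the same structural damage that makes a CCP-stored PEM key unusable for mTLS.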