Along with the OAuth code grant flow, integration models support mutual TLS (mTLS), a variation on transport layer security (TLS) that extends secure communications by also authenticating the client to the server. In mTLS, both the client and the server hold a certificate, and each side authenticates the other using its public/private key pair.
From the securitySchemes object of an example imported integration model, the securityKey sets the mutualTLS authentication type, which supports ca, certificate, and key credentials.
To set up mTLS, you need trusted certificates.
From the integration UI, drag and drop your files into the drag-and-drop area to upload your certificate, key, and ca files. Alternatively, select Click to browse to navigate to the files on your system.
After the files are uploaded, select the enabled checkbox below tls to enforce mTLS and only allow a connection when mTLS authentication is successful.
Tip: To allow a connection to proceed even if mTLS authentication fails, or a request is sent without a mutual client certificate, clear this checkbox.
CyberArk CCP cannot be used to store PEM-formatted key files. This is because CyberArk replaces newlines with spaces in password values, but the PEM file format uses newlines as part of its structure.
To work around this limitation, use one of the following approaches:
- Upload the key file directly to your integration in Itential Platform.
- Store the key file in HashiCorp Vault and reference it using a $SECRET or $KEY Vault secret reference.
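The following added example (not part of the Itential documentation) models the failure described above: a secret store that flattens newlines to spaces turns a PEM-formatted key into a single line that no longer parses, so a pre-flight structural check catches the problem before the TLS handshake fails with an opaque error. The PEM body is a constructed base64 stand-in, not real key material.

```python
import base64
import re

# Constructed stand-in for a PEM-encoded private key: the body is base64 of a
# marker string rather than real key material; only the PEM layout matters.
_CONSTRUCTED_BODY = base64.b64encode(b"constructed example body, not a real key" * 3).decode()
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    + "\n".join(_CONSTRUCTED_BODY[i:i + 64] for i in range(0, len(_CONSTRUCTED_BODY), 64))
    + "\n-----END PRIVATE KEY-----\n"
)


def simulate_password_field(value: str) -> str:
    """Model a secret store that replaces newlines with spaces in password values."""
    return value.replace("\r\n", " ").replace("\n", " ")


def check_pem(text: str) -> str:
    """Return "ok" if text is a structurally valid PEM block, else a short reason.

    PEM requires a BEGIN header line, base64 body lines and an END footer line;
    once the newlines are gone, the header, body and footer run together.
    """
    lines = text.strip().splitlines()
    if len(lines) < 3:
        return "not line-structured (newlines missing or collapsed)"
    if not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("-----")):
        return "missing BEGIN header line"
    if not (lines[-1].startswith("-----END ") and lines[-1].endswith("-----")):
        return "missing END footer line"
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return "body is not clean base64"
    try:
        base64.b64decode(body, validate=True)
    except ValueError:
        return "body does not decode as base64"
    return "ok"


if __name__ == "__main__":
    print("original key file:", check_pem(SAMPLE_PEM))
    print("after password-field storage:", check_pem(simulate_password_field(SAMPLE_PEM)))
```

Running check_pem on a key fetched from a secret store before wiring it into the mutualTLS scheme makes the "newlines replaced with spaces" case visible as a clear reason string instead of a failed handshake.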