Skip to content

Add docs for client-gw mtls support #123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lasanthaS wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add docs for client-gw mtls support #123

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a725fd3
Add docs for client-gw mtls support
lasanthaS Dec 19, 2025
7f9f204
Add authenticator ballerina app
lasanthaS Dec 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@
*.war
*.nar
*.ear
*.zip
*.tar.gz
*.rar

Expand Down
Binary file added en/docs/assets/files/develop-api-proxy/policy/authenticator-mtls.zip
View file
Open in desktop
Binary file not shown.
Binary file added en/docs/assets/img/develop-api-proxy/policy/mtls-auth-policy.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
1 change: 1 addition & 0 deletions en/docs/develop-api-proxy/policy/policies.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ Bijira supports a set of inbuilt mediation policies that can handle common API t
- **Rewrite Resource Path**: Modifies the resource path of an HTTP request by replacing the original path with a new relative path. You can apply this policy multiple times, but only the last instance will take effect. The new path must be static, but you can use placeholders to configure different values for different environments. For example, `${myResourcePath}`.
- **Log Message**: Logs the payload and headers of a request or response. Attaching this policy multiple times results in duplicate log entries. By default, headers and payloads are not logged. To log them, you can enable `Log Headers` and `Log Payload` parameters. To exclude specific headers when logging, you can use the `Excluded Headers` parameter, which takes a comma-separated list of header names. An error will occur if payload logging is enabled but the payload cannot be read.
- **Permissions (Scopes)**: Defines fine-grained access control by assigning permissions (scopes) to API resources. Each resource can have one or more scopes, and only users or applications with the required scope in their access token can invoke the resource.
- **MTLS Authenticator**: Secures the communication between the client application and the gateway through mutual TLS (mTLS). This policy enforces that both the client and the gateway authenticate each other using certificates, ensuring encrypted and authenticated connections. It validates client certificates against configured certificate authorities. Follow the step mentioned in [Secure Client-Gateway Communication with mTLS](../policy/secure-client-gateway-communication-with-mtls.md) to configure the MTLS Authenticator policy.
Copy link

@coderabbitai coderabbitai bot Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Fix grammatical error: "step" should be "steps".

The phrase "Follow the step mentioned" should be "Follow the steps mentioned" since the referenced guide contains multiple configuration steps.

🔎 Proposed fix 
-- **MTLS Authenticator**: Secures the communication between the client application and the gateway through mutual TLS (mTLS). This policy enforces that both the client and the gateway authenticate each other using certificates, ensuring encrypted and authenticated connections. It validates client certificates against configured certificate authorities. Follow the step mentioned in [Secure Client-Gateway Communication with mTLS](../policy/secure-client-gateway-communication-with-mtls.md) to configure the MTLS Authenticator policy.
+- **MTLS Authenticator**: Secures the communication between the client application and the gateway through mutual TLS (mTLS). This policy enforces that both the client and the gateway authenticate each other using certificates, ensuring encrypted and authenticated connections. It validates client certificates against configured certificate authorities. Follow the steps mentioned in [Secure Client-Gateway Communication with mTLS](../policy/secure-client-gateway-communication-with-mtls.md) to configure the MTLS Authenticator policy.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- **MTLS Authenticator**: Secures the communication between the client application and the gateway through mutual TLS (mTLS). This policy enforces that both the client and the gateway authenticate each other using certificates, ensuring encrypted and authenticated connections. It validates client certificates against configured certificate authorities. Follow the step mentioned in [Secure Client-Gateway Communication with mTLS](../policy/secure-client-gateway-communication-with-mtls.md) to configure the MTLS Authenticator policy.
- **MTLS Authenticator**: Secures the communication between the client application and the gateway through mutual TLS (mTLS). This policy enforces that both the client and the gateway authenticate each other using certificates, ensuring encrypted and authenticated connections. It validates client certificates against configured certificate authorities. Follow the steps mentioned in [Secure Client-Gateway Communication with mTLS](../policy/secure-client-gateway-communication-with-mtls.md) to configure the MTLS Authenticator policy.
🤖 Prompt for AI Agents 
In en/docs/develop-api-proxy/policy/policies.md around line 30, the sentence
"Follow the step mentioned in [Secure Client-Gateway Communication with
mTLS](../policy/secure-client-gateway-communication-with-mtls.md) to configure
the MTLS Authenticator policy." contains a grammatical error; change "step" to
"steps" so it reads "Follow the steps mentioned in [Secure Client-Gateway
Communication with
mTLS](../policy/secure-client-gateway-communication-with-mtls.md) to configure
the MTLS Authenticator policy."


These inbuilt mediation policies provide flexibility to manage API requests and responses, allowing for custom transformations and logic without requiring custom code.

Expand Down
93 changes: 93 additions & 0 deletions en/docs/develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
# Secure Client-Gateway Communication with Mutual TLS

Mutual TLS (mTLS) adds client-side certificate authentication to ensure only trusted clients can call an API. In WSO2 Bijira you enable mTLS at the API proxy level by configuring the MTLS Authenticator mediation policy to validate client certificates or an intermediate CA chain during the TLS handshake.

This guide walks through the end-to-end steps on configuring mTLS for an API proxy to consume the API Proxy.
Comment on lines +3 to +5
Copy link

@coderabbitai coderabbitai bot Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Improve grammar and clarity.

Several issues affect readability:

  • Line 3: Missing comma after "WSO2 Bijira"
  • Line 5: "steps on configuring" should be "steps for configuring"
  • Line 5: "to consume the API Proxy" is redundant (already mentioned as "for an API proxy")
🔎 Proposed fixes 
-Mutual TLS (mTLS) adds client-side certificate authentication to ensure only trusted clients can call an API. In WSO2 Bijira you enable mTLS at the API proxy level by configuring the MTLS Authenticator mediation policy to validate client certificates or an intermediate CA chain during the TLS handshake. 
+Mutual TLS (mTLS) adds client-side certificate authentication to ensure only trusted clients can call an API. In WSO2 Bijira, you enable mTLS at the API proxy level by configuring the MTLS Authenticator mediation policy to validate client certificates or an intermediate CA chain during the TLS handshake.

-This guide walks through the end-to-end steps on configuring mTLS for an API proxy to consume the API Proxy.
+This guide walks through the end-to-end steps for configuring mTLS for an API proxy.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Mutual TLS (mTLS) adds client-side certificate authentication to ensure only trusted clients can call an API. In WSO2 Bijira you enable mTLS at the API proxy level by configuring the MTLS Authenticator mediation policy to validate client certificates or an intermediate CA chain during the TLS handshake.
This guide walks through the end-to-end steps on configuring mTLS for an API proxy to consume the API Proxy.
Mutual TLS (mTLS) adds client-side certificate authentication to ensure only trusted clients can call an API. In WSO2 Bijira, you enable mTLS at the API proxy level by configuring the MTLS Authenticator mediation policy to validate client certificates or an intermediate CA chain during the TLS handshake.
This guide walks through the end-to-end steps for configuring mTLS for an API proxy.
🤖 Prompt for AI Agents 
en/docs/develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md
around lines 3 to 5: add a comma after "WSO2 Bijira", change "steps on
configuring" to "steps for configuring", and remove the redundant phrase "to
consume the API Proxy" so the final sentence reads succinctly (e.g., "This guide
walks through the end-to-end steps for configuring mTLS for an API proxy.").


## Prerequisites

1. Set up [ Ballerina 2201.5.5](https://ballerina.io/downloads/swan-lake-release-notes/swan-lake-2201.5.5).
Copy link

@coderabbitai coderabbitai bot Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Update Ballerina to 2201.12.0 or later.

The documentation references Ballerina 2201.5.5, which was released in 2023. Update to Swan Lake Update 12 (2201.12.0), which includes significant compiler, runtime, and library improvements. mTLS is supported across all recent Ballerina versions.

🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

9-9: Spaces inside link text

(MD039, no-space-in-links)

🤖 Prompt for AI Agents 
In
en/docs/develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md
around line 9, the Ballerina version is pinned to 2201.5.5; update the
documentation to reference Ballerina Swan Lake Update 12 (2201.12.0) or later.
Replace the version string and any linked release notes URL with the appropriate
2201.12.0 (or newer) download/release-note link and, if present, adjust any
version-specific notes to indicate mTLS is supported across recent Ballerina
releases.

2. Open the `~/.ballerina/settings.toml` file and ensure you have configured an access token to Ballerina Central. If you have not configured an access token, follow the steps given below to configure one:
1. Generate a token via [https://central.ballerina.io/dashboard?tab=token](https://central.ballerina.io/dashboard?tab=token).
2. Download the generated `Settings.toml` file and copy it to your local `~/.ballerina` directory.

Alternatively, you can set the access token via the `BALLERINA_CENTRAL_ACCESS_TOKEN` environment variable.

``` bash
export BALLERINA_CENTRAL_ACCESS_TOKEN=<access-token>
```

## Configure mTLS Policy

1. Mutual SSL will be configured through a mediation. Please download the mediation app from [here](../../assets/files/develop-api-proxy/policy/authenticator-mtls.zip).
Copy link

@coderabbitai coderabbitai bot Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Use a more descriptive link text.

The link text "[here]" is non-descriptive and doesn't convey what the user will download. Update to explicitly indicate the mediation app.

🔎 Proposed fix 
-1. Mutual SSL will be configured through a mediation. Please download the mediation app from [here](../../assets/files/develop-api-proxy/policy/authenticator-mtls.zip).
+1. Mutual SSL will be configured through a mediation. Please download the [MTLS Authenticator mediation app](../../assets/files/develop-api-proxy/policy/authenticator-mtls.zip).
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
1. Mutual SSL will be configured through a mediation. Please download the mediation app from [here](../../assets/files/develop-api-proxy/policy/authenticator-mtls.zip).
1. Mutual SSL will be configured through a mediation. Please download the [MTLS Authenticator mediation app](../../assets/files/develop-api-proxy/policy/authenticator-mtls.zip).
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

22-22: Link text should be descriptive

(MD059, descriptive-link-text)

🤖 Prompt for AI Agents 
In
en/docs/develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md
around line 22, the download link uses non-descriptive anchor text "[here]";
replace it with explicit link text like "download the authenticator-mtls
mediation app" (or similar) so the link clearly indicates the file being
downloaded and its purpose.

2. Open the `Ballerina.toml` file in your preferred text editor and modify the `org` parameter to match with your current Bijira organization.
Copy link

@coderabbitai coderabbitai bot Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Fix grammar: remove "with".

The phrase "match with your current" should be "match your current" for proper grammar.

🔎 Proposed fix 
-2. Open the `Ballerina.toml` file in your preferred text editor and modify the `org` parameter to match with your current Bijira organization.
+2. Open the `Ballerina.toml` file in your preferred text editor and modify the `org` parameter to match your current Bijira organization.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
2. Open the `Ballerina.toml` file in your preferred text editor and modify the `org` parameter to match with your current Bijira organization.
2. Open the `Ballerina.toml` file in your preferred text editor and modify the `org` parameter to match your current Bijira organization.
🤖 Prompt for AI Agents 
en/docs/develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md
around line 23: the sentence "modify the `org` parameter to match with your
current Bijira organization." uses incorrect grammar; remove the word "with" so
it reads "modify the `org` parameter to match your current Bijira organization."
— update that line accordingly.

3. Build the mediation app and publish it to the Ballerina central using the following command.

!!!note
If setting up in dev environment use `export BALLERINA_DEV_CENTRAL=true` before following commands

```bash
bal pack
bal push
```

## Generate a Self-signed Certificate

!!! note
If you don't have a CA-signed certificate, use the following command to generate a self-signed certificate.

```bash
openssl req -x509 -newkey rsa:2048 -keyout mykey.pem -out mycert.pem -days 365 -nodes
```

1. Open the certificate via the preferred text editor and get the content in PEM format. Convert the content in to URL encoding and copy the content to the clipboard for future use.
Copy link

@coderabbitai coderabbitai bot Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Add instructions for URL encoding the certificate.

The documentation instructs users to "Convert the content in to URL encoding" but doesn't explain how to perform this conversion. This is a critical step that may not be obvious to all users.

🔎 Suggested addition

Consider adding specific instructions or a command example for URL encoding, such as:

1. Open the certificate via the preferred text editor and get the content in PEM format. URL-encode the content using one of the following methods:

**Using Python:**
```bash
python3 -c "import urllib.parse; print(urllib.parse.quote(open('mycert.pem').read()))"

Using online tools:
Visit a URL encoder tool and paste the certificate content to encode it.

Copy the encoded content to the clipboard for future use.


Also note: "in to" should be "into" (one word).
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

In
en/docs/develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md
around line 43, the step telling users to "Convert the content in to URL
encoding" is vague and has a typo ("in to" → "into"); update the sentence to
"Convert the content into URL encoding" and add concrete examples showing how to
URL-encode a PEM file (e.g., a one-liner using Python's urllib.parse.quote and
mention alternative methods like OpenSSL piping or online URL-encoder tools),
then instruct the user to copy the encoded output to the clipboard for future
use.


</details>

<!-- fingerprinting:phantom:poseidon:puma -->

<!-- This is an auto-generated comment by CodeRabbit -->


## Apply mTLS to API Proxy

1. Sign in to the Bijira Console.
2. In the Proxy Listing pane, click on the API proxy for which you want to enable MTLS. For instructions on how to create an API proxy component, see Develop an API Proxy: Step 1.
3. Go to Develop, Policy page and click "Resource level policies".

!!! note
If you don't need OAuth2 to be enabled, remove the "OAuth2" mediation policy.

4. Under the policies, select "MTLS Authenticator".
5. Paste the URL encoded certificate content you copied to the clipboard in the above section and save.
Copy link

@coderabbitai coderabbitai bot Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Use hyphen in compound adjective.

Line 55 uses "URL encoded" as a compound adjective before the noun. For proper grammar, use a hyphen: "URL-encoded".

🔎 Proposed fix 
-5. Paste the URL encoded certificate content you copied to the clipboard in the above section and save.
+5. Paste the URL-encoded certificate content you copied to the clipboard in the above section and save.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
5. Paste the URL encoded certificate content you copied to the clipboard in the above section and save.
5. Paste the URL-encoded certificate content you copied to the clipboard in the above section and save.
🧰 Tools
🪛 LanguageTool

[grammar] ~55-~55: Use a hyphen to join words.
Context: ...t "MTLS Authenticator". 5. Paste the URL encoded certificate content you copied t...

(QB_NEW_EN_HYPHEN)

🤖 Prompt for AI Agents 
In
en/docs/develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md
around line 55, the phrase "URL encoded certificate content" should use a hyphen
for the compound adjective; change it to "URL-encoded certificate content" so
the compound modifier is grammatically correct before the noun.


!!! note
If you need to support multiple client certificates, you can use an intermediate CA certificate and add here. Once that is done, all certificates signed by the intermediate certificate will be allowed to access the resource.

![MTLS authenticator policy](../../assets/img/develop-api-proxy/policy/mtls-auth-policy.png)

6. Deploy the API to development and then to the production environment.

## Invoke the API Proxy

!!! note
If you haven’t removed OAuth2 policy, you will have to subscribe to the API and get access token.

You can use curl for this. Get the URL for the API from the dev portal and invoke API.

```bash
curl --request GET \
--url <api_proxy_endpoint_url> \
--header 'Accept: application/json' \
--cert /<path>/mycert.pem \
--key /<path>/mykey.pem
```

For a failed scenario, you will get the following error.

```json
{
"error_message":"Invalid Credentials",
"code":"900901",
"error_description":"Make sure you have provided the correct security credentials."
}
```

## Configure a Custom Domain

To configure a custom domain for an API Proxy, follow the steps mentioned in [Configure a Custom Domain for Your Organization](../../../administer/settings/configure-a-custom-domain-for-your-organization/).
Copy link

@coderabbitai coderabbitai bot Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the custom domain configuration file exists

# First, let's see what files exist with "custom-domain" in the name
echo "=== Searching for custom domain configuration files ==="
find . -type f -name "*custom-domain*" 2>/dev/null

echo ""
echo "=== Checking directory structure under en/docs ==="
# Show the structure of en/docs to understand the organization
find en/docs -type d | head -30

echo ""
echo "=== Looking for administer directories ==="
find . -type d -name "administer" 2>/dev/null

echo ""
echo "=== File path resolution check ==="
# From the file location: en/docs/develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md
# Let's calculate where ../../../ goes
# Starting from: en/docs/develop-api-proxy/policy/
# Up 3 levels would be: en/
# Then: administer/settings/configure-a-custom-domain-for-your-organization/

echo "Resolved path should be: en/administer/settings/configure-a-custom-domain-for-your-organization/"
if [ -d "en/administer/settings/configure-a-custom-domain-for-your-organization" ]; then
  echo "Directory EXISTS at calculated location"
  ls -la "en/administer/settings/configure-a-custom-domain-for-your-organization/"
else
  echo "Directory DOES NOT EXIST at calculated location"
fi

echo ""
echo "=== Checking if docs directory structure has administer section ==="
ls -la en/docs/ 2>/dev/null | head -20

Repository: wso2/docs-bijira

Length of output: 2845

Correct the relative path in the link.

The link path has one too many directory levels. Change ../../../administer/settings/configure-a-custom-domain-for-your-organization/ to ../../administer/settings/configure-a-custom-domain-for-your-organization/.

🤖 Prompt for AI Agents 
In
en/docs/develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md
around line 91, the relative link to the custom domain doc uses one extra ../
segment; update the path from
../../../administer/settings/configure-a-custom-domain-for-your-organization/ to
../../administer/settings/configure-a-custom-domain-for-your-organization/ so
the link resolves to the correct location.


Once the above step is completed, contact the Bijira team via [email protected] to enable mTLS for the given custom domain.
Copy link

@coderabbitai coderabbitai bot Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Format email address as a proper markdown link.

The email address appears as plain text without markdown formatting. Format it as a mailto link for better readability and compliance with markdown standards.

🔎 Proposed fix 
-Once the above step is completed, contact the Bijira team via [email protected] to enable mTLS for the given custom domain.
+Once the above step is completed, contact the Bijira team via [[email protected]](mailto:[email protected]) to enable mTLS for the given custom domain.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
Once the above step is completed, contact the Bijira team via [email protected] to enable mTLS for the given custom domain.
Once the above step is completed, contact the Bijira team via [[email protected]](mailto:[email protected]) to enable mTLS for the given custom domain.
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

93-93: Bare URL used

(MD034, no-bare-urls)

🤖 Prompt for AI Agents 
In
en/docs/develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md
around line 93, the Bijira team email is plain text; replace it with a Markdown
mailto link (e.g., use [[email protected]](mailto:[email protected])) so
the address is clickable and conforms to markdown standards.

1 change: 1 addition & 0 deletions en/mkdocs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,7 @@ nav:
- Overview: develop-api-proxy/policy/overview.md
- Policies: develop-api-proxy/policy/policies.md
- Attach and Manage Policies: develop-api-proxy/policy/attach-and-manage-policies.md
- Secure Client-Gateway Communication with Mutual TLS: develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md
# - Apply Advanced Settings on Mediation Policies: develop-api-proxy/policy/apply-advanced-settings-on-mediation-policies.md
- Documents: develop-api-proxy/documents.md
- Lifecycle: develop-api-proxy/lifecycle-management.md
Expand Down