Add docs for client-gw mtls support

.gitignore

@@ -15,7 +15,6 @@
 *.war
 *.nar
 *.ear
-*.zip
 *.tar.gz
 *.rar
 

en/docs/develop-api-proxy/policy/policies.md

@@ -27,6 +27,7 @@ Bijira supports a set of inbuilt mediation policies that can handle common API t
 - **Rewrite Resource Path**: Modifies the resource path of an HTTP request by replacing the original path with a new relative path. You can apply this policy multiple times, but only the last instance will take effect. The new path must be static, but you can use placeholders to configure different values for different environments. For example, `${myResourcePath}`.
 - **Log Message**: Logs the payload and headers of a request or response. Attaching this policy multiple times results in duplicate log entries. By default, headers and payloads are not logged. To log them, you can enable `Log Headers` and `Log Payload` parameters. To exclude specific headers when logging, you can use the `Excluded Headers` parameter, which takes a comma-separated list of header names. An error will occur if payload logging is enabled but the payload cannot be read.
 - **Permissions (Scopes)**: Defines fine-grained access control by assigning permissions (scopes) to API resources. Each resource can have one or more scopes, and only users or applications with the required scope in their access token can invoke the resource.
+- **MTLS Authenticator**: Secures the communication between the client application and the gateway through mutual TLS (mTLS). This policy enforces that both the client and the gateway authenticate each other using certificates, ensuring encrypted and authenticated connections. It validates client certificates against configured certificate authorities. Follow the steps mentioned in [Secure Client-Gateway Communication with mTLS](../policy/secure-client-gateway-communication-with-mtls.md) to configure the MTLS Authenticator policy.
 
 These inbuilt mediation policies provide flexibility to manage API requests and responses, allowing for custom transformations and logic without requiring custom code.
 

en/docs/develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md

@@ -0,0 +1,92 @@
+# Secure Client-Gateway Communication with Mutual TLS
+
+Mutual TLS (mTLS) adds client-side certificate authentication to ensure only trusted clients can call an API. In WSO2 Bijira, you enable mTLS at the API proxy level by configuring the MTLS Authenticator mediation policy to validate client certificates or an intermediate CA chain during the TLS handshake. 
+
+This guide walks through the end-to-end steps to configure mTLS for an API proxy.
+
+## Prerequisites
+
+1. Set up [ Ballerina 2201.5.5](https://ballerina.io/downloads/swan-lake-release-notes/swan-lake-2201.5.5).
+2. Open the `~/.ballerina/settings.toml` file and ensure you have configured an access token to Ballerina Central. If you have not configured an access token, follow the steps given below to configure one.
+    1. Generate a token via [https://central.ballerina.io/dashboard?tab=token](https://central.ballerina.io/dashboard?tab=token).
+    2. Download the generated `Settings.toml` file and copy it to your local `~/.ballerina` directory.
+
+Alternatively, you can set the access token via the `BALLERINA_CENTRAL_ACCESS_TOKEN` environment variable.
+
+``` bash
+export BALLERINA_CENTRAL_ACCESS_TOKEN=<access-token> 
+```
+
+## Configure mTLS Policy
+
+1. Mutual SSL will be configured through a mediation. Please click to download the [mediation app](../../assets/files/develop-api-proxy/policy/authenticator-mtls.zip).
+2. Open the `Ballerina.toml` file in your preferred text editor and modify the `org` parameter to match your current Bijira organization. 
+3. Build the mediation app and publish it to the Ballerina central using the following commands. 
+
+    !!!note
+        If setting up in dev environment use `export BALLERINA_DEV_CENTRAL=true` before following commands.
+
+    ```bash
+    bal pack
+    bal push
+    ```
+
+## Generate a Self-signed Certificate
+
+1. If you don't have a CA-signed certificate, use the following command to generate a self-signed certificate.
+
+    ```bash
+    openssl req -x509 -newkey rsa:2048 -keyout mykey.pem -out mycert.pem -days 365 -nodes
+    ```
+
+2. Open the certificate via the preferred text editor and get the content in PEM format. Convert the content in to URL encoding and copy the content to the clipboard for future use. 
+
+## Apply mTLS to API Proxy
+
+1. Sign in to the [Bijira Console](https://console.bijira.dev/).
+2. In the Proxy Listing pane, click on the API proxy for which you want to enable MTLS. For instructions on how to create an API proxy component, see [Create an API Proxy](../../create-api-proxy/my-apis/http/import-api-contract.md).
+3. Go to Develop, Policy page and click "Resource level policies".
+
+    !!! note
+        If you don't need OAuth2 to be enabled, remove the "OAuth2" mediation policy.
+
+4. Under the policies, select "MTLS Authenticator".
+5. Paste the URL-encoded certificate content you copied to the clipboard at the step 2 of [Generate a Self-signed Certificate](#generate-a-self-signed-certificate) section above and save.
+
+    !!! note
+        If you need to support multiple client certificates, you can use an intermediate CA certificate and add here. Once that is done, all certificates signed by the intermediate certificate will be allowed to access the resource.
+
+    ![MTLS authenticator policy](../../assets/img/develop-api-proxy/policy/mtls-auth-policy.png)
+
+6. Deploy the API to development and then to the production environment.
+
+## Invoke the API Proxy
+
+!!! note
+    If you haven’t removed OAuth2 policy, you will have to subscribe to the API and get access token. 
+
+You can use curl for this. Get the URL for the API from the dev portal and invoke API. 
+
+```bash
+curl --request GET \
+  --url <api_proxy_endpoint_url> \
+  --header 'Accept: application/json' \
+  --cert /<path>/mycert.pem \
+  --key /<path>/mykey.pem
+```
+
+For a failed scenario, you will get the following error.
+
+```json
+{
+    "error_message":"Invalid Credentials", 
+    "code":"900901", 
+    "error_description":"Make sure you have provided the correct security credentials."
+}
+```
+
+## Configure a Custom Domain
+
+To configure a custom domain for an API Proxy, follow the steps mentioned in [Configure a Custom Domain for Your Organization](../../../administer/settings/configure-a-custom-domain-for-your-organization/). 
+
+Once the above step is completed, contact the Bijira team via [bijira-help@wso2.com](mailto:bijira-help@wso2.com) to enable mTLS for the given custom domain.

en/mkdocs.yml

@@ -138,6 +138,7 @@ nav:
           - Overview: develop-api-proxy/policy/overview.md
           - Policies: develop-api-proxy/policy/policies.md
           - Attach and Manage Policies: develop-api-proxy/policy/attach-and-manage-policies.md
+          - Secure Client-Gateway Communication with Mutual TLS: develop-api-proxy/policy/secure-client-gateway-communication-with-mtls.md
         # - Apply Advanced Settings on Mediation Policies: develop-api-proxy/policy/apply-advanced-settings-on-mediation-policies.md
       - Documents: develop-api-proxy/documents.md
       - Lifecycle: develop-api-proxy/lifecycle-management.md