Need open source plugin to access the endpoint using mtls certificate authentication

RE: Need open source plugin to access the endpoint using mtls certificate authentication

Gayathiri Mallikeswaran — Fri, 06 Oct 2023 08:03:17 GMT

Thanks Jesse and Mathieu. Your suggestions are helped me to implement mTLS in our project.

I have followed the below mentioned steps for using mTLS for http calls .

1. Uploaded mTLS certificate in admin console "Client Certificates" section

2. Created Connected Object and Integration Object to call the api.

Note: No idea, How Appian is using appropriate mTLS When we upload more than one mTLS on admin console for different applications.

RE: Need open source plugin to access the endpoint using mtls certificate authentication

Jesse Knight — Wed, 09 Aug 2023 18:12:30 GMT

You shouldn't need to 'consume' the certificate. It will automatically be used by Appian when making a call.

How was the certificate generated? Since you mentioned 'mTLS', this isn't the same thing as 'mutual SSL' mentioned here - https://docs.appian.com/suite/help/23.1/connected_system_authentication.html#none

I'm also generally interested in mTLS, as it's the one transport layer protocol that's preventing our Appian environment from being able to securely connect to a few internal systems / databases.Here are a couple of diagrams that made it clearer for me. Here's what I've found so far:

There are a few key differences between mutual SSL (which Appian supports) and mTLS (which is unknown if we can get it to work):

Mutual SSL certificates are issued by a public trusted CA, but mTLS is issued by the org
mTLS has additional steps compared to typical the SSL handshake to verify

It's unclear (so far) if Appian can indirectly support mTLS, but it may be worth trying:

Add the Root CA (including the full chain of trust) to the uploaded "Client Certificates" section. This effectively means that your .pem file has multiple certificate keys in it.
Add a certificate that contains the Root CA cert (by itself? unclear) to the 'Trusted Servers" section in the admin console
Turn on SSL logging (try this in your dev environment only!) and verify that the sequence of events expected by your mTLS-enabled server happens in the proper order.

RE: Need open source plugin to access the endpoint using mtls certificate authentication

Gayathiri Mallikeswaran — Thu, 27 Jul 2023 04:47:30 GMT

Yes it is working. But How do we consume the uploaded certificate in the connection object? If you have any idea, please let me know. Thanks

RE: Need open source plugin to access the endpoint using mtls certificate authentication

Mathieu Drouin — Fri, 26 May 2023 02:31:26 GMT

Have you tried converting from pfx to pem?

stackoverflow.com/.../converting-pfx-to-pem-using-openssl

RE: Need open source plugin to access the endpoint using mtls certificate authentication

Gayathiri Mallikeswaran — Wed, 24 May 2023 07:36:40 GMT

Thank you Mathieu for your reply, admin console accepts only pem extension certificate and no option to upload the pfx certificate. and also after uploading the certificate, how that will be referred in http calls like basic authentication.

RE: Need open source plugin to access the endpoint using mtls certificate authentication

Mathieu Drouin — Fri, 19 May 2023 12:12:34 GMT

I believe all you need to do is add the certificate in the admin console.

docs.appian.com/.../Appian_Administration_Console.html