Configuring an HTTPS Destination with MTLS (Mutual TLS, aka Client Certs)

When configuring an HTTPS Destination for outbound messaging, you can configure the destination for Mutual TLS (MTLS), also known as "client certificates". In an MTLS configuration, the server expects the client to hold a key pair. The server has the client's public key (as a one-time activity, you send it to the server administrator), and the client has the private key, which the client NEVER shares. When the client connects to the server, the server presents a challenge that only the holder of the private key can answer successfully.

To configure an HTTPS Destination for MTLS, we must configure the JSON for the destination with four additional attributes (described fully in the HTTP/S Enqueue and Dequeue section):

  • keystoreFile

  • keystorePass

  • truststoreFile

  • truststorePass

Creating the KeyStore

Complete the following steps to create the KeyStore file using "Keystore Explorer", a free GUI application. (If you prefer, you can do this with the Java command-line tool "keytool" instead.)

  1. Download and install Keystore Explorer from https://keystore-explorer.org/

  2. Click Create a new KeyStore.

    The New Keystore Type popup appears.

  3. Select JKS as the format and click OK.

  4. Select the Import Key Pair button.

    The Import Key Pair Type popup appears.

  5. Select the key pair format you have on hand. In this example, we have a file KeyPair.p12, so we are selecting PKCS#12.
    A password prompt appears for the existing key.

  6. Enter the Decryption Password and click Import.
    The New Key Pair Entry Alias popup appears.

  7. Enter an alias for the key pair and click OK. This must be unique within your keystore.

    The New Key Pair Entry Password popup appears.

  8. Enter a new password for the key pair and click OK.

    Whatever password you choose, note it down carefully, because it must match the password you assign later to the keystore file as a whole.

    A success message appears.

  9. Select File > Save to save the keystore file itself.

    The Set KeyStore Password screen appears.

  10. Enter the same password you chose for the new key pair entry earlier in this workflow.

    NEO assumes the keystore password and key pair password always match.

  11. Click OK.
    The Save KeyStore As popup appears.

  12. Click Save.

    Ensure you save the file with a ".jks" extension.

Creating the TrustStore

Complete the following steps to create the TrustStore file using "Keystore Explorer", a free GUI application. (If you prefer, you can do this with the Java command-line tool "keytool" instead.)

  1. Download and install Keystore Explorer: https://keystore-explorer.org/

  2. Click Create a new KeyStore.

    The New Keystore Type popup appears.

  3. Select JKS as the format and click OK.

  4. The customer should have provided the URL to which you post your messages. Visit that URL in your browser. An error message will likely appear, because the URL is not meant to be opened in a browser; that is fine.

  5. Click the Secure icon in the browser to view the certificate.

    [Screenshot: browser address bar with the Secure icon. A ONE URL is shown for demonstration purposes only; your URL will not be a ONE URL.]

    A dropdown appears.

  6. Click Connection is secure.

    The popup updates.

  7. Click Certificate is valid.
    A popup appears.

  8. On the Details tab of the certificate viewer, click each certificate in the hierarchy and click Export to export them one by one.
    The Save As popup appears.

  9. Name your exported file and click Save.

  10. Once exported, return to your KeyStore Explorer and click the Import Trusted Certificate button to import the certificates one by one. You can accept whatever default aliases are provided.

    After importing all your certificates, your screen should look similar to the following screenshot. Note that the number of certificates varies based on how the server certificate is signed.

    [Screenshot: KeyStore Explorer listing the imported trusted certificates]

    Open your original keystore file (the one created in "Creating the KeyStore").
    A new tab opens in KeyStore Explorer.

  11. Double-click the key pair entry in the keystore and export its certificates one by one by clicking the Export button.
    The Export popup appears.

  12. Select X.509 as the Export Format and click Export.

  13. Now, return to the TrustStore tab, and import each of those certificates using Import Trusted Certificate. You should end up with something like the following screenshot.

    [Screenshot: the TrustStore tab after importing the server and client certificates]

  14. Save the TrustStore using File > Save.
    The Set KeyStore Password popup appears.

  15. Enter a password and click OK.
    The Save KeyStore As popup appears.

  16. Click Save.

    Ensure you save the file with a ".jks" extension.
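As an added example (not part of the original page), the following script performs both procedures above, "Creating the KeyStore" and "Creating the TrustStore", with the command-line tools the page mentions as an alternative: keytool for the stores, and openssl s_client in place of the browser certificate export. It assumes the key pair is in KeyPair.p12, uses placeholder passwords and a placeholder host name (destination.example.com), chooses the aliases "client", "server-*" and "client-*" itself, and only creates the files when invoked with --run.

```shell
#!/bin/sh
# Added example, not from the original page: the keytool/openssl equivalent of
# the KeyStore Explorer workflow above. Assumes KeyPair.p12 holds the client key
# pair and DEST_HOST is the customer's HTTPS endpoint (placeholder value below).
set -eu

P12_FILE=${P12_FILE:-KeyPair.p12}     # client key pair (PKCS#12), as in the page
P12_PASS=${P12_PASS:-changeit}        # assumed decryption password
KS_PASS=${KS_PASS:-changeit}          # ONE password for the store and the key entry
DEST_HOST=${DEST_HOST:-destination.example.com}   # placeholder host name

# Split a stream of PEM certificates into cert-1.pem, cert-2.pem, ... under $1
# and print how many were written (the chain length varies per server).
split_pem() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }'
}

# Import every cert-*.pem under $1 into JKS truststore $2, alias prefix $3.
import_certs() {
  for c in "$1"/cert-*.pem; do
    keytool -importcert -noprompt -keystore "$2" -storetype JKS -storepass "$KS_PASS" \
      -alias "$3-$(basename "$c" .pem)" -file "$c"
  done
}

if [ "${1:-}" = "--run" ]; then
  # KeyStore: copy the key pair out of the .p12, giving the key entry the SAME
  # password as the store (NEO assumes they match; GUI steps 8 to 10).
  SRC_ALIAS=$(keytool -list -keystore "$P12_FILE" -storetype PKCS12 \
    -storepass "$P12_PASS" | awk -F', ' '/PrivateKeyEntry/ { print $1; exit }')
  keytool -importkeystore -noprompt -srckeystore "$P12_FILE" -srcstoretype PKCS12 \
    -srcstorepass "$P12_PASS" -srcalias "$SRC_ALIAS" -destalias client \
    -destkeystore keystore.jks -deststoretype JKS -deststorepass "$KS_PASS" \
    -destkeypass "$KS_PASS"

  # TrustStore: the server chain (what the browser export step collects) plus
  # the client's own chain exported from the keystore, imported one by one.
  tmp=$(mktemp -d); mkdir "$tmp/server" "$tmp/client"
  openssl s_client -connect "$DEST_HOST:443" -servername "$DEST_HOST" -showcerts \
    </dev/null 2>/dev/null | split_pem "$tmp/server"
  keytool -list -rfc -keystore keystore.jks -storepass "$KS_PASS" -alias client \
    | split_pem "$tmp/client"
  import_certs "$tmp/server" truststore.jks server
  import_certs "$tmp/client" truststore.jks client
  rm -rf "$tmp"
fi
```

Both resulting files carry the ".jks" extension expected by the keystoreFile and truststoreFile attributes, and KS_PASS is the value for keystorePass.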