This article provides guidelines for configuring Mutual TLS (mTLS) authentication in Temenos Journey Manager. It explains the differences between one-way and two-way TLS authentication and outlines the steps required for a successful setup.
Applicable To
- Product: Temenos Journey Manager
- Versions: Applicable to versions
Use Case
Mutual TLS (mTLS) is a security protocol that ensures both the client and server authenticate each other using certificates. This article outlines the key guidelines for setting up mTLS, including both one-way and two-way authentication mechanisms.
One-way Authentication
- In one-way authentication, the endpoint provider does not require private key authentication to access the endpoint.
- We trust the provided client public certificate on our server.
- We provide our JM outbound IP address to the endpoint provider for whitelisting.
Two-Way Authentication (Mutual TLS)
In two-way TLS authentication, both the client and server present certificates to authenticate each other. This is a more secure setup and is recommended for sensitive integrations.
- Both the client and server require their own private key and associated public certificate.
- During the TLS handshake, each side verifies the other's certificate without accessing the private keys.
- Since Temenos utilizes AWS infrastructure, we cannot provide the private key, the client needs to provide a .jks file bundled with a self-signed private key and associated public certificate.
- Temenos will trust the client certificate on its side to enable mutual authentication.
Verification
You can check the certificate connection response using the groovy console using the code below:
import com.avoka.tm.http.*
import com.avoka.core.groovy.GroovyLogger as logger
import com.avoka.tm.util.XmlDoc
import org.apache.http.conn.socket.LayeredConnectionSocketFactory
import org.apache.http.conn.ssl.SSLConnectionSocketFactory
import org.apache.http.ssl.SSLContexts
import javax.net.ssl.SSLContext
import java.security.KeyStore
String jksFilePath = "/data/avoka/transact/manager/keystores/client.jks"
String jksKeystorepass = "password"
String[] TLS_CYPHERS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
String endPoint = "https://endpoint/"
//String payload = ""
File keystoreFile = new File(jksFilePath)
byte[] keystoreBytes = keystoreFile.bytes
InputStream is = new ByteArrayInputStream(keystoreBytes)
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType())
keyStore.load(is, jksKeystorepass as char[])
SSLContext sslContext = SSLContexts.custom()
.loadKeyMaterial(keyStore, jksKeystorepass as char[])
.build()
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
sslContext,
TLS_CYPHERS,
null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier())
HttpRequest postRequest = new PostRequest(endPoint)
//postRequest.setMessage(payload)
postRequest.setUseSystemProxy(true)
postRequest.setSocketFactory(socketFactory)
HttpResponse response = postRequest.execute()
logger.info response
logger.info response.getTextContent()
Resolution
Temenos:
- Whitelist the third-party endpoint.
- Trust the .jks, public certificate provided by client and provide .jks path to client.
Client:
- Trust the public certificate provided by Temenos.
- Whitelist Temenos' Non-prod Proxy IP at the provider’s/third-party end.
- Provide bundled .jks with private key (to sustain endpoint certificate chain) to Temenos.