Enable mTLS (mutual TLS)

Overview

Link11 WAAP supports mTLS encryption. This is optional, and can be enabled separately for:

• Communication between Link11 WAAP and customer backends, for one or both ends of the pipeline.

• Communication between clients (end users) and L11WAAP.

To enable mTLS for an end of a pipeline, the appropriate certificate must be supplied. Their names within the system are as follows:

How it works

L11WAAP-to-customer-backend mTLS

Configuring mTLS to the customer backend is straightforward. After enabling this feature (as described below), admins add certificate(s) and assign them to Backend Service(s). Once configured, L11WAAP will use mTLS when communicating with customer origins.

Client-to-L11WAAP mTLS

Configuring mTLS to clients also requires feature enablement. Then, admins add CA Certificates and assign them to Server Groups.

Once client-to-L11WAAP mTLS is configured, end users will be required to present a client certificate at the beginning of each session during the TLS handshake. L11WAAP will validate the date and issuer of the certificate. If validation fails, the user will receive an error, and will not be permitted to connect to the protected system.

Two additional notes about this type of mTLS:

• In the user interface, mTLS is only available when using an AWS NLB (Network Load Balancer). To enable mTLS when using a Link11 load balancer, contact support.

• mTLS verification does not exempt a client from other types of traffic filtering. Even if a client successfully establishes an mTLS connection with L11WAAP, its requests will still be blocked if they originate from a banned source, or exceed rate limits, or match a content filtering signature, etc.

How to configure mTLS for communication with the backend(s)

Follow this process:

• Enable the desired type(s) of server-to-backend certificates within the system.

• Upload the certificate(s) in the Server-to-Backend mTLS Certificates tab and/or Server-to-Backend CA Certificates tab(s) of the Certificates page.

• Publish your changes.

• Assign the appropriate certificate(s) to each Backend Service:

  • Open the Backend Service in the Backend Service Editor page.

  • Select the appropriate certificate(s) in the dropdown list(s).

• Save and publish your changes.

How to configure mTLS for communication with clients

Follow this process:

• Enable CA Certificates within the system.

• Upload the CA Certificate(s) in the CA Certificates tab of the Certificates page.

• Publish your changes.

• Assign the appropriate certificate to each Server Group:

  • Open the Server Group in the Server Group Editor page.

  • Select the appropriate CA certificate in the dropdown list.

  • Select the desired mode.

• Save and publish your changes.