Traffic Manager as an HTTPS Server with Mutual SSL
Perform the following steps to set up Traffic Manager as an HTTPS server with mutual SSL.
Procedure
Run the upload_ssl_server_truststore_for_traffic_manager Jenkins job in the Installer to upload the trust store.
Complete the fields in the Jenkins job as follows:
truststore_file - The key store in PKCS#12 format, which holds all Certificate Authority (CA) certificates which are trusted.
truststore_password - The password protecting the trust store.
The upload_ssl_server_truststore_for_traffic_manager Jenkins job uploads the trust store (tml-tm-trust.jks) to the /var/jenkins_home/docker-deploy/properties folder. This trust store holds all trusted CA certificates.
Note: There is a built-in sample, self-signed root CA certificate. You should upload your own trust store in the Local Edition installer.
Configure the following property in the /var/jenkins_home/docker-deploy/properties/tml_tm_properties.json file:
tm_truststore_password - The password protecting the trust store.
For example:
"tm_truststore_password": "changeme",
Configure the following property in the manifest-onprem-swarm.json file:
tml_tm_mhttps_enabled - Set to true to turn on mutual HTTPS authentication.
For example:
"tml_tm_mhttps_enabled": true,
Verify your mutual HTTPS authentication configuration using the following example curl command:
Note: In yam_root_.cer:changeme, "yam_root_.cer" is the certificate file name, and "changeme" is the trust store password protecting the private key. "LB" is the public IP address of the Load Balancer for Traffic Manager.
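Before sending the verification request, the two settings configured in the steps above can be checked offline. The following is an added example, not part of the product documentation: the function names, the recursive key search (the full layout of both JSON files is not shown here) and the treatment of "changeme" as a placeholder password are assumptions.

```python
import json

# Assumption: an empty value or the example value "changeme" counts as a placeholder.
PLACEHOLDER_PASSWORDS = {"", "changeme"}

def find_key(node, key):
    """Yield every value stored under `key` anywhere in a parsed JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)

def check_mutual_https(properties_text, manifest_text):
    """Return a list of findings; an empty list means both settings look ready."""
    findings = []
    props = json.loads(properties_text)      # contents of tml_tm_properties.json
    manifest = json.loads(manifest_text)     # contents of manifest-onprem-swarm.json

    passwords = list(find_key(props, "tm_truststore_password"))
    if not passwords:
        findings.append("tm_truststore_password is not set")
    elif any(not isinstance(p, str) or p in PLACEHOLDER_PASSWORDS for p in passwords):
        findings.append("tm_truststore_password is empty or a placeholder")

    flags = list(find_key(manifest, "tml_tm_mhttps_enabled"))
    if not flags:
        findings.append("tml_tm_mhttps_enabled is not set")
    elif any(f is not True for f in flags):
        # A quoted "true" is a JSON string, not a boolean, so it is flagged as well.
        findings.append("tml_tm_mhttps_enabled is not the JSON boolean true")
    return findings

# Constructed sample inputs; the layout of the real files may differ.
SAMPLE_PROPERTIES = '{"tm_truststore_password": "changeme"}'
SAMPLE_MANIFEST = '{"properties": {"tml_tm_mhttps_enabled": false}}'

if __name__ == "__main__":
    for finding in check_mutual_https(SAMPLE_PROPERTIES, SAMPLE_MANIFEST):
        print("FINDING:", finding)
```

To check a real deployment, pass the text of the two files named in the steps above instead of the constructed samples.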