We are in Pega Cloud. The upstream system communicated with a third-party system using mTLS. They want to pass the certificate as it is to Pega using mTLS.
Need to know if Pega Cloud supports mTLS to communicate via services. If yes, what are the steps to achieve that?
@GOURABKETAN Pega Cloud does not currently support Mutual TLS (mTLS). Please check the latest Pega Cloud documentation or contact Pega Support for the most recent information. The Connect-REST rule form has both a truststore and a keystore, which enables support for mTLS; this does not apply to every connector type, and there are some gaps that still need to be documented.
This is a GenAI-powered tool. All generated answers require validation against the provided references.
We don't support inbound to Pega, where the client is exposing a service.
We do support mTLS for OUTBOUND requests, e.g. from Connect-REST for an integration. In point 10, update the server cert chain in the Truststore (step 10.a) and the client cert chain in the Keystore (step 10.b). To implement mTLS on cloud, we require the certificate, public key, and private key of the hosting environment (Pega Cloud). However, for security reasons, the cloud team cannot share the private key. The client application is connecting to an external service provider, so if they were to cut their own certs and put them into our keystore/truststore, it would identify itself as long as the other side trusts it.
If an issue is encountered in this supported use case (Connect-REST), the actual action has to be performed by the CloudOps team, i.e. enable SSL debug, run the test and share the logs with the client, who can then debug further. With the -Djavax.net.debug=ssl:handshake JVM argument, every client and server handshake request needs to be logged at the app server/Tomcat level.
FDBK-116105 ('Update documentation with Connect Rest with mTLS support') exists as a documentation bug to clarify what is, and is not, supported.
EPIC-91368 (mTLS support for INBOUND (Pega service pattern)) exists to support inbound mTLS in the product in the future.
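As an added example (not code from this post, from Pega, or from the Connect-REST implementation), the Java snippet below shows the two roles that step 10 above assigns to the Truststore and Keystore, expressed with the standard javax.net.ssl API that a Java application server such as Tomcat builds on: the keystore supplies the client's own certificate chain and private key (step 10.b) and the truststore supplies the CA chain used to verify the external server (step 10.a). The file names, passwords and URL are placeholders chosen for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MtlsClientExample {

    // Load a PKCS12 file from disk (JKS works the same way with "JKS" as the type).
    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build an SSLContext for an OUTBOUND mTLS client.
    //  - keystore:   the CLIENT certificate chain plus its private key (step 10.b);
    //                this is what identifies the caller to the external server.
    //  - truststore: the SERVER's CA / certificate chain (step 10.a);
    //                this is what the caller uses to verify the external server.
    static SSLContext buildMtlsContext(String keystorePath, char[] keystorePassword,
                                       String truststorePath, char[] truststorePassword)
            throws Exception {
        KeyStore keyStore = loadPkcs12(keystorePath, keystorePassword);
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keystorePassword);

        KeyStore trustStore = loadPkcs12(truststorePath, truststorePassword);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        // Key managers present our identity; trust managers validate the peer.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names, passwords and endpoint: substitute your own.
        SSLContext ctx = buildMtlsContext(
                "client-keystore.p12", "changeit".toCharArray(),
                "server-truststore.p12", "changeit".toCharArray());

        URL url = new URL("https://partner.example.com/api/ping");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```

Running this with the JVM argument quoted above, -Djavax.net.debug=ssl:handshake, logs the ClientHello, the server's CertificateRequest and the client Certificate message that follows it, which is what the CloudOps debug step is looking for. Two failure modes are worth recognising in that log: a truststore that lacks the server's CA chain fails on the client side with a PKIX path-building error before any client certificate is sent, while a keystore that lacks a chain the server trusts produces a handshake alert from the server after the client Certificate message. The second case is the one the post describes when it says the certs "identify" the caller only "as long as the other side trusts it".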