Configure mTLS Connection

You can configure the application to send messages over an mTLS connection. With mutual TLS authentication (mTLS), the server proves its identity by presenting a certificate, and the client also proves its identity to the server by presenting a client-side certificate.

In this reference, the term "client" refers to Applications Interface, which makes an API call to a "server" (the external system); the server receives the message and returns the result in the response. To use an mTLS connection, complete these steps and settings:

  • Generate a root certificate (root CA) and a private key for that certificate.
  • Generate a client private key and a client certificate signed with the root CA.
  • Generate a server private key and a server certificate signed with the root CA.
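
One way to carry out the three generation steps above with openssl, as an added example that is not part of the original documentation. The subject names, lifetimes, key size, extended key usage and subject alternative name values are assumptions; the file names follow the openssl commands later on this page.

```shell
#!/bin/sh
# Added example, not vendor code: throwaway root CA plus client and server
# certificates in PEM. Subject names, lifetimes and key size are assumptions.
umask 077  # private keys are written unencrypted; keep them owner-only

# gen_ca DIR: root CA private key and self-signed root certificate.
gen_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/ca.cnf" -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# gen_leaf DIR NAME CN EKU: private key and CSR, then a certificate signed by
# the root CA. EKU is clientAuth or serverAuth, so each certificate is only
# accepted in the role it was issued for.
gen_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -config "$1/ca.cnf" -keyout "$1/$2.key.pem" -out "$1/$2.csr.pem" 2>/dev/null || return 1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' \
        "$4" "$3" > "$1/$2.ext"
    openssl x509 -req -sha256 -days 90 -in "$1/$2.csr.pem" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial -extfile "$1/$2.ext" \
        -out "$1/$2.cert.pem" 2>/dev/null
}

# check_leaf DIR NAME PURPOSE: the certificate chains to the root CA for the
# given purpose (sslclient or sslserver) and matches its private key.
check_leaf() {
    openssl verify -CAfile "$1/cacert.pem" -purpose "$3" "$1/$2.cert.pem" 2>&1 \
        | grep -q ': OK$' || return 1
    [ "$(openssl x509 -in "$1/$2.cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/$2.key.pem" -pubout)" ]
}
```

Call gen_ca DIR once, then gen_leaf DIR client NAME clientAuth and gen_leaf DIR server NAME serverAuth, and confirm each with check_leaf before use. The resulting cacert.pem, client.cert.pem and client.key.pem are the PEM files whose content goes into the delivery channel fields.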

To set up a channel through Oracle Field Service, follow these steps.

  1. Click Configuration, Message scenarios, Delivery Channels to open the Delivery Channels screen. Select or create the necessary delivery channel.
    For more information, see "How do I add a delivery channel?"
  2. Configure the connection point with the host and port of the server.
  3. Set the "TLS 1.2" value in the Connection menu.
  4. For the x509 Trust File, set the content of the root CA file.
  5. For Client Certificate, set the content of the client certificate.
  6. For Client Private Key, set the content of the client private key.
    Note: The root CA, client certificate, and client key files must be in PEM format.
  7. Check whether your server uses an mTLS connection:
    1. To check that the server supports mTLS, run the following command (in a Linux terminal) against the server:
      openssl s_client -connect SERVER_HOST:PORT -key /path_to_client_key_dir/client.key.pem -cert /path_to_client_cert_dir/client.cert.pem -CAfile /path_to_rootca_cert_dir/cacert.pem -state
      OpenSSL prints information about establishing the mTLS connection; the output should not contain any error messages.
    2. To check that the generated certificates are valid, run an OpenSSL server:
      openssl s_server -accept PORT -CAfile /path_to_rootca_dir/cacert.pem -cert /path_to_server_cert_dir/server.cert.pem -key /path_to_server_key_dir/server.key.pem -state
    3. Make a request from the openssl client and then check the logs.