
Configure mutual TLS

Overview

The Thales backend uses mutual TLS (mTLS) authentication for all API traffic in both directions: calls from your backend to the Thales backend, and calls from the Thales backend to your backend.

You receive a customer identifier from Thales.

Thales configures mTLS separately for each customer identifier and for each environment.

Configure mTLS in both directions before calling any API; a request without a pinned client certificate fails at the TLS handshake, before it reaches the API.

Environments

Set up mTLS for each isolated environment:

  • Sandbox Environment

  • Production Environment

Customer to Thales backend

Endpoints

Requirements

  • Use TLS 1.2 or later with mutual (client-certificate) authentication.

  • Reach the Thales endpoints over the public internet. Do not rely on IP whitelisting: authentication is based on certificates, not on source addresses.

  • Trust the Thales server certificate chain, which is issued under DigiCert SHA2 High Assurance Server CA.

Customer client certificate requirements

Your client certificate is self-signed; Thales pins (endorses) it for your customer identifier and environment, so only that exact certificate is accepted. Register it through the Thales portal or exchange it manually with Thales.

  • Validity: 2 years maximum.

  • Key type:

    • ECDSA P-256 (prime256v1) or P-384 (secp384r1), or RSA 2048 with SHA-256.

    • ECDSA is preferred over RSA.

  • Common Name (CN): use the exact value shown in the Thales portal for the environment; the value differs between Sandbox and Production.
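The following script is an added example, not Thales' own tooling: it issues a self-signed ECDSA P-256 client certificate that meets the requirements above (SHA-256 signature, 2-year maximum validity, CN as given), checks an existing certificate against those requirements, and shows the outbound curl call that presents the certificate while trusting only the Thales server chain. It assumes OpenSSL 1.1.1 or later and curl on PATH; the CN value, host name and API path are placeholders to be replaced with the values from the Thales portal.

```shell
#!/bin/sh
# Added example (not Thales' code): issue and check a client certificate that
# meets the mTLS requirements, then call the Thales backend with it.
# Assumes OpenSSL 1.1.1+ and curl. CN, host and path values are placeholders.
set -eu

MAX_DAYS=730   # 2-year maximum validity

# gen_client_cert <dir> <common-name> <days>
# Self-signed ECDSA P-256 (prime256v1) certificate, SHA-256 signature.
gen_client_cert() {
  dir=$1; cn=$2; days=$3
  mkdir -p "$dir"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -sha256 -days "$days" -subj "/CN=$cn" \
    -keyout "$dir/client.key" -out "$dir/client.crt" 2>/dev/null
  chmod 600 "$dir/client.key"   # the private key never leaves this host
}

# check_client_cert <cert.pem> <expected-cn>
# Returns 0 only if key type, signature hash, CN and validity satisfy the
# requirements. The validity test measures expiry from "now", so it assumes
# the certificate was issued recently.
check_client_cert() {
  cert=$1; expected_cn=$2
  text=$(openssl x509 -in "$cert" -noout -text)

  case "$text" in
    *"ASN1 OID: prime256v1"*|*"ASN1 OID: secp384r1"*) ;;   # ECDSA P-256 / P-384
    *"Public-Key: (2048 bit)"*)                             # RSA 2048 needs SHA-256
      case "$text" in
        *"Signature Algorithm: sha256WithRSAEncryption"*) ;;
        *) echo "RSA certificate must be signed with SHA-256" >&2; return 1 ;;
      esac ;;
    *) echo "key must be ECDSA P-256/P-384 or RSA 2048" >&2; return 1 ;;
  esac

  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$subject" = "CN=$expected_cn" ] || { echo "CN mismatch: $subject" >&2; return 1; }

  # -checkend exits 0 when the certificate does NOT expire within the window;
  # here that means its validity exceeds the 2-year maximum.
  if openssl x509 -in "$cert" -noout -checkend $((MAX_DAYS * 86400 + 60)) >/dev/null; then
    echo "validity exceeds $MAX_DAYS days" >&2; return 1
  fi
  return 0
}

# call_thales <client.crt> <client.key> <thales-server-chain.pem> <url>
# Outbound mTLS call: present the pinned client certificate, trust only the
# Thales server chain (TSH_TLS_SERVER_CERTIFICATE_CHAIN), require TLS 1.2+.
call_thales() {
  curl --fail --silent --show-error --tlsv1.2 \
    --cert "$1" --key "$2" --cacert "$3" "$4"
}

# Demo: issue a certificate into a temporary directory and check it.
work=$(mktemp -d)
gen_client_cert "$work" "customer-sandbox-placeholder" "$MAX_DAYS"
check_client_cert "$work/client.crt" "customer-sandbox-placeholder" \
  && echo "client certificate OK: $work/client.crt"
# With the assets from Thales in place (placeholder host and path):
# call_thales "$work/client.crt" "$work/client.key" tsh-server-chain.pem \
#   "https://$TSH_INBOUND_HOST/<api-base-path>/..."
```

Upload `client.crt` (never `client.key`) through the Thales portal for pinning. Because Thales pins the exact certificate, plan the 2-year rotation: issue and register the replacement certificate before the current one expires, then switch your backend over.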

Thales backend to customer

Requirements

  • Use TLS 1.2 or later with mutual (client-certificate) authentication.

  • Expose your endpoint on port 443 (preferred) or 8443.

  • Expose the endpoint on the public internet. Do not rely on IP whitelisting: authenticate the caller by its client certificate, not by its source address.

  • Trust the Thales Client CA so that your server can validate the Thales client certificate (TSH_TLS_CLIENT_CERTIFICATE).

  • Share your server certificate chain with Thales; Thales pins that chain for connections to your backend, so renewing it requires a new exchange with Thales.
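As an added example, not a configuration supplied by Thales, the following nginx server block enforces the inbound requirements above: TLS 1.2+, port 443, a server certificate chain that you share with Thales, and mandatory client-certificate verification against the Thales Client CA. The host name, file paths and the client subject DN are placeholders; take the real values from the assets exchanged with Thales.

```nginx
# Added example (not Thales' configuration). Paths, host name and DN are placeholders.
server {
    listen 443 ssl;                                 # 443 preferred; 8443 also accepted
    server_name issuer.example.com;                 # placeholder for ISSUER_HOST

    ssl_protocols TLSv1.2 TLSv1.3;                  # TLS 1.2 or later only
    ssl_certificate     /etc/ssl/customer/server-chain.pem;  # CUSTOMER_TLS_SERVER_CERTIFICATE_CHAIN
    ssl_certificate_key /etc/ssl/customer/server.key;

    # Require a client certificate and verify it against the Thales Client CA.
    # Without this, any client that can reach the port is accepted.
    ssl_client_certificate /etc/ssl/thales/client-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location /api/ {
        # Optional hardening: accept only the specific Thales client certificate
        # (TSH_TLS_CLIENT_CERTIFICATE) by matching its subject DN (placeholder value).
        if ($ssl_client_s_dn != "CN=thales-client-placeholder,O=Thales") {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

Before deploying, confirm the Thales client certificate chains to the CA you configured (`openssl verify -CAfile /etc/ssl/thales/client-ca.pem thales-client.pem`) and that a connection without a client certificate is rejected at the handshake rather than answered with an HTTP error.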

Assets exchanged

  • TSH_TLS_SERVER_CERTIFICATE_CHAIN: Thales server certificate chain. Trust it for outbound connections from your backend to the Thales backend.

  • TSH_TLS_CLIENT_CERTIFICATE: Thales client certificate. Trust it for connections from the Thales backend to your backend.

  • TSH_INBOUND_HOST: host name to reach the Thales backend. Combine it with the relevant API base path.

  • CUSTOMER_TLS_SERVER_CERTIFICATE_CHAIN: your server certificate chain. Thales trusts it for connections from the Thales backend to your backend.

  • CUSTOMER_TLS_CLIENT_CERTIFICATE: your client certificate. Thales trusts it for connections from your backend to the Thales backend.

  • ISSUER_HOST: host name the Thales backend uses to reach your backend. Combine it with the relevant API base path.
