# Set up mutual TLS

## Overview

The Thales backend uses **mutual TLS (mTLS)**, in which both ends of a connection authenticate with certificates, for all API traffic, inbound and outbound.

You receive a **customer identifier** from Thales.

Thales configures mTLS per customer identifier and per environment.

Configure mTLS before calling any API.

### Environments

Set up mTLS for each isolated environment:

* Sandbox Environment
* Production Environment

## Customer to Thales backend

### Endpoints

| Environment            | Base URL                                                                                                 |
| ---------------------- | -------------------------------------------------------------------------------------------------------- |
| Sandbox Environment    | [https://tmg.dbp-stg.thalescloud.io:443/1/sandbox-v2/](https://tmg.dbp-stg.thalescloud.io/1/sandbox-v2/) |
| Production Environment | [https://tmg.dbp.thalescloud.io:443/1/mg/](https://tmg.dbp.thalescloud.io/1/mg/)                         |

### Requirements

* Use TLS 1.2 or later, with mutual authentication.
* Use the public internet. Do not rely on IP whitelisting.
* Trust the Thales server CA: **DigiCert SHA2 High Assurance Server CA**.

### Customer client certificate requirements

Your client certificate is self-signed and must be endorsed (pinned) by Thales. The endorsement is done through the Thales portal or by manual exchange.

* Validity: 2 years maximum.
* Key type:
  * ECDSA P-256 (`prime256v1`) or P-384 (`secp384r1`), or RSA 2048 with SHA-256.
  * ECDSA is preferred over RSA.
* Common Name (CN): use the exact value provided in the Thales portal for each environment.
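
The following Go program, added here as an example and not part of the Thales documentation or of any Thales SDK, checks a certificate you generated against the list above before you submit it. The names `CheckClientCert`, `ParseClientCertPEM` and `DemoCert` are chosen for this example, the portal CN value is a placeholder, and `DemoCert` builds an in-memory certificate description with a fresh key rather than a signed certificate, which is enough to exercise the checks offline. The curve and key-size rules follow the list; the SHA-256 requirement is enforced for RSA exactly as the page states it, and the hash used with ECDSA is left unconstrained.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"time"
)

// MaxValidity is the two-year ceiling the page sets for the customer client certificate.
const MaxValidity = 2 * 365 * 24 * time.Hour

// CheckClientCert verifies a customer client certificate against the requirements above:
// validity of at most two years, an ECDSA P-256/P-384 key or an RSA-2048 key with a SHA-256
// signature, and exactly the Common Name shown in the Thales portal for the environment.
func CheckClientCert(cert *x509.Certificate, portalCN string) error {
	if v := cert.NotAfter.Sub(cert.NotBefore); v > MaxValidity {
		return fmt.Errorf("validity %s exceeds the 2-year maximum", v)
	}
	switch pub := cert.PublicKey.(type) {
	case *ecdsa.PublicKey:
		if pub.Curve != elliptic.P256() && pub.Curve != elliptic.P384() {
			return errors.New("ECDSA key must use P-256 (prime256v1) or P-384 (secp384r1)")
		}
	case *rsa.PublicKey:
		if pub.N.BitLen() != 2048 || cert.SignatureAlgorithm != x509.SHA256WithRSA {
			return errors.New("RSA certificate must use a 2048-bit key and a SHA-256 signature")
		}
	default:
		return errors.New("key must be ECDSA or RSA")
	}
	if cert.Subject.CommonName != portalCN {
		return fmt.Errorf("CN %q does not match the portal value %q", cert.Subject.CommonName, portalCN)
	}
	return nil
}

// ParseClientCertPEM decodes the first CERTIFICATE block of a PEM file (the form in which the
// certificate is exchanged) so the result can be handed to CheckClientCert.
func ParseClientCertPEM(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// DemoCert builds an in-memory certificate description with a fresh ECDSA key on the given
// curve. It stands in for a parsed certificate so the checker can be exercised offline.
func DemoCert(cn string, curve elliptic.Curve, validity time.Duration) *x509.Certificate {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		panic(err) // constructed input; key generation does not fail in practice
	}
	now := time.Now()
	return &x509.Certificate{PublicKey: &key.PublicKey, SignatureAlgorithm: x509.ECDSAWithSHA256,
		NotBefore: now, NotAfter: now.Add(validity), Subject: pkix.Name{CommonName: cn}}
}

func main() {
	const portalCN = "cn-from-the-thales-portal" // placeholder: use the value shown for your environment
	fmt.Println("P-256, 2 years:", CheckClientCert(DemoCert(portalCN, elliptic.P256(), MaxValidity), portalCN))
	fmt.Println("P-521:", CheckClientCert(DemoCert(portalCN, elliptic.P521(), MaxValidity), portalCN))
	fmt.Println("3 years:", CheckClientCert(DemoCert(portalCN, elliptic.P384(), 3*365*24*time.Hour), portalCN))
	fmt.Println("wrong CN:", CheckClientCert(DemoCert("typo", elliptic.P256(), MaxValidity), portalCN))
}
```

For a real certificate, read the PEM file, call `ParseClientCertPEM`, and pass the result to `CheckClientCert` with the CN copied from the portal; the validity check uses the certificate's own `notBefore`/`notAfter` fields, so a certificate with a 2-year lifetime passes and one renewed for longer is rejected.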

## Thales backend to customer

### Requirements

* Use TLS 1.2 or later, with mutual authentication.
* Expose your endpoint on port 443 (preferred) or 8443.
* Use the public internet. Do not rely on IP whitelisting.
* Trust the **Thales Client CA** to validate the Thales client certificate.
* Share your server CA chain with Thales (Thales pins your server certificate chain).

{% hint style="warning" %}
Trust the Thales Client CA.

Do **not** pin the Thales client certificate.

Thales can rotate the client certificate before expiry.
{% endhint %}

### Assets exchanged

| Asset                                   | Description                                                                                             |
| --------------------------------------- | ------------------------------------------------------------------------------------------------------- |
| `TSH_TLS_SERVER_CERTIFICATE_CHAIN`      | Thales server certificate chain. Trust it for outbound connections from your backend to Thales backend. |
| `TSH_TLS_CLIENT_CERTIFICATE`            | Thales client certificate. Trust it for connections from Thales backend to your backend.                |
| `TSH_INBOUND_HOST`                      | Host name to reach Thales backend. Combine it with the relevant API base path.                          |
| `CUSTOMER_TLS_SERVER_CERTIFICATE_CHAIN` | Your server certificate chain. Thales trusts it for connections from Thales backend to your backend.    |
| `CUSTOMER_TLS_CLIENT_CERTIFICATE`       | Your client certificate. Thales trusts it for connections from your backend to Thales backend.          |
| `ISSUER_HOST`                           | Host name Thales backend uses to reach your backend. Combine it with the relevant API base path.        |
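
The two directions and the assets above map onto a TLS configuration as follows. This is an added Go example using only the standard library; it is not Thales code, and `ClientConfig`, `ServerConfig`, `Handshake`, `issue` and `pool` are names chosen here. The host name `issuer.example.test` stands in for `ISSUER_HOST`, and every certificate, including a stand-in for the Thales Client CA, is generated in memory for the demonstration. The program acts out the warning above: an inbound configuration whose `ClientCAs` holds the Thales Client CA keeps accepting a rotated Thales client leaf, while one that pins the old leaf rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // panics: every input here is constructed, so an error is a bug
	if err != nil {
		panic(err)
	}
	return v
}

// keyPair is a certificate, its private key, and the same pair in the form crypto/tls consumes.
type keyPair struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	tlsCert tls.Certificate
}

// issue creates an ECDSA P-256 certificate with a SHA-256 signature: self-signed (and CA-flagged,
// as `openssl req -x509` output is) when parent is nil, otherwise signed by parent.
func issue(cn string, sans []string, parent *keyPair) *keyPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	} else {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))))
	return &keyPair{cert, key, tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}}
}

func pool(c *x509.Certificate) *x509.CertPool { // in production: AppendCertsFromPEM on the chain file Thales shares
	p := x509.NewCertPool()
	p.AddCert(c)
	return p
}

// ClientConfig is the outbound (customer to Thales) side: RootCAs = TSH_TLS_SERVER_CERTIFICATE_CHAIN,
// Certificates = CUSTOMER_TLS_CLIENT_CERTIFICATE, ServerName = TSH_INBOUND_HOST, TLS 1.2 at minimum.
func ClientConfig(trusted *x509.CertPool, cert tls.Certificate, host string) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: trusted,
		Certificates: []tls.Certificate{cert}, ServerName: host}
}

// ServerConfig is the inbound (Thales to customer) side: Certificates = CUSTOMER_TLS_SERVER_CERTIFICATE_CHAIN,
// ClientCAs = the Thales Client CA (never the Thales leaf), so a rotated leaf verifies with no config change.
func ServerConfig(cert tls.Certificate, clientCA *x509.CertPool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCA}
}

// Handshake runs one mTLS handshake over an in-memory pipe. A TLS 1.3 server checks the client certificate
// after the client's Handshake has returned, so the server also sends one byte: a rejection arrives as an alert.
func Handshake(server, client *tls.Config) error {
	sc, cc := net.Pipe()
	defer sc.Close() // closing one pipe end releases both sides
	srv, cli := tls.Server(sc, server), tls.Client(cc, client)
	done := make(chan error, 1)
	go func() {
		err := srv.Handshake()
		if err == nil {
			_, err = srv.Write([]byte{1}) // only reached once the client certificate verified
		}
		done <- err
	}()
	err := cli.Handshake()
	if err == nil {
		if _, err = cli.Read(make([]byte, 1)); err == nil {
			err = <-done
		}
	}
	return err
}

func main() {
	const host = "issuer.example.test" // stands in for ISSUER_HOST
	ca := issue("Thales Client CA (constructed)", nil, nil)
	v1, v2 := issue("thales-client-v1", nil, ca), issue("thales-client-v2", nil, ca)
	customer := issue(host, []string{host}, nil) // self-signed stand-in for your server chain
	thales := ClientConfig(pool(customer.cert), v2.tlsCert, host) // Thales now presents the rotated leaf v2
	fmt.Println("ClientCAs = Thales Client CA, rotated leaf:", Handshake(ServerConfig(customer.tlsCert, pool(ca.cert)), thales))
	fmt.Println("ClientCAs = pinned old leaf v1, rotated leaf:", Handshake(ServerConfig(customer.tlsCert, pool(v1.cert)), thales))
}
```

In production the pools are built with `x509.CertPool.AppendCertsFromPEM` from the chain files in the table, `ClientConfig` carries the client certificate Thales endorsed, and `ServerConfig` serves the chain you shared with Thales for pinning. Go negotiates TLS 1.3 between these two endpoints; `MinVersion` enforces the page's floor of TLS 1.2.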
