
Configuring Outbound TLS for Managed Flex Gateway

Outbound Transport Layer Security (TLS) encrypts communication between Flex Gateway and upstream services.

Outbound TLS configuration is the same for Managed Flex Gateway and Self-Managed Flex Gateway running in Connected Mode. You can use the same TLS contexts across both modes.

After you create a secret group, you can add a TLS context or a mutual authentication TLS (mTLS) context and apply the TLS context to upstreams in API Manager to encrypt outbound traffic.

By default, Flex Gateway supports outbound TLS to communicate with upstream services that require a secure channel. For default outbound communication, Flex Gateway uses only TLS 1.2, with the default TLS 1.2 ciphers listed in Flex Gateway Supported Ciphers. Applying a TLS context to an upstream overrides the default TLS context for that upstream. Because the default ciphers can change in later Flex Gateway versions, apply a TLS context with an explicit cipher selection to an upstream if you need its cipher set to stay fixed across upgrades.

The Authority Information Access (AIA) certificate extension is not supported when configuring outbound TLS contexts. Flex Gateway does not fetch missing issuer certificates from an AIA URL, so ensure that the upstream serves its full intermediate chain or that the truststore includes the intermediate CA certificates.

Before You Begin

Before configuring the outbound TLS context for a Managed Flex Gateway, complete the following tasks:

Outbound TLS Configuration Options

You can configure your outbound TLS context to support regular TLS or mTLS.

Refer to the following cross reference table for the required TLS context configuration settings in the Add a TLS Context step:

Parameter                            Outbound TLS                                                      Outbound mTLS
Keystore                             Not Used                                                          Required
Truststore                           Required, unless Skip server certificate validation is selected   Required to validate the upstream certificate
Validate Client certificate          Not Used                                                          Not Used
Skip server certificate validation   Either                                                            Not Selected

A parameter marked Not Used for a configuration means its setting has no effect on that configuration.

To simplify your configurations, create different TLS contexts for the different traffic directions of your API instance. You can also use the same TLS context to support different traffic directions, but you can’t support TLS and mTLS for the same direction by using the same context. Include the required parameters for both directions if you use the same TLS context for different directions.

Add a TLS Context for Flex Gateway

Adding a TLS context to your secret group requires supplying a name, target, version, and keystore or truststore. You can also add a context expiration date and ALPN protocols, and configure the outbound settings.

If you edit a secret group, including a TLS context, that is currently applied to an API instance, you must redeploy each API instance to apply the changes. To redeploy API instances, see Redeploy an API Instance.

To add a TLS context:

  1. Go to Anypoint Platform > Secrets Manager.

  2. To apply your TLS context to API instances, make your secret group downloadable.

    To make your secret group downloadable:

    1. Click the pencil icon next to the name of your secret group.

    2. If Secret Group Downloadable is selected, click Cancel.

    3. If Secret Group Downloadable is not selected, select it and click Save.

  3. In the Secret Groups list view, click the Edit button of the secret group to add a TLS context.

  4. Select TLS Context in the menu on the left, and then click Add TLS Context.

  5. In the Create TLS context screen, add the required information:

    • Name
      Enter a name for your TLS context.

    • Target
Select Flex Gateway to use the TLS context for TLS validation on Flex Gateway APIs.

    • Min TLS Version and Max TLS Version
      Support a range of TLS versions or a single version by selecting the same version for the minimum and maximum.

    • Keystore
If necessary for your configuration, select the PEM type keystore to store in the TLS context. The keystore contains the certificate and private key that Flex Gateway presents to the upstream for outbound TLS; it is required for mTLS.

To comply with security standards, all certificate keys must be 2048 bits or longer.

    • Truststore
If necessary for your configuration, select a PEM type truststore to store the certificates trusted by Flex Gateway, which is the client in outbound TLS. The truststore contains the CA chain that Flex Gateway uses to validate the upstream certificate for outbound TLS.

      Upstream certificates must include the Subject Alternative Name (SAN) extension. The Common Name (CN) field is deprecated.

      Flex Gateway supports the SAN extension of type dNSName.

    • Expiration Date
      Optionally, enter an expiration date for the TLS context.

    • ALPN Protocols
By default, H2 and HTTP/1.1 are the selected ALPN protocols. Change this value to support different protocols.

    • Outbound Settings
Select Skip server certificate validation only if you want Flex Gateway to connect to the upstream without validating its certificate (plain TLS with no truststore). Do not select it for mTLS. Skipping validation means the upstream's identity is never verified, so an attacker on the path can impersonate the upstream; limit it to test environments.

  6. If you want to customize cipher support for your TLS context, Select Ciphers.

    Cipher selection is not available if only supporting TLS version 1.3.

  7. Click Save.

Apply a TLS Context to an API

You can apply a TLS context to an upstream service when configuring the upstream of a new API instance or by editing an existing instance's upstream configuration.

For information about either option, see the relevant tutorial:

To apply a TLS context to an upstream service:

  1. Go to Anypoint Platform > API Manager.

  2. Navigate to either the:

    • Upstream configuration page, if adding a new API instance.

    • Settings page, if editing an existing API instance.

  3. Configure the upstream service, if adding a new API instance.

  4. Click Add TLS Context.

    1. Select a Secret Group.

    2. Select a TLS Context.

    3. Click Ok.

  5. Finish creating the API instance or save the configuration edits.

Edit Secret Groups and Redeploy API Instances

To edit a secret group, see Edit a Secret Group.

If you edit a secret group that is applied to API instances, the changes take effect only after you individually redeploy each affected instance.

To redeploy an API instance:

  1. Go to Anypoint Platform > API Manager.

  2. Click the name of the API instance to redeploy.

  3. Click Runtime & Endpoint Configuration > Save & Apply.

Select Ciphers

When you configure a TLS context, Secrets Manager applies default ciphers based on the TLS versions you select. In addition to the defaults, you can select other ciphers to use with the selected TLS version. Each TLS context can have multiple ciphers.

To select ciphers:

  1. Click Ciphers to see available ciphers.

  2. Select ciphers.

    Cipher selection is not available if only supporting TLS version 1.3.

  3. Click Save.

TLS Cipher Support on Flex Gateway

Flex Gateway supports TLS versions from TLS 1.1 through TLS 1.3, and you can customize some of the ciphers. TLS 1.1 is deprecated (RFC 8996); enable it only for an upstream that cannot negotiate anything newer.

You cannot customize the list of TLS 1.3 ciphers. If you support TLS 1.3, you must support the TLS 1.3 default ciphers.

If you support TLS 1.2, the TLS 1.2 default ciphers are selected. Unlike TLS 1.3, you can customize the TLS 1.2 cipher selection.

There are no default ciphers for TLS 1.1. If you choose to support TLS 1.1, you must select the ciphers you want to support. Every suite the table below lists for TLS 1.1 is marked Weak, so supporting TLS 1.1 means accepting a weak suite.

For an outbound TLS context, ensure that the upstream supports at least one of the selected ciphers at one of the selected versions; otherwise the handshake fails and Flex Gateway cannot reach the upstream.
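The following script is an added example, not MuleSoft code or a Secrets Manager API. It lints a planned outbound TLS context against the rules this page states: the keystore, truststore and skip-validation requirements from the cross reference table in Outbound TLS Configuration Options, and the version and cipher rules above (fixed TLS 1.3 suites, no TLS 1.1 defaults, the Weak advice from the supported-cipher table). The TlsContext dataclass, its field names and the sample context names are this script's own assumptions; run it against your intended settings before you create the context in Secrets Manager.

```python
"""Lint a planned Flex Gateway outbound TLS context against the rules on this page.
Added example; the TlsContext shape below is this script's own, not the Secrets Manager API."""

from dataclasses import dataclass, field
from typing import List, Optional

VERSIONS = ("1.1", "1.2", "1.3")

# Suite names from the Flex Gateway Supported Ciphers table (IANA notation).
TLS13_CIPHERS = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
}
CBC_SHA = {  # the only suites the table lists for TLS 1.1; all marked Weak
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_PSK_WITH_AES_128_CBC_SHA", "TLS_PSK_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
TLS11_CIPHERS = CBC_SHA
WEAK_CIPHERS = CBC_SHA | {"TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"}


@dataclass
class TlsContext:
    name: str
    mode: str                        # "tls" or "mtls": the two columns of the cross reference table
    min_version: str                 # one of VERSIONS
    max_version: str
    keystore: Optional[str] = None   # name of the PEM keystore attached, or None
    truststore: Optional[str] = None
    skip_server_cert_validation: bool = False
    ciphers: List[str] = field(default_factory=list)  # explicit selections; empty = defaults only


def lint(ctx: TlsContext) -> List[str]:
    """Return findings; an empty list means the context satisfies the page's rules."""
    f: List[str] = []
    if ctx.mode not in ("tls", "mtls"):
        return ["mode must be 'tls' or 'mtls'"]
    if ctx.min_version not in VERSIONS or ctx.max_version not in VERSIONS:
        return ["TLS versions must be one of " + ", ".join(VERSIONS)]
    if VERSIONS.index(ctx.min_version) > VERSIONS.index(ctx.max_version):
        f.append("Min TLS Version is above Max TLS Version")

    # Keystore, truststore and skip-validation rules from the cross reference table
    if ctx.mode == "mtls":
        if not ctx.keystore:
            f.append("mTLS requires a keystore (the certificate and key Flex Gateway presents to the upstream)")
        if not ctx.truststore:
            f.append("mTLS requires a truststore to validate the upstream certificate")
        if ctx.skip_server_cert_validation:
            f.append("Skip server certificate validation must not be selected for mTLS")
    else:
        if not ctx.truststore and not ctx.skip_server_cert_validation:
            f.append("TLS requires a truststore unless Skip server certificate validation is selected")
        if ctx.skip_server_cert_validation:
            f.append("WARNING: upstream identity is not verified; an on-path attacker can impersonate the upstream")

    # Version and cipher rules from TLS Cipher Support on Flex Gateway
    if ctx.min_version == "1.1":
        f.append("WARNING: TLS 1.1 is deprecated (RFC 8996); raise Min TLS Version to 1.2 if the upstream allows")
        if not any(c in TLS11_CIPHERS for c in ctx.ciphers):
            f.append("TLS 1.1 has no default ciphers and no TLS 1.1 suite is selected, so TLS 1.1 cannot negotiate")
    if ctx.min_version == "1.3" and ctx.ciphers:
        f.append("cipher selection is not available when only TLS 1.3 is supported")
    for c in ctx.ciphers:
        if c in TLS13_CIPHERS:
            f.append(f"{c}: TLS 1.3 ciphers are fixed and cannot be customized")
        elif c in WEAK_CIPHERS:
            f.append(f"{c}: marked Weak in the supported-cipher table; prefer an ECDHE AEAD suite")
    return f


if __name__ == "__main__":
    # Constructed sample contexts (names are placeholders, not real secret groups)
    weak = TlsContext("upstream-lab", "mtls", "1.1", "1.2", truststore="corp-ca",
                      skip_server_cert_validation=True,
                      ciphers=["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_AES_128_GCM_SHA256"])
    good = TlsContext("upstream-prod", "mtls", "1.2", "1.3", keystore="flex-client", truststore="corp-ca")
    for ctx in (weak, good):
        print(ctx.name, lint(ctx) or ["OK"])
```

The weak sample trips five findings (missing keystore, skip-validation on mTLS, a deprecated TLS 1.1 floor, a Weak suite, and an attempt to pick a TLS 1.3 suite); the production sample, an mTLS context with keystore and truststore and TLS 1.2 through 1.3 on default ciphers, passes clean.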

Flex Gateway Supported Ciphers

Flex Gateway supports the following TLS Ciphers in Connected Mode and Local Mode:

Cipher                                          TLS Version   Default   Advice
TLS_AES_128_GCM_SHA256                          1.3           Yes       Secure
TLS_AES_256_GCM_SHA384                          1.3           Yes       Secure
TLS_CHACHA20_POLY1305_SHA256                    1.3           Yes       Secure
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256         1.2           Yes       Recommended
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384         1.2           Yes       Recommended
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256   1.2           Yes       Recommended
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256     1.2           No        Recommended
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256           1.2           Yes       Secure
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384           1.2           Yes       Secure
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256     1.2           Yes       Secure
TLS_RSA_WITH_AES_128_GCM_SHA256                 1.2           No        Weak
TLS_RSA_WITH_AES_256_GCM_SHA384                 1.2           No        Weak
TLS_RSA_WITH_AES_128_CBC_SHA                    1.1, 1.2      No        Weak
TLS_RSA_WITH_AES_256_CBC_SHA                    1.1, 1.2      No        Weak
TLS_PSK_WITH_AES_128_CBC_SHA                    1.1, 1.2      No        Weak
TLS_PSK_WITH_AES_256_CBC_SHA                    1.1, 1.2      No        Weak
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA            1.1, 1.2      No        Weak
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA            1.1, 1.2      No        Weak
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA              1.1, 1.2      No        Weak
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA              1.1, 1.2      No        Weak
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA              1.1, 1.2      No        Weak
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA              1.1, 1.2      No        Weak
TLS_RSA_WITH_3DES_EDE_CBC_SHA                   1.1           No        Weak
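Before applying a context to an upstream, a practitioner usually checks that the upstream actually negotiates under the policy Flex Gateway will use and that its certificate meets the SAN dNSName requirement given under Truststore. The script below is an added example, not MuleSoft code: it performs the handshake with Flex Gateway's default outbound policy (TLS 1.2 only, the six default TLS 1.2 suites from the table above, written in the OpenSSL names Python's ssl module expects) and reports the negotiated suite and the certificate's SAN coverage. The upstream host, port and CA bundle are inputs you supply; the placeholder host name is an assumption, and the wildcard matching is the simplified left-most-label rule, without public-suffix handling.

```python
"""Probe an upstream with Flex Gateway's default outbound TLS policy and check its certificate.
Added example; host, port and cafile are supplied by you and no Flex Gateway API is involved."""

import socket
import ssl
import sys
from typing import Dict, List, Optional

# The table's default TLS 1.2 suites, in the OpenSSL names that SSLContext.set_ciphers() expects.
DEFAULT_TLS12_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
])


def san_dns_names(cert: Dict) -> List[str]:
    """dNSName entries from the dict that SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard that is the whole left-most label (simplified RFC 6125 rule)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def check_upstream_cert(cert: Dict, host: str) -> List[str]:
    """Findings against the page's rule: a SAN dNSName must cover the host; CN alone is not enough."""
    names = san_dns_names(cert)
    if not names:
        return ["certificate has no SAN dNSName entries (a CN-only certificate is not accepted)"]
    if not any(_dns_name_matches(n, host) for n in names):
        return [f"no SAN dNSName matches {host}; certificate covers {names}"]
    return []


def probe_upstream(host: str, port: int = 443, cafile: Optional[str] = None,
                   timeout: float = 5.0) -> Dict:
    """Handshake with the default outbound policy and report the outcome.
    cafile is the PEM bundle you would load into the truststore; None uses the system roots."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(DEFAULT_TLS12_CIPHERS)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if hasattr(ctx, "hostname_checks_common_name"):
        ctx.hostname_checks_common_name = False  # match on SAN only, as the page's CN-deprecated rule
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0],
                        "san": san_dns_names(cert), "findings": check_upstream_cert(cert, host)}
    except ssl.SSLError as exc:
        # Version/cipher mismatch or chain/SAN failure: the same outcome Flex Gateway would hit.
        return {"ok": False, "findings": [f"handshake failed: {exc}"]}


if __name__ == "__main__":
    # Placeholder host; pass the real upstream and optionally a CA bundle on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "upstream.example.internal"
    print(probe_upstream(target, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

A handshake failure here means the upstream does not offer TLS 1.2 with one of the default suites, or its chain or SAN does not validate against the bundle; fix that on the upstream or select a context whose ciphers and versions it supports before applying it in API Manager.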