MACRO NEPAL
Mutual TLS (mTLS) in Service Mesh for Java Applications
awiskar acharya
November 11, 2025
8:24 am

Mutual TLS (mTLS) provides two-way authentication between client and server in a service mesh environment, ensuring both parties verify each other's identities before establishing a connection. This is crucial for zero-trust security architectures in microservices.

Core mTLS Concepts in Service Mesh

Understanding mTLS Flow

// mTLS handshake process representation
public class MutualTlsHandshake {
private static final Logger logger = LoggerFactory.getLogger(MutualTlsHandshake.class);
public Connection establishSecureConnection(ClientIdentity client, ServerIdentity server) {
// Step 1: Client Hello with supported ciphers
logger.info("Initiating mTLS handshake between {} and {}", client.getId(), server.getId());
// Step 2: Server presents certificate
X509Certificate serverCert = server.getCertificate();
if (!validateCertificate(serverCert, server.getTrustStore())) {
throw new SecurityException("Server certificate validation failed");
}
// Step 3: Client presents certificate
X509Certificate clientCert = client.getCertificate();
if (!validateCertificate(clientCert, client.getTrustStore())) {
throw new SecurityException("Client certificate validation failed");
}
// Step 4: Key exchange and cipher establishment
CipherSuite cipherSuite = negotiateCipherSuite(client, server);
// Step 5: Secure connection established
logger.info("mTLS handshake completed successfully with cipher: {}", cipherSuite);
return new SecureConnection(client, server, cipherSuite);
}
private boolean validateCertificate(X509Certificate certificate, KeyStore trustStore) {
try {
CertificateFactory factory = CertificateFactory.getInstance("X.509");
// Validate certificate chain, expiration, and trust
return true;
} catch (Exception e) {
logger.error("Certificate validation failed", e);
return false;
}
}
}

Istio Service Mesh Implementation

Service-to-Service mTLS with Istio

# istio-mtls-config.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: my-apps
spec:
mtls:
mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: DestinationRule
metadata:
name: enable-mtls
namespace: my-apps
spec:
host: "*.my-apps.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL

Java Application with Istio mTLS

@Service
public class SecureProductService {
private static final Logger logger = LoggerFactory.getLogger(SecureProductService.class);
private final RestTemplate restTemplate;
private final String inventoryServiceUrl;
public SecureProductService(@Value("${inventory.service.url}") String inventoryServiceUrl) {
this.inventoryServiceUrl = inventoryServiceUrl;
this.restTemplate = createSecureRestTemplate();
}
private RestTemplate createSecureRestTemplate() {
try {
// In Istio, the sidecar handles mTLS automatically
// We just need to ensure proper service discovery
return new RestTemplate();
} catch (Exception e) {
throw new RuntimeException("Failed to create secure REST template", e);
}
}
public Product getProductWithInventory(String productId) {
String url = String.format("%s/inventory/%s", inventoryServiceUrl, productId);
try {
// The actual mTLS is handled by Istio sidecar
ResponseEntity<Inventory> response = restTemplate.getForEntity(url, Inventory.class);
if (response.getStatusCode().is2xxSuccessful() && response.getBody() != null) {
return buildProductWithInventory(productId, response.getBody());
}
} catch (ResourceAccessException e) {
logger.error("mTLS connection failed to inventory service", e);
throw new ServiceCommunicationException("Secure connection failed", e);
}
throw new ProductNotFoundException("Product not found: " + productId);
}
// Extract mTLS client certificate information (if needed)
@GetMapping("/secure/user-info")
public ResponseEntity<Map<String, String>> getUserInfo(HttpServletRequest request) {
X509Certificate[] certificates = (X509Certificate[]) 
request.getAttribute("javax.servlet.request.X509Certificate");
if (certificates != null && certificates.length > 0) {
X509Certificate clientCert = certificates[0];
Map<String, String> userInfo = extractUserInfoFromCertificate(clientCert);
return ResponseEntity.ok(userInfo);
}
return ResponseEntity.status(401).body(Map.of("error", "No client certificate provided"));
}
private Map<String, String> extractUserInfoFromCertificate(X509Certificate certificate) {
Map<String, String> info = new HashMap<>();
try {
String subjectDN = certificate.getSubjectX500Principal().getName();
info.put("subject", subjectDN);
info.put("issuer", certificate.getIssuerX500Principal().getName());
info.put("serialNumber", certificate.getSerialNumber().toString());
info.put("validFrom", certificate.getNotBefore().toString());
info.put("validUntil", certificate.getNotAfter().toString());
// Extract common name
String cn = extractCommonName(subjectDN);
info.put("commonName", cn);
} catch (Exception e) {
logger.warn("Failed to extract certificate information", e);
}
return info;
}
private String extractCommonName(String subjectDN) {
// Parse subject DN to extract CN
String[] parts = subjectDN.split(",");
for (String part : parts) {
if (part.trim().startsWith("CN=")) {
return part.trim().substring(3);
}
}
return "unknown";
}
}

Spring Boot with mTLS Configuration

Server-Side mTLS Configuration

@Configuration
@EnableWebSecurity
public class MtlsSecurityConfig {
@Value("${server.ssl.trust-store:classpath:truststore.jks}")
private Resource trustStore;
@Value("${server.ssl.trust-store-password:changeit}")
private String trustStorePassword;
@Value("${server.ssl.client-auth:need}")
private String clientAuth;
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authz -> authz
.requestMatchers("/public/**").permitAll()
.anyRequest().authenticated()
)
.x509(x509 -> x509
.subjectPrincipalRegex("CN=(.*?)(?:,|$)")
.userDetailsService(userDetailsService())
)
.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
)
.csrf(csrf -> csrf.disable());
return http.build();
}
@Bean
public UserDetailsService userDetailsService() {
return new MtlsUserDetailsService();
}
@Bean
public ServletWebServerFactory servletContainer() {
TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
tomcat.addAdditionalTomcatConnectors(createSslConnector());
return tomcat;
}
private Connector createSslConnector() {
Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
try {
connector.setScheme("https");
connector.setSecure(true);
connector.setPort(8443);
protocol.setSSLEnabled(true);
protocol.setKeystoreFile(getKeystorePath());
protocol.setKeystorePass("changeit");
protocol.setKeystoreType("JKS");
protocol.setKeyPass("changeit");
// Enable client certificate authentication
protocol.setClientAuth(Boolean.parseBoolean(clientAuth) ? "true" : "false");
protocol.setTruststoreFile(trustStore.getFile().getAbsolutePath());
protocol.setTruststorePass(trustStorePassword);
protocol.setTruststoreType("JKS");
return connector;
} catch (Exception e) {
throw new IllegalStateException("Failed to create SSL connector", e);
}
}
private String getKeystorePath() {
try {
return new ClassPathResource("keystore.jks").getFile().getAbsolutePath();
} catch (Exception e) {
throw new IllegalStateException("Keystore not found", e);
}
}
}
@Service
public class MtlsUserDetailsService implements UserDetailsService {
private static final Logger logger = LoggerFactory.getLogger(MtlsUserDetailsService.class);
@Override
public UserDetails loadUserByUsername(String commonName) throws UsernameNotFoundException {
logger.info("Authenticating client with CN: {}", commonName);
// Validate the common name against authorized clients
if (isAuthorizedClient(commonName)) {
return new User(commonName, "", 
AuthorityUtils.createAuthorityList("ROLE_CLIENT"));
}
throw new UsernameNotFoundException("Client not authorized: " + commonName);
}
private boolean isAuthorizedClient(String commonName) {
// Check against authorized client list
Set<String> authorizedClients = Set.of(
"inventory-service",
"order-service", 
"payment-service"
);
return authorizedClients.contains(commonName);
}
}

Client-Side mTLS Configuration

@Configuration
public class MtlsClientConfig {
@Value("${client.ssl.key-store:classpath:client-keystore.jks}")
private Resource keyStore;
@Value("${client.ssl.key-store-password:changeit}")
private String keyStorePassword;
@Value("${client.ssl.trust-store:classpath:client-truststore.jks}")
private Resource trustStore;
@Value("${client.ssl.trust-store-password:changeit}")
private String trustStorePassword;
@Bean
public RestTemplate mtlsRestTemplate() throws Exception {
SSLContext sslContext = sslContext();
HttpClient httpClient = HttpClients.custom()
.setSSLContext(sslContext)
.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
.build();
HttpComponentsClientHttpRequestFactory requestFactory = 
new HttpComponentsClientHttpRequestFactory(httpClient);
return new RestTemplate(requestFactory);
}
@Bean
public SSLContext sslContext() throws Exception {
return SSLContextBuilder.create()
.loadKeyMaterial(
keyStore.getURL(), 
keyStorePassword.toCharArray(), 
keyStorePassword.toCharArray()
)
.loadTrustMaterial(
trustStore.getURL(), 
trustStorePassword.toCharArray()
)
.build();
}
@Bean
public WebClient mtlsWebClient() throws Exception {
SslContext sslContext = SslContextBuilder.forClient()
.keyManager(
new FileSystemResource(keyStore.getFile()),
keyStorePassword,
keyStorePassword
)
.trustManager(new FileSystemResource(trustStore.getFile()))
.build();
HttpClient httpClient = HttpClient.create()
.secure(spec -> spec.sslContext(sslContext));
return WebClient.builder()
.clientConnector(new ReactorClientHttpConnector(httpClient))
.build();
}
}
@Service
public class SecureInventoryClient {
private static final Logger logger = LoggerFactory.getLogger(SecureInventoryClient.class);
private final WebClient webClient;
private final String baseUrl;
public SecureInventoryClient(WebClient mtlsWebClient, 
@Value("${inventory.service.url}") String baseUrl) {
this.webClient = mtlsWebClient;
this.baseUrl = baseUrl;
}
public Inventory getInventory(String productId) {
try {
return webClient.get()
.uri(baseUrl + "/inventory/{productId}", productId)
.retrieve()
.bodyToMono(Inventory.class)
.doOnSuccess(inv -> logger.info("Successfully retrieved inventory for {}", productId))
.doOnError(error -> logger.error("Failed to retrieve inventory", error))
.block();
} catch (WebClientResponseException e) {
if (e.getStatusCode() == HttpStatus.UNAUTHORIZED) {
throw new SecurityException("Client certificate authentication failed", e);
}
throw new ServiceCommunicationException("Inventory service call failed", e);
}
}
public void updateInventory(InventoryUpdate update) {
webClient.put()
.uri(baseUrl + "/inventory")
.bodyValue(update)
.retrieve()
.toBodilessEntity()
.doOnSuccess(response -> 
logger.info("Inventory updated successfully for product {}", update.getProductId()))
.doOnError(error -> 
logger.error("Failed to update inventory for product {}", update.getProductId(), error))
.block();
}
}

Certificate Management

Certificate Generator Utility

@Component
public class CertificateGenerator {
private static final Logger logger = LoggerFactory.getLogger(CertificateGenerator.class);
public void generateServiceCertificate(String serviceName, int validityDays) {
try {
// Generate key pair
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(2048);
KeyPair keyPair = keyGen.generateKeyPair();
// Create certificate
X500Name subject = new X500Name("CN=" + serviceName + ", O=MyOrg, L=City, ST=State, C=US");
BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
Calendar calendar = Calendar.getInstance();
Date notBefore = calendar.getTime();
calendar.add(Calendar.DAY_OF_YEAR, validityDays);
Date notAfter = calendar.getTime();
X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
subject, serial, notBefore, notAfter, subject, keyPair.getPublic());
// Sign certificate
ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA")
.build(keyPair.getPrivate());
X509CertificateHolder certHolder = certBuilder.build(signer);
X509Certificate certificate = new JcaX509CertificateConverter()
.getCertificate(certHolder);
// Save to keystore
saveToKeystore(serviceName, keyPair, certificate);
logger.info("Generated certificate for service: {}", serviceName);
} catch (Exception e) {
throw new CertificateGenerationException("Failed to generate certificate", e);
}
}
private void saveToKeystore(String alias, KeyPair keyPair, X509Certificate certificate) 
throws Exception {
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null, null);
Certificate[] chain = new Certificate[]{certificate};
keyStore.setKeyEntry(alias, keyPair.getPrivate(), "changeit".toCharArray(), chain);
try (FileOutputStream fos = new FileOutputStream(alias + "-keystore.jks")) {
keyStore.store(fos, "changeit".toCharArray());
}
}
}

Certificate Validation Service

@Service
public class CertificateValidationService {
private static final Logger logger = LoggerFactory.getLogger(CertificateValidationService.class);
private final CrlService crlService;
private final OcspService ocspService;
public CertificateValidationService(CrlService crlService, OcspService ocspService) {
this.crlService = crlService;
this.ocspService = ocspService;
}
public ValidationResult validateCertificate(X509Certificate certificate) {
ValidationResult result = new ValidationResult();
try {
// Check expiration
certificate.checkValidity();
result.setExpired(false);
// Check revocation via CRL
result.setRevoked(crlService.isRevoked(certificate));
// Check via OCSP
result.setOcspStatus(ocspService.checkStatus(certificate));
// Validate certificate chain
result.setChainValid(validateCertificateChain(certificate));
logger.debug("Certificate validation completed for: {}", 
certificate.getSubjectX500Principal());
} catch (CertificateExpiredException e) {
result.setExpired(true);
logger.warn("Certificate expired: {}", certificate.getSubjectX500Principal());
} catch (CertificateNotYetValidException e) {
result.setNotYetValid(true);
logger.warn("Certificate not yet valid: {}", certificate.getSubjectX500Principal());
} catch (Exception e) {
result.setValid(false);
logger.error("Certificate validation failed", e);
}
return result;
}
private boolean validateCertificateChain(X509Certificate certificate) {
try {
// Build and validate certificate chain
CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) 
certPathBuilder.build(new PKIXBuilderParameters(getTrustAnchors(), 
new X509CertSelector() {{
setCertificate(certificate);
}}));
return true;
} catch (Exception e) {
logger.warn("Certificate chain validation failed", e);
return false;
}
}
private Set<TrustAnchor> getTrustAnchors() throws Exception {
Set<TrustAnchor> trustAnchors = new HashSet<>();
// Load trusted CA certificates
KeyStore trustStore = KeyStore.getInstance("JKS");
try (InputStream is = new FileInputStream("truststore.jks")) {
trustStore.load(is, "changeit".toCharArray());
Enumeration<String> aliases = trustStore.aliases();
while (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
if (trustStore.isCertificateEntry(alias)) {
X509Certificate cert = (X509Certificate) trustStore.getCertificate(alias);
trustAnchors.add(new TrustAnchor(cert, null));
}
}
}
return trustAnchors;
}
public static class ValidationResult {
private boolean valid = true;
private boolean expired;
private boolean notYetValid;
private boolean revoked;
private String ocspStatus;
private boolean chainValid;
// getters and setters
public boolean isValid() {
return valid && !expired && !notYetValid && !revoked && chainValid;
}
}
}

Service Mesh Integration Patterns

Istio mTLS with Custom Headers

@Component
public class IstioMtlsHeaderPropagator implements ClientHttpRequestInterceptor {
@Override
public ClientHttpResponse intercept(HttpRequest request, byte[] body, 
ClientHttpRequestExecution execution) throws IOException {
// Extract mTLS information and propagate as headers
ServletRequestAttributes attributes = 
(ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
if (attributes != null) {
HttpServletRequest servletRequest = attributes.getRequest();
X509Certificate[] certificates = (X509Certificate[]) 
servletRequest.getAttribute("javax.servlet.request.X509Certificate");
if (certificates != null && certificates.length > 0) {
X509Certificate clientCert = certificates[0];
// Propagate client identity
request.getHeaders().add("X-Client-Cert-Subject", 
clientCert.getSubjectX500Principal().getName());
request.getHeaders().add("X-Client-Cert-Issuer", 
clientCert.getIssuerX500Principal().getName());
}
}
return execution.execute(request, body);
}
}
@Configuration
public class HeaderPropagationConfig {
@Bean
public RestTemplate headerPropagatingRestTemplate() {
RestTemplate restTemplate = new RestTemplate();
restTemplate.setInterceptors(List.of(new IstioMtlsHeaderPropagator()));
return restTemplate;
}
}

mTLS with JWT Token Exchange

@Service
public class MtlsJwtService {
private static final Logger logger = LoggerFactory.getLogger(MtlsJwtService.class);
private final JwtEncoder jwtEncoder;
private final CertificateValidationService certValidationService;
public MtlsJwtService(JwtEncoder jwtEncoder, CertificateValidationService certValidationService) {
this.jwtEncoder = jwtEncoder;
this.certValidationService = certValidationService;
}
public String generateServiceToken(X509Certificate clientCertificate) {
// Validate client certificate first
CertificateValidationService.ValidationResult validation = 
certValidationService.validateCertificate(clientCertificate);
if (!validation.isValid()) {
throw new SecurityException("Client certificate validation failed");
}
// Extract service identity from certificate
String serviceName = extractServiceName(clientCertificate);
// Generate JWT token
Instant now = Instant.now();
JwtClaimsSet claims = JwtClaimsSet.builder()
.issuer("mtls-token-service")
.subject(serviceName)
.audience(List.of("target-service"))
.issuedAt(now)
.expiresAt(now.plusSeconds(300)) // 5 minutes
.claim("scope", "service-to-service")
.claim("cert-subject", clientCertificate.getSubjectX500Principal().getName())
.build();
JwtEncoderParameters parameters = JwtEncoderParameters.from(claims);
return jwtEncoder.encode(parameters).getTokenValue();
}
private String extractServiceName(X509Certificate certificate) {
String subject = certificate.getSubjectX500Principal().getName();
// Extract CN from subject DN
return subject.split(",")[0].replace("CN=", "");
}
}

Monitoring and Observability

mTLS Metrics Collection

@Component
public class MtlsMetricsCollector {
private final MeterRegistry meterRegistry;
private final Map<String, Counter> certificateCounters;
public MtlsMetricsCollector(MeterRegistry meterRegistry) {
this.meterRegistry = meterRegistry;
this.certificateCounters = new ConcurrentHashMap<>();
}
public void recordHandshakeSuccess(String clientId, String serverId) {
meterRegistry.counter("mtls.handshake.success",
"client", clientId,
"server", serverId
).increment();
}
public void recordHandshakeFailure(String clientId, String serverId, String reason) {
meterRegistry.counter("mtls.handshake.failure",
"client", clientId,
"server", serverId,
"reason", reason
).increment();
}
public void recordCertificateValidation(String subject, boolean valid) {
String status = valid ? "valid" : "invalid";
certificateCounters
.computeIfAbsent(status, k -> meterRegistry.counter("mtls.certificate.validation",
"status", k))
.increment();
}
public void recordConnectionDuration(String clientId, Duration duration) {
meterRegistry.timer("mtls.connection.duration",
"client", clientId
).record(duration);
}
}
@Aspect
@Component
public class MtlsMonitoringAspect {
private static final Logger logger = LoggerFactory.getLogger(MtlsMonitoringAspect.class);
private final MtlsMetricsCollector metricsCollector;
public MtlsMonitoringAspect(MtlsMetricsCollector metricsCollector) {
this.metricsCollector = metricsCollector;
}
@Around("execution(* com.example..*(..)) && @annotation(MonitorMtls)")
public Object monitorMtlsConnection(ProceedingJoinPoint joinPoint) throws Throwable {
String methodName = joinPoint.getSignature().getName();
long startTime = System.currentTimeMillis();
try {
Object result = joinPoint.proceed();
metricsCollector.recordHandshakeSuccess("client", methodName);
return result;
} catch (SecurityException e) {
metricsCollector.recordHandshakeFailure("client", methodName, "authentication_failed");
throw e;
} catch (Exception e) {
metricsCollector.recordHandshakeFailure("client", methodName, "other_error");
throw e;
} finally {
long duration = System.currentTimeMillis() - startTime;
metricsCollector.recordConnectionDuration("client", Duration.ofMillis(duration));
}
}
}

Testing mTLS Configurations

Integration Tests with Test Containers

@SpringBootTest
@Testcontainers
class MtlsIntegrationTest {
@Container
static GenericContainer<?> istioProxy = new GenericContainer<>("istio/proxyv2:1.17.0")
.withExposedPorts(15001, 15006)
.withEnv("ISTIO_META_MESH_ID", "test-mesh");
@Autowired
private TestRestTemplate testRestTemplate;
@Test
void testMtlsConnection() {
// Given mTLS configured services
// When making secure request
ResponseEntity<String> response = testRestTemplate
.withBasicAuth("client-cert", "password")
.getForEntity("/secure/data", String.class);
// Then verify successful mTLS connection
assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
}
@Test
void testCertificateValidationFailure() {
// Given invalid client certificate
// When making request with invalid cert
// Then expect authentication failure
assertThatThrownBy(() -> 
testRestTemplate.getForEntity("/secure/data", String.class))
.isInstanceOf(HttpClientErrorException.Unauthorized.class);
}
}

Best Practices

1. Certificate Management

  • Use short-lived certificates with automatic rotation
  • Implement certificate revocation checking
  • Use separate CAs for different environments
  • Monitor certificate expiration

2. Security Configuration

  • Use strong cipher suites (TLS 1.3 preferred)
  • Implement proper certificate validation
  • Use secure key storage
  • Enable perfect forward secrecy

3. Service Mesh Integration

  • Leverage service mesh for automatic mTLS
  • Use appropriate mTLS modes (STRICT, PERMISSIVE)
  • Implement proper traffic policies
  • Monitor mTLS handshake success rates

4. Observability

  • Log certificate validation results
  • Monitor mTLS connection metrics
  • Alert on authentication failures
  • Track certificate expiration

Conclusion

mTLS in service mesh provides robust security for microservices communication:

  • Strong Authentication: Both client and server verify each other
  • Encryption: All traffic is encrypted in transit
  • Zero-Trust Security: No implicit trust between services
  • Automatic Management: Service mesh handles certificate lifecycle

Key implementation considerations:

  • Proper certificate management and rotation
  • Service mesh configuration for automatic mTLS
  • Comprehensive monitoring and alerting
  • Graceful degradation for certificate issues

mTLS is essential for securing service-to-service communication in modern cloud-native architectures, providing the foundation for zero-trust security models.

Category : JAVA

Leave a Reply

Your email address will not be published. Required fields are marked *


Macro Nepal Helper