ppt


  1. We set up a key-store and a trust-store in the common platform to enable mTLS. This is an example of an API call to common: the client must supply its client certificate and private key for the call, the client verifies the server's certificate, the server verifies the client certificate, and then the API call begins.

  2. Next, the common platform verifies whether the system id of the application is in the whitelist. If so, it generates the access token that is required for calling APIs through APIGW. Here is the config and the workflow: we put the downstream application's system id in the whitelist, and we have a cache that lasts for 30 mins. If there is no cached entry for the system id, the common platform uses its certificate and private key to generate an access token by calling Azure AD's API, then caches the access token and calls the API provided by APIGW with the access token.

  3. We have set up the AAD SPNs (an SPN, Service Principal Name, is a unique identifier): one for Genpop as API provider, and one for COD as API producer.
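
The whitelist check and 30-minute token cache from step 2, sketched as an added example (not the platform's own code). `TokenBroker`, `fetch_token`, `skew` and the sample system id are hypothetical names; `fetch_token` stands in for the Azure AD call and is assumed to return the token with its lifetime in seconds. The example goes one step beyond the text by never caching a token longer than its own lifetime.

```python
import time

CACHE_TTL_SECONDS = 30 * 60  # the 30-minute cache lifetime described in step 2


class TokenBroker:
    """Whitelist check plus per-system-id access token cache (hypothetical names)."""

    def __init__(self, whitelist, fetch_token, clock=time.monotonic, skew=60):
        self._whitelist = frozenset(whitelist)
        self._fetch_token = fetch_token  # stand-in for the Azure AD token request
        self._clock = clock              # injectable so expiry can be tested
        self._skew = skew                # assumed safety margin before token expiry
        self._cache = {}                 # system_id -> (token, cache_deadline)

    def token_for(self, system_id):
        # Reject unknown callers before touching the cache or the identity provider.
        if system_id not in self._whitelist:
            raise PermissionError(f"system id {system_id!r} is not whitelisted")
        now = self._clock()
        entry = self._cache.get(system_id)
        if entry is not None and now < entry[1]:
            return entry[0]              # cache hit: no call to the identity provider
        token, expires_in = self._fetch_token()
        # Cache for 30 minutes at most, and never past the token's own lifetime.
        ttl = min(CACHE_TTL_SECONDS, max(0, expires_in - self._skew))
        self._cache[system_id] = (token, now + ttl)
        return token


if __name__ == "__main__":
    issued = []

    def fake_fetch():
        # Constructed stand-in: returns a dummy token and a 3600 s lifetime.
        issued.append(f"token-{len(issued) + 1}")
        return issued[-1], 3600

    broker = TokenBroker({"downstream-app-1"}, fake_fetch)  # constructed system id
    print(broker.token_for("downstream-app-1"))  # fetched from the stand-in
    print(broker.token_for("downstream-app-1"))  # served from the cache
    try:
        broker.token_for("unknown-app")
    except PermissionError as exc:
        print("rejected:", exc)
```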


Author: 倪春恩
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit the source 倪春恩 when reposting!