In the WSO2 Open Banking solution, Mutual Transport Layer Security (MTLS) is enforced by gateway handlers, which ensure that the authenticated client communicates with the APIs using the transport certificate it pre-registered.
To enable MTLS validation for access token requests, add the following handler entries to the <handlers> section in <WSO2_OBAM_HOME>/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml:

    <handler class="com.wso2.finance.open.banking.mtls.validator.handler.GatewayClientAuthenticationHandler"/>
    <handler class="com.wso2.finance.open.banking.mtls.validator.handler.MTLSValidationHandler"/>
If the DCR method is used for TPP onboarding, add the following handler entries to the <handlers> section of the velocity template located in <WSO2_OBAM_HOME>/repository/resources/api_templates/velocity_template.xml:

    <handler class="com.wso2.finance.open.banking.mtls.validator.handler.MTLSValidationHandler"/>
    <handler class="com.wso2.finance.open.banking.mtls.validator.handler.MTLSClientTokenValidationHandler"/>
If the APIs are already published, the velocity template is not re-applied to them, so the same two handler entries must be added to the <handlers> section in the synapse configuration of each published API, located in <WSO2_OBAM_HOME>/repository/deployment/server/synapse-configs/default/api.
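As an added example (not part of the WSO2 documentation or product), the following Python script audits the published API configurations for the two handler entries and appends any that are missing, so an API that was published before the template change cannot silently stay without MTLS validation. The synapse namespace URI and the sample API definition are assumptions constructed for this illustration; point the script at your own synapse-configs/default/api directory.

```python
"""Audit and patch the <handlers> section of WSO2 synapse API configs
for the MTLS validation handlers. Namespace URI and sample API are
assumptions constructed for this example."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

SYNAPSE_NS = "http://ws.apache.org/ns/synapse"  # assumed synapse namespace
ET.register_namespace("", SYNAPSE_NS)  # keep the default namespace on output

# Handler classes required on published APIs (DCR onboarding).
REQUIRED_HANDLERS = (
    "com.wso2.finance.open.banking.mtls.validator.handler.MTLSValidationHandler",
    "com.wso2.finance.open.banking.mtls.validator.handler.MTLSClientTokenValidationHandler",
)

def missing_handlers(xml_text, required=REQUIRED_HANDLERS):
    """Return the required handler classes absent from the API's <handlers>."""
    root = ET.fromstring(xml_text)
    present = {h.get("class") for h in root.iter(f"{{{SYNAPSE_NS}}}handler")}
    return [cls for cls in required if cls not in present]

def add_handlers(xml_text, required=REQUIRED_HANDLERS):
    """Return the API XML with missing handlers appended to <handlers>,
    creating the section when the API has none; existing entries stay."""
    root = ET.fromstring(xml_text)
    handlers = root.find(f"{{{SYNAPSE_NS}}}handlers")
    if handlers is None:
        handlers = ET.SubElement(root, f"{{{SYNAPSE_NS}}}handlers")
    for cls in missing_handlers(xml_text, required):
        ET.SubElement(handlers, f"{{{SYNAPSE_NS}}}handler", {"class": cls})
    return ET.tostring(root, encoding="unicode")

def audit_directory(api_dir):
    """Map each *.xml file under api_dir to the handler classes it lacks."""
    return {p.name: missing_handlers(p.read_text()) for p in Path(api_dir).glob("*.xml")}

# Constructed sample: a published API with only one of the two MTLS handlers.
SAMPLE_API = """<api xmlns="http://ws.apache.org/ns/synapse" name="AccountsAPI" context="/accounts">
  <resource methods="GET" url-mapping="/*">
    <inSequence><send/></inSequence>
    <outSequence><send/></outSequence>
  </resource>
  <handlers>
    <handler class="com.wso2.finance.open.banking.mtls.validator.handler.MTLSValidationHandler"/>
  </handlers>
</api>"""

if __name__ == "__main__":
    for name, gaps in audit_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```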