REST Resource: projects.locations.serverTlsPolicies

Resource: ServerTlsPolicy

ServerTlsPolicy is a resource that specifies how a server should authenticate incoming requests. This resource itself does not affect configuration unless it is attached to a target HTTPS proxy or endpoint config selector resource.

ServerTlsPolicy in the form accepted by Application Load Balancers can be attached only to TargetHttpsProxy with an EXTERNAL, EXTERNAL_MANAGED or INTERNAL_MANAGED load balancing scheme. Traffic Director compatible ServerTlsPolicies can be attached to EndpointPolicy and TargetHttpsProxy with Traffic Director INTERNAL_SELF_MANAGED load balancing scheme.

JSON representation 
{
  "name": string,
  "description": string,
  "createTime": string,
  "updateTime": string,
  "labels": {
    string: string,
    ...
  },
  "allowOpen": boolean,
  "serverCertificate": {
    object (CertificateProvider)
  },
  "mtlsPolicy": {
    object (MTLSPolicy)
  }
}
Fields
name

string

Required. Name of the ServerTlsPolicy resource. It matches the pattern projects/*/locations/{location}/serverTlsPolicies/{serverTlsPolicy}
description

string

Free-text description of the resource.
createTime

string (Timestamp format)

Output only. The timestamp when the resource was created.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
updateTime

string (Timestamp format)

Output only. The timestamp when the resource was updated.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
labels

map (key: string, value: string)

Set of label tags associated with the resource.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
allowOpen

boolean

This field applies only for Traffic Director policies. It is must be set to false for Application Load Balancer policies.

Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility.

Consider using it if you wish to upgrade in place your deployment to TLS while having mixed TLS and non-TLS traffic reaching port :80.
serverCertificate

object (CertificateProvider)

Optional if policy is to be used with Traffic Director. For Application Load Balancers must be empty.

Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allowOpen as a permissive mode that allows both plain text and TLS is not supported.
mtlsPolicy

object (MTLSPolicy)

This field is required if the policy is used with Application Load Balancers. This field can be empty for Traffic Director.

Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If allowOpen and mtlsPolicy are set, server allows both plain text and mTLS connections.

MTLSPolicy

Specification of the MTLSPolicy.

JSON representation 
{
  "clientValidationMode": enum (ClientValidationMode),
  "clientValidationCa": [
    {
      object (ValidationCA)
    }
  ],
  "clientValidationTrustConfig": string,
  "tier": enum (Tier)
}
Fields
clientValidationMode

enum (ClientValidationMode)

When the client presents an invalid certificate or no certificate to the load balancer, the clientValidationMode specifies how the client connection is handled.

Required if the policy is to be used with the Application Load Balancers. For Traffic Director it must be empty.
clientValidationCa[]

object (ValidationCA)

Required if the policy is to be used with Traffic Director. For Application Load Balancers it must be empty.

Defines the mechanism to obtain the Certificate Authority certificate to validate the client certificate.
clientValidationTrustConfig

string

Reference to the TrustConfig from certificatemanager.googleapis.com namespace.

If specified, the chain validation will be performed against certificates configured in the given TrustConfig.

Allowed only if the policy is to be used with Application Load Balancers.
tier

enum (Tier)

Mutual TLS tier.

Allowed only if the policy is to be used with Application Load Balancers.

ClientValidationMode

Mutual TLS certificate validation mode.

Enums
CLIENT_VALIDATION_MODE_UNSPECIFIED Not allowed.
ALLOW_INVALID_OR_MISSING_CLIENT_CERT Allow connection even if certificate chain validation of the client certificate failed or no client certificate was presented. The proof of possession of the private key is always checked if client certificate was presented. This mode requires the backend to implement processing of data extracted from a client certificate to authenticate the peer, or to reject connections if the client certificate fingerprint is missing.
REJECT_INVALID

Require a client certificate and allow connection to the backend only if validation of the client certificate passed.

If set, requires a reference to non-empty TrustConfig specified in clientValidationTrustConfig.

Tier

Mutual TLS tier for XLB.

Enums
TIER_UNSPECIFIED If tier is unspecified in the request, the system will choose a default value - STANDARD tier at present.
STANDARD Default Tier. Primarily for Software Providers (service to service/API communication).
ADVANCED Advanced Tier. For customers in strongly regulated environments, specifying longer keys, complex certificate chains.

Methods

create

 Creates a new ServerTlsPolicy in a given project and location.

delete

 Deletes a single ServerTlsPolicy.

get

 Gets details of a single ServerTlsPolicy.

list

 Lists ServerTlsPolicies in a given project and location.

patch

 Updates the parameters of a single ServerTlsPolicy.