Zato supports SSL/TLS out of the box, including client certificates. It also lets REST channels be configured to require that client certificates contain specific, previously configured fields and values, which can be used for client certificate pinning.
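To illustrate the field-based pinning described above, this added example (not Zato's own code or configuration format) checks the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns for a validated client certificate against a set of pinned fields. The `subject.`/`issuer.` key syntax, the function names and the sample certificates are assumptions constructed for illustration.

```python
def flatten_name(rdns):
    """Collapse getpeercert()'s nested RDN tuples into {field: [values]}."""
    fields = {}
    for rdn in rdns:
        for key, value in rdn:
            fields.setdefault(key, []).append(value)
    return fields


def check_pinned_fields(peer_cert, required):
    """Return (ok, failures); fails closed on missing input or configuration."""
    # getpeercert() gives None when no certificate was sent and {} when it was
    # not validated, so field checks never replace chain validation.
    if not peer_cert:
        return False, ["no validated client certificate"]
    if not required:
        return False, ["no pinned fields configured"]
    names = {part: flatten_name(peer_cert.get(part, ()))
             for part in ("subject", "issuer")}
    failures = []
    for path, expected in required.items():
        part, _, field = path.partition(".")
        if path == "serialNumber":
            found = [peer_cert[path]] if path in peer_cert else []
        else:
            found = names.get(part, {}).get(field, [])
        if len(found) != 1:  # absent or repeated field: ambiguous, so reject
            failures.append(f"{path}: expected one value, found {len(found)}")
        elif found[0] != expected:  # exact match only, no substring or wildcard
            failures.append(f"{path}: does not match the pinned value")
    return not failures, failures


# Constructed sample data in the getpeercert() layout (hypothetical names).
PINNED = {"subject.commonName": "billing-client.example.com",
          "subject.organizationName": "Example Corp",
          "issuer.commonName": "Example Internal CA"}
GOOD_CERT = {"subject": ((("organizationName", "Example Corp"),),
                         (("commonName", "billing-client.example.com"),)),
             "issuer": ((("commonName", "Example Internal CA"),),),
             "serialNumber": "0A1B2C"}
# Issued by the same CA, but to a different client.
OTHER_CERT = dict(GOOD_CERT, subject=((("organizationName", "Example Corp"),),
                                      (("commonName", "reports-client.example.com"),)))
# Carries a second commonName next to the pinned one.
AMBIGUOUS_CERT = dict(GOOD_CERT, subject=GOOD_CERT["subject"]
                      + ((("commonName", "admin.example.com"),),))

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("other", OTHER_CERT), ("ambiguous", AMBIGUOUS_CERT)):
        print(label, check_pinned_fields(cert, PINNED))
```

Pinning on the issuer as well as the subject ties the match to one CA, so a certificate with the same subject fields from another trusted CA is rejected.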

If traffic from external applications to a Zato cluster is encrypted, the encryption is terminated at the load-balancer, and connections from the load-balancer to servers and back may optionally use a separate encrypted link.

It is also possible for user services to transparently access SSL/TLS-protected resources, including ones secured with client certificates.

There are 3 aspects of the SSL/TLS configuration discussed in subsequent task-oriented chapters: