ITC Infotech acquires Blazeclan Technologies to enhance Multi-Cloud services and fast-track digital transformation

QUALCO Enhanced its Global Financial Security with mTLS Implementation with AWS ALB

About Customer ​

Qualco is a leading software and technology solutions provider in the Credit and Receivables Management sector. With over 25 years of proven experience, the company helps clients realize value through operational platforms, data insights, digital experiences, and domain knowledge. Qualco offers comprehensive solutions in loan origination and management, debt and receivables management, supply chain finance and factoring, and business process management.

Challenges / Problem​

The End Customer (Bank in the Middle East) was facing challenges in implementing the Mutual TLS (mTLS) protocol i.e. “two-way” mutual authentication and encryption that negotiates SSL handshaking between server and client on the application server side.

The mTLS implementation is complicated considering the multi-region infrastructure’s network setup for the End Customer (Bank in the Middle East) as the applications span across 10 countries in regions such as Middle East Asia, Asia-Pacific, Europe, and the United States which was not done previously using ALB.


Ideally, the ALB supports two modes of operation with mTLS i.e.

  1. mTLS verify mode
  2. mTLS passthrough mode

In this case, the End Customer (Bank in the Middle East) is required to manage SSL/TLS certificates on the application server, hence we implemented the mTLS in “Passthrough mode”.

Mutual TLS in Passthrough Mode

In this mode, ALB forwards the entire certificate chain to the backend targets for client authentication in an HTTP header called AMZN-MTLS-CLIENT-CERT. The ALB inserts the entire certificate chain, including the server/client certificates, in URL-encoded PEM format, with +,=, and / as safe characters.

The backend targets must be able to parse this HTTP header, extract the certificate, and perform client authentication making it required to include in application logic/code. Use this mode if you want to retain control of the client authentication process.

Application Load Balancer (ALB) with mTLS in Passthrough mode:

The stages of mTLS using ALB in passthrough mode are as below:​

  • The client initiates a TLS session with the ALB with an HTTPS request. During the TLS handshake, the client presents its TLS certificate.
  • The TLS session terminates once the ALB’s certificates are verified. During the TLS handshake, ALB presents the server-side certificate and receives the client’s certificates.
  • The ALB creates a new HTTPS session with the backend targets. ALB includes the entire certificate chain in an HTTP header called AMZN-MTLS-CLIENT-CERT and passes them to the backend target for further mTLS verification.
  • The backend targets receive the client certificates and use application code logic to parse the client certificate chain from the AMZN-MTLS-CLIENT-CERT HTTP header and to perform client certificate authentication. 

Testing and Validation​

  • Validation of Client Authentication: Ensure that only clients with valid certificates can establish a connection. ​
  • End-to-End Encryption: Verify that all data in transit was encrypted. ​
  • Service Availability: Ensure that mTLS did not impact the availability of services.​


By implementing mTLS with AWS Application Load Balancer, the customer successfully secured its web applications and backend services, enhancing security and ensuring regulatory compliance. This case study highlights the importance of leveraging AWS services for effective and efficient security implementations.

Tools Used​

  • AWS Elastic Compute Cloud (EC2): For deployment of applications.
  • AWS Network Firewall: For network protections of Amazon Virtual Private Clouds (VPCs)
  • AWS Application Load Balancer (ALB): For handling incoming traffic and terminating SSL/TLS.
  • AWS Certificate Manager (ACM): For managing and deploying SSL/TLS certificates.
  • AWS Web Application Firewall (WAF): For an additional layer of protection from web attacks that attempt to exploit vulnerabilities in custom or third-party web applications.
  • AWS Identity and Access Management (IAM): For securing access to resources.
  • AWS CloudWatch: To monitor ALB metrics.

Value Additions

  • Improved Security: Secure communication through encryption and mutual authentication.
  • Regulatory Compliance: Met strict regulatory requirements for secure data transmission.

Key Business Highlights

Operational Efficiency:​ Automated certificate management and streamlined mTLS implementation using AWS services.​

Cost Optimization: ​

  • In this case, the single ALB is deployed across the 10 countries hosted application and decommissions the NLB approach result, reducing the AWS NLB service cost by nearly 50% yearly recurring costs.
  • Previously customer used third-party SSL/TLS certificates, we reduced customer overburden by issuing and renewing of certificates by using AWS ACM service along with saved SSL/TLS costs of approximately 30% yearly costs.

PUBLISHED: 12th July 2024