Add changes from code review

adapter/internal/operator/controllers/dp/api_controller.go

@@ -769,14 +769,14 @@ func (apiReconciler *APIReconciler) getAPIPolicyChildrenRefs(ctx context.Context
 
 func (apiReconciler *APIReconciler) resolveAuthentications(ctx context.Context,
 	authentications map[string]dpv1alpha1.Authentication) (*dpv1alpha1.MutualSSL, error) {
-	var resolvedMutualSSL *dpv1alpha1.MutualSSL
+	resolvedMutualSSL := dpv1alpha1.MutualSSL{}
 	for _, authentication := range authentications {
-		if resolvedMutualSSL == nil {
-			resolvedMutualSSL = &dpv1alpha1.MutualSSL{}
+		err := utils.GetResolvedMutualSSL(ctx, apiReconciler.client, authentication, &resolvedMutualSSL)
+		if err != nil {
+			return nil, err
 		}
-		utils.GetResolvedMutualSSL(ctx, apiReconciler.client, authentication, resolvedMutualSSL)
 	}
-	return resolvedMutualSSL, nil
+	return &resolvedMutualSSL, nil
 }
 
 func (apiReconciler *APIReconciler) getResolvedBackendsMapping(ctx context.Context,

adapter/internal/operator/synchronizer/synchronizer.go

@@ -161,13 +161,6 @@ func GenerateAdapterInternalAPI(apiState APIState, httpRoute *HTTPRouteState, en
 	adapterInternalAPI.SetAPIDefinitionFile(apiState.APIDefinitionFile)
 	adapterInternalAPI.SetAPIDefinitionEndpoint(apiState.APIDefinition.Spec.DefinitionPath)
 	adapterInternalAPI.SetSubscriptionValidation(apiState.SubscriptionValidation)
-	if apiState.MutualSSL != nil && apiState.MutualSSL.Required != "" && !adapterInternalAPI.IsSystemAPI {
-		adapterInternalAPI.SetDisableMtls(apiState.MutualSSL.Disabled)
-		adapterInternalAPI.SetMutualSSL(apiState.MutualSSL.Required)
-		adapterInternalAPI.SetClientCerts(apiState.APIDefinition.Name, apiState.MutualSSL.ClientCertificates)
-	} else {
-		adapterInternalAPI.SetDisableMtls(true)
-	}
 
 	adapterInternalAPI.EnvType = envType
 
@@ -198,6 +191,15 @@ func GenerateAdapterInternalAPI(apiState APIState, httpRoute *HTTPRouteState, en
 		loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2632, logging.MAJOR, "Error validating adapterInternalAPI intermediate representation. %v", err))
 		return nil, err
 	}
+
+	if apiState.MutualSSL != nil && apiState.MutualSSL.Required != "" && !adapterInternalAPI.GetDisableAuthentications() {
+		adapterInternalAPI.SetDisableMtls(apiState.MutualSSL.Disabled)
+		adapterInternalAPI.SetMutualSSL(apiState.MutualSSL.Required)
+		adapterInternalAPI.SetClientCerts(apiState.APIDefinition.Name, apiState.MutualSSL.ClientCertificates)
+	} else {
+		adapterInternalAPI.SetDisableMtls(true)
+	}
+
 	vHosts := getVhostsForAPI(httpRoute.HTTPRouteCombined)
 	labels := getLabelsForAPI(httpRoute.HTTPRouteCombined)
 	listeners, relativeSectionNames := getListenersForAPI(httpRoute.HTTPRouteCombined, adapterInternalAPI.UUID)

adapter/internal/operator/utils/utils.go

@@ -458,30 +458,32 @@ func getResolvedBackendSecurity(ctx context.Context, client k8client.Client,
 }
 
 // GetResolvedMutualSSL resolves mTLS related security configurations.
-func GetResolvedMutualSSL(ctx context.Context, client k8client.Client, authentication dpv1alpha1.Authentication, resolvedMutualSSL *dpv1alpha1.MutualSSL) {
-	var err error
-	var certificate string
+func GetResolvedMutualSSL(ctx context.Context, client k8client.Client, authentication dpv1alpha1.Authentication, resolvedMutualSSL *dpv1alpha1.MutualSSL) error {
 	var mutualSSL *dpv1alpha1.MutualSSLConfig
 	if authentication.Spec.Default != nil && authentication.Spec.Default.AuthTypes != nil && authentication.Spec.Default.AuthTypes.MutualSSL != nil {
 		mutualSSL = authentication.Spec.Default.AuthTypes.MutualSSL
 	} else if authentication.Spec.Override != nil && authentication.Spec.Override.AuthTypes != nil && authentication.Spec.Override.AuthTypes.MutualSSL != nil {
 		mutualSSL = authentication.Spec.Override.AuthTypes.MutualSSL
 	}
 	if mutualSSL != nil {
-		resolvedCertificates := ResolveAllmTLSCertificates(ctx, mutualSSL, certificate, err, client, authentication.Namespace)
+		resolvedCertificates, err := ResolveAllmTLSCertificates(ctx, mutualSSL, client, authentication.Namespace)
 		resolvedMutualSSL.Disabled = mutualSSL.Disabled
 		resolvedMutualSSL.Required = mutualSSL.Required
 		resolvedMutualSSL.ClientCertificates = append(resolvedMutualSSL.ClientCertificates, resolvedCertificates...)
-	}
 
-	if err != nil {
-		loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2622, logging.TRIVIAL, "Error in resolving mutual SSL %v in authentication", certificate))
+		if err != nil {
+			loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2622, logging.TRIVIAL, "Error in resolving mutual SSL %v in authentication", mutualSSL))
+			return err
+		}
 	}
+	return nil
 }
 
 // ResolveAllmTLSCertificates resolves all mTLS certificates
-func ResolveAllmTLSCertificates(ctx context.Context, mutualSSL *dpv1alpha1.MutualSSLConfig, certificate string, err error, client k8client.Client, namespace string) []string {
+func ResolveAllmTLSCertificates(ctx context.Context, mutualSSL *dpv1alpha1.MutualSSLConfig, client k8client.Client, namespace string) ([]string, error) {
 	var resolvedCertificates []string
+	var err error
+	var certificate string
 	if mutualSSL.CertificatesInline != nil {
 		for _, cert := range mutualSSL.CertificatesInline {
 			certificate, err = ResolveCertificate(ctx, client, namespace, cert, nil, nil)
@@ -500,7 +502,7 @@ func ResolveAllmTLSCertificates(ctx context.Context, mutualSSL *dpv1alpha1.Mutua
 			resolvedCertificates = append(resolvedCertificates, certificate)
 		}
 	}
-	return resolvedCertificates
+	return resolvedCertificates, err
 }
 
 // ResolveCertificate reads the certificate from TLSConfig, first checks the certificateInline field,

common-go-libs/apis/dp/v1alpha1/authentication_types.go

@@ -75,6 +75,8 @@ type MutualSSLConfig struct {
 
 	// Required indicates whether mutualSSL is mandatory or optional
 	// +kubebuilder:validation:Enum=mandatory;optional
+	// +kubebuilder:default=optional
+	// +optional
 	Required string `json:"required"`
 
 	// CertificatesInline is the Inline Certificate entry

common-go-libs/apis/dp/v1alpha1/authentication_webhook.go

@@ -78,23 +78,38 @@ func (r *Authentication) ValidateAuthentication() error {
 		allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("targetRef").Child("kind"), r.Spec.TargetRef.Kind,
 			"Invalid Kind is provided"))
 	}
+	var mutualSSL *MutualSSLConfig
 
-	if r.Spec.Default != nil && r.Spec.Default.Disabled != nil && r.Spec.Default.AuthTypes != nil && r.Spec.Default.AuthTypes.MutualSSL != nil {
+	if r.Spec.Default != nil && r.Spec.Default.AuthTypes != nil && r.Spec.Default.AuthTypes.MutualSSL != nil {
 		isOAuthDisabled = r.Spec.Default.AuthTypes.Oauth2.Disabled
-		isMTLSMandatory = strings.ToLower(r.Spec.Default.AuthTypes.MutualSSL.Required) == "mandatory"
-		isMTLSDisabled = r.Spec.Default.AuthTypes.MutualSSL.Disabled
+		mutualSSL = r.Spec.Default.AuthTypes.MutualSSL
+
+		isMTLSMandatory = strings.ToLower(mutualSSL.Required) == "mandatory"
+		isMTLSDisabled = mutualSSL.Disabled
 		if isOAuthDisabled && (!isMTLSMandatory || isMTLSDisabled) {
-			allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("default").Child("authTypes").Child("authTypes"), r.Spec.Default.AuthTypes,
+			allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("default").Child("authTypes").Child("mtls"), r.Spec.Default.AuthTypes,
 				"invalid authentication configuration - one of mTLS or OAuth2 must be enabled and mandatory"))
 		}
-	} else if r.Spec.Override != nil && r.Spec.Override.Disabled != nil && r.Spec.Override.AuthTypes != nil && r.Spec.Override.AuthTypes.MutualSSL != nil {
+		if len(mutualSSL.CertificatesInline) == 0 && len(mutualSSL.ConfigMapRefs) == 0 && len(mutualSSL.SecretRefs) == 0 {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("default").Child("authTypes").Child("mtls"), r.Spec.Default.AuthTypes.MutualSSL,
+				"invalid mTLS configuration - certificates not provided"))
+		}
+
+	} else if r.Spec.Override != nil && r.Spec.Override.AuthTypes != nil && r.Spec.Override.AuthTypes.MutualSSL != nil {
 		isOAuthDisabled = r.Spec.Override.AuthTypes.Oauth2.Disabled
-		isMTLSMandatory = strings.ToLower(r.Spec.Override.AuthTypes.MutualSSL.Required) == "mandatory"
-		isMTLSDisabled = r.Spec.Override.AuthTypes.MutualSSL.Disabled
+		mutualSSL = r.Spec.Override.AuthTypes.MutualSSL
+
+		isMTLSMandatory = strings.ToLower(mutualSSL.Required) == "mandatory"
+		isMTLSDisabled = mutualSSL.Disabled
 		if isOAuthDisabled && (!isMTLSMandatory || isMTLSDisabled) {
-			allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("override").Child("authTypes").Child("authTypes"), r.Spec.Override.AuthTypes,
+			allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("override").Child("authTypes").Child("mtls"), r.Spec.Override.AuthTypes,
 				"invalid authentication configuration - one of mTLS or OAuth2 must be enabled and mandatory"))
 		}
+
+		if len(mutualSSL.CertificatesInline) == 0 && len(mutualSSL.ConfigMapRefs) == 0 && len(mutualSSL.SecretRefs) == 0 {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("override").Child("authTypes").Child("mtls"), r.Spec.Override.AuthTypes.MutualSSL,
+				"invalid mTLS configuration - certificates not provided"))
+		}
 	}
 
 	if len(allErrs) > 0 {

runtime/config-deployer-service/ballerina/APIClient.bal

@@ -362,7 +362,6 @@ public class APIClient {
                     return e909019();
                 }
                 authTypes.mtls = {disabled: !mtlsAuthentication.enabled, configMapRefs: mtlsAuthentication.certificates, required: mtlsAuthentication.required};
-
             }
         }
         log:printDebug("Auth Types:" + authTypes.toString());
@@ -1394,8 +1393,6 @@ public class APIClient {
     private isolated function validateAndRetrieveAPKConfiguration(json apkconfJson) returns APKConf|commons:APKError? {
         do {
             runtimeapi:APKConfValidationResponse validationResponse = check apkConfValidator.validate(apkconfJson.toJsonString());
-            log:printInfo(apkconfJson.toJsonString());
-            log:printInfo(validationResponse.isValidated().toString());
 
             if validationResponse.isValidated() {
                 APKConf apkConf = check apkconfJson.cloneWithType(APKConf);

runtime/config-deployer-service/ballerina/resources/apk-conf-schema.yaml

@@ -149,7 +149,7 @@ components:
           properties:
             required:
               type: string
-              default: mandatory
+              default: optional
               enum:
                 - mandatory
                 - optional

runtime/config-deployer-service/ballerina/tests/resources/apk-schema.json

@@ -150,13 +150,15 @@
         },
         "required": {
           "type": "string",
+          "default": "optional",
           "enum": [
             "mandatory",
             "optional"
           ]
         },
         "enabled": {
-          "type": "boolean"
+          "type": "boolean",
+          "default": true
         },
         "certificates": {
           "type": "array",

runtime/config-deployer-service/ballerina/types.bal

@@ -275,7 +275,7 @@ public type APIKeyAuthentication record {|
 # + certificates - The list of config map refs referring to the client certificates
 public type MTLSAuthentication record {|
     *Authentication;
-    string required;
+    string required = "optional";
     ConfigMapRef[] certificates;
 |};
 

runtime/config-deployer-service/docker/config-deployer/conf/apk-schema.json

@@ -150,13 +150,15 @@
         },
         "required": {
           "type": "string",
+          "default": "optional",
           "enum": [
             "mandatory",
             "optional"
           ]
         },
         "enabled": {
-          "type": "boolean"
+          "type": "boolean",
+          "default": true
         },
         "certificates": {
           "type": "array",
@@ -173,6 +175,10 @@
           }
         }
       },
+      "required": [
+        "authType",
+        "certificates"
+      ],
       "additionalProperties": false
     },
     "APIKeyAuthentication": {

runtime/runtime-ui/schema/apk-conf.yaml

@@ -117,9 +117,11 @@ schemas:
       enabled:
         type: boolean
         example: true
+        default: true
         description: Specifies whether mTLS authentication is enabled for the API.
       required:
         type: string
+        default: optional
         enum:
           - mandatory
           - optional

runtime/runtime-ui/schema/apk-schema.json

@@ -150,13 +150,15 @@
         },
         "required": {
           "type": "string",
+          "default": "optional",
           "enum": [
             "mandatory",
             "optional"
           ]
         },
         "enabled": {
-          "type": "boolean"
+          "type": "boolean",
+          "default": true
         },
         "certificates": {
           "type": "array",

test/cucumber-tests/CRs/artifacts.yaml

@@ -767,21 +767,54 @@ metadata:
 data:
   tls.crt: |
     -----BEGIN CERTIFICATE-----
-    MIIDGTCCAgECFANIkLQBkd76qiTXzSXjBS2scPJsMA0GCSqGSIb3DQEBCwUAME0x
-    CzAJBgNVBAYTAkxLMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQKDAR3c28y
-    MQwwCgYDVQQLDANhcGsxDDAKBgNVBAMMA2FwazAeFw0yMzEyMDYxMDEyNDhaFw0y
-    NTA0MTkxMDEyNDhaMEUxCzAJBgNVBAYTAkxLMRMwEQYDVQQIDApTb21lLVN0YXRl
-    MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3
-    DQEBAQUAA4IBDwAwggEKAoIBAQCdG90W/Tlk4u9awHPteD5zpVcThUKwMLvAKw9i
-    vVQBC0AG6GzPbakol5gKVm+kBUDFzzzF6eayEXKWbyaZDty66A2+7HLLcKBop5M/
-    a57Q9XtU3lRYvotgutLWuHcI7mLCScZDrjA3rnb/KjjbhZ602ZS1pp5jtyUz6DwL
-    m7w4wQ/RProqCdBj8QqoAvnDDLSPeDfsx14J5VeNJVGJV2wax65jWRjRkj6wE7z2
-    qzWAlP5vDeED6bogYYVDpC8DtgayQ+vKAQLi1uj+I9Yqb/nPUrdUh9IlxudlqiFQ
-    QxyvsXMJEzbWWmlbD0kXYkHmHzetJNPK9ayOS/fJcAcfAb01AgMBAAEwDQYJKoZI
-    hvcNAQELBQADggEBAFmUc7+cI8d0Dl4wTdq+gfyWdqjQb7AYVO9DvJi3XGxdc5Kp
-    1nCSsKzKUz9gvxXHeaYKrBNYf4SSU+Pkdf/BWePqi7UX/SIxNXby2da8zWg+W6Uh
-    xZfKlLYGMp3mCjueZpZTJ7SKOOGFA8IIgEzjJD9Ln1gl3ywMaCwlNrG9RpiD1McT
-    COKvyWNKnSRVr/RvCklLVrAMTJr50kce2czcdFl/xF4Hm66vp7cP/bYJKWAL8hBG
-    zUa9aQBKncOoAO+zQ/SGy7uJxTDUF8SverDsmjOc6AU6IhBGVUyX/JQbYyJfZinB
-    YlviYxVzIm6IaNJHx4sihw4U1/jMFWRXT470zcQ=
+    MIIDkTCCAnmgAwIBAgIUJitjysknJ0nHeLH/mjT1JIpOz4YwDQYJKoZIhvcNAQEL
+    BQAwYDELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwI
+    WW91ckNpdHkxGTAXBgNVBAoMEFlvdXJPcmdhbml6YXRpb24xDzANBgNVBAMMBllv
+    dXJDQTAeFw0yNDAxMDUwNDAwMjNaFw0yNTAxMDQwNDAwMjNaMGExCzAJBgNVBAYT
+    AlVTMRIwEAYDVQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MRkwFwYD
+    VQQKDBBZb3VyT3JnYW5pemF0aW9uMRAwDgYDVQQDDAdjbGllbnQxMIIBIjANBgkq
+    hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuJhFZmCVnj6N+/+HHuMvb4vyWqWcorUf
+    pAWO7a3YVsHp3BX+lbGGzh67jbPcFK6K7RqejenFw7sQK8duZlqXmik/JvZMLxY3
+    l/6e8LIAhN7PaX1zg58OU61baQ5VNBhUXkoYN77xqb87Yo7IFyyQ/tyWfRVFEzNj
+    V1+q2MpEinuscViieIQHEpB4i6fsRxomYkR+FwdfCB65MYCYveIB1z9NkmR6Pm6V
+    7zSPp+QYwc6WX4/61fbRje4BJh3j+FGYboJJg1o9O/MkD70RW6mdMV1l5bT9T98W
+    B+hJtN+5dEpSfAwXqlWWxzhDxNsEvdSwuoLz9e58gteR1LSLaJXMjQIDAQABo0Iw
+    QDAdBgNVHQ4EFgQULaoslUgyglywztd95CkL6sU5wa4wHwYDVR0jBBgwFoAUGUkK
+    +QXBjeGMy7XVnrXfrvVJUNswDQYJKoZIhvcNAQELBQADggEBABodQ1Y7zt7kvDI8
+    jQUfLLkZZAPnVpjYpG7P1dLjOzUxqDNmyZAzoBMENXy/Zu81sRQt+Bs5NKsx1pu5
+    z2TRk9ddxhszD1FKu9Hb6hqLcGHF7GnwPGVXJlHctkMp4QYvXc942VDk7c59/knC
+    PXAul7832cPTUMvFHdzRxBwJruK9xuvNLj2I24+Fji1ELPO7M/e8KZ1NrIS0Fdwn
+    DuDDw3kMkl0BlSrmvMBreSaIOU4mFhmepC97awZ/wZZ+4mpIdWIagZf01txue8o0
+    +8kdGkFsmoCpnJjNjpoQFAYLEdif00iLcRpwwW/saUuxqZC0aDnQCIeo0GSNet8t
+    HOXCkvQ=
+    -----END CERTIFICATE-----
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mtls-test-configmap3
+  namespace: apk-integration-test
+data:
+  tls.crt: |
+    -----BEGIN CERTIFICATE-----
+    MIIDkTCCAnmgAwIBAgIUJitjysknJ0nHeLH/mjT1JIpOz4cwDQYJKoZIhvcNAQEL
+    BQAwYDELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwI
+    WW91ckNpdHkxGTAXBgNVBAoMEFlvdXJPcmdhbml6YXRpb24xDzANBgNVBAMMBllv
+    dXJDQTAeFw0yNDAxMDUwNDE0MTlaFw0yNTAxMDQwNDE0MTlaMGExCzAJBgNVBAYT
+    AlVTMRIwEAYDVQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MRkwFwYD
+    VQQKDBBZb3VyT3JnYW5pemF0aW9uMRAwDgYDVQQDDAdjbGllbnQyMIIBIjANBgkq
+    hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2JQ8LITwayvjrrHUmFT44lH3IF3fdPhr
+    pQgKx7Z295QD9Ocka2rOFu47tuIeNcLiBTSyRLOFDRwjW9WXfWk9ALtxbedJfDyy
+    us/kLxY+SdzHW7/5dFbupGOcs58A/sxMyGTJgiCBxsgsRFfhet7ekq/ypmj5B8L3
+    5FlGg5NS0mbZlTM6aapLnkqU907RcsmzpFQBfWOHlDdWJocKEHECBXcxiTQk72C7
+    s2tndES5ltX/Wc8U/kX/M9LDXhn1Ew+roeFf0HCpdg6BlnTknhYU9S1c4aYKB2Yx
+    LNx74CsKsnxPPcePTXPqZEtZ4EsjF4PSToVFyceMBKvD6C6WPQoRNwIDAQABo0Iw
+    QDAdBgNVHQ4EFgQUWE8btMihi5eZXLJOeiNfh7XHaI0wHwYDVR0jBBgwFoAUGUkK
+    +QXBjeGMy7XVnrXfrvVJUNswDQYJKoZIhvcNAQELBQADggEBAJmXn/gefez7mq1b
+    iKpPLPeHUncIgVaru03v8YCX14pHFAsVuLgZ1lANelSrq+PR/HBJbQj8iloV938o
+    YFppe/fb96D8a2u90dnGwWipMRSDo3wgcInL38xfcH5UEPBVJVLa3IUkfwDjjEqK
+    3O0GXVSpjyv3RW+E9wfPfGSysRX66cTo5Uh3z3hTAloDc8uhCYRPcxG7S9eKD6jW
+    Z3MlFlw4U8CdO90L0nB1KFhz1Et0Sl9u/LDsUYq6mE+XhTngPs8qwR/o43s1DUID
+    y5Oi4A4+id+xO0XnHIkkqCfPtFzxl3hwytcy8EqISynzzHWNJ8bFZIYX4tgX+PLq
+    u0/ITEw=
     -----END CERTIFICATE-----

test/cucumber-tests/src/test/java/org/wso2/apk/integration/api/MTLSClientCertSteps.java

@@ -22,9 +22,13 @@
 import org.wso2.apk.integration.utils.Utils;
 import org.wso2.apk.integration.utils.clients.SimpleHTTPClient;
 
+import com.google.common.io.Resources;
+
 import io.cucumber.java.Before;
 import io.cucumber.java.en.Then;
 
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -47,8 +51,8 @@ public void setup() throws Exception {
                 httpClient = sharedContext.getHttpClient();
         }
 
-        @Then("I have a valid subscription with a valid client certificate")
-        public void getValidClientCertificateForMTLS() throws Exception {
+        @Then("I have a valid token with a client certificate {string}")
+        public void getValidClientCertificateForMTLS(String clientCertificatePath) throws Exception {
 
                 Map<String, String> headers = new HashMap<>();
                 headers.put(Constants.REQUEST_HEADERS.HOST, Constants.DEFAULT_IDP_HOST);
@@ -60,24 +64,10 @@ public void getValidClientCertificateForMTLS() throws Exception {
                                 Constants.CONTENT_TYPES.APPLICATION_X_WWW_FORM_URLENCODED);
                 sharedContext.setAccessToken(Utils.extractToken(httpResponse));
                 sharedContext.addStoreValue("accessToken", sharedContext.getAccessToken());
-                sharedContext.addStoreValue("clientCertificate",
-                                "-----BEGIN CERTIFICATE-----MIIDGTCCAgECFANIkLQBkd76qiTXzSXjBS2scPJsMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkxLMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQKDAR3c28yMQwwCgYDVQQLDANhcGsxDDAKBgNVBAMMA2FwazAeFw0yMzEyMDYxMDEyNDhaFw0yNTA0MTkxMDEyNDhaMEUxCzAJBgNVBAYTAkxLMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdG90W/Tlk4u9awHPteD5zpVcThUKwMLvAKw9ivVQBC0AG6GzPbakol5gKVm+kBUDFzzzF6eayEXKWbyaZDty66A2+7HLLcKBop5M/a57Q9XtU3lRYvotgutLWuHcI7mLCScZDrjA3rnb/KjjbhZ602ZS1pp5jtyUz6DwLm7w4wQ/RProqCdBj8QqoAvnDDLSPeDfsx14J5VeNJVGJV2wax65jWRjRkj6wE7z2qzWAlP5vDeED6bogYYVDpC8DtgayQ+vKAQLi1uj+I9Yqb/nPUrdUh9IlxudlqiFQQxyvsXMJEzbWWmlbD0kXYkHmHzetJNPK9ayOS/fJcAcfAb01AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFmUc7+cI8d0Dl4wTdq+gfyWdqjQb7AYVO9DvJi3XGxdc5Kp1nCSsKzKUz9gvxXHeaYKrBNYf4SSU+Pkdf/BWePqi7UX/SIxNXby2da8zWg+W6UhxZfKlLYGMp3mCjueZpZTJ7SKOOGFA8IIgEzjJD9Ln1gl3ywMaCwlNrG9RpiD1McTCOKvyWNKnSRVr/RvCklLVrAMTJr50kce2czcdFl/xF4Hm66vp7cP/bYJKWAL8hBGzUa9aQBKncOoAO+zQ/SGy7uJxTDUF8SverDsmjOc6AU6IhBGVUyX/JQbYyJfZinBYlviYxVzIm6IaNJHx4sihw4U1/jMFWRXT470zcQ=-----END CERTIFICATE-----");
-        }
-
-        @Then("I have a valid subscription with an invalid client certificate")
-        public void getInvalidClientCertificateForMTLS() throws Exception {
 
-                Map<String, String> headers = new HashMap<>();
-                headers.put(Constants.REQUEST_HEADERS.HOST, Constants.DEFAULT_IDP_HOST);
-                headers.put(Constants.REQUEST_HEADERS.AUTHORIZATION,
-                                "Basic NDVmMWM1YzgtYTkyZS0xMWVkLWFmYTEtMDI0MmFjMTIwMDAyOjRmYmQ2MmVjLWE5MmUtMTFlZC1hZmExLTAyNDJhYzEyMDAwMg==");
+                URL url = Resources.getResource("artifacts/certificates/" + clientCertificatePath);
+                String clientCertificate = Resources.toString(url, StandardCharsets.UTF_8);
+                sharedContext.addStoreValue("clientCertificate", clientCertificate);
 
-                HttpResponse httpResponse = httpClient.doPost(Utils.getTokenEndpointURL(), headers,
-                                "grant_type=client_credentials&scope=" + Constants.API_CREATE_SCOPE,
-                                Constants.CONTENT_TYPES.APPLICATION_X_WWW_FORM_URLENCODED);
-                sharedContext.setAccessToken(Utils.extractToken(httpResponse));
-                sharedContext.addStoreValue("accessToken", sharedContext.getAccessToken());
-                sharedContext.addStoreValue("clientCertificate",
-                                "-----BEGIN CERTIFICATE-----MIIDJDCfeXw==-----END CERTIFICATE-----");
         }
 }