Updated on 2023-07-04 GMT+08:00

Configuring a Security Policy

ASM security functions include Access Authorization, Peer Authentication, and JWT Authentication, which together ensure reliable service communication.


  1. Log in to the ASM console and click the target mesh to go to its details page.
  2. In the navigation pane on the left, choose Service Management. In the upper right corner of the list, select the namespace to which the service belongs.
  3. Select a service, click Security in the Operation column, and configure access authorization and peer authentication on the right.

    Access Authorization

    Access authorization controls the access to services in the mesh and determines whether a request can be sent to the current service.

    Select Access Authorization and click Configure now. In the displayed dialog box, select one or more services in a specified namespace to include in the access authorization settings.

    Peer Authentication

    Istio enables communication between service pods using the Policy Enforcement Point (PEP) tunnel between clients and servers. Peer authentication defines how traffic reaches the current service pod through the tunnel (or not through the tunnel). By default, service pods that have sidecars injected communicate with each other through tunnels. Traffic is automatically encrypted using TLS.

    Select Peer Authentication and click Configure now. In the displayed dialog box, select an authentication policy.

    Table 1 Parameter description

    • Inherit from parent: If a peer authentication policy is configured for the parent scope, the service inherits the policy.

    • PERMISSIVE: Traffic can be transmitted without passing through the tunnel. Workloads accept both mutual TLS and plain text traffic. By default, the mesh is configured with a peer authentication policy in PERMISSIVE mode.

    • STRICT: Traffic is transmitted only through the tunnel, because the request must be encrypted using TLS and must contain the client certificate.

    JWT Authentication

    You can configure JSON Web Token (JWT) authentication in ASM. With JWT, ASM verifies whether the access token in a request header is trusted and authorizes only valid user requests.

    JWT authentication can be configured only for HTTP services.

    Click JWT Authentication > Configure now. In the displayed dialog box, set the following parameters:

    • Issuer: issuer of the JWT.
    • Audiences: audiences that use the JWT to access the service. Separate multiple audiences with commas (,). An empty value indicates that the service can be accessed by any audience.
    • JWKS: JSON Web Key Set containing the public keys used to verify the signature of the JWT.

    For details about the principles and application examples of JWT authentication, see JWT Authentication Principles and Authenticating JWT Requests on the Ingress Gateway Using ASM.
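    As an added example that is not part of this page or the ASM product documentation, the Istio resources that correspond to the peer authentication and JWT authentication settings above. It assumes ASM applies these settings as standard Istio PeerAuthentication, RequestAuthentication and AuthorizationPolicy objects; the namespace, service label, issuer and JWKS URL are placeholders.

```yaml
# Added example (not from this page). Assumed: ASM applies the console settings as
# standard Istio resources; namespace "demo", label app=reviews, issuer and JWKS URL are placeholders.
# Peer authentication in STRICT mode: only mTLS through the sidecar tunnel is
# accepted. PERMISSIVE (the mesh default) would also accept plain text, and
# omitting this object entirely inherits the parent (namespace or mesh) policy.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: reviews-strict
  namespace: demo
spec:
  selector:
    matchLabels:
      app: reviews
  mtls:
    mode: STRICT
---
# JWT authentication. Issuer, Audiences and JWKS from the dialog map to
# issuer, audiences and jwksUri; leaving audiences out accepts any audience.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: reviews-jwt
  namespace: demo
spec:
  selector:
    matchLabels:
      app: reviews
  jwtRules:
  - issuer: "https://issuer.example.com"                          # placeholder
    audiences: ["reviews"]
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"   # placeholder
---
# RequestAuthentication only rejects requests that carry an invalid token; a
# request with no token at all still gets through. Requiring a validated principal closes that gap.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-require-jwt
  namespace: demo
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```

    After applying these objects, a plain text request to the reviews pod is rejected by the STRICT policy, and an HTTP request without a valid JWT is rejected by the AuthorizationPolicy rather than silently allowed.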