# Collocated One-way and Mutual TLS

CybusMQ can receive connections from both one-way TLS and mutual TLS clients on the same listener, eliminating the need for separate TCP ports for different TLS authentication modes.

Clients connecting with different TLS authentication types arrive at configurable mount points in the broker:

* **One-way TLS clients**: Standard TLS where only the server certificate is validated.
* **Mutual TLS clients**: Both server and client certificates are validated.

Clients are routed to a mount point according to whether client certificate validation succeeded. With additional configuration, clients from both groups can be moved to the same mount point so they can communicate with each other.

## Enabling TLS

CybusMQ automatically enables the TLS listener when certificate files are provided.

{% tabs %}
{% tab title="Kubernetes" %}

### Enabling TLS on Kubernetes

**Prerequisites**

* Your Helm chart is version 1.5.0 or later.
* TLS certificates are configured as Kubernetes secrets.

**Procedure**

1. Open your `values.yaml` file.
2. Configure the certificate file paths.

{% code lineNumbers="true" %}

```yaml
global:
  broker:
    env:
      - name: DOCKER_VERNEMQ_LISTENER_CERT_FILE
        value: /cybusmq_certs/server.crt
      - name: DOCKER_VERNEMQ_LISTENER_KEY_FILE
        value: /cybusmq_certs/server.key
      - name: DOCKER_VERNEMQ_LISTENER_CA_FILE
        value: /cybusmq_certs/ca.crt
```

{% endcode %}
{% endtab %}

{% tab title="Docker" %}

### Enabling TLS on Docker

1. Create or modify a `docker-compose.override.yml` file.
2. Set the certificate environment variables.

{% code lineNumbers="true" %}

```yaml
services:
  broker:
    environment:
      DOCKER_VERNEMQ_LISTENER_CERT_FILE: /certs/server.crt
      DOCKER_VERNEMQ_LISTENER_KEY_FILE: /certs/server.key
      DOCKER_VERNEMQ_LISTENER_CA_FILE: /certs/ca.crt
    volumes:
      - ./certs:/certs:ro
```

{% endcode %}
{% endtab %}
{% endtabs %}

## Mount Point Routing

By default, one-way TLS and mutual TLS clients are assigned to different mount points, preventing cross-communication. In Connectware deployments, the Auth-Server webhooks endpoint automatically moves clients to the same mount point, enabling communication between both authentication types.

For custom deployments without Connectware's Auth-Server, you can enable communication between authentication types in one of two ways:

1. Configure the system to use the same mount point for both connection types through a custom configuration file.
2. Implement logic in a webhooks-based authentication server that assigns mount points dynamically.

For detailed information on webhooks and authentication plugins, refer to the [official VerneMQ documentation](https://docs.vernemq.com/1.13.0).
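As an added example (not part of the CybusMQ documentation or the VerneMQ project), a minimal webhooks authentication server in Python that implements the second option: it answers VerneMQ's `auth_on_register` hook and uses the `mountpoint` modifier to move clients onto one shared mount point. Mutual TLS clients are trusted because the listener already validated their certificate; one-way TLS clients must additionally pass a username/password check before they are merged. The mount point names `oneway`, `mtls` and `shared`, the credential table and the listening port are assumptions for this example.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed mount point names (not taken from the CybusMQ docs).
ONE_WAY_MOUNTPOINT = "oneway"   # where one-way TLS clients arrive
MTLS_MOUNTPOINT = "mtls"        # where mutual TLS clients arrive
SHARED_MOUNTPOINT = "shared"    # where both are moved so they can talk

# Constructed credential store for one-way TLS clients, which present no
# client certificate and therefore must authenticate with a password.
ONE_WAY_CREDENTIALS = {"sensor-01": "s3cret"}

def decide(hook, payload):
    """Return the JSON body VerneMQ expects for a webhook response."""
    if hook != "auth_on_register":
        return {"result": "next"}      # let other plugins handle other hooks
    incoming = payload.get("mountpoint", "")
    if incoming == MTLS_MOUNTPOINT:
        # Client certificate was validated by the listener: merge directly.
        return {"result": "ok", "modifiers": {"mountpoint": SHARED_MOUNTPOINT}}
    if incoming == ONE_WAY_MOUNTPOINT:
        user = payload.get("username") or ""
        given = (payload.get("password") or "").encode()
        expected = ONE_WAY_CREDENTIALS.get(user, "").encode()
        if user in ONE_WAY_CREDENTIALS and hmac.compare_digest(given, expected):
            return {"result": "ok", "modifiers": {"mountpoint": SHARED_MOUNTPOINT}}
        return {"result": {"error": "not_allowed"}}
    return {"result": {"error": "not_allowed"}}  # unknown mount point: deny

class Handler(BaseHTTPRequestHandler):
    # VerneMQ POSTs a JSON body and names the hook in the 'vernemq-hook' header.
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        payload = json.loads(self.rfile.read(length) or b"{}")
        hook = self.headers.get("vernemq-hook", "")
        body = json.dumps(decide(hook, payload)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Assumed bind address; point vmq_webhooks' auth_on_register endpoint here.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```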
