Add MTLS mode with updated example requests #7

Open
elisherer opened this issue Oct 10, 2019 · 4 comments

@elisherer

Hi,
Can you make an "MTLS Mode" that will:

  • Remove the required X-Client-Certificate header from API calls
  • Change the "Example request" (e.g. curl to include --cert REPLACE_WITH_CERT --key REPLACE_WITH_KEY)
  • I don't have an idea on how to handle the Try It (Maybe cancel it if this mode is on, clients would probably not like putting their private keys on public websites)

Screenshot of current: [two images]

@redlanne
Collaborator

@elisherer thanks for the issue - we are aware of work being required in this area and are coordinating with the security architects to determine the best approach.

@redlanne
Collaborator

redlanne commented Oct 10, 2019

It is worth noting that the TryIt tab can be disabled by setting the tryIt option to false.

@redlanne
Collaborator

@elisherer the first part of what you have requested is available in the current release of explorer (just not documented, which will be rectified in the next release): an option showMTLSHeader, which is set by default to true and, if set to false, will hide the required X-Client-Certificate header from the operation details and from the test tool.

Additionally:
If you have set the tryIt option to false as mentioned above, the TryIt tab will not show. (Alternatively, for an individual API, the yaml can specify that the API is not testable, e.g.

x-ibm-configuration:
  testable: false

)

If the test tool is still used and invoked, the CORS message will indicate its limitations, e.g.: [image]

@elisherer
Author

elisherer commented Oct 15, 2019

Do you have a suggestion on how to handle the "Example request" section?
(If someone tries the example code there, it will fail unless the client certificate is added, causing confusion and a need for support)
