Mutual TSL /Client Certifcate authentication

I have a requirement to expose a PASOE for WEB & AppServer to the internet.
The security requirement is that the client's public certificate is loaded into PASOE/tomcat.
So as part of TLS handshake process the client will present their public certificate (Client Certificate Authentication / mutual TLS) and we match that certificate with what we already have loaded.

Is this something that PASOE supports by allowing multiple public certificates to be loaded on the server?

It does, but is version dependent. It looks like you need at least 12.2 for the server side. See Progress Documentation

For the ABL client side, support for client certificates was added a few releases later. Like 12.4 and 12.5 if memory serves.

PASOE 12.x uses Tomcat 9.0.

Apache Tomcat 9 (9.0.73) - SSL/TLS Configuration How-To contains:

Using name-based virtual hosts on a secured connection requires careful configuration of the names specified in a single certificate or Tomcat 8.5 onwards where Server Name Indication (SNI) support is available. SNI allows multiple certificates with different names to be associated with a single TLS connector.

Click to expand...

Currently running on OE 11.7.x. Upgrading to 12.x is not an option at this stage.

I am wondering whether to use Cloudflare to act as the first line of defence and it can handle the Client Certificate authentication for inbound request.

Follow up question, can 11.7.x PASOE/tomcat handle IP address whitelisting?

> Follow up question, can 11.7.x PASOE/tomcat handle IP address whitelisting?

Yep. This page refers to it, using the remote address valve in Tomcat.