Hi,
Though this is a late reply, I am trying to list out the steps that we need to do for configuring mutual SSL on webMethods, hoping it may be useful for other developers in future. All the below steps are applicable when Integration Server is acting as SSL Server.
i) Obtain the Private Key and Public Key (SSL Certificate) from a Certification Authority (CA). You can also generate your own certificates using tools like OpenSSL. (Generating your own certificates may not be a good option if the SSL client is an internet facing application like a browser.)
ii) Also obtain the certificate of the authority who is providing your SSL certificate (root certificate). (You can do this by opening your SSL certificate in Windows and exporting the root certificates from the certificate dialogue.)
iii) Generate the Keystore file using the private key and public key (step i) either in JKS or PKCS12 (.pfx) formats using Keytool (which ships with JDK).
iv) Create a Truststore file using the root certificates (obtained in step ii) using the Keytool.
iv) Create Keystore alias in admin console through Security => Keystore => Create Keystore alias selecting the Keystore file which you created in step iii.
v) Create Truststore alias in admin console through Security => Keystore => Create Truststore alias selecting the Truststore file which you created in step iv.
vi) For mutual SSL you have to obtain the below certificates from client.
a. Client SSL Certificate
b. Certificate of the CA which is issuing your client certificate
vii) Create a user through Security => User Management granting him the access which he needs to access the resources over SSL link.
viii) Configure your client certificates (obtained in step vi) through Security => Certificates => Configure Client Certificates assigning it to the user which you created in step vii and choosing SSL Authentication in usage.
ix) Create an SSL Port through Security => Port => Add Port => webMethods/HTTPS using the Keystore and Truststore aliases created in the above steps. Choose whether to Deny by Default/Allow by Default based on your requirements. If you choose Deny by Default, the resources which you want to expose over the port have to be added to the Allow List.
x) Enable the port and share your SSL certificate and the Certificate of your signing CA (root certificate) with your client and you are all set to go…
Hope this helps…
Regards,
Raviteja.
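
Steps iii and iv of the post above, sketched as an added example that is not part of the original post: it builds a PKCS12 keystore and a JKS truststore and checks them before they are uploaded as aliases. The throwaway CA, the subject names, the aliases `isserver` and `rootca`, the file names and the `STORE_PASS` variable are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. All names, subjects and files below are constructed test values.
# Needs openssl and a JDK keytool on PATH; the store password is read from the
# STORE_PASS environment variable so it does not show up in the process list.

# build_stores DIR: throwaway root CA + server certificate, then the two stores.
build_stores() {
  dir=$1
  mkdir -p "$dir" || return 1
  # Stand-in for steps i and ii (a real setup uses the files issued by the CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=is.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/server.csr" -days 30 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.crt" 2>/dev/null || return 1
  # Step iii: keytool cannot import a bare PEM private key, so bundle the key,
  # the certificate and its chain into PKCS12 with openssl.
  openssl pkcs12 -export -name isserver \
    -inkey "$dir/server.key" -in "$dir/server.crt" -certfile "$dir/ca.crt" \
    -passout env:STORE_PASS -out "$dir/server.p12" || return 1
  # Step iv: truststore that contains only the root certificate.
  keytool -importcert -noprompt -alias rootca -file "$dir/ca.crt" \
    -keystore "$dir/trust.jks" -storetype JKS \
    -storepass:env STORE_PASS >/dev/null 2>&1 || return 1
  chmod 600 "$dir/ca.key" "$dir/server.key" "$dir/server.p12"
}

# check_stores DIR: succeeds only if the keystore holds a private-key entry,
# the truststore holds a trusted-certificate entry, and the server
# certificate chains to the root that went into the truststore.
check_stores() {
  keytool -list -keystore "$1/server.p12" -storetype PKCS12 \
    -storepass:env STORE_PASS 2>/dev/null | grep -q 'PrivateKeyEntry' || return 1
  keytool -list -keystore "$1/trust.jks" -storetype JKS \
    -storepass:env STORE_PASS 2>/dev/null | grep -q 'trustedCertEntry' || return 1
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Usage: STORE_PASS=... sh thisfile.sh OUTPUT_DIR
if [ $# -gt 0 ]; then build_stores "$1" && check_stores "$1"; fi
```

A keystore that lists only `trustedCertEntry` has lost its private key and cannot serve as the server identity on the HTTPS port, which is the failure `check_stores` is meant to catch before the alias is created.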