Does DLP support "Mutual Authentication" for TLS communications?
Article ID: 220544


Data Loss Prevention Enforce


This article answers questions about whether DLP uses mTLS (mutual TLS).

Firstly, "mTLS" is simply a more recent term for what has previously been called "mutual authentication" or "mutual TLS"; see the Wikipedia article on this topic.



Release : 15.8

DLP comes out of the box with default mechanisms to ensure secure communications between servers. Deploying DLP to Endpoint Agents also uses mutual authentication.


  1. Some of the DLP communications that use TLS:
    1. Enforce Server <-> Detection Server: Uses mutual authentication via self-signed certificates generated with SSLKEYTOOL, which is run from the command line as described in the documentation.
    2. Endpoint Server <-> Endpoint Agents: Uses DLP's self-signed CA mechanism, where each Agent Package has its own certificate as configured via the Enforce Server.
  2. "If yes (i.e., only authenticated with client certs), how are the certifications issued to limit excessive access?"
    • As above, each of the certificates used for mutual authentication is configured by DLP administrators; the Detection Servers and Endpoint Agents (or their users) require no secondary authentication once set up.