For a couple of days I've been facing an issue while trying to establish connectivity with a web server that exposes a REST API behind an F5 URL, from my application, which is deployed in an OpenShift cluster and uses the Istio service mesh product.

Things were working fine when we were on simple TLS; the issue appeared when we switched to mTLS.

So what we're doing:

Basically we are trying to establish mTLS connectivity from a React application (deployed in the OpenShift cluster) to an IBM FileNet server (which supports mTLS and is outside the cluster).

I followed the Istio docs and am trying to originate TLS from the sidecar (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-tls-origination/).

We have created the mesh resources below as per the docs:

Service entry:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: originate-mtls-for-my-service
spec:
  hosts:
  - my-external-host-name          # placeholder: the FileNet host name the app calls
  ports:
  - number: 80                     # the app talks plain HTTP to this port; the sidecar originates TLS
    name: http-port
    protocol: HTTP
    targetPort: external-host-port # placeholder: must be the numeric TLS port the FileNet server listens on
  - number: external-host-port     # placeholder: same numeric TLS port as targetPort above
    name: https-port
    protocol: HTTPS
  resolution: DNS


Destination rule:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-my-service
spec:
  workloadSelector:
    matchLabels:
      app: my-app-label            # placeholder: label of the React app pods whose sidecar originates mTLS
  host: my-external-host-name      # must match the ServiceEntry host
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 80                 # applies to the plain-HTTP port the app calls, not the TLS target port
      tls:
        mode: MUTUAL
        credentialName: client-credential # this must match the secret created earlier to hold client certs, and works only when DR has a workloadSelector
        sni: my-external-host-name

However, after applying the above configs, the React app (deployed on OCP) can't talk to the external service and we are getting a "403 Forbidden" error.

When we hit the URL with curl from the sidecar proxy we got the response below.

curl -iv FileNet_host:FileNet_port

Connected to FileNet_host:FileNet_port
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.3 (IN), TLS handshake, [no content] (0):
TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
TLSv1.3 (IN), TLS handshake, Request CERT (13):
TLSv1.3 (IN), TLS handshake, Certificate (11):
TLSv1.3 (OUT), TLS handshake, unknown CA (560):
SSL certificate problem: self signed certificate in certificate chain
Closing connection (0)

I tried to find such an issue on the istio/discuss page but couldn't find anything like what I'm facing. If somebody could please look at this and point me in the right direction, that would really help. Thanks in advance!!

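The handshake transcript in the post, as an added example that is not part of the original post or of Istio's own tooling: a small POSIX-shell triage helper that reads a `curl -v` transcript and reports which side aborted the TLS handshake and whether a client certificate was ever presented, plus the cluster-side checks for the sidecar path that a curl run from inside the istio-proxy container does not exercise. The three transcripts are constructed to mirror the one above; the pod, namespace, host, port and certificate file names in `mesh_side_checks` and `reproduce_mtls_handshake` are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Triage helpers for an Istio
# mTLS egress-origination failure. Transcripts below are constructed;
# POD/NS/HOST/port and cert file names are placeholders.

# Reads a `curl -v` transcript on stdin and reports which side aborted.
# A TLS alert the client SENDS (direction OUT) means the client rejected the
# server's chain; an alert the client RECEIVES (IN) after it presented its
# own certificate means the server rejected the client.
classify_handshake_failure() {
  log=$(cat)
  if printf '%s\n' "$log" | grep -Eiq 'SSL certificate problem|\(OUT\), TLS (alert|handshake), unknown CA'; then
    echo client-rejects-server-cert
  elif printf '%s\n' "$log" | grep -Eiq '\(IN\), TLS alert, (unknown CA|bad certificate|certificate required|certificate unknown|handshake failure)'; then
    echo server-rejects-client-cert
  elif printf '%s\n' "$log" | grep -q 'SSL connection using'; then
    echo handshake-ok
  else
    echo unknown
  fi
}

# Did curl present a client certificate at all? After the server's
# "Request CERT (13)", an outbound "Certificate (11)" means one was sent.
# Without --cert/--key curl sends none, so the server side of mTLS is never
# exercised even when the server chain is trusted.
client_cert_sent() {
  log=$(cat)
  if printf '%s\n' "$log" | grep -Eq '\(OUT\), TLS handshake, Certificate \(11\)'; then
    echo yes
  else
    echo no
  fi
}

# Checks against the real cluster (not executed here). curl run inside the
# istio-proxy container bypasses the sidecar's iptables redirect, so it uses
# curl's own CA bundle and never the DestinationRule credentials; these
# commands inspect what Envoy itself was given.
mesh_side_checks() {
  pod=$1; ns=$2; host=$3
  # client cert, key and CA from the secret named in credentialName should be listed
  istioctl proxy-config secret "$pod" -n "$ns"
  # the outbound cluster for the host should carry a tls transport socket with that cert
  istioctl proxy-config cluster "$pod" -n "$ns" --fqdn "$host" -o json
  # Envoy access log: a response flag such as UF marks an upstream connect/TLS failure
  kubectl -n "$ns" logs "$pod" -c istio-proxy | grep -- "$host"
}

# Reproduce the mTLS handshake outside the mesh with the same files that go
# into the client-credential secret (file names are placeholders).
reproduce_mtls_handshake() {
  host=$1; port=$2
  openssl s_client -connect "$host:$port" -servername "$host" \
    -cert client.crt -key client.key -CAfile ca.crt </dev/null
}

# Constructed transcript 1: mirrors the post, client aborts on an untrusted chain.
SAMPLE_CLIENT_SIDE='TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.3 (IN), TLS handshake, Request CERT (13):
TLSv1.3 (IN), TLS handshake, Certificate (11):
TLSv1.3 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: self signed certificate in certificate chain'

# Constructed transcript 2: client trusted the server and sent its cert,
# but the server did not trust the client CA.
SAMPLE_SERVER_SIDE='TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.3 (IN), TLS handshake, Request CERT (13):
TLSv1.3 (IN), TLS handshake, Certificate (11):
TLSv1.3 (OUT), TLS handshake, Certificate (11):
TLSv1.3 (OUT), TLS handshake, Finished (20):
TLSv1.3 (IN), TLS alert, unknown CA (560):
OpenSSL SSL_read: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0'

# Constructed transcript 3: successful mutual handshake.
SAMPLE_OK='TLSv1.3 (IN), TLS handshake, Finished (20):
TLSv1.3 (OUT), TLS handshake, Certificate (11):
TLSv1.3 (OUT), TLS handshake, Finished (20):
SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384'

printf 'post transcript: %s, client cert sent: %s\n' \
  "$(printf '%s\n' "$SAMPLE_CLIENT_SIDE" | classify_handshake_failure)" \
  "$(printf '%s\n' "$SAMPLE_CLIENT_SIDE" | client_cert_sent)"
```

Run against the transcript in the post, the classifier reports `client-rejects-server-cert` and `client cert sent: no`: the alert is outbound and curl itself reports the certificate problem, so it is curl, validating against /etc/pki/tls/certs/ca-bundle.crt, that refused the FileNet chain, and no client certificate was ever offered. That is a different failure from the server rejecting the client certificate, which appears as an inbound alert after the client's own Certificate (11); `mesh_side_checks` is what distinguishes the sidecar's view, since the DestinationRule credentials only apply to traffic that passes through Envoy.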