Configure SSL mutual authentication

This topic provides an overview of SSL mutual authentication and explains how to set up mutual authentication between a Deployment Automation server and its agents.

SSL overview

SSL (Secure Socket Layer) technology enables clients and servers to communicate securely by encrypting all communications. Data is encrypted before being sent, and decrypted by the recipient so that communications cannot be deciphered or modified by third-parties.

Deployment Automation enables the server to communicate with its agents using SSL in mutual authentication mode.

Back to top

Mutual authentication overview

In mutual authentication mode, communications are encrypted as usual, but users are also required to authenticate themselves by providing digital certificates. A digital certificate is a cryptographically signed document intended to assure others as to the identity of the certificate's owner. Deployment Automation certificates are self-signed.

Note: Make sure to set the server and agent properties before configuring mutual authentication and exchanging keys.

When mutual authentication mode is active, Deployment Automation uses it for JMS-based server/agent communication. In this mode, the Deployment Automation server provides a digital certificate to each agent, and each agent provides one to the server.

To activate mutual authentication, the Deployment Automation server provides a digital certificate to each local agent and agent relay, and each local agent and agent relay provides one to the server.

Agent relays, in addition to swapping certificates with the server, must swap certificates with the remote agents that use the relay. Remote agents do not have to swap certificates with the server, only with the agent relay they will use to communicate with the server.

You can implement mutual authentication during installation or activate it afterward.

Note: When using mutual authentication mode, you must turn it on for the server, agents, and agent relays. Otherwise, they will not be able to connect to one another. If one party uses mutual authentication mode, all other parties must use it as well.

Back to top

Set up mutual authentication

You can set up mutual authentication mode between a server and agents, or between a server, agent relay, and agents.

To configure mutual authentication, follow these procedures in order:

  1. Set properties for mutual authentication

  2. Add an alias to an agent

  3. Add an alias to an agent relay

  4. Configure mutual authentication between a server and agent

  5. Configure mutual authentication between a server, an agent relay, and agents

Back to top

See also: