Mutual authentication
With Secure Socket Layer (SSL) technology, clients and servers can communicate securely by encrypting all communications. Data is encrypted before it is sent and decrypted by the recipient, so communications cannot be deciphered or modified by third parties. SSL can be used in two modes:
In unauthenticated mode, communication is encrypted and decrypted, but neither endpoint has to verify the other's credentials. By default, IBM® UrbanCode™ Build uses this mode for its JMS-based server-agent communication.
In mutual authentication mode, communications are encrypted and decrypted, and endpoints are also required to authenticate themselves by providing certificates. A certificate is a cryptographically signed document that is intended to assure others of the identity of the endpoint that uses it. Mutual authentication is enabled on a per-endpoint basis.
When mutual authentication mode is enabled on an endpoint, that endpoint requires the endpoint it communicates with to have a trusted certificate. A certificate is trusted if it is signed by another trusted certificate, such as a certificate authority's certificate, or if it has itself been imported into the endpoint's keystore as a trusted certificate.
When the server has mutual authentication enabled, the certificates that agents use must be signed by a trusted certificate authority or be imported into the server's keystore. The same applies to the agent. The server and the agent do not have to enable mutual authentication together: the setting applies only to the endpoint on which it is enabled and governs how that endpoint accepts the certificates of the endpoints it communicates with.
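To make the per-endpoint rules concrete, the following Go program (an added example, not IBM's or the product's code; Go's crypto/tls stands in for the Java keystores and the JMS transport) runs a server-agent TLS handshake on loopback with constructed self-signed certificates. It shows that a server with mutual authentication enabled accepts only an agent whose certificate was imported into the server's trust store, that a server in the default unauthenticated mode accepts the agent without asking for a certificate, and that the agent verifies the server in every case; the names selfSigned and Connect are assumed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// selfSigned makes a throwaway self-signed certificate (constructed test material) for endpoint cn.
func selfSigned(cn string) (tls.Certificate, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	parsed, _ := x509.ParseCertificate(der) // the form a peer imports into its keystore as trusted
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}
// Connect runs one server-agent TLS handshake on loopback and reports whether the server accepted the agent.
// clientAuth is the server's setting (tls.NoClientCert: unauthenticated default; tls.RequireAndVerifyClientCert:
// mutual authentication); agentCertImported says whether the agent certificate is in the server's keystore.
func Connect(clientAuth tls.ClientAuthType, agentCertImported bool) bool {
	serverCert, serverX509 := selfSigned("server")
	agentCert, agentX509 := selfSigned("agent")
	serverTrust, agentTrust := x509.NewCertPool(), x509.NewCertPool() // each endpoint's trusted certificates
	agentTrust.AddCert(serverX509) // the agent always verifies the server against its own keystore
	if agentCertImported {
		serverTrust.AddCert(agentX509)
	}
	server := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: serverTrust, ClientAuth: clientAuth}
	agent := &tls.Config{Certificates: []tls.Certificate{agentCert}, RootCAs: agentTrust, ServerName: "server"}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return false
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("ok")) // runs the server-side handshake first; nothing is sent if it fails
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), agent)
	if err == nil {
		defer conn.Close()
		_, err = conn.Read(make([]byte, 2)) // an error here means the server rejected the agent
	}
	return err == nil
}
```

With mutual authentication on, Connect returns true only when the agent certificate was imported; with tls.NoClientCert it returns true even when it was not, because the server never asks for one.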
Mutual authentication mode can be implemented during server-agent installation or activated afterward. See Configuring SSL security on Apache Tomcat for information about activating this mode and exchanging certificates between the server and agents.