Once a JetPatch Connector is deployed to an endpoint server, it initiates TLS-secured HTTPS communication with the JetPatch server as its preferred form of communication.
Each connector uses a self-generated identity token to authenticate itself to the JetPatch server. The token is registered once with the server (through the TLS-secured channel), and used from that point on in all communications. The JetPatch server routinely cross-checks this identity token with server meta-information such as MAC addresses, to identify and handle cases where endpoint identity has changed, e.g. when an endpoint has been cloned. In such cases, the JetPatch server may ask the JetPatch Connector to re-establish its identity by registering a new identity token.
The connector can check the validity of the server certificate presented by the JetPatch server, in order to defend against Man-in-the-Middle (MitM) attacks. To support this, one or more root CA certificates must be provided to the JetPatch Connector during its deployment, through the JetPatch server configuration. To configure this on the JetPatch server, follow the steps below:
Create Cert and Key
1. Find the Java keytool on the JetPatch server (the glob is quoted so the shell does not expand it before find runs):
find ./ -name 'keytool*'
2. Use the Java keytool to generate a new SSL certificate
3. Copy the cert and key generated to:
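As an added example that is not part of the JetPatch documentation or product, the following script builds a private root CA, issues a server certificate signed by it under the file names the nginx configuration below expects, and then performs the same check a connector performs when it is given that root CA (chain plus hostname). The page's procedure uses the Java keytool; this example substitutes openssl, which it assumes is installed, and every path, hostname and subject name in it is constructed for the example.

```shell
#!/bin/sh
# Example only (not JetPatch's tooling): openssl stands in for keytool here.
set -e

# make_server_cert DIR HOSTNAME
#   Writes DIR/root-ca.crt (the CA handed to connectors), DIR/secure_intigua.key
#   and DIR/secure_intigua.crt (the pair referenced by the nginx configuration).
make_server_cert() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # 1. Private root CA; only its certificate is distributed to the connectors.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/root-ca.key" -out "$dir/root-ca.crt" \
    -subj "/CN=Example JetPatch Root CA" >/dev/null 2>&1
  # 2. Server key and CSR; the hostname goes into the SAN, which is what
  #    hostname verification checks.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/secure_intigua.key" -out "$dir/server.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  # 3. Sign the CSR with the root CA; this is the certificate nginx serves.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/root-ca.crt" \
    -CAkey "$dir/root-ca.key" -CAcreateserial -days 825 \
    -extfile "$dir/san.ext" -out "$dir/secure_intigua.crt" >/dev/null 2>&1
}

# verify_against_ca CA_CERT SERVER_CERT HOSTNAME
#   Succeeds (exit 0) only when SERVER_CERT chains to CA_CERT and is issued for
#   HOSTNAME: a certificate from any other CA, or for another host, is rejected,
#   which is the property that blocks a MitM presenting its own certificate.
verify_against_ca() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
```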
Secure JetPatch Server Communication
1. Open the following file for editing:
2. Change the "ssl_certificate" and "ssl_certificate_key" parameters to point at the crt and key you generated:
ssl_certificate intigua-sslcert/secure_intigua.crt;
ssl_certificate_key intigua-sslcert/secure_intigua.key;
3. Save the file and restart the nginx service with the command:
service nginx restart
Secure Connector Communication
1. Open the following file for editing:
2. Set the value of the following key to the path to the certificate:
3. Restart tomcat
Now all subsequent deployments will enforce the new certificate. Existing deployments will need to be uninstalled and then reinstalled.
Note: To disable authentication of the server certificate, remove the ssl.certificate.path value from the configuration above.
See https://tecadmin.net/enable-tls-with-nginx/ for more information.
Communication with Web Clients
The certificate used for communication with the Connectors is also used to encrypt traffic to the user web clients, so the procedure above applies to web clients as well.
It is recommended to have the certificate signed by a trusted certificate authority (CA) to avoid web-browser warning messages or alerts. The default certificate supplied with the JetPatch installation is a self-signed certificate.
How to manually change a TLS certificate on the Endpoint (Connector)
Before you start: in the sections below, replace 'INTIGUA_ROOT_DIR_PATCH' with the actual path you are using.
1. Create a new directory named "cert"; the new directory path is:
2. FTP the certificate to this path:
3. Rename the new certificate to "certificate.pem"
4. Update the config file: add the new entries to the csclient.cfg file (Intigua/vAgentManager/components/csclient.cfg)
For Linux / Solaris
5. Delete the csclient.cfg.bin file (Intigua/vAgentManager/components/csclient.cfg.bin)
6. Restart the connector