Once a JetPatch Connector is deployed to an endpoint server, it initiates TLS-secured HTTPS communication with the JetPatch server as its preferred form of communication.
Each connector uses a self-generated identity token to authenticate itself to the JetPatch server. The token is registered once with the server (through the TLS-secured channel) and is used from that point on in all communications. The JetPatch server routinely cross-checks this identity token against endpoint meta-information such as MAC addresses, to identify and handle cases where the endpoint's identity has changed, e.g. when an endpoint has been cloned. In such cases, the JetPatch server may ask the JetPatch Connector to re-establish its identity by registering a new identity token.
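The token cross-check described above, modelled as an added example (this is not JetPatch code): the connector self-generates a token, the server binds it to the endpoint's MAC addresses on first registration, and later checks flag a mismatch so the server can request re-identification. The class, return strings and MAC normalisation are assumptions made for the illustration.

```python
"""Server-side identity-token cross-check against endpoint MAC addresses.

Hypothetical model, not JetPatch code: illustrates the register-once,
cross-check, re-establish flow described in the text.
"""
import secrets


def generate_identity_token() -> str:
    # Connector side: an unguessable, self-generated identity token.
    return secrets.token_urlsafe(32)


def _norm(macs):
    # Compare MAC addresses case- and separator-insensitively.
    return frozenset(m.lower().replace("-", ":") for m in macs)


class ConnectorRegistry:
    """Server side: bindings of identity token -> endpoint metadata."""

    def __init__(self):
        self._bindings = {}  # token -> frozenset of MAC addresses

    def register(self, token: str, macs) -> bool:
        # A token is registered once; rebinding an existing token to other
        # hardware is refused so a copied token cannot take over a record.
        if token in self._bindings and self._bindings[token] != _norm(macs):
            return False
        self._bindings[token] = _norm(macs)
        return True

    def check(self, token: str, macs) -> str:
        """Return 'ok', 'unknown-token' or 're-register'."""
        known = self._bindings.get(token)
        if known is None:
            return "unknown-token"
        if _norm(macs) == known:
            return "ok"
        return "re-register"  # metadata changed, e.g. a cloned endpoint

    def reestablish(self, old_token: str, new_token: str, macs) -> bool:
        # Server-requested re-identification: bind a fresh token to the
        # hardware now seen. The old token stays valid for the original
        # endpoint, whose MAC addresses still match it.
        if old_token not in self._bindings or new_token in self._bindings:
            return False
        self._bindings[new_token] = _norm(macs)
        return True
```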
The connector can validate the server certificate presented by the JetPatch server, in order to defend against Man-in-the-Middle (MitM) attacks. To support this, one or more root CA certificates must be provided to the JetPatch Connector during its deployment, through JetPatch server configuration. To configure this on the JetPatch server, follow the steps below:
- Create a new Java keystore using Java keytool
find ./ -name 'keytool*'
- Copy an SSL certificate to the JetPatch server, to:
- Open the following file for editing:
- Set the value of the following key to the path to the certificate:
Now, all subsequent Connector deployments will enforce authentication. Currently deployed connectors will need to be re-deployed to pick up this change.
Note: To subsequently disable authentication, remove the ssl.certificate.path value from the above configuration.
See https://tecadmin.net/enable-tls-with-nginx/ for more information.