Once a JetPatch Connector is deployed to an endpoint server, it initiates TLS-secured HTTPS communication with the Connector, as a preferred form of communication.
Each connector uses a self-generated identity token to authenticate itself to the JetPatch server. The token is registered once with the server (through the TLS-secured channel), and used from that point on in all communications. The JetPatch server routinely cross-checks this identity token with server meta-information such as MAC addresses, to identify and handle cases where endpoint identity has changed, e.g. when an endpoint has been cloned. In such cases, the JetPatch server may ask the JetPatch Connector to re-establish its identity by registering a new identity token.
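The registration and clone-detection flow described above, modelled as a small Python example added here (not JetPatch's own code); the MAC addresses, the verdict strings and the use of a random hex token are constructed assumptions for illustration.

```python
import secrets


class ConnectorRegistry:
    """Server-side view: maps each registered identity token to the MAC seen at registration."""

    def __init__(self):
        self._mac_by_token = {}

    def register(self, token, mac):
        # A token is registered once; refuse to rebind an existing token to another endpoint.
        if token in self._mac_by_token and self._mac_by_token[token] != mac:
            return "conflict"
        self._mac_by_token[token] = mac
        return "registered"

    def check_in(self, token, mac):
        # Cross-check the presented token against endpoint meta-information (here: MAC).
        if token not in self._mac_by_token:
            return "unknown-token"          # never registered: must register first
        if self._mac_by_token[token] == mac:
            return "ok"
        return "re-register"                # identity changed (e.g. cloned VM): ask for a new token


class Connector:
    """Endpoint side: generates its own identity token and re-establishes it on request."""

    def __init__(self, mac, token=None):
        self.mac = mac
        self.token = token or secrets.token_hex(16)   # self-generated identity token

    def clone(self, new_mac):
        # A cloned endpoint carries the same token but appears with a different MAC.
        return Connector(new_mac, token=self.token)

    def rotate_token(self):
        self.token = secrets.token_hex(16)


def simulate_clone_scenario():
    """Return the sequence of server verdicts for an original endpoint and its clone."""
    server = ConnectorRegistry()
    original = Connector("00:11:22:33:44:55")           # constructed sample MAC
    events = [server.register(original.token, original.mac),   # registered
              server.check_in(original.token, original.mac)]   # ok
    clone = original.clone("00:11:22:33:44:66")          # constructed sample MAC
    verdict = server.check_in(clone.token, clone.mac)    # re-register: same token, new MAC
    events.append(verdict)
    if verdict == "re-register":
        clone.rotate_token()                             # connector re-establishes identity
        events.append(server.register(clone.token, clone.mac))
    events.append(server.check_in(clone.token, clone.mac))        # ok with new token
    events.append(server.check_in(original.token, original.mac))  # original unaffected
    return events
```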
The connector can check the validity of the server certificate used by the JetPatch server, in order to defend against Man-in-the-Middle (MitM) attacks. To support this, one or more root CA certificates must be provided to the JetPatch Connector during its deployment, through JetPatch server configuration. To configure this on the JetPatch server, follow the steps below:
Create Cert and Key
1. Find the Java keystore on the JetPatch server
find ./ -name 'keytool*'
2. Use the Java keytool to generate a new SSL certificate
3. Copy the cert and key generated to:
Secure JetPatch Server Communication
1. Open the following file for editing:
2. Change the following parameters, "ssl_certificate" and "ssl_certificate_key", to the crt and key you generated:
ssl_certificate intigua-sslcert/secure_intigua.crt;
ssl_certificate_key intigua-sslcert/secure_intigua.key;
3. After changing the file, save it and restart the nginx service with the command:
service nginx restart
Secure Connector Communication
1. Open the following file for editing:
2. Set the value of the following key to the path to the certificate:
3. Restart the Tomcat service
Now, all subsequent and current Connector deployments will enforce the new certificate.
Note: To disable this server certificate validation (authentication of the JetPatch server by the connector), remove the ssl.certificate.path value from the above configuration.
See https://tecadmin.net/enable-tls-with-nginx/ for more information.