Configuring Mutual Authentication

To use mutual authentication, the server and agents must exchange keys. You export the server key (as a certificate) and import it into the agent keystore, then reverse the process by exporting the agent key and importing it into the server keystore. When using an agent relay, the relay must swap certificates with the server and with the remote agents that will use the relay.

Property Settings Required Before Exchanging Keys

Before exchanging keys, ensure that the following properties are set:

Property	Location	Value
server.jms.mutualAuth	in the server's server_install/conf/server/installed.properties file	true
For each agent: locked/agent.mutual_auth	in the agent's agent_install\conf\agent\installed.properties file	true
For each agent relay: agentrelay.jms_proxy.secure	in the relay's relay_install\conf\agentrelay.properties file	true
For each agent relay: agentrelay.jms_proxy.mutualAuth	in the relay's relay_install\conf\agentrelay.properties file	true

Property

Location

Value

server.jms.mutualAuth

in the server's server_install/conf/server/installed.properties file

true

For each agent:

locked/agent.mutual_auth

in the agent's agent_install\conf\agent\installed.properties file

true

For each agent relay:

agentrelay.jms_proxy.secure

in the relay's relay_install\conf\agentrelay.properties file

true

For each agent relay:

agentrelay.jms_proxy.mutualAuth

in the relay's relay_install\conf\agentrelay.properties file

true

To exchange keys:

Open a shell and navigate to the server installation conf directory.

Run:

keytool -export -keystore server.keystore -storepass changeit
-alias server -file server.crt

Copy the exported file (certificate) to the local agent/agent relay installation conf directory.

Import the file by running from within the agent's conf directory (or agent relay's jms-relay directory):

keytool -import -keystore ud.keystore -storepass changeit
-alias server -file server.crt -keypass changeit -noprompt

You should see the Certificate was added to keystore message.

NOTE

For agent relays, replace ud.keystore with the name of the relay's keystore–agentrelay.keystore

For each local agent or agent relay , export the key by running the following (change the name of the file argument to match the agent name):

keytool -export -keystore ud.keystore -storepass changeit

-alias ud_agent -file [agent_name].crt

You should see the message:

Certificate stored in file agent_name.crt.

NOTE

For agent relays, replace ud.keystore with the name of the relay's keystore–agentrelay.keystore

Copy the exported file to the server's conf directory.

From within the server's conf directory, import each certificate by running the following command (change the name of the file argument and alias to match the certificate's name):

keytool -import -keystore ud.keystore -storepass changeit

-alias [agent_name] -file [agent_name].crt -keypass changeit -noprompt

You should see the Certificate was added to keystore message.

Restart the server and agents/agent relays.

To connect an agent relay with the remote agents that will use it, swap certificates as explained above: each remote agent must import the certificate for the relay it will use, and the relay must import the certificate from each remote agent that will use it. Agents using relays do not have to swap certificates with the server.

To list the certificates loaded into a keystore, run the following from within the keystore directory:

keytool -list -keystore ud.keystore -storepass changeit