# Mutual Authentication: Server, Agent Relay, and Agents

These instructions are for configuring mutual authentication for a server, agent relays, and agents that communicate with the server through agent relays. Make sure your server and agents are not running before you start this configuration.

To configure mutual authentication between a server, agent relay, and agents:

1. Open a shell and navigate to the server installation location \conf directory. For example:
`.serena\ra\conf`
2. Export the server key as a certificate by running:
```keytool -export -keystore server.keystore -storepass changeit
-alias server -file server.crt```

You should see the message:

`Certificate stored in file server.crt`
3. Copy the exported server.crt (certificate file) to the agent relay [install_location]\[agentrelay_name]\conf\jms-relay directory.

where [agent-relay_name] is the unique name you gave the agent relay during install.

4. From within the agent relay directory:
`[install_location]\[agent-relay_name]\conf\jms-relay`

import the server.crt file by running:

```keytool -import -keystore agentrelay.keystore -storepass changeit
-alias server -file server.crt -keypass changeit -noprompt```

You should see the message:

`Certificate was added to keystore`
Important: Before you can export an agent relay key, you must first add an alias to the agent relay. See Adding an Alias to an Agent Relay.
5. From within the agent relay directory:
`[install_location]\[agent-relay_name]\conf\jms-relay`

export the agent relay key as a certificate by running:

```keytool -export -keystore agentrelay.keystore -storepass changeit
-alias [agent-relay_alias] -file [agent-relay_name].crt```

You should see the message:

` Certificate is stored in file [agent-relay_name].crt`
6. Copy the exported [agent-relay_name].crt (certificate file) to the server installation location .serena\ra\conf directory.
7. From within the server's install location .serena\ra\conf directory, import the [agent-relay_name].crt file by running:
```keytool -import -keystore server.keystore -storepass changeit
-alias [agent-relay_alias] -file [agent-relay_name].crt
-keypass changeit -noprompt```

You should see the message:

`Certificate was added to keystore`
8. For an agent that is configured to connect to the agent relay, copy the exported [agent-relay_name].crt (certificate file) to the agent [install_location]\[agent_name]\conf directory.

where [agent_name] is the unique name you gave the agent during install.

9. From within the agent's [install_location]\[agent_name]\conf directory, import the [agent-relay_name].crt file by running:
```keytool -import -keystore sra.keystore -storepass changeit
-alias [agent-relay_alias] -file [agent-relay].crt
-keypass changeit -noprompt```

You should see the message:

`Certificate was added to keystore`
10. From within the agent's [install_location]\[agent_name]\conf directory, export the agent key as a certificate by running:
```keytool -export -keystore sra.keystore -storepass changeit
-alias [agent_alias] -file [agent_name].crt```

You should see the message:

` Certificate is stored in file [agent_name].crt`
Important: Before you can export an agent's certificate key, you must first add an alias to the agent. See Adding an Alias to an Agent.
11. Copy the exported [agent_name].crt (certificate file) to the agent relay [install_location]\[agent-relay_name]\conf\jms-relay\ directory.
12. From within the agent relay [install_location]\[agent-relay_name]\conf\jms-relay directory, import the [agent_name].crt file by running:
```keytool -import -keystore agentrelay.keystore -storepass changeit
-alias [agent_alias] -file [agent_name].crt -keypass changeit -noprompt```

You should see the message:

`Certificate was added to keystore`
13. To configure another agent that communicates with the server through this agent relay, repeat from step 10.
Attention: For each agent, make sure you change the name of the -alias argument [agent_alias], and the -file argument [agent_name].
14. Restart the server, agent relay, and agents.