The file sample submission from TIE Server to ATD uses a Transport Layer Security (TLS) connection. To enforce the authentication on TLS connection, do the following:

1. Upload the certificates signed by the public Certificate Authority (CA) to ATD.
2. Enable the Enforce Certificate Validation policy on the TIE Server.

For a list of trusted CAs, see the OpenJDK 1.8 documentation at: http://openjdk.java.net/.

For instructions on how to upload certificates to ATD, see the "Upload Web Server certificate and CA certificate" section in the Advance Threat Defense Product Guide.

NOTE: As an alternative to using a public CA, TIE Server allows you to install locally trusted CA certificates or use the certificates provided through ATD by default.

Follow the steps in this article if:

• Your ATD servers are using the self-signed certificate provided by default in ATD.
• Your ATD servers are using a certificate signed by a custom CA.

Do not follow the steps in this article if your ATD servers are using a certificate signed by a public CA, recognized by Java as such.

Before you begin:

• Run the following commands as root.
• Run the following commands before you enable the 'Enforce Certificate Validation' option in the ATD policy, and do not restart the TIE Server.
• If you have a Primary-Secondary server configuration, repeat the following steps in the Primary and all Secondary instances of your appliances.
  
  NOTE: As of TIE Server version 2.1.0, the naming convention for Master and Slave operations changed to Primary and Secondary. For example:

  Master becomes Primary
  Slave becomes Secondary

  Previous versions of TIE Server retain the original Master/Slave designations.
   
• The ATD Java truststore is at: /var/McAfee/tieserver/keystore/atd_servers_truststore.jks

Enforce Certificate Validation

1. Download the certificates for ATD server that you configured in the policies:
   
   echo | openssl s_client -connect <ATD_SERVER_IP>:443 2>/dev/null | openssl x509 -outform der -out /var/McAfee/tieserver/keystore/atd_server_1.der
    
2. Add the ATD certificates to the Java truststore:
   
   yes | /opt/McAfee/tieserver/jre/bin/keytool -import -file /var/McAfee/tieserver/keystore/atd_server_1.der -alias atd_server_1 -storepass -noprompt -keystore /var/McAfee/tieserver/keystore/atd_servers_truststore.jks
    
3. Change ownership and permissions on ATD truststore:
   
   chown mfetie:mfetie /var/McAfee/tieserver/keystore/atd_servers_truststore.jks; chmod 600 /var/McAfee/tieserver/keystore/atd_servers_truststore.jks
    
4. (Optional) Verify that the certificates are added correctly:
   
   /opt/McAfee/tieserver/jre/bin/keytool -keystore /var/McAfee/tieserver/keystore/atd_servers_truststore.jks -list -v -storepass -noprompt
    
5. Enable the Enforce Certificate Validation option in the ATD policy tab.
6. Issue a Wake up Agents enforcing policies under ePolicy Orchestrator for TIE Servers.

NOTE: If the ATD Java Truststore is placed in a location other than /var/McAfee/tieserver/keystore/atd_servers_truststore.jks, you must update the property atd.certificates.keyStore.file in /opt/McAfee/tieserver/conf/tie.properties to reflect the new location.