As a best practice, connect the TIE and ATD Servers using a secured internal network.
File sample submission from the TIE Server to ATD uses a Transport Layer Security (TLS) connection. TLS alone only encrypts the session; unless the TIE Server validates the ATD certificate, it does not authenticate the ATD endpoint it is sending samples to. To enforce authentication of ATD on the TLS connection, do the following:
- Upload the certificates signed by the public Certificate Authority (CA) to ATD.
- Enable the Enforce Certificate Validation policy on the TIE Server.
For a list of trusted CAs, see the OpenJDK 1.8 documentation at: http://openjdk.java.net/.
For instructions on how to upload certificates to ATD, see the "Upload Web Server certificate and CA certificate" section in the Advanced Threat Defense Product Guide.
NOTE: As an alternative to using a public CA, TIE Server allows you to install locally trusted CA certificates or use the certificates provided through ATD by default.
Follow the steps in this article if:
- Your ATD servers are using the self-signed certificate provided by default in ATD.
- Your ATD servers are using a certificate signed by a custom CA.
Do not follow the steps in this article if your ATD servers are using a certificate signed by a public CA that Java recognizes as such.
Before you begin:
- Run the following commands as root.
- Run the following commands before you enable the 'Enforce Certificate Validation' option in the ATD policy, and do not restart the TIE Server.
- If you have a Primary-Secondary server configuration, repeat the following steps on the Primary and on every Secondary instance of your appliances, because each appliance keeps its own truststore.
NOTE: As of TIE Server version 2.1.0, the naming convention for Master and Slave operations changed to Primary and Secondary. For example:
Master becomes Primary
Slave becomes Secondary
Previous versions of TIE Server retain the original Master/Slave designations.
- The ATD Java truststore is at: /var/McAfee/tieserver/keystore/atd_servers_truststore.jks
Enforce Certificate Validation
- Download the certificate of each ATD server that you configured in the ATD policy. The command stores only the certificate that the server presents (the leaf certificate), so repeat it with a distinct file name for every ATD server, and repeat the whole procedure whenever an ATD certificate is renewed:
echo | openssl s_client -connect <ATD_SERVER_IP>:443 2>/dev/null | openssl x509 -outform der -out /var/McAfee/tieserver/keystore/atd_server_1.der
- Add the ATD certificates to the Java truststore, one alias per server (keytool refuses to import a certificate under an alias that already exists, so delete the old alias first when re-importing a renewed certificate). keytool reads the token that follows -storepass as the truststore password, so the same token must be passed to every keytool command that opens this truststore; the leading yes | answers the "Trust this certificate?" prompt:
yes | /opt/McAfee/tieserver/jre/bin/keytool -import -file /var/McAfee/tieserver/keystore/atd_server_1.der -alias atd_server_1 -storepass -noprompt -keystore /var/McAfee/tieserver/keystore/atd_servers_truststore.jks
- Change ownership and permissions on the ATD truststore so that only the TIE Server service account can read it:
chown mfetie:mfetie /var/McAfee/tieserver/keystore/atd_servers_truststore.jks; chmod 600 /var/McAfee/tieserver/keystore/atd_servers_truststore.jks
- (Optional) Verify that the certificates are added correctly. Check that one entry per ATD server is listed and that the SHA fingerprints match the certificates you downloaded:
/opt/McAfee/tieserver/jre/bin/keytool -keystore /var/McAfee/tieserver/keystore/atd_servers_truststore.jks -list -v -storepass -noprompt
- Enable the Enforce Certificate Validation option in the ATD policy tab.
- In ePolicy Orchestrator, issue an agent wake-up call with policy enforcement to the TIE Servers so that the updated policy is applied.
NOTE: If the ATD Java truststore is placed in a location other than /var/McAfee/tieserver/keystore/atd_servers_truststore.jks, you must update the property atd.certificates.keyStore.file in /opt/McAfee/tieserver/conf/tie.properties to reflect the new location.
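The procedure above, carried out for all ATD servers in the policy in one pass, as an added example script. This is not McAfee's own tooling; it assumes the paths, the mfetie account and the property name atd.certificates.keyStore.file as stated in this article, that tie.properties uses key = value lines, and that the truststore password is the same token (-noprompt) that follows -storepass in the article's keytool commands; change STOREPASS if your truststore uses a different password. It also handles two things the bare commands do not: it honours a relocated truststore configured in tie.properties, and it replaces an existing alias so the script can be re-run after an ATD certificate is renewed. Run it as root on the Primary and on every Secondary, before enabling Enforce Certificate Validation.

```shell
#!/bin/sh
# Added example (not McAfee code): import the TLS certificate of each ATD
# server into the TIE Server's ATD truststore, one alias per server, then
# lock down and verify the truststore. Usage:
#   ./tie_atd_trust.sh 10.0.0.11 10.0.0.12   (one argument per ATD server)
set -eu

KEYTOOL=/opt/McAfee/tieserver/jre/bin/keytool
KEYSTORE_DIR=/var/McAfee/tieserver/keystore
TIE_PROPERTIES=/opt/McAfee/tieserver/conf/tie.properties
DEFAULT_TRUSTSTORE=$KEYSTORE_DIR/atd_servers_truststore.jks
# Assumption: password token as used after -storepass in the article's commands.
STOREPASS=-noprompt

# Resolve the truststore path: tie.properties may override the default through
# atd.certificates.keyStore.file (article NOTE). Takes an optional properties
# file path so the lookup can be exercised against a constructed file.
truststore_path() {
    props=${1:-$TIE_PROPERTIES}
    configured=""
    if [ -r "$props" ]; then
        configured=$(sed -n 's/^[[:space:]]*atd\.certificates\.keyStore\.file[[:space:]]*=[[:space:]]*//p' "$props" \
            | tr -d '\r' | tail -n 1)
    fi
    printf '%s\n' "${configured:-$DEFAULT_TRUSTSTORE}"
}

# Alias for the Nth ATD server, following the article's atd_server_1 naming.
server_alias() { printf 'atd_server_%d\n' "$1"; }

# Download the leaf certificate an ATD server presents on 443, in DER form.
# Fails if nothing was received instead of leaving an empty file for keytool.
fetch_cert() {   # fetch_cert <host> <out.der>
    echo | openssl s_client -connect "$1:443" 2>/dev/null \
        | openssl x509 -outform der -out "$2"
    [ -s "$2" ] || { echo "no certificate received from $1" >&2; return 1; }
}

# Import one certificate under its alias. keytool refuses to import over an
# existing alias, so an old entry (a renewed ATD certificate) is deleted first.
import_cert() {   # import_cert <truststore> <alias> <cert.der>
    if [ -f "$1" ] && "$KEYTOOL" -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1; then
        "$KEYTOOL" -delete -keystore "$1" -storepass "$STOREPASS" -alias "$2"
    fi
    "$KEYTOOL" -import -noprompt -keystore "$1" -storepass "$STOREPASS" -alias "$2" -file "$3"
}

# Only the TIE Server service account may read the truststore.
secure_truststore() { chown mfetie:mfetie "$1"; chmod 600 "$1"; }

# Confirm every expected alias is present; reports the missing ones.
verify_aliases() {   # verify_aliases <truststore> <alias>...
    store=$1; shift
    missing=0
    for a in "$@"; do
        "$KEYTOOL" -list -keystore "$store" -storepass "$STOREPASS" -alias "$a" >/dev/null 2>&1 \
            || { echo "missing alias: $a" >&2; missing=1; }
    done
    return $missing
}

main() {   # main <ATD_SERVER_IP>...
    store=$(truststore_path)
    n=0; aliases=""
    for host in "$@"; do
        n=$((n + 1))
        alias=$(server_alias "$n")
        der=$KEYSTORE_DIR/$alias.der
        fetch_cert "$host" "$der"
        # Print the fingerprint so it can be compared with keytool -list -v output.
        echo "$host -> $alias: $(openssl x509 -inform der -in "$der" -noout -fingerprint -sha256)"
        import_cert "$store" "$alias" "$der"
        aliases="$aliases $alias"
    done
    secure_truststore "$store"
    verify_aliases "$store" $aliases
    echo "Truststore $store ready: enable Enforce Certificate Validation in the ATD policy and wake up the TIE Server agents."
}

# Run only when ATD server addresses are given, so sourcing the file just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

The sed pattern only understands the key = value form; if tie.properties uses the key:value form that Java also accepts, adjust the expression before relying on the override.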