Overview of the TLS Protocol

The TLS protocol provides three types of authentication:

  • During the first type of authentication, called server authentication, the site initiating the session (PNODE) requests a certificate from its trading partner (SNODE) during the initial handshake. The SNODE returns its ID certificate (read from its KeyStore) and the PNODE authenticates it using one or more trusted root certificates stored in its KeyStore. Root certificates are signed by a trusted source—either a public certificate authority, such as Thawte, or by the trading partner acting as its own CA. If the ID certificate from the SNODE cannot be validated using any root certificate found in the KeyStore, or if the root certificate has expired, the PNODE terminates the session. IBM Connect:Direct® writes entries to the statistics logs of both nodes and the session is aborted.
  • The second type of authentication, called client authentication, is optional. If this option is enabled in the SNODE's IBM Connect:Direct parameters file definition for the PNODE, the SNODE will request a certificate from the PNODE and authenticate it using the information in its KeyStore. If this authentication fails, the SNODE terminates the session and IBM Connect:Direct writes information about the failure to the statistics log of both nodes.
  • The third type of authentication is also optional and consists of validating the certificate common name. This authentication is enabled when the security administrator specifies the common name (CN) expected to be contained in the ID certificate to be validated in its IBM Connect:Direct Parameters file.
    • During the first type of authentication (server authentication), the PNODE compares the common name it has specified for the SNODE in its IBM Connect:Direct Parameters file with the common name contained in the certificate sent by the SNODE. If the comparison fails, that is, the two values are not identical, the PNODE terminates the session, and IBM Connect:Direct writes information about the failure to the statistics logs of both nodes.
    • During the second type of authentication (client authentication), the SNODE compares the common name it has specified for the PNODE in its IBM Connect:Direct Parameters file with the common name contained in the certificate sent by the PNODE. If the comparison fails, that is, the two values are not identical, the SNODE terminates the session, and IBM Connect:Direct writes information about the failure to the statistics logs of both nodes.
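The following Python example is added here to illustrate the three checks described above; it is not IBM Connect:Direct code and does not reproduce its implementation. It uses the standard `ssl` module: `make_context` shows how the mandatory server authentication and the optional client authentication map onto `SSLContext.verify_mode` for each role, and `validate_peer` applies the expiry and exact common-name comparison to the dictionary shape that `SSLSocket.getpeercert()` returns. The certificate dictionary, the role names and the function names are constructed for illustration; file paths are optional parameters so the policy logic can be exercised without key material.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Not a real certificate; all values are made up for illustration.
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Trading Partner"),),
        (("commonName", "snode.partner.example"),),
    ),
    "issuer": ((("commonName", "Example Partner Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def certificate_common_name(cert):
    """Extract the subject CN from a getpeercert()-style dictionary, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_common_name(cert, expected_cn):
    """Exact comparison of the configured CN with the certificate CN.
    No wildcard or SAN matching: the page describes a strict identity check."""
    return certificate_common_name(cert) == expected_cn


def check_validity_period(cert, now=None):
    """True if 'now' (epoch seconds) falls inside notBefore..notAfter."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def validate_peer(cert, expected_cn=None, now=None):
    """Post-handshake checks a node applies to its partner's ID certificate.
    Returns (ok, reason); a False result is where the session would be aborted
    and a statistics-log entry written."""
    if not check_validity_period(cert, now):
        return False, "certificate outside its validity period"
    if expected_cn is not None and not check_common_name(cert, expected_cn):
        return False, "common name mismatch: expected %r, got %r" % (
            expected_cn, certificate_common_name(cert))
    return True, "ok"


def make_context(role, ca_file=None, cert_file=None, key_file=None,
                 require_client_cert=False):
    """Build an SSLContext for a PNODE (TLS client) or SNODE (TLS server).

    PNODE: server authentication is mandatory, so the peer certificate is
           always required and checked against the trusted roots.
    SNODE: client authentication is optional; it is enabled per partner
           (require_client_cert) and then the PNODE's certificate is required.
    """
    if role == "PNODE":
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    elif role == "SNODE":
        ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    else:
        raise ValueError("role must be 'PNODE' or 'SNODE'")

    # Built-in hostname/SAN matching is disabled because the CN check here is
    # an exact compare against a configured name (see validate_peer).
    ctx.check_hostname = False
    if role == "PNODE" or require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED   # peer cert must chain to a trusted root
    else:
        ctx.verify_mode = ssl.CERT_NONE       # SNODE without client authentication

    # Trusted roots (the KeyStore role) and this node's own ID certificate.
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file is not None:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
    print(validate_peer(SAMPLE_PEER_CERT, "snode.partner.example", now))
    print(validate_peer(SAMPLE_PEER_CERT, "other.partner.example", now))
    print(make_context("SNODE", require_client_cert=True).verify_mode)
```

In a real deployment `make_context` would be given the KeyStore material (`ca_file`, `cert_file`, `key_file`), the TLS handshake would perform the chain validation against those roots, and `validate_peer` would be run on `sock.getpeercert()` with the CN taken from the partner's node definition.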