SSL configuration
With Secure Sockets Layer (SSL) technology, clients and servers can communicate securely by encrypting all communications. Data is encrypted before it is sent and decrypted by the recipient. This communication cannot be deciphered or modified by third parties. In addition to encryption, SSL can also support authentication.
IBM® UrbanCode® Deploy servers and agents communicate via HTTP and Java™ Message Service (JMS) protocols. JMS is used for basic commands and information that is exchanged between the server and an agent. Typically, HTTP is used for file transfers between the server and an agent. For example, HTTP is used when an agent is downloading a new plug-in, or when an agent is uploading or downloading version artifacts.
For JMS connections, IBM UrbanCode Deploy supports communication via SSL in two modes: unauthenticated and mutual authentication. In unauthenticated mode, communication is encrypted but users do not have to authenticate or verify their credentials. SSL unauthenticated mode can also be used for HTTP communication. You can implement this mode for HTTP communication during server, agent, or agent relay installation. You can also activate it afterward.
IBM UrbanCode Deploy automatically uses SSL in unauthenticated mode for JMS-based communications between the server and agents. You cannot disable SSL in unauthenticated mode, but you can enable mutual authentication for JMS-based server-agent communication. Because agent relays do not automatically activate SSL security, you must turn on SSL security when you install an agent relay or at least before you connect to the relay. Without SSL security active, agent relays cannot communicate with the server or remote agents.
Mutual authentication is not needed with web agents and is therefore deprecated starting in IBM UrbanCode Deploy version 7.0.0.
In mutual authentication mode, servers, local agents, and agent relays each provide a digital certificate to one another. A digital certificate is a cryptographically signed document that is intended to assure others about the identity of the certificate's owner. IBM UrbanCode Deploy certificates are self-signed. When mutual authentication mode is active, IBM UrbanCode Deploy uses it for HTTP-based server, local agent, and agent relay communication.
In mutual authentication mode, the IBM UrbanCode Deploy server provides a digital certificate to each local agent and agent relay, and each local agent and agent relay provides one to the server. Agent relays, in addition to swapping certificates with the server, must swap certificates with the remote agents that use the relay. Remote agents do not have to swap certificates with the server, just with the agent relay that they use to communicate with the server. This mode can be implemented during installation or activated afterward.
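The certificate exchange rules above can be checked against a deployment with a short script. The following is an added example, not IBM UrbanCode Deploy code: it models each trust store as a set of certificate-owner labels, and the class, function, and host names are hypothetical.

```python
"""Audit certificate exchange for mutual authentication mode (added example).

Trust stores are modelled as plain sets of certificate-owner labels, not real
keystores. All names below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Topology:
    server: str
    local_agents: list = field(default_factory=list)
    # relay name -> remote agents that reach the server through that relay
    relays: dict = field(default_factory=dict)


def required_trust(topo):
    """Return the (store_owner, trusted_cert_owner) pairs the rules imply."""
    pairs = set()

    def swap(a, b):  # each side imports the other's certificate
        pairs.update({(a, b), (b, a)})

    for agent in topo.local_agents:
        swap(topo.server, agent)
    for relay, remotes in topo.relays.items():
        swap(topo.server, relay)
        for remote in remotes:
            swap(relay, remote)  # remote agents swap with their relay only
    return pairs


def audit(topo, stores):
    """Compare actual stores (owner -> set of trusted owners) with the plan."""
    actual = {(owner, cert) for owner, certs in stores.items() for cert in certs}
    needed = required_trust(topo)
    return {"missing": sorted(needed - actual),
            "not_required": sorted(actual - needed)}


# Constructed sample: one local agent, one relay fronting two remote agents.
TOPO = Topology("server", ["agent-local"], {"relay-1": ["agent-r1", "agent-r2"]})
STORES = {
    "server": {"agent-local", "relay-1", "agent-r1"},  # agent-r1 not required
    "agent-local": {"server"},
    "relay-1": {"server", "agent-r1"},                 # agent-r2 is missing
    "agent-r1": {"relay-1"},
    "agent-r2": {"relay-1"},
}

if __name__ == "__main__":
    for kind, pairs in audit(TOPO, STORES).items():
        for owner, cert in pairs:
            print(f"{kind}: trust store of {owner} -> certificate of {cert}")
```

A "missing" entry means that pair cannot complete mutual authentication; a "not_required" entry is trust that the exchange rules do not call for and that can be reviewed for removal.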