Is it possible to enable Mutual SSL Authentication between server and device? As per WSO2 docs, this feature is available but not the default way. Currently the server is using a one-way authentication where the server certificate is shared with the device but there is no authentication from the device. I would want to implement mutual authentication between device and the server.
I know that WSO2 provides SCEP mechanism for security. I didn't exactly understand whether it is already installed or do we need to perform some extra steps so that the communication between device and server is secure.
I referred to the links below. https://docs.wso2.com/display/IoTS330/Mutual+SSL+Authentication
Currently working on WSO2 IoT Server 3.3.0.
Any help would be appreciated. Thanks
What is not the default way about the way it supports client certificates? The first link explains it. Step 4 on the diagram is the Android device sending the client certificate that's stored in <ANDROID_AGENT_SOURCE_HOME>/client/iDPProxy/src/main/res/raw to the server. – garethTheRed – 2019-04-04T07:14:16.460

Currently there is only one-way authentication. Only the server has a certificate and the client (android agent) does not. The client uses the certificate of the server. The client does not identify itself which shouldn't happen in mutual authentication. This is what I observed according to how it is behaving currently. Please correct me if I am wrong. – Prithviraj Bhandarkar – 2019-04-08T06:57:17.863

I see! That's what should happen with mutual TLS authentication - the client verifies the server's certificate and the server verifies the client's certificate. I misunderstood your question. Remember that when only the server certificate is used, communication will still be secure. The server will need another way to authenticate the client - such as shared key or username/password. I have no experience of WSO2 though, so can't help :-( – garethTheRed – 2019-04-08T08:01:10.073