WSO2 IoT Server Mutual Authentication between device and server

1

Is it possible to enable Mutual SSL Authentication between server and device? As per WSO2 docs, this feature is available but it is not the default way. Currently the server is using one-way authentication, where the server certificate is shared with the device but there is no authentication from the device. I would like to implement mutual authentication between the device and the server.

I know that WSO2 provides a SCEP mechanism for security. I didn't exactly understand whether it is already installed or whether we need to perform some extra steps so that the communication between device and server is secure.

I referred to the links below.

https://docs.wso2.com/display/IoTS330/Mutual+SSL+Authentication

https://wso2.com/library/articles/2017/09/securing-communication-between-devices-and-the-iot-platform/

Currently working on WSO2 IoT Server 3.3.0

Any help would be appreciated. Thanks

Prithviraj Bhandarkar

Posted 2019-04-04T06:41:45.327

Reputation: 11

What is not the default way about the way it supports client certificates? The first link explains it. Step 4 on the diagram is the Android device sending the client certificate that's stored in <ANDROID_AGENT_SOURCE_HOME>/client/iDPProxy/src/main/res/raw to the server. – garethTheRed – 2019-04-04T07:14:16.460

Currently there is only one-way authentication. Only the server has a certificate and the client (Android agent) does not. The client uses the certificate of the server. The client does not identify itself, which shouldn't happen in mutual authentication. This is what I observed according to how it is behaving currently. Please correct me if I am wrong. – Prithviraj Bhandarkar – 2019-04-08T06:57:17.863

I see! That's what should happen with mutual TLS authentication - the client verifies the server's certificate and the server verifies the client's certificate. I misunderstood your question. Remember that when only the server certificate is used, communication will still be secure. The server will need another way to authenticate the client - such as a shared key or username/password. I have no experience of WSO2 though, so can't help :-( – garethTheRed – 2019-04-08T08:01:10.073

No answers
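The following Go program is an added example, not part of the question, the comments, or WSO2's code; it demonstrates the distinction the comments draw between one-way and mutual TLS using only the Go standard library. The same server is run in both modes: with one-way TLS it accepts any client and learns nothing about who connected; with mutual TLS (ClientAuth set to RequireAndVerifyClientCert, ClientCAs set to the platform CA) it rejects a client that presents no certificate, rejects one whose certificate chains to a CA it does not trust even though that certificate carries the same CommonName as the enrolled device, and otherwise reads the device identity from the verified certificate. The PKI (a "Platform CA", an "iot-server" cert, a "device-001" cert, an "Unrelated CA"), the loopback listener and the agent side are all constructed here for the example and say nothing about how WSO2 IoT Server 3.3.0 itself stores or checks certificates; its mutual SSL configuration is described in the first link in the question.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed hierarchy: a platform CA the server trusts, its server cert, an enrolled device cert, and a look-alike device cert from an unrelated CA.
type PKI struct {
	Pool                  *x509.CertPool
	Server, Device, Rogue tls.Certificate
}

// issueCert makes an Ed25519 key and certificate: a self-signed CA when parent is nil, otherwise a leaf for eku signed by parent.
func issueCert(cn string, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // demo: no recovery from a failed key generation
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		DNSNames:     []string{"localhost"}, // the name the agent verifies the server under
	}
	parentCert, signer := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		parentCert, signer = parent.Leaf, parent.PrivateKey
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

func BuildPKI() *PKI {
	ca := issueCert("Platform CA", 0, nil)
	other := issueCert("Unrelated CA", 0, nil)
	p := &PKI{Pool: x509.NewCertPool()}
	p.Pool.AddCert(ca.Leaf)
	p.Server = issueCert("iot-server", x509.ExtKeyUsageServerAuth, &ca)
	p.Device = issueCert("device-001", x509.ExtKeyUsageClientAuth, &ca)
	p.Rogue = issueCert("device-001", x509.ExtKeyUsageClientAuth, &other) // same name, untrusted issuer
	return p
}

// Handshake runs one TLS handshake over loopback between a server in the given mode and a device agent
// holding deviceCerts; it returns the client CommonName the server verified, "" if no client cert was involved, or an error.
func Handshake(p *PKI, mutual bool, deviceCerts ...tls.Certificate) (string, error) {
	serverCfg := &tls.Config{Certificates: []tls.Certificate{p.Server}, MinVersion: tls.VersionTLS12}
	if mutual { // mutual TLS: the server also demands a device cert that chains to the platform CA
		serverCfg.ClientAuth, serverCfg.ClientCAs = tls.RequireAndVerifyClientCert, p.Pool
	}
	// Agent side: always verify the server against the platform CA; present whatever certs the agent holds.
	clientCfg := &tls.Config{RootCAs: p.Pool, ServerName: "localhost", Certificates: deviceCerts, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // device agent: connect, complete the handshake, hang up
		if c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
			c.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	tc := conn.(*tls.Conn)
	if err := tc.Handshake(); err != nil { // fails when a required client cert is missing or untrusted
		return "", err
	}
	if peers := tc.ConnectionState().PeerCertificates; len(peers) > 0 {
		return peers[0].Subject.CommonName, nil
	}
	return "", nil // session is up, but the server has no idea who the client is
}

func main() {
	p := BuildPKI()
	fmt.Println(Handshake(p, false))          // one-way TLS: "" <nil>, server learns no identity
	fmt.Println(Handshake(p, true, p.Device)) // mutual TLS: device-001 <nil>
	fmt.Println(Handshake(p, true))           // mutual TLS, no device cert: error
	fmt.Println(Handshake(p, true, p.Rogue))  // mutual TLS, untrusted issuer: error
}
```

Run it with `go run .`; it needs no network beyond the loopback interface. The first line is the situation the question describes: the session is encrypted and the agent has verified the server, but the server has authenticated nobody, which is why, as the last comment says, a one-way deployment needs another client credential such as a shared key or a username and password. The last line is the reason the server's trust anchor matters more than the certificate's name: the rogue certificate says "device-001" too, and is refused only because it does not chain to the CA configured in ClientCAs.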