
Mutual Authentication


Mutual Authentication establishes trust in both directions: each side presents its secure sockets layer (SSL) certificate and the other side verifies it against the certificates it already trusts.

Data Flow


 
1. Client (i.e. ServiceNow) and Server (i.e. a 3rd party) perform a handshake before transmitting any data.
2. Client has a keystore with a public and private key pair.
3. Server has a keystore with a public and private key pair.
4. Client shares its public key (a certificate) with Server, and Server keeps it in its truststore.
5. Server shares its public key (a certificate) with Client, and Client keeps it in its truststore.
6. Let's say Client initiates the handshake: it sends its public certificate to Server.
7. Server checks whether it has this public certificate in its truststore, which it does.
8. Server sends its public certificate to Client, and Client checks whether it has this public certificate in its truststore, which it does.
9. Since the handshake is now successful, Client sends out the payload.
10. Client encrypts the payload using Server's public certificate from its truststore.
11. Server receives this payload and decrypts it with the private key in Server's keystore.
12. Server responds with a payload encrypted using Client's public certificate from its truststore.
13. Client receives this payload and decrypts it with the private key in Client's keystore.
 
 

Example


Step#1: Generate a keystore pair (public and private key), self-signed:
 
============
C:\Program Files\Java\jre1.8.0_162\bin>keytool -genkey -alias Keystore_alias -keyalg RSA -validity enter_Validity_in_Days -keystore Keystore_name.keystore -storepass Keystore_Password -keypass Key_Password
What is your first and last name?
  [Unknown]:  ..........
What is the name of your organizational unit?
  [Unknown]:  ..........
What is the name of your organization?
  [Unknown]:  ..........
What is the name of your City or Locality?
  [Unknown]:  ..........
What is the name of your State or Province?
  [Unknown]:  ..........
What is the two-letter country code for this unit?
  [Unknown]:  ..........
Is CN=vab, OU=servicenow, O=servicenow, L=sydney, ST=nsw, C=61 correct?
  [no]:  yes
============ 
 
 
 
Step#2: Extract the public certificate from the keystore pair above:
 
============
C:\Program Files\Java\jre1.8.0_162\bin>keytool -export -alias Keystore_alias -keystore Keystore_name.keystore -storepass Keystore_Password -file Cert_name.cer
 
Certificate stored in file <snclient.cer>
 
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using
"keytool -importkeystore -srckeystore snclient.keystore -destkeystore snclient.keystore -deststoretype pkcs12".
============
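The data flow above and the two keytool steps, carried out end to end in code. This is an added example written for this article, not ServiceNow's or keytool's code; it is in Go because the Go standard library can generate the self-signed key pairs and run both ends of the handshake offline. Keys and certificates live in memory (an identity value and an x509.CertPool stand in for the keystore and truststore files keytool writes), the names server.example and client.example and the organization "example" are made up, and loopback TCP replaces the real network. The server is configured with RequireAndVerifyClientCert, which is the setting that turns one-way TLS into mutual authentication; with either truststore left empty the handshake fails and no payload is sent. One difference from the wording of steps 10 to 13: TLS does not encrypt the payload directly with the peer's public certificate. The certificates and private keys authenticate the handshake, and the payload is protected by symmetric session keys both sides derive from it, which is what the tls package does below.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// identity is one party's keystore entry: private key plus self-signed certificate (Step#1).
type identity struct {
	name string
	cert tls.Certificate
}

// newIdentity generates a self-signed key pair for cn; the subject values are constructed.
func newIdentity(cn string) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"example"}},
		DNSNames:     []string{cn}, // the peer checks this against the name it connected to
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // keytool's -validity, in days
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &identity{cn, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}, nil
}

// exportCertificate is "keytool -export" (Step#2): the public certificate alone, as PEM, no private key.
func exportCertificate(id *identity) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: id.cert.Certificate[0]})
}

// serve accepts one connection, requires and verifies the client's certificate against
// trust (inside the first Read), reads the payload up to close_notify and answers it.
func serve(ln net.Listener, server *identity, trust *x509.CertPool) error {
	raw, err := ln.Accept()
	if err != nil {
		return err
	}
	conn := tls.Server(raw, &tls.Config{
		Certificates: []tls.Certificate{server.cert}, // the server's keystore
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" part
		ClientCAs:    trust,                          // the server's truststore
	})
	defer conn.Close() // sends close_notify once the reply is written
	req, err := io.ReadAll(conn)
	if err != nil {
		return err
	}
	peer := conn.ConnectionState().PeerCertificates[0].Subject.CommonName
	_, err = fmt.Fprintf(conn, "%s received %q from %s", server.name, req, peer)
	return err
}

// exchange runs one mutually authenticated TLS connection over loopback TCP (data flow
// 6-13). Each truststore is built from the PEM the other side exported (data flow 4 and
// 5); nil or junk leaves it empty. Returns the server's reply or the first error seen.
func exchange(server, client *identity, serverTrustPEM, clientTrustPEM []byte, payload string) (string, error) {
	serverTrust, clientTrust := x509.NewCertPool(), x509.NewCertPool()
	serverTrust.AppendCertsFromPEM(serverTrustPEM)
	clientTrust.AppendCertsFromPEM(clientTrustPEM)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() { serverErr <- serve(ln, server, serverTrust) }()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{client.cert}, // the client's keystore
		RootCAs:      clientTrust,                    // the client's truststore
		ServerName:   server.name,                    // must match a DNSNames entry
	})
	if err != nil {
		return "", err // the server's certificate is not in our truststore
	}
	defer conn.Close()
	var reply []byte
	if _, err = io.WriteString(conn, payload); err == nil {
		err = conn.CloseWrite() // tells the server the payload is complete
	}
	if err == nil {
		reply, err = io.ReadAll(conn)
	}
	if serr := <-serverErr; err == nil {
		err = serr // e.g. the server never imported our certificate
	}
	return string(reply), err
}

func main() {
	server, _ := newIdentity("server.example") // the 3rd party's keystore; keygen errors ignored in this demo only
	client, _ := newIdentity("client.example") // ServiceNow's keystore
	fmt.Println(exchange(server, client, exportCertificate(client), exportCertificate(server), "hello"))
	fmt.Println(exchange(server, client, nil, exportCertificate(server), "hello")) // client never imported: rejected
}
```

Run it with go run: the first line printed is the server's reply, which names the client it authenticated; the second is the error returned when the server's truststore does not contain the client's certificate. The same failure appears when the client's truststore lacks the server's certificate, or when the server's truststore holds some other certificate than the one the client presents, which is the situation the "Debugging Mutual Authentication" KB below is for.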
 
 
 
 
Helpful KB:
 
Debugging Mutual Authentication: KB0696599
Steps to set up Mutual Authentication: Keys: KB0696776 

Article Information

Last Updated:2018-09-11 21:22:36
Published:2018-09-12