As a best practice, connect the TIE and ATD/IS Servers using a secured internal network.
The file sample submission from the TIE Server to ATD/IS uses a Transport Layer Security (TLS) connection. To enforce certificate authentication on that TLS connection, perform the following steps:
- Upload the certificates signed by the public Certificate Authority (CA) to ATD/IS.
- Enable the Enforce Certificate Validation policy on the TIE Server.
For a list of trusted CAs, see the OpenJDK 1.8 documentation.
For instructions about how to upload certificates, see the "Upload Web Server certificate and CA certificate" section in the Product Guide.
NOTE: As an alternative to using a public CA, the TIE Server allows you to install locally trusted CA certificates or use the certificates provided through ATD/IS by default.
Follow the steps in this article if either of the following conditions is met:
- Your ATD/IS servers are using the self-signed certificate provided by default in ATD/IS.
- Your ATD/IS servers are using a certificate signed by a custom CA.
Do not follow the steps in this article if your ATD/IS servers are using a certificate signed by a public CA that Java recognizes as such.
Before you begin:
- Run the following commands as root.
- Run the following commands before you enable the 'Enforce Certificate Validation' option in the ATD policy, and do not restart the TIE Server.
- If you have a Primary-Secondary server configuration, repeat the following steps in the Primary and all Secondary instances of your appliances.
NOTE: As of TIE Server version 2.1.0, the naming convention for Master and Slave operations changed to Primary and Secondary. For example:
Master becomes Primary
Slave becomes Secondary
Previous versions of TIE Server retain the original Master/Slave designations.
- The ATD/IS Java truststore is at /var/McAfee/tieserver/keystore/atd_servers_truststore.jks
Enforce Certificate Validation
- Download the certificates for the ATD/IS server that you configured in the policies:
echo | openssl s_client -connect <ATD_SERVER_IP>:443 2>/dev/null | openssl x509 -outform der -out /var/McAfee/tieserver/keystore/atd_server_1.der
- Add the ATD/IS certificates to the Java truststore:
yes | /opt/McAfee/tieserver/jre/bin/keytool -import -file /var/McAfee/tieserver/keystore/atd_server_1.der -alias atd_server_1 -storepass -noprompt -keystore /var/McAfee/tieserver/keystore/atd_servers_truststore.jks
- Change ownership and permissions on the ATD/IS truststore:
chown mfetie:mfetie /var/McAfee/tieserver/keystore/atd_servers_truststore.jks; chmod 600 /var/McAfee/tieserver/keystore/atd_servers_truststore.jks
- (Optional) Verify that the certificates are added correctly:
/opt/McAfee/tieserver/jre/bin/keytool -keystore /var/McAfee/tieserver/keystore/atd_servers_truststore.jks -list -v -storepass -noprompt
- Enable the Enforce Certificate Validation option in the ATD/IS policy tab.
- In ePolicy Orchestrator, issue an agent wake-up call that enforces policies to the TIE Servers.
NOTE: If the ATD Java truststore is placed in a location other than /var/McAfee/tieserver/keystore/atd_servers_truststore.jks, you must update the property atd.certificates.keyStore.file in /opt/McAfee/tieserver/conf/tie.properties to reflect the new location.
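The following Python script is an added example, not part of this article or of McAfee's tooling: it checks the truststore offline by verifying the JKS integrity digest with the store password and listing the aliases whose certificate matches the DER the ATD/IS server presented (the file written by the openssl command above), so a rotated self-signed certificate or a wrong store password is caught before Enforce Certificate Validation is turned on. The store password, aliases and certificate bytes used in the sample are constructed placeholders.

```python
"""Offline check of the TIE Server ATD/IS truststore (added example, not McAfee's code):
verify the JKS integrity digest and report which aliases hold the cert the server presented."""
import hashlib
import struct
JKS_MAGIC = 0xFEEDFEED
TRUSTED_CERT_ENTRY = 2  # entry tag; 1 would be a private-key entry

def _read_utf(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)  # Java writeUTF: 2-byte length prefix
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _integrity_digest(body, password):
    # JKS trailer: SHA-1 over UTF-16BE(password) + "Mighty Aphrodite" + store body
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def verify_store_integrity(data, password):
    # False for a wrong store password or a modified truststore file
    return _integrity_digest(data[:-20], password) == data[-20:]

def jks_trusted_certs(data, password):
    """Return {alias: DER bytes} for every trusted-cert entry of a JKS v2 store."""
    if not verify_store_integrity(data, password):
        raise ValueError("truststore integrity check failed")
    body = data[:-20]
    magic, version, count = struct.unpack_from(">III", body, 0)
    if (magic, version) != (JKS_MAGIC, 2):
        raise ValueError("not a JKS version-2 keystore")
    pos, certs = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, pos)
        alias, pos = _read_utf(body, pos + 4)
        if tag != TRUSTED_CERT_ENTRY:
            raise ValueError("unexpected private-key entry: " + alias)
        _, pos = _read_utf(body, pos + 8)  # skip 8-byte creation time, read cert type ("X.509")
        (n,) = struct.unpack_from(">I", body, pos)
        certs[alias], pos = body[pos + 4:pos + 4 + n], pos + 4 + n
    return certs

def aliases_matching_server_cert(store_bytes, password, server_der):
    want = hashlib.sha256(server_der).digest()  # fingerprint of the DER the server presented
    return sorted(a for a, c in jks_trusted_certs(store_bytes, password).items()
                  if hashlib.sha256(c).digest() == want)

def build_truststore(entries, password):  # trusted-cert-only JKS v2; builds sample input offline
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, der in entries.items():
        a = alias.encode("utf-8")
        body += struct.pack(">IH", TRUSTED_CERT_ENTRY, len(a)) + a + struct.pack(">Q", 0)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return body + _integrity_digest(body, password)
```

On a real appliance, pass the bytes of atd_servers_truststore.jks and of atd_server_1.der to aliases_matching_server_cert; an empty result means the truststore does not contain the certificate the server is currently presenting.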