
Signed TLS certificates are not available from Ribbon. If the service provider does not perform this function, a third-party certificate authority can be used at your expense.

However, Ribbon can provide debugging tools on request (refer to Sales).  

Ribbon also provides the following files:

  • Private key - required and must be kept secret from all nodes (besides the CA)

  • Unsigned certificate request file, which is submitted to a third-party certificate authority for signing

The third-party certificate authority is expected to provide the following files:

  • Public certificate - stored locally and transmitted to ADNs on the TLS handshake

  • CA public certificate - the CA’s certificate that is used to validate peer certificates (whether the service provider acts as the certificate authority or a third-party CA provides authentication)

  • Certificate revocation list (CRL) - an optional file that contains a list of invalidated certificates

There are a number of variations of certificate-based authentication. The DSC Platform supports X.509 certificate exchange, the same certificate format that is used for Web certificates.

The authentication exchange in the handshake includes a node’s certificate. This certificate is validated against the local copy of the Certificate Authority (CA) certificate. If the certificate decodes and validates, its contents include (among other things) the validity dates, signing information, and the Distinguished Name (DN). This DN is used as the Diameter ID of the ADN (or of the local node, in the certificate sent to the peer).

Certificates are generally better for large installations because each node only needs to contact a CA to obtain its own authentication certificate and the CA certificate.

Two-way Authentication

The DSC Platform supports two-way authentication where the server sends its certificate and requests a certificate from the client.

Server vs Client Connections

For an incoming connection, the connecting peer is considered to be the client side for the purposes of the TLS handshake. Similarly, for an outgoing connection from the DSC Platform, the DSC Platform is expected to act as the TLS client.
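The following Go program is an added example, not code from Ribbon or the DSC Platform, that walks through the file exchange listed above (private key, unsigned request, signed public certificate, CA public certificate, CRL), the validation of a presented certificate against the local CA copy with its DN taken as the peer's Diameter ID, and a two-way TLS handshake in which the accepting side is the server and requires the client's certificate. The self-signed CA stands in for the third-party certificate authority, and the identities, serial numbers and validity window are constructed values; the Diameter identity is also placed in the certificate as a DNS SAN because Go's TLS client checks the server name against the SAN, which is an assumption about how the CA would issue the certificate, not something the page states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// must keeps the provisioning steps short; a real tool would return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Validity window shared by every certificate here (constructed values).
var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)

// newCA stands in for the third-party CA. Nodes receive its certificate (the
// "CA public certificate"), never caKey.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Third-Party CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// enroll walks one node through the exchange: the node keeps its private key and
// submits an unsigned request carrying its Diameter identity as the DN (and as a
// SAN, assumed here so TLS hostname checks pass); the CA verifies the request's
// signature and returns the signed public certificate.
func enroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, diameterID string, serial int64) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: diameterID}, DNSNames: []string{diameterID}}
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, req, key))
	// CA side from here: only csrDER crosses to the CA, never key.
	csr := must(x509.ParseCertificateRequest(csrDER))
	must(0, csr.CheckSignature())
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// issueCRL is the CA's optional revocation list, here listing one serial.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked *big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: notBefore, NextUpdate: notAfter,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: time.Now()}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// peerDiameterID is the receiving node's check: chain the presented certificate to
// the local CA copy (signature, validity dates), reject it if a CA-signed CRL lists
// its serial, and otherwise return its DN as the peer's Diameter ID.
func peerDiameterID(peer, ca *x509.Certificate, crl *x509.RevocationList) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err
	}
	if crl != nil {
		if err := crl.CheckSignatureFrom(ca); err != nil {
			return "", err
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
				return "", errors.New("peer certificate is on the CRL: " + peer.Subject.CommonName)
			}
		}
	}
	return peer.Subject.CommonName, nil
}

// mutualHandshake runs a two-way TLS handshake over an in-memory pipe: the side
// accepting the incoming connection is the TLS server and demands a client
// certificate; the outgoing side is the TLS client. Each returns the DN it saw.
func mutualHandshake(ca *x509.Certificate, srv, cli tls.Certificate) (string, string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	sRaw, cRaw := net.Pipe()
	// Session tickets are off because a synchronous net.Pipe would block on the
	// server's post-handshake ticket write; a TCP socket would not need this.
	server := tls.Server(sRaw, &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true})
	client := tls.Client(cRaw, &tls.Config{Certificates: []tls.Certificate{cli}, RootCAs: pool,
		ServerName: srv.Leaf.Subject.CommonName})
	errc := make(chan error, 1)
	go func() { errc <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		return "", "", err
	}
	if err := <-errc; err != nil {
		return "", "", err
	}
	return server.ConnectionState().PeerCertificates[0].Subject.CommonName,
		client.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Call `newCA()` once, `enroll` once per node, and pass each node's `tls.Certificate` to `mutualHandshake`; a certificate issued by any other CA, or one whose serial appears in the CRL handed to `peerDiameterID`, is rejected before its DN is ever used as a Diameter ID.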
