Communication between the MFA server and MFA agents is protected using mutual TLS (mTLS). The MFA server runs behind an Apache server that acts as a reverse proxy, so the TLS connection terminates at the Apache server.
By default, the Apache server uses the eDirectory server certificate available at /etc/ssl/servercerts/servercert.pem. The CA certificate for this server certificate is installed by default on all MFA agents. If an administrator wants to use a server certificate other than the default eDirectory certificate, its CA certificate must be available on all MFA agents. If the CA certificate is not available, it can be installed by copying it to /usr/share/pki/trust/anchors.
By default, MFA agents use the eDirectory certificate available at /etc/ssl/servercerts/servercert.pem as their client certificate. The MFA server verifies each client certificate against the CA certificate before allowing a connection from an MFA agent. By default, the CA certificate of the eDirectory certificate is installed on the MFA servers. If an administrator wants to use a client certificate other than the default eDirectory certificate, its CA certificate must be available on the MFA server. If the CA certificate is not available, it can be installed by copying it to /usr/share/pki/trust/anchors.
By default, validation of the client certificate is enforced at the MFA server. This can be disabled using the command mfa-server-cli mfa-server --enforceClientAuth=false. With validation disabled, the MFA server no longer authenticates the connecting agent, and only the server side of the mTLS exchange remains.
Communication between the AA server, the MFA server, and the smartphone is secured using TLS. The AA server should be configured with a valid server certificate, and its CA certificate should be available on the MFA servers and the smartphone. If the CA certificate is not available on the MFA server, it can be installed by copying it to /usr/share/pki/trust/anchors.