Question
How does the communication pattern between an endpoint and the IGEL Cloud Gateway (ICG) work, including the handshakes and certificates involved, when One-Time Password (OTP) enrollment/onboarding is used?
Answer
- During the TLS (SSL) handshake, the ICG presents its server certificate (or the full certificate chain) to the device.
- By entering the communication token, the user confirms that this is the correct chain; if the ICG certificate is issued by a public CA, trust is already established automatically through the device's CA store.
- As a result, the TLS handshake succeeds and an encrypted TLS tunnel is established for transferring data.
- In the OTP case, the device sends the OTP together with its enrollment request over that tunnel; the ICG/UMS uses the OTP to authenticate and authorize the device.
- During enrollment, a client certificate is issued for the device.
- After enrollment, every subsequent websocket connection is established with mTLS; the ICG/UMS then authenticates and authorizes the device using its client certificate, so the OTP is no longer needed.
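The flow above, modelled end to end as an added example (this is constructed illustration code, not IGEL's ICG or UMS implementation). It assumes the communication token can be represented as a SHA-256 fingerprint of the server certificate that the device pins, that the UMS signs issued client certificates with a key it holds (a keyed HMAC stands in for a real X.509 signature), and that an OTP is single-use and time-limited; the real token and certificate formats are not specified on this page.

```python
"""Constructed model of ICG/UMS onboarding: server trust, OTP enrollment, then mTLS.

Not IGEL code. Certificates, tokens and OTPs are simplified stand-ins so the
trust decisions on both sides can be exercised offline.
"""
import hashlib
import hmac
import secrets
import time

# Assumption: the communication token is the pinned SHA-256 fingerprint of the
# ICG server certificate. The "certificate" here is just constructed bytes.
ICG_SERVER_CERT = b"constructed ICG server certificate"
COMMUNICATION_TOKEN = hashlib.sha256(ICG_SERVER_CERT).hexdigest()


def device_trusts_server(presented_cert, token=None, public_ca=False):
    """Device-side check of the TLS handshake.

    Either the chain is already trusted (public CA) or the user has entered
    the communication token, which must match the presented certificate.
    """
    if public_ca:
        return True
    if token is None:
        return False
    presented_fp = hashlib.sha256(presented_cert).hexdigest()
    return hmac.compare_digest(presented_fp, token)


class IcgUms:
    """Server side: issues OTPs, enrolls devices, validates client certs."""

    def __init__(self, ca_key):
        self.ca_key = ca_key        # assumption: HMAC key stands in for the CA key
        self.otps = {}              # otp -> expiry timestamp
        self.issued = {}            # device_id -> client certificate (dict)

    def issue_otp(self, ttl_seconds=600):
        otp = secrets.token_hex(4)
        self.otps[otp] = time.time() + ttl_seconds
        return otp

    def _sign(self, device_id, pubkey):
        msg = f"{device_id}|{pubkey}".encode()
        return hmac.new(self.ca_key, msg, hashlib.sha256).hexdigest()

    def enroll(self, device_id, otp, pubkey):
        """Enrollment request carrying the OTP; returns a client cert or None."""
        expiry = self.otps.pop(otp, None)      # single use: consumed on first try
        if expiry is None or expiry < time.time():
            return None
        cert = {"subject": device_id, "pubkey": pubkey}
        cert["sig"] = self._sign(device_id, pubkey)
        self.issued[device_id] = cert
        return cert

    def accept_mtls(self, cert):
        """Websocket mTLS handshake: verify signature and that the cert was issued."""
        expected = self._sign(cert["subject"], cert["pubkey"])
        if not hmac.compare_digest(expected, cert["sig"]):
            return False
        return self.issued.get(cert["subject"]) == cert


def onboard(icg, device_id, otp, presented_cert, token=None, public_ca=False):
    """Full device-side flow: trust the server, then enroll with the OTP."""
    if not device_trusts_server(presented_cert, token=token, public_ca=public_ca):
        return None                            # handshake fails, no tunnel, no OTP sent
    pubkey = "pub-" + secrets.token_hex(8)     # constructed device key pair stand-in
    return icg.enroll(device_id, otp, pubkey)  # OTP travels inside the TLS tunnel


if __name__ == "__main__":
    icg = IcgUms(ca_key=b"constructed UMS CA key")
    otp = icg.issue_otp()
    cert = onboard(icg, "tc-0001", otp, ICG_SERVER_CERT, token=COMMUNICATION_TOKEN)
    print("enrolled:", cert is not None)
    print("mTLS reconnect accepted:", icg.accept_mtls(cert))
    print("OTP replay accepted:", onboard(icg, "tc-0002", otp, ICG_SERVER_CERT,
                                          token=COMMUNICATION_TOKEN) is not None)
```

Three things to check in practice are visible in the model: a wrong server certificate fails before the OTP is ever transmitted, a reused OTP is rejected because it was consumed at first enrollment, and a tampered client certificate fails the mTLS check even though its subject exists.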