To establish a secure (HTTPS) connection between servers in the Policy Management network, or to establish secure connections with third-party systems, you need to create and exchange Secure Sockets Layer (SSL) security certificates, which allow for encrypted communication, before putting the system into production. The platcfg utility supports two types of security certificates: self-signed and third-party.
Self-signed certificates are created locally on each server using the platcfg utility, then synchronized throughout the Policy Management network to allow encrypted communications between servers. A connection is established between the active servers of a cluster. Because any server in a cluster may become the active server, certificates must be exchanged between all servers in all clusters. To function correctly, the certificates must be current and valid. Self-signed certificates are inherently less secure than third-party signed certificates, so they are not recommended for use in a production environment. Additionally, some external systems may not allow the use of self-signed certificates, which may necessitate the use of third-party certificates.
Third-party signed certificates are created by an external signing authority. Third-party signed certificates are generated in response to a Certificate Signature Request (CSR), which you create locally using the platcfg utility and then send to the third-party signing authority. When the signed certificate is returned, you combine it with a current and valid self-signed certificate and synchronize it throughout the Policy Management network.
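Because a connection can fail over to any server in any cluster, the requirement that every certificate be current and valid is easiest to enforce with a periodic audit of what each server actually presents. The following Python script is an added example, not part of the platcfg utility or the Policy Management product: it connects to each server over TLS, verifies the peer certificate against the bundle of certificates that was synchronized across the network (or the third-party CA chain), and classifies each certificate as valid, expiring soon, expired or not yet valid, while also flagging which ones are self-signed (subject equal to issuer) so that any left in production stand out. The host names, the port, the CA-bundle path and the 30-day warning threshold are assumptions; the sample certificates at the bottom are constructed in the format that Python's `getpeercert()` returns, so the audit logic can be exercised offline.

```python
"""Audit the TLS certificates presented by Policy Management servers.

Added example, not part of platcfg; host names, port, CA-bundle path and the
warning threshold are assumptions for illustration."""
import socket
import ssl
import time

DEFAULT_PORT = 443      # assumed HTTPS port of the servers
WARN_DAYS = 30          # assumed threshold for "expiring soon"


def evaluate_validity(cert, now=None, warn_days=WARN_DAYS):
    """Classify one certificate dict in the shape returned by SSLSocket.getpeercert().

    Returns the status (OK, EXPIRING_SOON, EXPIRED or NOT_YET_VALID), the number
    of whole days left until notAfter (negative once expired) and whether the
    certificate is self-signed, judged by subject and issuer being identical."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    if now < not_before:
        status = "NOT_YET_VALID"
    elif now > not_after:
        status = "EXPIRED"
    elif not_after - now < warn_days * 86400:
        status = "EXPIRING_SOON"
    else:
        status = "OK"
    return {
        "status": status,
        "days_left": days_left,
        "self_signed": cert.get("subject") == cert.get("issuer"),
    }


def fetch_peer_cert(host, port=DEFAULT_PORT, cafile=None, timeout=5.0):
    """Connect to host:port over TLS and return the verified peer certificate.

    cafile is the bundle of certificates synchronized across the network (or the
    third-party CA chain).  getpeercert() only returns a populated dict when the
    chain verified against that bundle, so an unknown or mismatched certificate
    fails loudly here instead of being silently reported as valid.  This needs
    network access and is not exercised by the offline sample below."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(certs_by_host, now=None, warn_days=WARN_DAYS):
    """Evaluate every host's certificate and return (all_ok, per-host results).

    all_ok is True only when every certificate is currently valid and not
    within warn_days of expiry; any other state needs attention before the
    cluster can be relied on for encrypted connections."""
    results = {host: evaluate_validity(cert, now, warn_days)
               for host, cert in certs_by_host.items()}
    all_ok = all(r["status"] == "OK" for r in results.values())
    return all_ok, results


# Constructed sample certificates (no real servers) in getpeercert() format.
SAMPLE_CERTS = {
    "mpe-01a.example": {  # self-signed, valid well into the future
        "subject": ((("commonName", "mpe-01a.example"),),),
        "issuer": ((("commonName", "mpe-01a.example"),),),
        "notBefore": "Jan  1 00:00:00 2024 GMT",
        "notAfter": "Jan  1 00:00:00 2025 GMT",
    },
    "mpe-01b.example": {  # self-signed, already expired
        "subject": ((("commonName", "mpe-01b.example"),),),
        "issuer": ((("commonName", "mpe-01b.example"),),),
        "notBefore": "Mar  1 00:00:00 2023 GMT",
        "notAfter": "Mar  1 00:00:00 2024 GMT",
    },
    "cmp-01a.example": {  # third-party signed, two weeks from expiry
        "subject": ((("commonName", "cmp-01a.example"),),),
        "issuer": ((("commonName", "Example Signing Authority"),),),
        "notBefore": "Jun 15 00:00:00 2023 GMT",
        "notAfter": "Jun 15 00:00:00 2024 GMT",
    },
}

# Fixed reference time so the sample audit is reproducible: 1 June 2024 UTC.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    ok, report = audit(SAMPLE_CERTS, now=SAMPLE_NOW)
    for host, r in sorted(report.items()):
        kind = "self-signed" if r["self_signed"] else "third-party"
        print(f"{host:20} {r['status']:14} {r['days_left']:5d} days  ({kind})")
    print("all certificates current and valid:", ok)
```

To run it against live servers, replace `SAMPLE_CERTS` with `{host: fetch_peer_cert(host, cafile="/path/to/synced-bundle.pem") for host in inventory}` for every server in every cluster, not just the currently active ones, since any standby can become active. Treating a verification failure in `fetch_peer_cert` as an audit failure is deliberate: a server whose certificate does not chain to the synchronized bundle is exactly the one that will break encrypted communication after a failover.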
Figure 1 shows an example of statistics information displayed on the Reports tab of the Policy Server Administration page over a secure connection for an MPE cluster.