Increased security of TLS connections between Agents using ATA tokens (Agent-to-Agent tokens)
Feature availability
Available from: Resilio Connect v3.6.0
The Management Console sends a token to the Agents, which the Agents use to additionally secure the connections between each other: tokens add a time-dependent layer of security to all agent-to-agent communications. Each job has its own unique token. Tokens are rotated automatically by the MC and have an expiration time and an overlapping lifetime, so that consecutive tokens remain valid at the same time for a while. The token rotation interval cannot be lower than 5 minutes, and the token overlap cannot be higher than 24 hours; both values are configured in the MC general settings.
There are three ATA token modes available in a Job's Profile:
- Compatibility - Used to provide a smooth upgrade from pre-3.6 Connect versions. The Management Console selects "Compatibility" mode by default after upgrading to 3.6+. This mode enables ATA tokens automatically only once all Agents in a job have been updated to v3.6+.
- Enforced - The Management Console uses this mode by default on all fresh 3.6+ installations. ATA tokens are enforced for all Agents on the MC. Agents of older versions do not support this mode, so connections with them will not be possible: they remain connected to the MC, but not to the other Agents in the job.
- Disabled - Completely disables the use of ATA tokens, for cases where the extra security is not required or not applicable to your use case.
ATA token expiration and overlap intervals are configured in the MC Advanced settings. The Key token lifetime must always be more than double the Key token overlap; otherwise the behavior is undefined and leads to Agent instability.
For ATA tokens to work, Agent profiles must include the following Tunnel ciphers: “DHE-PSK-AES128-GCM-SHA256;DHE-PSK-AES256-GCM-SHA384”. If only the SRP cipher is configured, Agents won't connect to each other, even if all Agents are updated to v3.6.x and/or the token policy is in 'Compatibility' mode.
Warning
SRP protocol support has been deprecated in Resilio Active Everywhere 4.2.
Connections between Agents will also fail if the token expires and the Agent does not receive a new one from the MC for any reason. It is recommended to increase the token lifetime if your setup implies that Agents may lose connectivity to the Management Console for a long time. At the same time, it is highly advisable not to set the token TTL lower than 5 minutes, to avoid connection timeout errors.
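As an added illustration (a constructed example, not Resilio code), the model below ties together the timing rules stated on this page (rotation of at least 5 minutes, overlap of at most 24 hours, lifetime more than double the overlap), what happens to an Agent that loses contact with the MC, and the Tunnel cipher requirement. It assumes a simplified model in which a new token is issued every (lifetime minus overlap) seconds and each token is accepted for exactly its lifetime; the function names, the sample intervals and the "SRP-EXAMPLE-CIPHER" value are constructed for the example.

```python
"""Illustrative model of ATA token rotation windows and Agent profile checks.

Constructed example, not Resilio code. Assumed model: token generation n is
issued at n * rotation seconds, where rotation = lifetime - overlap, and is
accepted until n * rotation + lifetime. Consecutive tokens therefore stay
valid together for `overlap` seconds.
"""
from typing import List

MIN_ROTATION_S = 5 * 60        # page: rotation cannot be lower than 5 minutes
MAX_OVERLAP_S = 24 * 60 * 60   # page: overlap cannot be higher than 24 hours

# Tunnel ciphers the page lists as required for ATA tokens.
REQUIRED_PSK_CIPHERS = {"DHE-PSK-AES128-GCM-SHA256", "DHE-PSK-AES256-GCM-SHA384"}


def rotation_interval(lifetime_s: int, overlap_s: int) -> int:
    """Issue interval under the assumed model; lifetime must exceed overlap."""
    if lifetime_s <= overlap_s:
        raise ValueError("token lifetime must be longer than the overlap")
    return lifetime_s - overlap_s


def validate_token_settings(lifetime_s: int, overlap_s: int) -> List[str]:
    """Check the page's constraints; an empty list means the settings are OK."""
    errors = []
    if lifetime_s - overlap_s < MIN_ROTATION_S:
        errors.append("rotation interval below 5 minutes")
    if overlap_s > MAX_OVERLAP_S:
        errors.append("overlap above 24 hours")
    if lifetime_s <= 2 * overlap_s:
        errors.append("lifetime must be more than double the overlap")
    return errors


def tokens_valid_at(t_s: int, lifetime_s: int, overlap_s: int) -> List[int]:
    """Generation numbers of all tokens a peer would accept at time t_s."""
    rotation_s = rotation_interval(lifetime_s, overlap_s)
    valid = []
    n = 0
    while n * rotation_s <= t_s:
        issued = n * rotation_s
        if issued <= t_s < issued + lifetime_s:
            valid.append(n)
        n += 1
    return valid


def max_simultaneous_tokens(lifetime_s: int, overlap_s: int, horizon_s: int) -> int:
    """Largest number of concurrently valid tokens seen over [0, horizon_s],
    sampled every 10 seconds."""
    return max(len(tokens_valid_at(t, lifetime_s, overlap_s))
               for t in range(0, horizon_s + 1, 10))


def peer_connect_ok(t_lost_mc_s: int, t_now_s: int, lifetime_s: int, overlap_s: int) -> bool:
    """Can an Agent that stopped hearing from the MC at t_lost_mc_s still connect
    to a peer at t_now_s? It only holds the newest token issued before it lost
    the MC, so the connection fails once that token expires."""
    rotation_s = rotation_interval(lifetime_s, overlap_s)
    newest_gen = t_lost_mc_s // rotation_s
    return t_now_s < newest_gen * rotation_s + lifetime_s


def check_tunnel_ciphers(cipher_list: str) -> List[str]:
    """Parse the ';'-separated Tunnel ciphers value of an Agent profile and
    report anything that prevents ATA tokens from working."""
    ciphers = {c.strip() for c in cipher_list.split(";") if c.strip()}
    problems = []
    if not ciphers & REQUIRED_PSK_CIPHERS:
        problems.append("no DHE-PSK cipher configured: Agents will not connect "
                        "to each other with ATA tokens, even in Compatibility mode")
    if any(c.startswith("SRP") for c in ciphers):
        problems.append("SRP cipher present: SRP support is deprecated in 4.2")
    return problems


if __name__ == "__main__":
    # Constructed sample intervals: 30 min lifetime, 10 min overlap.
    print(validate_token_settings(1800, 600))         # []
    print(tokens_valid_at(1300, 1800, 600))           # [0, 1]
    print(max_simultaneous_tokens(1800, 600, 7200))   # 2
    # Lifetime not more than double the overlap: three tokens valid at once.
    print(validate_token_settings(1800, 1000))        # ['lifetime must be more than double the overlap']
    print(max_simultaneous_tokens(1800, 1000, 7200))  # 3
    print(peer_connect_ok(1000, 1700, 1800, 600))     # True
    print(peer_connect_ok(1000, 1900, 1800, 600))     # False
    print(check_tunnel_ciphers("SRP-EXAMPLE-CIPHER"))  # constructed value: two problems reported
```

Under this model, keeping the lifetime above double the overlap is what bounds the number of concurrently accepted tokens to two (the current one and its predecessor); the second sample setting shows a third generation becoming valid at the same time. The `peer_connect_ok` case shows why the page recommends a longer lifetime when Agents can be cut off from the MC: an Agent that missed a rotation keeps working only until its last token expires.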