Diameter Enabler supports IPsec or transport layer security (TLS) on each connection in the channel chain. If TLS is enabled, the signer certificates configured on WebSphere® Application Server must be able to validate the inbound signer key certificate presented by the peer.
You may use IPsec or TLS to secure Diameter connections between the WebSphere Diameter Enabler and its peers. IPsec is implemented either in the operating system configuration or in an external device that encrypts and decrypts the encoded messages; in either case, IPsec is transparent to the WebSphere Diameter Enabler. If you are using IPsec, configure the Diameter connections in Diameter_Rf.properties, Diameter_Ro.properties, and Diameter_Sh.properties to PROHIBIT_TLS, because TLS is unnecessary in an IPsec environment. If you do not have IPsec, configure the connections to be secured through TLS. Otherwise, Diameter Enabler will send Diameter messages over an unsecured network.
IPsec is the default security protocol that Diameter Enabler will look for when establishing a connection. If IPsec is not present and security has been configured in the properties file, then a secure channel will be used.
Both ends of the connection must supply certificates so that authentication is performed in both directions. This is handled through the SSL channel configuration. If TLS is used, all Diameter Enabler devices must support it, and both the WebSphere Diameter Enabler and the Diameter peer that it connects to should be configured for TLS.
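An added configuration audit that applies the rule described above (PROHIBIT_TLS is acceptable only where IPsec already protects the connection; otherwise the connection must use TLS). This is example code, not part of the product or the original page: the property key pattern `<peer>.security` and the value `TLS` are hypothetical placeholders, since the page does not document the real property names, and the sample files and IPsec inventory are constructed.

```python
"""Audit Diameter Enabler property files for connections that would run in the clear:
PROHIBIT_TLS is acceptable only where IPsec already protects the connection."""
import re

# ASSUMPTION (hypothetical, not documented on the page): a connection's setting is
# stored as "<peer>.security = PROHIBIT_TLS | TLS"; TLS is an assumed placeholder.
SECURITY_KEY = re.compile(r"^(?P<conn>[^.]+)\.security$")
TLS_VALUE = "TLS"
def parse_properties(text):
    """Minimal Java .properties parser: comments, '=' or ':' separators, continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        if m := re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line):
            props[m.group(1)] = m.group(2).strip()
    return props

def unsecured_connections(props_by_file, ipsec_protected):
    """Return (file, connection, reason) for each connection left on an unsecured network."""
    findings = []
    for fname, props in props_by_file.items():
        for key, value in props.items():
            m = SECURITY_KEY.match(key)
            if not m:
                continue
            conn = m.group("conn")
            if value == "PROHIBIT_TLS" and conn not in ipsec_protected:
                findings.append((fname, conn, "PROHIBIT_TLS without IPsec"))
            elif value not in ("PROHIBIT_TLS", TLS_VALUE):
                findings.append((fname, conn, f"unknown security setting {value!r}"))
    return findings

# Constructed sample files and IPsec inventory (not real product configuration).
SAMPLE_FILES = {
    "Diameter_Rf.properties": "# Rf peer behind IPsec\nhss1.security = PROHIBIT_TLS\n",
    "Diameter_Ro.properties": "ocs1.security : TLS\nocs2.security = \\\n    PROHIBIT_TLS\n",
    "Diameter_Sh.properties": "hss2.security=NONE\n",
}
IPSEC_PROTECTED = {"hss1"}  # peers the operator has actually placed behind IPsec

def audit(files=SAMPLE_FILES, ipsec_protected=IPSEC_PROTECTED):
    parsed = {f: parse_properties(t) for f, t in files.items()}
    return unsecured_connections(parsed, ipsec_protected)
```

Running `audit()` on the sample data flags the Ro peer that is set to PROHIBIT_TLS without IPsec and the Sh peer with an unrecognised setting, while the IPsec-protected Rf peer passes.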