If you prefer to use a different, new keystore for the remote picos, follow these steps.

Execution Context

  1. First, ensure that the keystore property is set in your Platform Container as a result of enabling one-way SSL on RCP. Refer to Enable One-way SSL On RCP.

    • Code Block
      "pico.rcp.tls.keystore"="/opt/mz/keys/keystore.p12"
  2. Create a Keystore and Key Pair on Each Execution Container:

    • For each Execution Container, generate a keystore and a key pair (private key and corresponding public certificate). This keystore will store the private key and the certificate.

  3. Export the Certificates from Execution Containers:

    • For each Execution Container, export the public certificate from its keystore.

    • Run the following command to export the Execution Container public certificate:

    • Code Block
      $ keytool -keystore <path_to_ec_keystore_file> -export -rfc -alias <alias_name> -file <certificate filename>

      For example, in the Execution Container, the created keystore file is eckeystore.p12. Run this command to export the Execution Container's public certificate to a file named ec_pubcert.pem.

    • Code Block
      $ keytool -keystore eckeystore.p12 -export -rfc -alias ec -file ec_pubcert.pem
  4. Import the Execution Container Certificates to the Platform Container:

    • Import the exported certificates from each Execution Container into the Platform Container's truststore. This allows the Platform Container to trust each Execution Container.

    • Copy the Execution Container’s public certificate to the Platform Container.

    • Run the following command to import the Execution Container’s public certificate into the Platform keystore set in pico.rcp.tls.keystore:

    • Code Block
      $ keytool -import -alias <alias_name> -file <certificate_file_name> -keystore <keystore file> -keypass <password> -storepass <password>

      For example, the Platform keystore set in the property pico.rcp.tls.keystore is $MZ_HOME/keys/keystore.p12. Set the alias name to 'ec'.

    • Code Block
      $ keytool -import -alias ec -file ec_pubcert.pem -keystore $MZ_HOME/keys/keystore.p12 -keypass mzadmin -storepass mzadmin

      Run this command to view the keystore.

    • Code Block
      $ keytool -list -keystore $MZ_HOME/keys/keystore.p12 -storepass mzadmin

      You should see two entries: alias 1 is the Platform Container's own key pair (PrivateKeyEntry), and alias ec is the imported Execution Container certificate (trustedCertEntry).

  5. Export the Platform Container Certificate:

    • Export the public certificate from the Platform Container's keystore.

    • Run the following command to export the Platform Container public certificate:

    • Code Block
      $ keytool -keystore <path_to_platform_keystore_file> -export -rfc -alias <alias_name> -file <certificate filename>

      For example, in the Platform Container, the created keystore file is keystore.p12. Run this command to export the Platform Container's public certificate to a file named platform_pubcert.pem.

    • Code Block
      $ keytool -keystore keystore.p12 -export -rfc -alias 1 -file platform_pubcert.pem
  6. Import the Platform Container Certificate to Execution Containers:

    • Import the exported Platform Container certificate into the truststore of each Execution Container. This allows the Execution Containers to trust the Platform Container.

    • Copy the Platform public certificate to the Execution Container.

    • Run the following command to import the Platform public certificate:

    • Code Block
      $ keytool -import -alias <alias_name> -file <certificate_file_name> -keystore <keystore file> -keypass <password> -storepass <password>

      For example, the Execution Container keystore is saved at $MZ_HOME/keys/keystore.p12. Set the alias name to '1'.

    • Code Block
      $ keytool -import -alias 1 -file platform_pubcert.pem -keystore $MZ_HOME/keys/keystore.p12 -keypass mzadmin -storepass mzadmin

      Run this command to view the keystore.

    • Code Block
      $ keytool -list -keystore $MZ_HOME/keys/keystore.p12 -storepass mzadmin

      You should see two entries: alias ec is the Execution Container's own key pair (PrivateKeyEntry), and alias 1 is the imported Platform Container certificate (trustedCertEntry).
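
Steps 2 to 6 above are one procedure: each side ends up with its own key pair and the other side's certificate as a trusted entry. The script below is an added example, not part of the original page or the product, that runs the whole exchange locally with keytool and then checks the two keystores for exactly the entry types steps 4 and 6 describe, so the result is verified by the script rather than by eye. The scratch directory, the subject names and the use of the page's demo password mzadmin are constructed for this example; the aliases 1 (Platform) and ec (Execution Container) and the file names follow the page. In production the PEM files are copied between hosts between the export and import steps; here both keystores live on one machine.

```sh
#!/bin/sh
# Added example (not from the original page): steps 2-6 as one script.
# Paths, subject CNs and the demo password are constructed; aliases follow the page.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"           # constructed scratch location
PLATFORM_KS="$WORKDIR/platform/keystore.p12"  # stands in for $MZ_HOME/keys/keystore.p12
EC_KS="$WORKDIR/ec/eckeystore.p12"            # stands in for the EC's eckeystore.p12
PLATFORM_ALIAS=1
EC_ALIAS=ec
STOREPASS=mzadmin                             # demo password from the page's example only

# Step 2: create a PKCS12 keystore holding a fresh key pair and self-signed certificate.
gen_keystore() { # $1 keystore path, $2 alias, $3 subject CN
  mkdir -p "$(dirname "$1")"
  keytool -genkeypair -storetype PKCS12 -keystore "$1" -storepass "$STOREPASS" \
    -keypass "$STOREPASS" -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$3" >/dev/null 2>&1
}

# Steps 3 and 5: export one alias's public certificate as PEM (-rfc).
export_cert() { # $1 keystore path, $2 alias, $3 output PEM file
  keytool -export -rfc -storetype PKCS12 -keystore "$1" -storepass "$STOREPASS" \
    -alias "$2" -file "$3" >/dev/null 2>&1
}

# Steps 4 and 6: import a peer certificate as a trusted entry. -noprompt skips the
# interactive "Trust this certificate?" question, so only feed it a file you copied yourself.
import_cert() { # $1 keystore path, $2 alias, $3 PEM file
  keytool -import -noprompt -storetype PKCS12 -keystore "$1" -storepass "$STOREPASS" \
    -alias "$2" -file "$3" >/dev/null 2>&1
}

# Report the entry type for an alias (PrivateKeyEntry, trustedCertEntry or missing),
# which is what "keytool -list" in steps 4 and 6 asks you to confirm.
entry_type() { # $1 keystore path, $2 alias
  out=$(keytool -list -storetype PKCS12 -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null || true)
  case "$out" in
    *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
    *trustedCertEntry*) echo trustedCertEntry ;;
    *)                  echo missing ;;
  esac
}

setup_mutual_trust() {
  gen_keystore "$PLATFORM_KS" "$PLATFORM_ALIAS" platform.example       # step 2 (Platform)
  gen_keystore "$EC_KS" "$EC_ALIAS" ec1.example                        # step 2 (EC)
  export_cert "$EC_KS" "$EC_ALIAS" "$WORKDIR/ec_pubcert.pem"            # step 3
  import_cert "$PLATFORM_KS" "$EC_ALIAS" "$WORKDIR/ec_pubcert.pem"      # step 4
  export_cert "$PLATFORM_KS" "$PLATFORM_ALIAS" "$WORKDIR/platform_pubcert.pem"  # step 5
  import_cert "$EC_KS" "$PLATFORM_ALIAS" "$WORKDIR/platform_pubcert.pem"        # step 6
}

# Succeeds only when both keystores contain exactly the entries steps 4 and 6 describe.
verify_trust() {
  [ "$(entry_type "$PLATFORM_KS" "$PLATFORM_ALIAS")" = PrivateKeyEntry ] &&
  [ "$(entry_type "$PLATFORM_KS" "$EC_ALIAS")" = trustedCertEntry ] &&
  [ "$(entry_type "$EC_KS" "$EC_ALIAS")" = PrivateKeyEntry ] &&
  [ "$(entry_type "$EC_KS" "$PLATFORM_ALIAS")" = trustedCertEntry ]
}

if command -v keytool >/dev/null 2>&1; then
  setup_mutual_trust
  if verify_trust; then
    echo "mutual trust configured under $WORKDIR"
  else
    echo "keystore check failed" >&2
    exit 1
  fi
fi
```

The check in verify_trust is the part worth keeping around: a keystore that contains only PrivateKeyEntry items has not had the peer certificate imported, and one that shows the peer under the wrong alias will not match the alias you later set in pico.rcp.tls.keystore.alias. A wrong result here is far cheaper to find before step 8 than after, since enabling client authentication with an incomplete keystore locks mzsh out, as the Info box below notes.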

  7. Set the RCP TLS properties in the Execution Container:

    • Use mzsh topo set to set these properties:

    • Code Block
      $ mzsh topo set 'topo://container:<execution container>/obj:common.pico.rcp.tls' \
      '{ keystore=<keystore path> }'
      $ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.keystore.password"' \
      <encrypted password>
      $ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.key.password"' \
      <encrypted password>
    • Note that "pico.rcp.tls.keystore.alias" must be the alias name of the Execution Container keystore’s PrivateKeyEntry.

    • For example,

    • Code Block
      pico.rcp.tls.keystore="/opt/mz/keys/keystore.p12"
      "pico.rcp.tls.keystore.password"="DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86"
      "pico.rcp.tls.key.password"="DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86"
      "pico.rcp.tls.keystore.alias"="ec"
  8. In the Platform Container, enable client authentication by setting the property pico.rcp.tls.require_clientauth to true.

    • Code Block
      $ mzsh topo set topo://container:<platform container>/val:common.pico.rcp.tls.require_clientauth true
    • Run mzsh topo open container to see the property:

    • Code Block
      pico.rcp.tls.require_clientauth="true"
  9. Restart the Platform, then restart the Execution Containers.

Info

If the Platform property pico.rcp.tls.require_clientauth is enabled and the Platform is restarted while the Execution Container RCP TLS properties are not yet set, you will not be able to execute mzsh topo set or mzsh topo open container. Therefore, ensure that all Execution Container RCP TLS properties are properly configured before enabling pico.rcp.tls.require_clientauth in the Platform container.

Legacy Desktop

When client authentication is enabled, each Desktop installation must authenticate itself to the Platform using a private key. The Desktop can use the same keystore file as the Platform Container.

...