...

  1. First, ensure that the keystore property is set in your Platform Container as a result of enabling one-way SSL on RCP. Refer to Enable One-way SSL On RCP.

    • Code Block
      "pico.rcp.tls.keystore"="/opt/mz/keys/keystore.p12"
  2. Create a Keystore and Key Pair on Each Execution Container:

    • For each Execution Container, generate a keystore and a key pair (private key and corresponding public certificate). This keystore will store the private key and the certificate.

  3. Export the Certificates from Execution Containers:

    • For each Execution Container, export the public certificate from its keystore.

    • Run the following command to export the Execution Container public certificate:

    • Code Block
      $ keytool -keystore <path_to_ec_keystore_file> -export -rfc -alias <alias_name> -file <certificate filename>

      For example, in the Execution Container, the created keystore file is eckeystore.p12. Run this command to export the Execution Container's public certificate to a file named ec_pubcert.pem.

    • Code Block
      $ keytool -keystore eckeystore.p12 -export -rfc -alias ec -file ec_pubcert.pem
  4. Import the Execution Container Certificates to the Platform Container:

    • Import the exported certificates from each Execution Container into the Platform Container's truststore. This allows the Platform Container to trust each Execution Container.

    • Copy the Execution Container’s public certificate to the Platform Container.

    • Run the following command to import the Execution Container’s public certificate into the Platform keystore set in pico.rcp.tls.keystore:

    • Code Block
      $ keytool -import -alias <alias_name> -file <certificate_file_name> -keystore <keystore file> -keypass <password> -storepass <password>

      For example, the Platform keystore set in the property pico.rcp.tls.keystore is $MZ_HOME/keys/keystore.p12. Set the alias name to 'ec'.

    • Code Block
      $ keytool -import -alias ec -file ec_pubcert.pem -keystore $MZ_HOME/keys/keystore.p12 -keypass mzadmin -storepass mzadmin

      Run this command to view the keystore.

    • Code Block
      $ keytool -list -keystore $MZ_HOME/keys/keystore.p12 -storepass mzadmin

      You should see two entries: alias 1 is the Platform Container's own key pair (PrivateKeyEntry), and alias ec is the imported Execution Container certificate (trustedCertEntry).

  5. Export the Platform Container Certificate:

    • Export the public certificate from the Platform Container's keystore.

    • Run the following command to export the Platform Container public certificate:

    • Code Block
      $ keytool -keystore <path_to_platform_keystore_file> -export -rfc -alias <alias_name> -file <certificate filename>

      For example, in the Platform Container, the created keystore file is keystore.p12. Run this command to export the Platform Container's public certificate to a file named platform_pubcert.pem.

    • Code Block
      $ keytool -keystore keystore.p12 -export -rfc -alias 1 -file platform_pubcert.pem
  6. Import the Platform Container Certificate to Execution Containers:

    • Import the exported Platform Container certificate into the truststore of each Execution Container. This allows the Execution Containers to trust the Platform Container.

    • Copy the Platform Container’s public certificate to each Execution Container.

    • Run the following command to import the Platform Container’s public certificate:

    • Code Block
      $ keytool -import -alias <alias_name> -file <certificate_file_name> -keystore <keystore file> -keypass <password> -storepass <password>

      For example, the Execution Container keystore is saved at $MZ_HOME/keys/keystore.p12. Set the alias name to '1'.

    • Code Block
      $ keytool -import -alias 1 -file platform_pubcert.pem -keystore $MZ_HOME/keys/keystore.p12 -keypass mzadmin -storepass mzadmin

      Run this command to view the keystore.

    • Code Block
      $ keytool -list -keystore $MZ_HOME/keys/keystore.p12 -storepass mzadmin

      You should see two entries: alias ec is the Execution Container's own key pair (PrivateKeyEntry), and alias 1 is the imported Platform Container certificate (trustedCertEntry).

  7. Set the RCP TLS properties in the Execution Container:

    • Use mzsh topo set to set these properties:

    • Code Block
      $ mzsh topo set 'topo://container:<execution container>/obj:common.pico.rcp.tls' \
      '{ keystore=<keystore path> }'
      $ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.keystore.password"' \
      <encrypted password>
      $ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.key.password"' \
      <encrypted password>
    • For example:

    • Code Block
      $ mzsh topo set 'topo://container:echost01/obj:common.pico.rcp.tls' \
      '{ keystore="/opt/mz/keys/eckeystore.p12" }'
      $ mzsh topo set 'topo://container:echost01/val:common."pico.rcp.tls.keystore.password"' \
      'DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86'
      $ mzsh topo set 'topo://container:echost01/val:common."pico.rcp.tls.key.password"' \
      'DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86'
      $ mzsh topo set 'topo://container:echost01/val:common."pico.rcp.tls.keystore.alias"' \
      ec
    • Note that "pico.rcp.tls.keystore.alias" must be the alias name of the Execution Container keystore’s PrivateKeyEntry.

    • The resulting Execution Container properties then look like this, for example:

    • Code Block
      pico.rcp.tls.keystore="/opt/mz/keys/keystore.p12"
      "pico.rcp.tls.keystore.password"="DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86"
      "pico.rcp.tls.key.password"="DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86"
      "pico.rcp.tls.keystore.alias"="ec"
  8. In the Platform Container, enable client authentication by setting the property pico.rcp.tls.require_clientauth to true.

    • Code Block
      $ mzsh topo set topo://container:<platform container>/val:common.pico.rcp.tls.require_clientauth true
    • Run mzsh topo open on the Platform Container to verify the property:

    • Code Block
      pico.rcp.tls.require_clientauth="true"
  9. Restart the Platform Container, followed by the Execution Containers.
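The following is an added verification helper for steps 4 and 6; it is not part of the original page or of the product. After the imports, list each keystore with `keytool -list -keystore <keystore> -storepass <password> > <listing-file>` on both sides and run check_mutual_trust on the two listings. It assumes the standard JDK keytool listing layout (an "alias, date, entryType," line followed by a "Certificate fingerprint" line) and uses the aliases from the page's examples (1 for the Platform Container, ec for the Execution Container). Beyond the "two entries" glance in the text, it also compares the fingerprint of the trusted copy with the fingerprint of the key pair the other side actually presents, which catches a stale export after a re-key. The listings below are constructed samples with made-up fingerprints.

```shell
#!/bin/sh
# Added helper (not the product's own code): checks two keytool listings for
# correctly configured mutual trust between Platform and Execution Container.

# Print the entry type for ALIAS in a keytool listing: entry_type <listing> <alias>
entry_type() {
  awk -v alias="$2" 'index($0, alias ", ") == 1 {
      if ($0 ~ /PrivateKeyEntry/) { print "PrivateKeyEntry" } else if ($0 ~ /trustedCertEntry/) { print "trustedCertEntry" } else { print "unknown" }; exit }' "$1"
}

# Print the certificate fingerprint of ALIAS: entry_fingerprint <listing> <alias>
# (the fingerprint is the last field of the line that follows the alias line)
entry_fingerprint() {
  awk -v alias="$2" '
    index($0, alias ", ") == 1 { found = 1; next }
    found && /Certificate fingerprint/ { print $NF; exit }' "$1"
}

# check_mutual_trust <platform-listing> <platform-alias> <ec-listing> <ec-alias>
# Returns 0 when mutual trust is correctly configured, 1 with a reason otherwise.
check_mutual_trust() {
  plat="$1"; plat_alias="$2"; ec="$3"; ec_alias="$4"
  # Each side must hold its own key pair ...
  [ "$(entry_type "$plat" "$plat_alias")" = "PrivateKeyEntry" ] ||
    { echo "platform: alias $plat_alias is not a PrivateKeyEntry"; return 1; }
  [ "$(entry_type "$ec" "$ec_alias")" = "PrivateKeyEntry" ] ||
    { echo "ec: alias $ec_alias is not a PrivateKeyEntry"; return 1; }
  # ... and the other side's certificate as a trusted entry.
  [ "$(entry_type "$plat" "$ec_alias")" = "trustedCertEntry" ] ||
    { echo "platform: EC certificate $ec_alias not imported as trustedCertEntry"; return 1; }
  [ "$(entry_type "$ec" "$plat_alias")" = "trustedCertEntry" ] ||
    { echo "ec: platform certificate $plat_alias not imported as trustedCertEntry"; return 1; }
  # The trusted copy must be the certificate the other side really uses; a stale
  # export (e.g. after re-keying) passes the entry checks but fails here.
  [ "$(entry_fingerprint "$plat" "$ec_alias")" = "$(entry_fingerprint "$ec" "$ec_alias")" ] ||
    { echo "platform: trusted EC certificate does not match the EC key pair"; return 1; }
  [ "$(entry_fingerprint "$ec" "$plat_alias")" = "$(entry_fingerprint "$plat" "$plat_alias")" ] ||
    { echo "ec: trusted platform certificate does not match the platform key pair"; return 1; }
  echo "mutual trust OK"
}

# Constructed sample listings (fingerprints are made up, not real certificates).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PLATFORM_LIST="$WORK/platform.txt"
EC_LIST="$WORK/ec.txt"
EC_STALE_LIST="$WORK/ec_stale.txt"
cat > "$PLATFORM_LIST" <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

1, Jan 10, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 10:10:10:10:10:10:10:10:10:10:10:10:10:10:10:10
ec, Jan 10, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): EC:EC:EC:EC:EC:EC:EC:EC:EC:EC:EC:EC:EC:EC:EC:EC
EOF
cat > "$EC_LIST" <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

ec, Jan 10, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): EC:EC:EC:EC:EC:EC:EC:EC:EC:EC:EC:EC:EC:EC:EC:EC
1, Jan 10, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 10:10:10:10:10:10:10:10:10:10:10:10:10:10:10:10
EOF
# Same EC, but its key pair was regenerated after the platform imported the old certificate.
cat > "$EC_STALE_LIST" <<'EOF'
ec, Feb 2, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 0E:0E:0E:0E:0E:0E:0E:0E:0E:0E:0E:0E:0E:0E:0E:0E
1, Jan 10, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 10:10:10:10:10:10:10:10:10:10:10:10:10:10:10:10
EOF

check_mutual_trust "$PLATFORM_LIST" 1 "$EC_LIST" ec                 # succeeds
check_mutual_trust "$PLATFORM_LIST" 1 "$EC_STALE_LIST" ec || true   # reports the mismatch
```

Run it with the real listings by replacing the three constructed files with the output of keytool -list from each container; the check is also useful after any later re-key, since only the fingerprint comparison reveals that the trusted copy is out of date.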

...