Versions Compared

Version Old Version 1 New Version Current
Changes made by

Jenni Wallin

Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

TLS can be set up to demand authentication from all clients that run outside the local host. The Platform, EC/ECSAsECs, SCs will then ask for valid certificates from each connecting pico instance.

...

  1. Set the properties that specifies the keystore path and the passwords in each Execution Container. Use the same values as for the Platform Container.

    Info
    titleExample - Retrieving the values from the Platform Container


    Code Block
    languagetext
    themeEclipse
    $ mzsh topo get --format data-only topo://container:<platform container>/val:common.pico.rcp.tls.keystore

$ mzsh topo get --format data-only topo://container:<platform container>/val:common.pico.rcp.tls.keystore.password

$ mzsh topo get --format data-only topo://container:<platform container>/val:common.pico.rcp.tls.key.password

    If aliases are used in the keystore, you can use this for retrieving the value of the alias used by the platform certificate.

    Code Block
    $ mzsh topo get --format data-only topo://container:<platform container>/val:common.pico.rcp.tls.keystore.alias



    Info
    titleExample - Configuring keystore properties


    Code Block
    languagetext
    themeEclipse
    $ mzsh topo set 'topo://container:<execution container>/obj:common.pico.rcp.tls' \
'{ keystore=${mz.home}"/keys" }'

$ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.keystore.password"' \
<encrypted password>

$ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.key.password"' \
<encrypted password>

    If aliases are used in the keystore, you can use this to configure the value of the alias.

    Code Block
    $ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.keystore.alias"' \
<encrypted password>



  2. There are two methods that you can use to make the client/server certificates available on all containers.
    1. Copy the keystore file that was created in TLS Standard Setup from the Platform Container to each of the Execution Containers. The target path is specified by the property pico.rcp.tls.keystore.

    2. Create a keystore and key pair on each Execution Container, then export and import the certficates. The certificate from the Platform Container must be exported to all Execution Containers. The certificates from the Execution Containers must be exported to the Platform Container.

    Run the following command to export a certificate:

    Code Block
    languagetext
    themeEclipse
     $ keytool -keystore <keystore file> -export -rfc -alias <alias_name> -file <certificate filename>


    Info
    titleExample - Exporting a certificate


    Code Block
    languagetext
    themeEclipse
    $ keytool -keystore $MZ_HOME/keys/container.keys -export -rfc -alias platform -file $MZ_HOME/keys/platform.pem


    Run the following command to import a certificate:

    Code Block
    languagetext
    themeEclipse
    $ keytool -import -alias <alias_name> -file <certificate_file_name> -keystore <keystore file> -keypass <password> -storepass <password>


    Info
    titleExample - Importing a certificate


    Code Block
    languagetext
    themeEclipse
    $ keytool -import -alias platform -file $MZ_HOME/keys/container.pem -keystore $MZ_HOME/keys/container.keys -keypass changeit -storepass changeit



  3. Enable client authentication by setting the property pico.rcp.tls.require_clientauth to true.

    Info
    titleExample - Enabling client authentication


    Code Block
    languagetext
    themeEclipse
    $ mzsh topo set topo://container:<platform container>/val:common.pico.rcp.tls.require_clientauth true



  4. Restart the system

Desktops

When client authentication is enabled, each desktop installation must authenticate itself to the Platform using a private key. You have to import this key in the Desktop Launcher in order to connect to the Platform. The certificate must also be imported as a trusted certificate in the Platform keystore.

  1. Run the following command to create a keystore that contains a private key.

    Code Block
    $ keytool -genkey -keystore <keystore file> -alias <alias> -keyalg RSA -keysize 2048


    Info
    titleExample - Creating the key


    Code Block
    $ keytool -genkey -keystore $MZ_HOME/keys/clientkey.keys -alias client -keyalg RSA -keysize 2048



  2. Copy the keystore file to the host that will run the Desktop Launcher.

  3. Create a certificate file that is associated with the key that you created in the previous step.

    Code Block
    $ keytool -keystore <keystore file> -exportcert -alias <alias> -file <certificate filename>


    Info
    titleExample - Creating a certificate


    Code Block
    $ keytool -keystore $MZ_HOME/keys/clientkey.keys -exportcert -alias client -file clientcert.cer



  4. Import the certificate to the platform

    Code Block
    $ keytool -keystore <platform keystore> -import -file <certificate filename>  -alias <alias>


    Info
    titleExample - Importing a certificate


    Code Block
    $ keytool -keystore $MZ_HOME/keys/container.keys -import -file clientcert.cer  -alias clientcert



  5. Open the Desktop Launcher.

  6. Right-click on a instance and a Image Added instance and then select Instance Settings from the popup menu. Select the Security tab.

  7. Right-click on the text field under Client Key and select Import Key From File.

  8. Select the key file that you copied in step 2.


Scroll pagebreak