Versions Compared

Version Old Version 5 New Version Current
Changes made by

Chooi San Chong

Chooi San Chong

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. First, ensure that the keystore property is set in your platform container as a result of enabling one-way SSL on RCP. Refer Enable One-way SSL On RCP.

    • Code Block
      "pico.rcp.tls.keystore"="/opt/mz/keys/keystore.p12"

  2. Create a Keystore and Key Pair on Each Execution Container:

    • For each Execution Container, generate a keystore and a key pair (private key and corresponding public certificate). This keystore will store the private key and the certificate.

  3. Export the Certificates from Execution Containers:

    • For each Execution Container, export the public certificate from its keystore.

    • Run the following command to export the Execution Container public certificate:

    • Code Block
      languagetext
       $ keytool -keystore <path_to_ec_keystore_file> -export -rfc -alias <alias_name> -file <certificate filename>

      For example, in the Execution Container, the created keystore file is eckeystore.p12. Run this command to export the Execution Container's public certificate to a file named ec_pubcert.pem.

    • Code Block
      $ keytool -keystore eckeystore.p12 -export -rfc -alias ec -file ec_pubcert.pem

  4. Import the Execution Container Certificates to the Platform Container:

    • Import the exported certificates from each Execution Container into the Platform Container's truststore. This allows the Platform Container to trust each Execution Container.

    • Copy the Execution Container’s public certificate to Platform container.

    • Run the following command to import the Execution Container’s public certificate into the Platform keystore set in pico.rcp.tls.keystore:

    • Code Block
      languagetext
      $ keytool -import -alias <alias_name> -file <certificate_file_name> -keystore <keystore file> -keypass <password> -storepass <password>

      For example, the Platform keystore set in the property pico.rcp.tls.keystore is $MZ_HOME/keys/keystore.p12. Set the alias name to 'ec'.

    • Code Block
      keytool -import -alias ec -file ec_pubcert.pem -keystore $MZ_HOME/keys/keystore.p12 -keypass mzadmin -storepass mzadmin

      Run this command to view the keystore.

    • Code Block
      $ keytool -list -keystore $MZ_HOME/keys/keystore.p12 -storepass mzadmin

      You should see two entries: alias 1 is the Platform keystore (PrivateKeyEntry), and alias ec is the Execution Container keystore (trustedCertEntry).

  5. Export the Platform Container Certificate:

    • Export the public certificate from the Platform Container's keystore.

    • Run the following command to export the Platform Container public certificate:

    • Code Block
      languagetext
       $ keytool -keystore <path_to_platform_keystore_file> -export -rfc -alias <alias_name> -file <certificate filename>

      For example, in the Platform Container, the created keystore file is keystore.p12. Run this command to export the Platform Container's public certificate to a file named platform_pubcert.pem.

    • Code Block
      $ keytool -keystore keystore.p12 -export -rfc -alias 1 -file platform_pubcert.pem

  6. Import the Platform Container Certificate to Execution Containers:

    • Import the exported Platform Container certificate into the truststore of each Execution Container. This allows the Execution Containers to trust the Platform Container.

    • Copy the Platform public certificate to Execution container.

    • Run the following command to import Platform public certificate:

    • Code Block
      $ keytool -import -alias <alias_name> -file <certificate_file_name> -keystore <keystore file> -keypass <password> -storepass <password>

      For example, the Execution Container keystore saved in location $MZ_HOME/keys/keystore.p12. Set the alias name to '1'.

    • Code Block
      $ keytool -import -alias 1 -file platform_pubcert.pem -keystore $MZ_HOME/keys/keystore.p12 -keypass mzadmin -storepass mzadmin

      Run this command to view the keystore.

    • Code Block
      $ keytool -list -keystore $MZ_HOME/keys/keystore.p12 -storepass mzadmin

      You should see two entries: alias ec is the Execution Container keystore (PrivateKeyEntry), and alias 1 is the Platform Container keystore (trustedCertEntry).

  7. Set the RCP TLS properties in the Execution Container:

    • Use mzsh topo set to set these properties:

    • Code Block
      $ mzsh topo set 'topo://container:<execution container>/obj:common.pico.rcp.tls' \
'{ keystore=<keystore path> }'
$ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.keystore.password"' \
<encrypted password>
$ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.key.password"' \
<encrypted password>

    • Example,

    • Code Block
      $ mzsh topo set 'topo://container:echost01/obj:common.pico.rcp.tls' \
'{ keystore="/opt/mz/keys/eckeystore.p12" }'
$ mzsh topo set 'topo://container:echost01/val:common."pico.rcp.tls.keystore.password"' \
'DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86'
$ mzsh topo set 'topo://container:echost01/val:common."pico.rcp.tls.key.password"' \
'DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86'
$ mzsh topo set 'topo://container:echost01/val:common."pico.rcp.tls.keystore.alias"' \
1

    • Note that "pico.rcp.tls.keystore.alias" must be the alias name of the Execution Container keystore’s PrivateKeyEntry.

    • For example,

    • Code Block
      pico.rcp.tls.keystore="/opt/mz/keys/keystore.p12"
"pico.rcp.tls.keystore.password"="DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86"
"pico.rcp.tls.key.password"="DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86"
"pico.rcp.tls.keystore.alias"="ec"

  8. In Platform Container, enable client authentication by setting the property pico.rcp.tls.require_clientauth to true.

    • Code Block
      $ mzsh topo set topo://container:<platform container>/val:common.pico.rcp.tls.require_clientauth true

      Example,

    • Code Block
      mzsh topo set topo://container:platform/val:common.pico.rcp.tls.require_clientauth true

    • Run mzsh topo open container to see the property:

    • Code Block
      pico.rcp.tls.require_clientauth="true"

  9. Restart the Platform, followed by restarting the ECs.

...

  1. Copy the keystore file created above to the host where the Desktop Launcher will be run.

  2. Copy the certificate file created above to Platform Container.

  3. Import the certificate to the platform.

    Code Block
    $ keytool -keystore <path_to_platform_keystore-file> -import -file <certificate filename>  -alias <alias>

    For example, this command import certificate to Platform keystore.

  • Code Block
    $ keytool -keystore $MZ_HOME/keys/keystore.p12 -import -file clientcert.cer  -alias clientcert

If you view the keystore, you should see the entry of alias clientcert which is the Client desktop keystore (trustedCertEntry).

...