
If you prefer to use a different, new keystore for remote picos, follow these steps.

Execution Context

  1. First, ensure that the keystore property is set in your Platform Container as a result of enabling one-way SSL on RCP. Refer to Enable One-way SSL On RCP.

     "pico.rcp.tls.keystore"="/opt/mz/keys/keystore.p12"
  2. Create a Keystore and Key Pair on Each Execution Container:

    • For each Execution Container, generate a keystore and a key pair (private key and corresponding public certificate). This keystore will store the private key and the certificate.

  3. Export the Certificates from Execution Containers:

    • For each Execution Container, export the public certificate from its keystore.

    • Run the following command to export the Execution Container public certificate:

    • $ keytool -keystore <path_to_ec_keystore_file> -export -rfc -alias <alias_name> -file <certificate filename>

      For example, in the Execution Container, the created keystore file is eckeystore.p12. Run this command to export the Execution Container's public certificate to a file named ec_pubcert.pem.

    • $ keytool -keystore eckeystore.p12 -export -rfc -alias ec -file ec_pubcert.pem
  4. Import the Execution Container Certificates to the Platform Container:

    • Import the exported certificates from each Execution Container into the Platform Container's truststore. This allows the Platform Container to trust each Execution Container.

    • Copy the Execution Container's public certificate to the Platform Container.

    • Run the following command to import the Execution Container’s public certificate into the Platform keystore set in pico.rcp.tls.keystore:

    • $ keytool -import -alias <alias_name> -file <certificate_file_name> -keystore <keystore file> -keypass <password> -storepass <password>

      For example, the Platform keystore set in the property pico.rcp.tls.keystore is $MZ_HOME/keys/keystore.p12. Set the alias name to 'ec'.

    • $ keytool -import -alias ec -file ec_pubcert.pem -keystore $MZ_HOME/keys/keystore.p12 -keypass mzadmin -storepass mzadmin

      Run this command to view the keystore.

    • $ keytool -list -keystore $MZ_HOME/keys/keystore.p12 -storepass mzadmin

      You should see two entries: alias 1 is the Platform keystore (PrivateKeyEntry), and alias ec is the Execution Container keystore (trustedCertEntry).

  5. Export the Platform Container Certificate:

    • Export the public certificate from the Platform Container's keystore.

    • Run the following command to export the Platform Container public certificate:

    • $ keytool -keystore <path_to_platform_keystore_file> -export -rfc -alias <alias_name> -file <certificate filename>

      For example, in the Platform Container, the created keystore file is keystore.p12. Run this command to export the Platform Container's public certificate to a file named platform_pubcert.pem.

    • $ keytool -keystore keystore.p12 -export -rfc -alias 1 -file platform_pubcert.pem
  6. Import the Platform Container Certificate to Execution Containers:

    • Import the exported Platform Container certificate into the truststore of each Execution Container. This allows the Execution Containers to trust the Platform Container.

    • Copy the Platform public certificate to the Execution Container.

    • Run the following command to import the Platform public certificate:

    • $ keytool -import -alias <alias_name> -file <certificate_file_name> -keystore <keystore file> -keypass <password> -storepass <password>

      For example, the Execution Container keystore is saved at $MZ_HOME/keys/keystore.p12. Set the alias name to '1'.

    • $ keytool -import -alias 1 -file platform_pubcert.pem -keystore $MZ_HOME/keys/keystore.p12 -keypass mzadmin -storepass mzadmin

      Run this command to view the keystore.

    • $ keytool -list -keystore $MZ_HOME/keys/keystore.p12 -storepass mzadmin

      You should see two entries: alias ec is the Execution Container keystore (PrivateKeyEntry), and alias 1 is the Platform Container keystore (trustedCertEntry).

  7. Set the RCP TLS properties in the Execution Container:

    • Use mzsh topo set to set these properties:

    • $ mzsh topo set 'topo://container:<execution container>/obj:common.pico.rcp.tls' \
      '{ keystore=<keystore path> }'
      $ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.keystore.password"' \
      <encrypted password>
      $ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.key.password"' \
      <encrypted password>
    • Note that "pico.rcp.tls.keystore.alias" must be the alias name of the Execution Container keystore’s PrivateKeyEntry.

    • For example,

    • pico.rcp.tls.keystore="/opt/mz/keys/keystore.p12"
      "pico.rcp.tls.keystore.password"="DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86"
      "pico.rcp.tls.key.password"="DR_8.1_KEY-1-9E5885A757778BFB153C6C877A7D9A86"
      "pico.rcp.tls.keystore.alias"="ec"
  8. In Platform Container, enable client authentication by setting the property pico.rcp.tls.require_clientauth to true.

    • $ mzsh topo set topo://container:<platform container>/val:common.pico.rcp.tls.require_clientauth true
    • Run mzsh topo open container to see the property:

    • pico.rcp.tls.require_clientauth="true"
  9. Restart the Platform, followed by restarting the ECs.

If the Platform property pico.rcp.tls.require_clientauth is enabled and the Platform is restarted while the Execution Container RCP TLS properties are not yet set, you will not be able to execute mzsh topo set or mzsh topo open container. Therefore, ensure that all Execution Container RCP TLS properties are properly configured before enabling pico.rcp.tls.require_clientauth in the Platform container.
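A quick check for the keystore listings that steps 4 and 6 ask you to inspect, and a guard to run before enabling pico.rcp.tls.require_clientauth. This is an added example, not part of the original page or the MediationZone product: it parses keytool -list output (the constructed samples below stand in for real listings; fingerprints are placeholders) and confirms that the expected PrivateKeyEntry and trustedCertEntry aliases are present.

```shell
#!/bin/sh
# Constructed sample of `keytool -list` output for the Execution Container
# keystore after step 6 (fingerprints are placeholders, not real values).
SAMPLE_EC_LIST='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

ec, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:11:11:11
1, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 22:22:22:22'

# Constructed sample for the Platform keystore after step 4.
SAMPLE_PLATFORM_LIST='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

1, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 22:22:22:22
ec, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:11:11:11'

# entry_type LISTING ALIAS: print the entry type recorded for ALIAS in a
# `keytool -list` LISTING (empty output when the alias is absent).
# Entry lines look like "<alias>, <date>, <type>,", so the type is the last field.
entry_type() {
    printf '%s\n' "$1" | awk -F', ' -v a="$2" '
        $1 == a { t = $NF; sub(/,$/, "", t); print t; exit }'
}

# check_keystore LISTING PRIVATE_ALIAS [TRUSTED_ALIAS ...]: succeed only when
# PRIVATE_ALIAS is a PrivateKeyEntry and every TRUSTED_ALIAS is a trustedCertEntry.
check_keystore() {
    listing=$1; priv=$2; shift 2
    [ "$(entry_type "$listing" "$priv")" = "PrivateKeyEntry" ] ||
        { echo "alias '$priv' is not a PrivateKeyEntry" >&2; return 1; }
    for t in "$@"; do
        [ "$(entry_type "$listing" "$t")" = "trustedCertEntry" ] ||
            { echo "alias '$t' is not a trustedCertEntry" >&2; return 1; }
    done
}

# Against a live keystore (assumes keytool on PATH and STOREPASS set), e.g. on an EC:
#   check_keystore "$(keytool -list -keystore "$MZ_HOME/keys/keystore.p12" \
#       -storepass "$STOREPASS")" ec 1 && echo "EC keystore ready for client auth"
```

Run it on every Execution Container (expecting the EC alias as PrivateKeyEntry and alias 1 as trustedCertEntry) and on the Platform (the reverse) before setting pico.rcp.tls.require_clientauth, so that the restart in step 9 does not lock you out of mzsh topo.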

Legacy Desktop

When client authentication is enabled, each desktop installation must authenticate itself to the Platform using a private key. The desktop can use the same keystore file as the Platform Container.

If you prefer to use a different keystore file for the desktop client connection, follow these steps:

  1. Run the following command to create a keystore that contains a private key.

     $ keytool -genkey -keystore <path_to_keystore_file> -alias client -keyalg RSA -keysize 2048 -storetype PKCS12

     For example, this command creates a keystore file named clientkey.keys.

     $ keytool -genkey -keystore clientkey.keys -alias client -keyalg RSA -keysize 2048 -storetype PKCS12

  2. Create a certificate file that is associated with the key that you created in the previous step.

     $ keytool -keystore <path_to_keystore_file> -exportcert -alias <alias> -file <certificate filename>

     For example, this command generates a certificate named clientcert.cer.

     $ keytool -keystore clientkey.keys -exportcert -alias client -file clientcert.cer

  3. Copy the keystore file created above to the host where the Desktop Launcher will be run.

  4. Copy the certificate file created above to the Platform Container.

  5. Import the certificate into the Platform keystore.

     $ keytool -keystore <path_to_platform_keystore-file> -import -file <certificate filename> -alias <alias>

     For example, this command imports the certificate into the Platform keystore.

     $ keytool -keystore $MZ_HOME/keys/keystore.p12 -import -file clientcert.cer -alias clientcert

If you view the keystore, you should see an entry with alias clientcert, which is the desktop client's certificate (trustedCertEntry).

  6. Open the Desktop Launcher.

  7. Right-click on a MediationZone instance and then select Instance Settings from the popup menu. Select the Security tab.

  8. Right-click on the text field under Client Key and select Import Key From File.

  9. Select the keystore file from step 1 and click Open.

  10. Enter the keystore password and click OK to add it to Client Key.

  11. Click OK to close the Security tab and proceed with Login.
