4.2.1.2.1 Using The Same Keystore

If you prefer to use the Platform Container Keystore for all remote picos, follow these steps.

Execution Context

  1. Copy the keystore file that was created in Enable One-way SSL On RCP from the Platform Container to each of the Execution Containers. Place it in $MZ_HOME/keys on the Execution Container.

  2. Retrieve the keystore path, passwords and alias properties from the Platform Container.

Commands retrieving the values from the Platform Container

$ mzsh topo get --format data-only topo://container:<platform container>/val:common.pico.rcp.tls.keystore
$ mzsh topo get --format data-only topo://container:<platform container>/val:common.pico.rcp.tls.keystore.password
$ mzsh topo get --format data-only topo://container:<platform container>/val:common.pico.rcp.tls.key.password

If aliases are used in the keystore, use the following command to retrieve the alias used by the platform certificate.

$ mzsh topo get --format data-only topo://container:<platform container>/val:common.pico.rcp.tls.keystore.alias

  3. Set these same properties in each Execution Container. The keystore passwords and alias should have the same values as in the Platform Container.

Commands configuring keystore properties

$ mzsh topo set 'topo://container:<execution container>/obj:common.pico.rcp.tls' \
    '{ keystore=<keystore path> }'
$ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.keystore.password"' \
    <encrypted password>
$ mzsh topo set 'topo://container:<execution container>/val:common."pico.rcp.tls.key.password"' \
    <encrypted password>

If aliases are used in the keystore, you can use this to configure the value of the alias.

Example,

Run mzsh topo open container to see the property:

  4. In the Platform Container, enable client authentication by setting the property pico.rcp.tls.require_clientauth to true.

Run mzsh topo open container to see the property:

  5. Restart the Platform, then restart the ECs.
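
The script below is an added example, not part of the vendor documentation. It wraps steps 2 and 3 for several Execution Containers using only the mzsh topo get and topo set forms shown above, then reads each value back and compares it with the Platform Container's value. It assumes that --format data-only prints only the bare value and that the retrieved password values can be set unchanged; the function names rcp_get and sync_rcp_tls are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes `mzsh topo get --format data-only`
# prints only the bare property value, and that the stored password values can
# be set as-is (the page sets an <encrypted password>).

PROPS="pico.rcp.tls.keystore pico.rcp.tls.keystore.password pico.rcp.tls.key.password"

# rcp_get <container> <property>: read one common.* value from a container.
rcp_get() {
    mzsh topo get --format data-only "topo://container:$1/val:common.$2"
}

# sync_rcp_tls <platform container> <execution container>...
sync_rcp_tls() {
    platform=$1
    [ $# -ge 2 ] || { echo "usage: sync_rcp_tls <platform> <ec>..." >&2; return 2; }
    shift

    ks=$(rcp_get "$platform" pico.rcp.tls.keystore) || return 1
    ks_pw=$(rcp_get "$platform" pico.rcp.tls.keystore.password) || return 1
    key_pw=$(rcp_get "$platform" pico.rcp.tls.key.password) || return 1
    # Never push an empty path or password to an Execution Container.
    [ -n "$ks" ] && [ -n "$ks_pw" ] && [ -n "$key_pw" ] || {
        echo "empty keystore property on $platform" >&2; return 1; }

    for ec in "$@"; do
        base="topo://container:$ec"
        mzsh topo set "$base/obj:common.pico.rcp.tls" "{ keystore=$ks }" || return 1
        mzsh topo set "$base/val:common.\"pico.rcp.tls.keystore.password\"" "$ks_pw" || return 1
        mzsh topo set "$base/val:common.\"pico.rcp.tls.key.password\"" "$key_pw" || return 1

        # Read back and compare; report property names only, never the values.
        for p in $PROPS; do
            want=$(rcp_get "$platform" "$p") && got=$(rcp_get "$ec" "$p") || return 1
            [ "$want" = "$got" ] || { echo "mismatch on $ec: $p" >&2; return 1; }
        done
    done
}

# Usage: sync_rcp_tls <platform container> <execution container> [...]
```

The keystore alias is not handled here; if the keystore uses one, set it separately. The restart in step 5 is still required afterwards.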

Legacy Desktop

  1. Copy the keystore file that was created in Enable One-way SSL On RCP from the Platform Container to each desktop launcher client machine.

  2. When attempting to log in to the platform, the desktop launcher will display a window stating, 'Instance requires client authentication and no client key is available. Import Client Key?'.

  3. Click Yes and browse to the keystore file location.

  4. After clicking OK, enter the keystore password.
