4.2.1.2.2 Creating A New Keystore

If you prefer to use a different, new keystore for remote picos, follow these steps.

Execution Context

  1. First, ensure that the keystore property is set in your Platform Container as a result of enabling one-way SSL on RCP. Refer to Enable One-way SSL On RCP.

    • "pico.rcp.tls.keystore"="/opt/mz/keys/keystore.p12"
  2. Create a Keystore and Key Pair on Each Execution Container:

    • For each Execution Container, generate a keystore and a key pair (private key and corresponding public certificate). This keystore will store the private key and the certificate.

  3. Export the Certificates from Execution Containers:

    • For each Execution Container, export the public certificate from its keystore.

    • Run the following command to export the Execution Container public certificate:

    •  $ keytool -keystore <path_to_ec_keystore_file> -export -rfc -alias <alias_name> -file <certificate filename>

      For example, in the Execution Container, the created keystore file is eckeystore.p12. Run this command to export the Execution Container's public certificate to a file named ec_pubcert.pem.

    • $ keytool -keystore eckeystore.p12 -export -rfc -alias ec -file ec_pubcert.pem
  4. Import the Execution Container Certificates to the Platform Container:

    • Import the exported certificates from each Execution Container into the Platform Container's truststore. This allows the Platform Container to trust each Execution Container.

    • Copy the Execution Container’s public certificate to the Platform Container.

    • Run the following command to import the Execution Container’s public certificate into the Platform keystore set in pico.rcp.tls.keystore:

    • For example, the Platform keystore set in the property pico.rcp.tls.keystore is $MZ_HOME/keys/keystore.p12. Set the alias name to 'ec'.

    • Run this command to view the keystore.

    • You should see two entries: alias 1 is the Platform keystore (PrivateKeyEntry), and alias ec is the Execution Container keystore (trustedCertEntry).

  5. Export the Platform Container Certificate:

    • Export the public certificate from the Platform Container's keystore.

    • Run the following command to export the Platform Container public certificate:

    • For example, in the Platform Container, the created keystore file is keystore.p12. Run this command to export the Platform Container's public certificate to a file named platform_pubcert.pem.

  6. Import the Platform Container Certificate to Execution Containers:

    • Import the exported Platform Container certificate into the truststore of each Execution Container. This allows the Execution Containers to trust the Platform Container.

    • Copy the Platform Container's public certificate to the Execution Container.

    • Run the following command to import the Platform public certificate:

    • For example, the Execution Container keystore is saved in the location $MZ_HOME/keys/keystore.p12. Set the alias name to '1'.

    • Run this command to view the keystore.

    • You should see two entries: alias ec is the Execution Container keystore (PrivateKeyEntry), and alias 1 is the Platform Container keystore (trustedCertEntry).

  7. Set the RCP TLS properties in the Execution Container:

    • Use mzsh topo set to set these properties:

    • Example,

    • Note that "pico.rcp.tls.keystore.alias" must be the alias name of the Execution Container keystore’s PrivateKeyEntry.

    • For example,

  8. In the Platform Container, enable client authentication by setting the property pico.rcp.tls.require_clientauth to true.

    • Example,

    • Run mzsh topo open container to see the property:

  9. Restart the Platform, followed by restarting the ECs.

If the Platform property pico.rcp.tls.require_clientauth is enabled and the Platform is restarted while the Execution Container RCP TLS properties are not yet set, you will not be able to execute mzsh topo set or mzsh topo open container. Therefore, ensure that all Execution Container RCP TLS properties are properly configured before enabling pico.rcp.tls.require_clientauth in the Platform container.
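
A pre-flight check for the warning above, as an added example that is not part of the product documentation: it reads keytool -list output and confirms that a keystore holds its own PrivateKeyEntry and the peer's trustedCertEntry, using the aliases 1 and ec from steps 4 and 6. The function names are hypothetical and the two listings are constructed samples with placeholder fingerprints.

```shell
#!/bin/sh
# Added example: pre-flight check before setting pico.rcp.tls.require_clientauth.
# Function names are hypothetical; the listings below are constructed samples
# shaped like `keytool -list` output, with placeholder fingerprints.

# Print one "alias=EntryType" line per keystore entry read from stdin.
keystore_entries() {
  awk -F', *' '{
    for (i = 2; i <= NF; i++)
      if ($i ~ /^(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry)$/) print $1 "=" $i
  }'
}

# check_keystore <own alias> <peer alias>: succeed only if the listing on stdin
# holds our private key and the peer's certificate as a trusted entry.
check_keystore() {
  ck_entries=$(keystore_entries)
  ck_rc=0
  printf '%s\n' "$ck_entries" | grep -Fqx "$1=PrivateKeyEntry" ||
    { echo "missing PrivateKeyEntry for alias '$1'" >&2; ck_rc=1; }
  printf '%s\n' "$ck_entries" | grep -Fqx "$2=trustedCertEntry" ||
    { echo "missing trustedCertEntry for alias '$2'" >&2; ck_rc=1; }
  return $ck_rc
}

# Constructed sample: Platform keystore after step 4.
PLATFORM_LIST='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

1, Mar 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>
ec, Mar 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>'

# Constructed sample: Execution Container keystore where step 6 was skipped.
EC_LIST_INCOMPLETE='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

ec, Mar 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>'

# Real use: keytool -list -keystore <file> -storepass:env KS_PASS | check_keystore 1 ec
printf '%s\n' "$PLATFORM_LIST" | check_keystore 1 ec && echo "platform keystore: ok"
printf '%s\n' "$EC_LIST_INCOMPLETE" | check_keystore ec 1 || echo "EC keystore: not ready"
```

Run the check against the Platform keystore and every Execution Container keystore, and set pico.rcp.tls.require_clientauth only when all of them pass.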

 

Legacy Desktop

When client authentication is enabled, each desktop installation must authenticate itself to the Platform using a private key. The Desktop can use the same keystore file from the Platform Container.

If you prefer to use a different keystore file for the desktop client connection, follow these steps:

  1. Run the following command to create a keystore that contains a private key.

    For example, this command creates a keystore file named clientkey.keys.

  2. Create a certificate file that is associated with the key that you created in the previous step.

    For example, this command generates a certificate named clientcert.cer.

  3. Copy the keystore file created above to the host where the Desktop Launcher will be run.

  4. Copy the certificate file created above to the Platform Container.

  5. Import the certificate to the Platform.

    For example, this command imports the certificate to the Platform keystore.

If you view the keystore, you should see the entry with alias clientcert, which is the Client desktop keystore (trustedCertEntry).

  6. Open the Desktop Launcher.

  7. Right-click on a MediationZone instance and then select Instance Settings from the popup menu. Select the Security tab.

  8. Right-click on the text field under Client Key and select Import Key From File.

  9. Select the keystore file from step 1 and click Open.

  10. Enter the keystore password and click OK to add it to Client Key.

  11. Click OK to close the Security tab and proceed with Login.