In order to protect the system, it is recommended that the machines within the Control Zone and Execution Zone are placed behind firewalls. For further information how this setup is done, see Communications through Firewalls in Network Security.

The internal protocol RCP and HTTP are used for communication between pico instances. It is recommended that both RCP and HTTP are encrypted with TLS, with or without authentication. For further information about how to set up encryption, see RCP Encryption and HTTP Encryption in Network Security.

Users that have the relevant permissions can login to the Platform or ECs via the Web Interface using HTTP or HTTPS. The credential and permissions for the Platform Web Interface are configured in the Access Controller in the Desktop.

The default user mzadmin, can login to Execution Context Web Interface and the password must be set in the Execution Context property ec.httpd.password. This property should be changed to the encrypted form. For more information about how to encrypt the password, see encryptpassword in Always Available in the Command Line Tool Reference Guide.


The cookies used by both web interfaces have the HttpOnly and Secure flags set.

The HTTP TRACE command is not allowed by the web interfaces in .

Pico instances such as ECs and SCs can be started remotely from the Platform Container via SSH. Remote access is disabled by default but can be enabled via the mzsh commando topo. For further information about enabling remote access to Execution Containers, see Remote Access to Containers.