Rice Client Application Certificate Requirements
To facilitate KSB communication between the Rice central server and client applications, a certificate is required for each client application that connects to the Rice Standalone Server. The following steps explain how to comply with the certificate requirements.
Development Environments
- For the development environments, you may generate a self-signed certificate for the client machine and add it to the attached rice-test.keystore using the following command:
keytool -keystore rice-test.keystore -storepass nowUCme_nowUdont -v -alias <your alias> -genkeypair -validity 9999 -dname "CN=<your fully qualified machine name>, OU=<your organization>, O=UC Davis, L=Davis, ST=California, C=US"
- Install the updated rice-test.keystore in your environment where it will be referenced in the rice configuration files.
- A copy of the updated rice-test.keystore must also be installed on the Rice Standalone Server and on all Rice clients in the environment (KFS, KC).
- An additional cert is required for client applications connecting to the rice-sandboxes environment. The rice-sandboxes.ucdavis.edu machine does not currently have an InCommon cert; therefore, a certificate from rice-sandboxes.ucdavis.edu (rice-sandboxes_ucdavis_edu.pem) must be imported into the Java cacerts bundle on the client machine. The following command shows how to import the cert (attached) for the rice-sandboxes.ucdavis.edu development machine:
keytool -importcert -file rice-sandboxes_ucdavis_edu.pem -keystore cacerts -storepass changeit -alias rice-sandboxes.ucdavis.edu
Production Environment
- For the production environment, an InCommon Certificate is required for the client application which will be connecting to the production Rice Standalone Server.
- The InCommon certificate is then installed in the client application keystore along with the private key. The InCommon certificate is then forwarded to the rice team, along with the alias used, for addition to the rice central server keystore as well as the keystores of the other client applications in the environment.
- The client application must also request that the rice team forward the certificates from all of the applications in the production environment, including the rice central server. These certificates must also be installed in the client application keystore, again with the proper alias.
- For more information on how to request an InCommon certificate for your application, visit the following link and click on the SSL Certificate category: MyUCDavis > UCD Resources > Software
It is recommended that certificates be imported into the client keystore with an alias which matches the rice application id (e.g., rice, kfs, etc.). Keeping the alias a simple, intuitive value helps prevent alias mismatches between the various keystores, which will cause KSB communication to fail.
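One way to catch an alias or certificate mismatch between two keystores before KSB communication fails. This is an added example, not part of the original page or of Rice itself. It assumes each input file holds the English-locale output of keytool -list for one keystore; the function names, sample listings and fingerprints are constructed for illustration.

```shell
# Added example. Each input file holds the text printed by
#   keytool -list -keystore <keystore> -storepass <password>
# for one of two keystores that should carry the same certificates.

# Print one line per alias that is absent from one listing or whose certificate
# fingerprint differs between them; return 1 if anything was reported.
compare_listings() {
  [ -s "$1" ] && [ -s "$2" ] || { echo "empty listing" >&2; return 2; }
  report=$(awk '
    FNR == 1 { side++; alias = "" }   # 1 = first listing, 2 = second
    # Entry line: "<alias>, <creation date>, <entry type>,"
    /PrivateKeyEntry|trustedCertEntry/ { alias = $0; sub(/,.*/, "", alias); next }
    # The fingerprint line directly follows its entry line.
    /^Certificate fingerprint/ && alias != "" {
      fp[side, alias] = $NF; seen[alias] = 1; alias = ""
    }
    END {
      for (a in seen) {
        if (!((1, a) in fp))           print "only in second: " a
        else if (!((2, a) in fp))      print "only in first: " a
        else if (fp[1, a] != fp[2, a]) print "fingerprint mismatch: " a
      }
    }' "$1" "$2" | sort)
  if [ -n "$report" ]; then printf '%s\n' "$report"; return 1; fi
}

# Constructed sample listings (shortened, made-up fingerprints).
sample_client() {
cat <<'EOF'
Keystore type: PKCS12
kfs, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:11:22:33
rice, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:44:55:66
EOF
}
sample_server() {
cat <<'EOF'
Keystore type: PKCS12
kc, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): CC:77:88:99
kfs, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): DD:00:00:01
rice, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): BB:44:55:66
EOF
}
```

Save each keystore's listing to a file and pass the two files to compare_listings; no output and a zero exit status mean both keystores hold the same certificate under every alias.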