Configuring a New Alias for Client RSA Authentication

Use the Java keytool utility to create public and private keys for RSA authentication, then add the public key and RSA alias to the cluster’s keystore.

RSA authentication uses public and private keys instead of passwords to authenticate with the ESP Server. Use the Java keytool to generate RSA keys for ESP clients.

When this task is complete, you can authenticate ESP clients and other ESP components in the cluster using the new alias plus either the new local keystore or a private key. See the Utilities Guide for information on RSA authentication of ESP utilities like esp_cluster_admin. You can also use RSA authentication for:
  • ESP C and .NET SDK APIs - use the new alias with a private key file
  • ESP Java SDK APIs - use the new alias with the new local keystore
  • ESP bindings - use the new alias with a private key file
This procedure involves up to three keystores:
  • Cluster keystore – stored on an ESP node and serves the entire cluster.
  • Client keystore – a local keystore used by a Java client for RSA authentication (for example, esp_cluster_admin --keystore).
  • Work keystore – a local keystore used to generate a new alias, public key, and private key. The work keystore can be the same as the client keystore.
  1. Open a command prompt or terminal.
  2. Set the ESP_JAVA_HOME environment variable to point to your Java installation.
  3. Add $ESP_JAVA_HOME/bin to the path.
  4. To create a private/public key pair, enter a command of this form, specifying a local work or client keystore:
    keytool -genkey -keyalg RSA -alias <alias/username> -keystore keystore.jks -storepass <password> -keypass <password>
    • <alias/username> is the alias you choose for the private and public keys; it functions as a user name for logging in using RSA.
    • keystore.jks is the file where keys are added. You can specify an absolute path to create the file in a specific directory. If no path is specified, the command assumes keystore.jks resides in the current directory and creates it if it is not present. The default keystore in the security directory is ESP_HOME/security/keystore_rsa.jks.
    • <password> sets the password you use to access the private key associated with the alias.
  5. Use the cluster admin tool to deploy the new public key and alias from your local keystore to the cluster keystore on the server:
    esp_cluster_admin --uri=esp[s]://host-name:port \
    --auth=rsa \
    --keystore=<keystore> \
    --storepass=<storepass> \
    --keypass=<keypass> \
    --key-alias=<alias>
    > deploykey <new-username> <keystore> <storepass> <key-alias> [<storetype>]
    
    • --auth=rsa enables RSA authentication
    • --keystore=<keystore> is the location where the private/public key pairs created in step 4 are stored (a local work keystore or client keystore)
    • --storepass=<storepass> is the user-defined password for the keystore
    • --keypass=<keypass> is the user-defined key password
    • --key-alias=<alias> is the user-defined alias name for the key
    • deploykey is the command that deploys the new public key and alias to the cluster
      • <new-username> is the alias you are giving to the new public key in the cluster keystore; can be the same as <key-alias>
      • <keystore> may be (but need not be) the same keystore specified in step 4 and in --keystore=<keystore> in this step
      • <storepass> is the password for <keystore>
      • <key-alias> is the alias in the local keystore whose public key you are deploying
      • [<storetype>] is JKS (the default) or PKCS12
    For example:
    $ESP_HOME/bin/esp_cluster_admin --uri=esps://bedrock:19333 \
    --auth=rsa --key-alias=serverkey --storepass=538931 --keystore=$ESP_HOME/security/keystore_rsa.jks
    > deploykey fredf fredf.jks fredf fredf
    

    This makes the public key available to the cluster manager. The cluster manager uses this public key to verify messages signed with the client’s private key during the authentication process.
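
A non-interactive form of step 4, with checks to run on the work keystore before step 5, as an added example that is not part of the original page or of the product's own tooling. The function names, the ESP_KS_PASS variable and the explicit key size are assumptions; the script relies on keytool's :env password modifier and on -genkeypair, the current name of -genkey.

```shell
#!/bin/sh
# Added example; helper names and ESP_KS_PASS are assumptions, not ESP names.
# The keystore password is read from the ESP_KS_PASS environment variable
# through keytool's ":env" modifier, so it is not part of the command line
# that ps shows to other users.

# make_work_keystore <alias> <keystore-file>: step 4 without prompts.
make_work_keystore() {
    [ -n "${ESP_KS_PASS:-}" ] || { echo "ESP_KS_PASS is not set" >&2; return 2; }
    # -dname suppresses the interactive identity questions. -storetype JKS
    # matches the default <storetype> of deploykey in step 5. -keysize 2048
    # is an assumption; the page's command uses keytool's default.
    keytool -genkeypair -keyalg RSA -keysize 2048 \
        -alias "$1" -dname "CN=$1" \
        -keystore "$2" -storetype JKS \
        -storepass:env ESP_KS_PASS -keypass:env ESP_KS_PASS || return 1
    # The file holds the private key: restrict it to the owner.
    chmod 600 "$2"
}

# has_key_pair <alias> <keystore-file>: succeeds only if the alias holds a
# private key entry, the kind of entry step 4 creates.
has_key_pair() {
    keytool -list -alias "$1" -keystore "$2" \
        -storepass:env ESP_KS_PASS 2>/dev/null | grep -q 'PrivateKeyEntry'
}

# cert_fingerprint <alias> <keystore-file>: prints the SHA-256 fingerprint of
# the alias's certificate, to record which key is about to be deployed.
cert_fingerprint() {
    keytool -list -v -alias "$1" -keystore "$2" \
        -storepass:env ESP_KS_PASS 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256: *//p'
}

# Usage (constructed values), with ESP_KS_PASS already exported:
#   make_work_keystore fredf fredf.jks && has_key_pair fredf fredf.jks &&
#       cert_fingerprint fredf fredf.jks
```

The esp_cluster_admin commands in step 5 still take --storepass and --keypass on the command line as the page shows; the script covers only the keytool side.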

Related tasks
Generating Pem Format Private Keys