Page History
| Table of Contents |
|---|
Introduction
- If JOC Cockpit is installed for the high security level then deployment of workflows requires external signing.
- For the low security level the private key of the
rootaccount available with the JS7 - Database is used for all users. - For the medium security level the user's individual private key available with the JS7 database is used.
- For the high security level signing is performed outside of JOC Cockpit. No private keys are stored with JOC Cockpit and the JS7 database.
- For the low security level the private key of the
- For details see JS7 - Security Architecture.
- For automated signing see JS7 - Signing Workflows for High Security Level.
Prerequisites
Required: User Signing Certificate
Each user with the permission to deploy workflows has to add their X.509 signing certificate to their profile like this:
Optional: Root CA Certificate
In addition, the X.509 Root CA Certificate which signed the user's signing certificate can be added to JOC Cockpit. There is a single Root CA Certificate for all user profiles.
...
- Any user signing certificates have to be available with the Controller instances and Agents. Certificates are stored in the
config/private/trusted-x509-keyssub-directory of Controller and Agent installations. - If a Root CA Certificate is present in JOC Cockpit then it is sufficient to add the Root CA Certificate to the
config/private/trusted-x509-keyssub-directory of Controller and Agent installations.- No further user
signingcertificates have to be added to Controller instances or Agents as long as user signing certificates are created by the same Root CA. - This mechanism implies that any user signing certificate signed by the same Root CA Certificate will be accepted.
- Users who do not wish to use this implicit mechanism should not add the Root CA Certificate to the Controller instances and Agents but should add individual user signing certificates only.
- No further user
Deployment Process Overview
Users have to export workflows using the Export operation available from the JOC Cockpit's Configuration view.
- Other deployable objects such as File Order Sources, Job Resources, Notice Boards, Resource Locks etc. do not require signing.
- Releasable objects that are not digitally signed include Calendars, Schedules, Script Includes, Job Templates etc.
- Deployment tasks include:
Exporting workflows using the checkbox for Signing to a .tar.gz/.zip export archive file.
- Extracting the export archive file.
- The export archive file includes a
meta_inffile and related folders and files for workflows.
- The export archive file includes a
- Signing the extracted workflow files.
- Storing the base64 encoded signature file for each workflow file in same folder.
- Note that each signature file has to use the same name as the original workflow with an additional file extension.
- for X.509 RSA/ECDSA signature files use the file extension .sig.
- for PGP signature files use the file extension .asc.
- Adding signature files to a .tar.gz/.zip import archive file. This includes that the
meta_inffile is available in the top-level folder of the import archive file. - Uploading the import archive file using the Import and Deploy button available from the JOC Cockpit's Configuration view..
Example for Deployment Process
Export
- Click Export in the context menu of a folder or use the Export button in the right upper corner of the Configuration view:
- In the Export popup window check the checkbox for Signing:
- Select the workflows to deploy.
Signing
The following steps are explained for manual signing. For automated signing see JS7 - Signing Workflows for High Security Level.
...
Extract the export archive file and preserve the folder structure of included workflow files:
Signing Workflow Files
This example makes use of OpenSSL to sign a workflow file in two steps:
...
Overview
Content Tools