...

  • If JOC Cockpit is installed for the high security level then deployment of workflows requires external signing.
    • For the low security level the private key of the root account available with the JS7 database is used for all users.
    • For the medium security level the user's individual private key available with the JS7 database is used.
    • For the high security level signing is performed outside of JOC Cockpit. No private keys are stored with JOC Cockpit or in the JS7 database.
  • For details see JS7 - Security Architecture.

Users have a choice of how to perform signing and deployment of workflows:

Prerequisites

Required: User Signing Certificate

Users with the permission to deploy workflows have to add their X.509 signing certificate to their profile like this:

...

  • Users have to export workflows using the Export operation available from the JOC Cockpit's Configuration view.

    • Other deployable objects such as File Order Sources, Job Resources, Notice Boards, Resource Locks etc. do not require signing.
    • Releasable objects that are not digitally signed include Calendars, Schedules, Script Includes, Job Templates etc.
  • Deployment tasks include:
    • Exporting workflows with the Signing checkbox ticked to a .tar.gz/.zip export archive file.

    • Extracting the export archive file.
      • The export archive file includes a meta_inf file and the related folders and files for workflows.
    • Signing the extracted workflow files.
    • Storing the base64 encoded signature file for each workflow file in the same folder.
    • Note that each signature file has to use the same name as the original workflow file with an additional file extension:
      • for X.509 RSA/ECDSA signature files use the file extension .sig.
      • for PGP signature files use the file extension .asc.
    • Adding the signature files to a .tar.gz/.zip import archive file. The meta_inf file has to be available in the top-level folder of the import archive file.
    • Uploading the import archive file using the Import and Deploy button available from the JOC Cockpit's Configuration view.

Example for Deployment Process

Export

...

Signing

The following steps are explained for manual signing. For automated signing see JS7 - Signing Workflows for High Security Level.

It is essential that the signing procedure is performed on a secure device and in a secure manner, outside of the host that operates JOC Cockpit.

...


Signing Workflow Files

...

Step 1: Create binary signature file from signing a workflow file

    openssl dgst -sha256 -sign c:\tmp\sos.private-ec-key.pem -out c:\tmp\example-wf.workflow.json.sig.bin c:\tmp\example-wf.workflow.json

...

  • the digest algorithm used for the signature

...

  • the private key file used to sign the workflow file

...

  • the path to the output file that contains the binary representation of the signature

...

Step 2: Convert binary signature file to base64 encoding

    openssl base64 -in c:\tmp\example-wf.workflow.json.sig.bin -out c:\tmp\example-wf.workflow.json.sig

  • base64
    • OpenSSL command that transforms the signature file from binary encoding to base64 encoding
  • -in c:\tmp\example-wf.workflow.json.sig.bin
    • the binary encoded signature file as created in step 1
  • -out c:\tmp\example-wf.workflow.json.sig
    • the base64 encoded signature file to be created. It carries the .sig extension and is picked up by JOC Cockpit when importing workflows and signatures.

The procedure for adding workflow files and signature files to an import archive includes the following steps:

...

  • The exported archive contains the meta_inf file. This file does not have to be signed. However, it has to be present in the top-level folder of the import archive file.
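As an added example (not part of the original page and not SOS's own JS7 tooling), the following POSIX shell script carries the two openssl steps above through the rest of the procedure: it signs every *.workflow.json file found below an extracted export directory, stores the base64 encoded .sig file next to each workflow file, verifies each signature against the public key of the X.509 signing certificate before anything is uploaded, and packs the result into a .tar.gz import archive with meta_inf in the top-level folder. The key and certificate paths, the file names and the directory layout are assumptions; Controller instances and Agents perform their own validation on import regardless of this local pre-check.

```shell
#!/bin/sh
# Added example, not SOS's own tooling. Signs all workflow files of an extracted
# JS7 export archive, verifies the signatures locally and repacks an import
# archive. Paths, file names and the directory layout are assumptions.
set -eu

# Steps 1 and 2 of the text joined by a pipe: the binary signature from
# "openssl dgst -sign" is base64 encoded and written to <workflow>.sig
# in the same folder as the workflow file (RSA/ECDSA keys use .sig).
sign_workflow() {            # $1 = private key (PEM), $2 = *.workflow.json
    openssl dgst -sha256 -sign "$1" "$2" | openssl base64 -out "$2.sig"
}

# Check <workflow>.sig against the public key taken from the X.509 signing
# certificate. Returns 0 if the signature verifies, 1 otherwise. Controller
# and Agents repeat this check on import; doing it here catches mistakes early.
verify_workflow() {          # $1 = certificate (PEM), $2 = *.workflow.json
    [ -f "$2.sig" ] || return 1
    pub=$(mktemp); sig=$(mktemp)
    openssl x509 -in "$1" -pubkey -noout > "$pub"
    openssl base64 -d -in "$2.sig" -out "$sig"
    if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$2" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$pub" "$sig"
    return $rc
}

# Sign and verify every workflow below an extracted export directory, then
# pack the directory so that meta_inf sits in the top-level folder of the
# import archive. Returns 0 only if meta_inf exists and all signatures verify.
build_import_archive() {     # $1 = key, $2 = cert, $3 = export dir, $4 = out .tar.gz
    [ -f "$3/meta_inf" ] || { echo "meta_inf missing in $3" >&2; return 1; }
    find "$3" -name '*.workflow.json' | while read -r wf; do
        sign_workflow "$1" "$wf"
        verify_workflow "$2" "$wf" || { echo "bad signature: $wf" >&2; exit 1; }
    done || return 1
    tar -czf "$4" -C "$3" .
}

# Command line use: sign.sh <key.pem> <cert.pem> <export dir> <import.tar.gz>
if [ $# -eq 4 ]; then build_import_archive "$@"; fi
```

The verification step is deliberately run before packing: a workflow file edited after signing, or signed with the wrong key, fails locally instead of being rejected by the Controller after upload.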

Resources


...


...

During import, the workflow files and signature files from the import archive file are deployed to Controller instances and Agents. Controller instances and Agents each validate the signatures independently. After successful validation the workflows are in a deployed state and ready to accept orders for workflow execution.