...

Workflow Deployment Script

The script is offered for download and can be applied for frequently used deployment operations:

...

Usage: deploy-workflow.sh [Command] [Options] [Switches]

  Commands:
    export            --file [--format] --path --type [--use-short-path] [--start-folder] [--for-signing] 
    ..                --file [--format] --folder [--recursive] [--type] [--use-short-path] [--for-signing]]
                             [--no-draft] [--no-deployed] [--no-released] [--no-invalid]
    import            --file [--format] [--folder] [--overwrite] [--prefix] [--suffix]
    import-deploy     --file [--format] [--folder] [--algorithm]
    deploy            --path --type [--date-from] [--no-draft] [--no-deployed]
    ..                --folder [--recursive] [--date-from] [--no-draft] [--no-deployed]
    revoke            --path --type
    ..                --folder [--recursive]
    release           --path --type [--date-from]
    ..                --folder [--recursive] [--date-from]
    recall            --path --type
    ..                --folder [--recursive]
    store             --path --type --file
    remove            --path --type [--date-from]
    ..                --folder [--date-from]
    restore           --path --type --new-path [--prefix] [--suffix]
    ..                --folder --new-path [--prefix] [--suffix]
    delete            --path --type
    ..                --folder
    revalidate        --folder [--recursive]
    sign              --file      [--keystore |--key --cert] [--key-password] [--hash]
    ..                --directory [--keystore |--key --cert] [--key-password] [--hash]

  Options:
  encrypt  --url=<url>         --in [--infile --outfile] --cert [--java-home] [--java-lib]
    decrypt      | required: JOC Cockpit URL
 --in [--infile --outfile] --key [-controller-id=<id[,id]>    -key-password] [--java-home] [--java-lib]

  Options:
    --url=<url>                        | required: JOC Cockpit URL
    --controller-id=<id[,id]>          | required: Controller ID
    --user=<account>                   | required: JOC Cockpit user account
    --password=<password>              | optional: JOC Cockpit password
    --ca-cert=<path>                   | optional: path to CA Certificate used for JOC Cockpit login
    --client-cert=<path>               | optional: path to Client Certificate used for login
    --client-key=<path>                | optional: path to Client Key used for login
    --timeout=<seconds>                | optional: timeout for request, default: 60
    --file=<path>                      | optional: path to export file or import file
    --format=<ZIP|TAR_GZ>              | optional: format of export file or import file
    --folder=<folder[,folder]>         | optional: list of inventory folders holding objects
    --start-folder=<folder>            | optional: start folder for export with relative paths
    --path=<path[,path]>               | optional: list of inventory paths to objects
    --type=<type[,type]>               | optional: list of object types such as WORKFLOW,SCHEDDULE
    --new-path=<path>                  | optional: new object path on restore
    --prefix=<string>                  | optional: prefix for duplicate objects on import
    --suffix=<string>                  | optional: suffix for duplicate objects on import
    --algorithm=<identifier>           | optional: signature algorithm for import, default: SHA512withECDSA
    --date-from=<date>                 | optional: update daily plan start date for deploy/release operation
    --directory=<directory>            | optional: path to directory with files that should be signed
    --keystore=<path>                  | optional: path to keystore file in PKCS12 format
    --key=<path>                       | optional: path to private key file in PEM format
    --key-password=<password>          | optional: password for keystore/private key file
    --cert=<path>                      | optional: path to certificate file in PEM format
    --hash=<sha256|sha512>             | optional: hash algorithm for signing such as sha256, sha512, default: sha256}
    --audit-messagein=<string>           | optional: audit log message
    --audit-time-spent=<number>   | optional: input string  | optional: audit log time spent in minutesfor encryption/decryption
    --audit-link=<url>infile=<path>                    | optional: auditinput file logfor linkencryption/decryption
    --log-diroutfile=<directory><path>              | optional: path to directory holding| the script's log files

  Switches:optional: output file for encryption/decryption
    -h | -java-helphome=<directory>            | optional: Java Home directory for encryption/decryption, default: $JAVA_HOME
    | displays usage
--java-lib=<directory>      -v | --verbose     | optional: Java library directory for encryption/decryption, default: ./lib
    --audit-message=<string>    | displays verbose output, repeat to increase verbosity
    -p | --passwordoptional: audit log message
    --audit-time-spent=<number>        | optional: audit log time |spent asksin for passwordminutes
    -r | -audit-recursivelink=<url>                   | specifiesoptional: foldersaudit to be looked up recursivelylog link
    -o | --overwrite--log-dir=<directory>              | optional: path to directory holding the |script's overwriteslog objectsfiles

 on importSwitches:
    -sh | --for-signinghelp                     | exports objects for| digitaldisplays signingusage
    -uv | --use-short-pathverbose              | exports relative paths
    --no-draft| displays verbose output, repeat to increase verbosity
    -p | --password                    | excludesasks draftfor objectspassword
    -r | -no-deployedrecursive                   | specifies folders to |be excludeslooked deployedup objectsrecursively
    -o | -no-releasedoverwrite                   | overwrites objects |on excludesimport
 released objects
  -s | --nofor-invalidsigning                 | exports objects for digital signing
 | excludes invalid objects
-u |   --use-showshort-logspath              | exports relative paths
    --no-draft   | shows log output if                   | excludes draft objects
    --log-dir is usedno-deployed                      | excludes deployed objects
    --make-dirsno-released                      | excludes released objects
  | creates directories if they do not exist

...

  --no-invalid                       | excludes invalid objects
    --show-logs                        | shows log output if --log-dir is used
    --make-dirs                        | creates directories if they do not exist

Anchor
commands commands

Commands

• export
  • Allows to export objects such as workflows to an archive file in .zip or .tar.gz format. The command comes in two flavors:
    • export individual objects specified by the --path and --type options.
      • Should relative paths be used in the archive file then the --start-folder option and --use-short-path switch can be applied.
    • export objects from folders using the --folder option and --recursive switch.
      • Optionally one or more object types can be specified and otherwise all objects will be exported, see --type option.
      • Should relative paths be used in the archive file then the  --use-short-path switch can be applied.
      • Export of objects can further be limited by use of the --no-* switches, see section Switches.
  • The archive file is specified from the --file and --format options.
  • If JOC Cockpit is operated for the High Security Level then the --for-signing switch can be used to export Controller Objects that should be digitally signed. Objects and signatures can be imported using the import-deploy command.
• import
  • Imports an archive file to the inventory. The operation applies to use of JOC Cockpit with the Low and Medium Security Level.
  • Users can specify if existing objects will be overwritten or if duplicate objects from the import file will be assigned a prefix or suffix or will be ignored.
• sign
  • Digitally signs workflows and job resources from an export archive file. The operation applies to use of JOC Cockpit with the High Security Level.
  • Signing includes to specify the Private Key and Certificate from files in PEM format or from a keystore. Optionally the hash algorithm sha256 or sha512 is specified.
  • The sequence of operations includes to export, to sign and to import-deploy signed objects.
  • The sign command works without access to the JS7 REST Web Service and does not require to specify options for connecting to JOC Cockpit.
• import-deploy
  
  • Imports an archive file to the inventory and deploys the included objects. The operation is applicable if JOC Cockpit is operated for the High Security Level.
    • As a prerequisite the archive file must be exported using the --for-signing switch.
    • Workflows and Job Resources from the archive file are digitally signed by the user. Signature files are added to the archive file.
  • On import the objects in the archive file are deployed to related Controllers as specified during export.
• deploy
  • Allows to deploy Controller Objects such as workflows. The command can be used in two flavors:
    • deploy individual objects specified
  export
  • Allows to export objects such as workflows to an archive file in .zip or .tar.gz format. The command comes in two flavors:
    • export individual objects specified by the --path and --type options.
    • Should relative paths be used in the archive file then the --start-folder option and --use-short-path switch can be applied.
    export objects from folders using deploy objects from folders using the --folder option and --recursive switch.
    • Optionally one or more object types can be specified and otherwise all objects will be exported, see --type option.
    • Should relative paths be used in the archive file then the  --use-short-path switch can be applied.
    • Export of objects can further be limited by use of the --no-* switches, see section Switches.
  • The archive file is specified from the --file and --format options.
  • If JOC Cockpit is operated for the High Security Level then the --for-signing switch can be used to export Controller Objects that should be digitally signed. Objects and signatures can be imported using the import-deploy command.
• import
  • Imports an archive file to the inventory. The operation applies to use of JOC Cockpit with the Low and Medium Security Level.
  • Users can specify if existing objects will be overwritten or if duplicate objects from the import file will be assigned a prefix or suffix or will be ignored.
• sign
  • Digitally signs workflows and job resources from an export archive file. The operation applies to use of JOC Cockpit with the High Security Level.
  • Signing includes to specify the Private Key and Certificate from files in PEM format or from a keystore. Optionally the hash algorithm sha256 or sha512 is specified.
  • The sequence of operations includes to export, to sign and to import-deploy signed objects.
  • The sign command works without access to the JS7 REST Web Service and does not require to specify options for connecting to JOC Cockpit.
• import-deploy
  
  • Imports an archive file to the inventory and deploys the included objects. The operation is applicable if JOC Cockpit is operated for the High Security Level.
    • As a prerequisite the archive file must be exported using the --for-signing switch.
    • Workflows and Job Resources from the archive file are digitally signed by the user. Signature files are added to the archive file.
  • On import the objects in the archive file are deployed to related Controllers as specified during export.
• • Deploying objects forwards them to Controllers and Agents.
    • More than one Controller ID can be specified like this: --controller-id=controller-uat-1,controller-uat-2
• revoke
  • Allows to undeploy Controller Objects such as workflows. The command can be used in two flavors:
    • revoke individual objects specified by the --path and --type options.
    • revoke objects from folders using the --folder option and --recursive switch.
  • Revoking Controller objects deletes them from the Controller and Agents, objects remain in draft status in the inventory.
    • More than one Controller ID can be specified like this: --controller-id=controller-uat-1,controller-uat-2
• release
  • Allows to release Automation Objects such as schedules. The command can be used in two flavors:
    • release individual objects specified by the --path and --type options.
    • release objects from folders using the --folder option and --recursive switch.
  • Releasing objects activates them for example for use by the Daily Plan.
• recall
  • Allows to unrelease Automation Objects such as schedules. The command can be used in two flavors:
    • recall individual objects specified by the --path and --type options.
    • recall objects from folders using the --folder option and --recursive switch.
  • Recalling objects deactivates them from further use, objects remain in draft status in the inventory.
• store
  • Allows to store an object such as a workflow or schedule from a file to the inventory.
    • The --file option specifies the file that holds the JSON representation of an object.
    • The --type option specifies the object type. 
    • The --path option specifies the folders and object name of the objects inventory location.
  • Objects are stored to the inventory in draft status and can be deployed or released using the related commands.
• remove
  • Allows to remove objects such as workflows or schedules from the inventory
  deploy
  • Allows to deploy Controller Objects such as workflows. The command can be used in two flavors:
    • deploy remove individual objects specified objects specified by the --path and --type options.
    • deploy remove objects from folders recursively using the --folder option and --recursive switch.
  • Deploying objects forwards them to Controllers and Agents.
    • More than one Controller ID can be specified like this: --controller-id=controller-uat-1,controller-uat-2
  revoke
  • • .
  • Controller objects such as workflows are removed from the Controller and from the inventory. Automation objects such as schedules are removed from the inventory.
  • Removing objects moves them to the trash from which they can be restored or deleted
• restore
  • Allows to restore objects such as workflows or schedules from the trash
  • Allows to undeploy Controller Objects such as workflows. The command can be used in two flavors:
    • revoke restore individual objects specified by the --path and --type options.
    • revoke restore objects from folders recursively using the --folder option and --recursive switch.
  • Revoking Controller Restoring objects deletes moves them from the Controller and Agents, objects remain in draft status in the inventory.
    • More than one Controller ID can be specified like this: --controller-id=controller-uat-1,controller-uat-2
    trash to the inventory from which they can be deployed or released.
• delete
  • Allows to delete objects such as workflows or schedules from the trash
  release
  • Allows to release Automation Objects such as schedules. The command can be used in two flavors:
    • release delete individual objects specified by the --path and --type options.
    • release delete objects from folders recursively using the --folder option and --recursive switch.
  • Releasing Deleting objects activates them for example for use by the Daily Plan.
  recall
  • will permanently wipe them from the trash.
• revalidate
  • Allows to revalildate objects such as workflows or schedules from the inventory, for example after import
  • Allows to unrelease Automation Objects such as schedules. The command can be used in two flavors:for inventory folders.
• encrypt
  • Allows to encrypt a value using the --in option. If used to encrypt a file then recall individual objects specified by the --pathinfile and --typeoutfile options have to be specified.recall objects from folders using the
  • The --folder option and --recursive switch.
  • Recalling objects deactivates them from further use, objects remain in draft status in the inventory.
  • cert option specifies the path to the Certificate used for encryption.
  • Encryption is performed by Java libraries that are looked up in the ./lib sub-directory of the Workflow Deployment Script.
• decrypt
  • Allows to decrypt a value using the --in option. If used to decrypt a file then the --infile and --outfile options have to be specified
  store
  • Allows to store an object such as a workflow or schedule from a file to the inventory.
  • The --filekey option specifies the file that holds the JSON representation of an object.
  • The --type option specifies the object type. 
  • The --path option specifies the folders and object name of the objects inventory location.
  • Objects are stored to the inventory in draft status and can be deployed or released using the related commands.
• remove
  • Allows to remove objects such as workflows or schedules from the inventory. The command can be used in two flavors:
    • remove individual objects specified by the --path and --type options.
    • remove objects from folders recursively using the --folder option.
  • Controller objects such as workflows are removed from the Controller and from the inventory. Automation objects such as schedules are removed from the inventory.
  • Removing objects moves them to the trash from which they can be restored or deleted
• restore
  • Allows to restore objects such as workflows or schedules from the trash. The command can be used in two flavors:
    • restore individual objects specified by the --path and --type options.
    • restore objects from folders recursively using the --folder option.
  • Restoring objects moves them from the trash to the inventory from which they can be deployed or released.
• delete
  • Allows to delete objects such as workflows or schedules from the trash. The command can be used in two flavors:
    • delete individual objects specified by the --path and --type options.
    • delete objects from folders recursively using the --folder option.
  • Deleting objects will permanently wipe them from the trash.
• revalidate
  • Allows to revalildate objects such as workflows or schedules from the inventory, for example after import. The command can be used for inventory folders.

...

• --url
  • Specifies the URL by which JOC Cockpit is accessible using <http|https>://<host>:<port>.
  • Example: http://centostest-primary.sos:4446
  • Example: https://centostest-primary.sos:4443
• --user
  • Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the --client-cert and --client-key options then their common name (CN) attribute has to match the user account.
  • If a user account is specified then a password can be specified using the --password option or interactive keyboard input can be prompted using the -p switch.
• --password
  • Specifies the password used for the account specified with the --user option for login to JOC Cockpit.
  • Consider use of the -p switch offering a secure option for interactive keyboard input.
• --controller-id
  • Specifies the identification of the Controller that holds related orders.
  • More than one Controller ID can be specified, separated by comma, for the export operation when using the --for-signing switch.
• --ca-cert
  • Specifies the path to a file in PEM format that holds the Root CA Certificate and optionally Intermediate CA Certificates to verify HTTPS connections to JOC Cockpit.
• --client-cert
  • Specifies the path to a file in PEM format that holds the Client Certificate if HTTPS mutual authentication is used..
• --client-key
  • Specifies the path to a file in PEM format that holds the Client Private Key if HTTPS mutual authentication is used..
• --timeout
  • Specifies the maximum duration for requests to the JS7 REST Web Service. Default: 60 seconds.
• --file
  • Specifies the location of an archive file that is used with export, import and import-deploy commands.
  • On export an existing archive file will be overwritten.
• --format
  • Specifies the format of the archive file indicated with the --file option.
  • The format can be one of ZIP or TAR_GZ. Default: ZIP. The JS7 can process archive files in .zip format on Unix.
• --folder
  • Specifies the inventory folder used for the related operation.
    • Folder specification starts from a / followed by one or more sub-folders.
    • More than one folder can be specified using comma as in --folder=/ProductDemo/AgentCluster,/ProductDemo/ScheduledExecution.
  • When used with the import and import-deploy commands, a single folder can be specified that is prepended the folders included with the archive file.
• --start-folder
  • Specifies the inventory folder used for relative paths in archive files when using the export command with the --path option, see --use-short-path switch.
• --path
  • Specifies the path of an object such as a workflow, job resource, schedule. A path starts from a /, optionally followed by a hierarchy of sub-folders, and the object name.
  • Objects are identified from thier path and object type.
• --type
  • Specifies the object type such as a workflow or schedule that is indicated together with the --path option to identify an object.
    • Controller Object types include: WORKFLOW,FILEORDERSOURCE,JOBRESOURCE,NOTICEBOARD,LOCK
    • Automation Object types include: SCHEDULE,WORKINGDAYSCALENDAR,NONWORKINGDAYSCALENDAR,JOBTEMPLATE,INCLUDESCRIPT,REPORT
  • When used with the export command for folders then more than one object type can be specified separated by comma, for example --type=WORKFLOW,JOBRESOURCE
• --new-path
  • When used with the restore command, the new path is specified to which the object will be restored in the inventory.
• --prefix
  • When used with the import command, a prefix can be specified that is prepended all objects that are imported.
  • If an object with the same name and prefix exists, then the object will not be imported.
• --suffix
  • When used with the import command, a suffix can be specified that is appended all objects that are imported.
  • If an object with the same name and suffix exists, then the object will not be imported.
• --algorithm
  • When used with the import-deploy command, the signature algorithm is specified that was used to digitally sign objects. Default: SHA512withECDSA.
  • The algorithm name is made up of the hash algorithm name such as SHA256, SHA512 and the encryption type of the Private Key such as ECDSA or RSA.
  • This offers to specify the following algorithm names: SHA256withECDSA, SHA256withRSA, SHA512withECDSA, SHA512withRSA.
• --date-from
  • Specifies the date starting from which the Daily Plan will be updated:
    • The --date-from=now option value specifies that the Daily Plan will be updated for orders starting from now.
    • The Daily Plan date in ISO date format can be specified, for example --date-from=2023-10-23.
    • If omitted then the Daily Plan will not be updated.
  • Orders in the Daily Plan can be updated for example if the underlying workflow or schedule is changed.
• --directory
  • When used with the sign command, specifies the directory in which workflow files with the extension *.workflow.json and job resources holding the extension .jobresource.json are looked up for signing. Sub-directories are looked up recursively.
  • All files found will be digitally signed by creating a signature file with the extension *.json.sig that holds the signature of the related object.
• --keystore
  • When used with the sign command, specifies the path to a keystore file in PKCS12 format. The keystore is expected to hold the Private Key and Certificate.
  • Only one of the options --keystore and --key can be specified.
• --key
  • When used with the sign command, specifies the path to a key file that holds the private key used for signing in PEM format.
  • Only one of the options --keystore and --key can be specified.
• --cert
  • When used with the sign command, specifies the path to a Certificate file that matches the Private Key used for signing. The Certificate is expected in PEM format.
  • The argument is required if the --key option is used.
  • The argument is optional If the --keystore option is used. The --cert option has precedence if used with the --keystore option.
• --key-password
  • When used with the sign command, specifies the password for access to the keystore or key file.
  • Password input from the command line is considered insecure. Consider use of the -k switch or more elaborate mechanisms, for example by temporarily populating the system keystore form a security key such as a YubiKey® or similar.
• --hash
  • When used with the sign command, specifies the hash algorithm used to create a hash from a file that is to be signed.
  • Possible values include sha256 and sha512. Default: sha256
• --audit-message
  • Specifies a message that is made available to the Audit Log.
  • Specification of Audit Log messages can be enforced on a per user basis and for a JS7 environment.
• --audit-time-spent
  • Specifies the time spent to perform an operation which is added to the Audit Log.
  • The option can be specified if the --audit-message option is used.
• --audit-link
  • Specifies a link (URL) which is added to the Audit Log.
  • The option can be specified if the --audit-message option is used.
• --log-dir
  • If a log directory is specified then the script will log information about processing steps to a log file in this directory.
  • File names are created according to the pattern: deploy-workflow.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
  • For example: deploy-workflow.2022-03-19T20-50-45.log

...

• -h | --help
  • Displays usage.
• -v | --verbose
  • Displays verbose log output that includes requests and responses with the JS7 REST Web Service.
  • When used twice as with -v -v then curl verbose output will be displayed.
• -p | --password
  • Asks the user for interactive keyboard input of the password used for the account specified with the --user option..
  • The switch is used for secure interactive input as an alternative to use of the option --password=<password>.
• -k | --key-password
  • Asks the user for interactive keyboard input of the password used for access to a keystore or key file specified with the --keystore or --key options.
  • The switch is used for secure interactive input as an alternative to use of the --key-password=<password> option.
• -r | --recursive
  • Specifies that folders will be looked up recursively if the --folder option is used.
• -o | --overwrite
  • Specifies that objects with the same name and type will be overwritten when used with the import command.
• -s | --for-signing
  • Specifies that objects are exported for digital signing when used with the export command. For JS7 environments operated for the High Security Level digitally signed objects can be imported using the import-deploy command.
• -u | --use-short-path
  • Specifies that relative object paths will be applied to archive files when used with the export command.
  • An object path /a/b/c/workflow will be added as /c/workflow to the archive file. A folder /a/b/c will be added as /c to the archive file.
• --no-draft
  • Specifies that draft objects will be excluded when used with the export and deploy command.
• --no-deployed
  • Specifies that deployed objects will be excluded when used with the export and deploy command.
• --no-released
  • Specifies that released objects will be excluded when used with the export command.
• --no-invalid
  • Specifies that invalid objects will be excluded when used with the export command.
• --show-logs
  • Displays the log output created by the script if the --log-dir option is used.
• --make-dirs
  • If directories are missing that are indicated with the --log-dir option then they will be created.

...

• • the path to the Private Key used for decryption. If the Private Key is protected by a password, then the --key-password option must be used.
  • Decryption is performed by Java libraries that are looked up in the ./lib sub-directory of the Workflow Deployment Script.

Anchor
options options

Options

• --url
  • Specifies the URL by which JOC Cockpit is accessible using <http|https>://<host>:<port>.
  • Example: http://centostest-primary.sos:4446
  • Example: https://centostest-primary.sos:4443
• --user
  • Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the --client-cert and --client-key options then their common name (CN) attribute has to match the user account.
  • If a user account is specified then a password can be specified using the --password option or interactive keyboard input can be prompted using the -p switch.
• --password
  • Specifies the password used for the account specified with the --user option for login to JOC Cockpit.
  • Consider use of the -p switch offering a secure option for interactive keyboard input.
• --controller-id
  • Specifies the identification of the Controller that holds related orders.
  • More than one Controller ID can be specified, separated by comma, for the export operation when using the --for-signing switch.
• --ca-cert
  • Specifies the path to a file in PEM format that holds the Root CA Certificate and optionally Intermediate CA Certificates to verify HTTPS connections to JOC Cockpit.
• --client-cert
  • Specifies the path to a file in PEM format that holds the Client Certificate if HTTPS mutual authentication is used..
• --client-key
  • Specifies the path to a file in PEM format that holds the Client Private Key if HTTPS mutual authentication is used..
• --timeout
  • Specifies the maximum duration for requests to the JS7 REST Web Service. Default: 60 seconds.
• --file
  • Specifies the location of an archive file that is used with export, import and import-deploy commands.
  • On export an existing archive file will be overwritten.
• --format
  • Specifies the format of the archive file indicated with the --file option.
  • The format can be one of ZIP or TAR_GZ. Default: ZIP. The JS7 can process archive files in .zip format on Unix.
• --folder
  • Specifies the inventory folder used for the related operation.
    • Folder specification starts from a / followed by one or more sub-folders.
    • More than one folder can be specified using comma as in --folder=/ProductDemo/AgentCluster,/ProductDemo/ScheduledExecution.
  • When used with the import and import-deploy commands, a single folder can be specified that is prepended the folders included with the archive file.
• --start-folder
  • Specifies the inventory folder used for relative paths in archive files when using the export command with the --path option, see --use-short-path switch.
• --path
  • Specifies the path of an object such as a workflow, job resource, schedule. A path starts from a /, optionally followed by a hierarchy of sub-folders, and the object name.
  • Objects are identified from thier path and object type.
• --type
  • Specifies the object type such as a workflow or schedule that is indicated together with the --path option to identify an object.
    • Controller Object types include: WORKFLOW,FILEORDERSOURCE,JOBRESOURCE,NOTICEBOARD,LOCK
    • Automation Object types include: SCHEDULE,WORKINGDAYSCALENDAR,NONWORKINGDAYSCALENDAR,JOBTEMPLATE,INCLUDESCRIPT,REPORT
  • When used with the export command for folders then more than one object type can be specified separated by comma, for example --type=WORKFLOW,JOBRESOURCE
• --new-path
  • When used with the restore command, the new path is specified to which the object will be restored in the inventory.
• --prefix
  • When used with the import command, a prefix can be specified that is prepended all objects that are imported.
  • If an object with the same name and prefix exists, then the object will not be imported.
• --suffix
  • When used with the import command, a suffix can be specified that is appended all objects that are imported.
  • If an object with the same name and suffix exists, then the object will not be imported.
• --algorithm
  • When used with the import-deploy command, the signature algorithm is specified that was used to digitally sign objects. Default: SHA512withECDSA.
  • The algorithm name is made up of the hash algorithm name such as SHA256, SHA512 and the encryption type of the Private Key such as ECDSA or RSA.
  • This offers to specify the following algorithm names: SHA256withECDSA, SHA256withRSA, SHA512withECDSA, SHA512withRSA.
• --date-from
  • Specifies the date starting from which the Daily Plan will be updated:
    • The --date-from=now option value specifies that the Daily Plan will be updated for orders starting from now.
    • The Daily Plan date in ISO date format can be specified, for example --date-from=2023-10-23.
    • If omitted then the Daily Plan will not be updated.
  • Orders in the Daily Plan can be updated for example if the underlying workflow or schedule is changed.
• --directory
  • When used with the sign command, specifies the directory in which workflow files with the extension *.workflow.json and job resources holding the extension .jobresource.json are looked up for signing. Sub-directories are looked up recursively.
  • All files found will be digitally signed by creating a signature file with the extension *.json.sig that holds the signature of the related object.
• --keystore
  • When used with the sign command, specifies the path to a keystore file in PKCS12 format. The keystore is expected to hold the Private Key and Certificate.
  • Only one of the options --keystore and --key can be specified.
• --key
  • When used with the sign command, specifies the path to a key file that holds the private key used for signing in PEM format.
  • Only one of the options --keystore and --key can be specified.
• --cert
  • When used with the sign command, specifies the path to a Certificate file that matches the Private Key used for signing. The Certificate is expected in PEM format.
  • The argument is required if the --key option is used.
  • The argument is optional If the --keystore option is used. The --cert option has precedence if used with the --keystore option.
• --key-password
  • When used with the sign command, specifies the password for access to the keystore or key file.
  • Password input from the command line is considered insecure. Consider use of the -k switch or more elaborate mechanisms, for example by temporarily populating the system keystore form a security key such as a YubiKey® or similar.
• --hash
  • When used with the sign command, specifies the hash algorithm used to create a hash from a file that is to be signed.
  • Possible values include sha256 and sha512. Default: sha256
• --audit-message
  • Specifies a message that is made available to the Audit Log.
  • Specification of Audit Log messages can be enforced on a per user basis and for a JS7 environment.
• --audit-time-spent
  • Specifies the time spent to perform an operation which is added to the Audit Log.
  • The option can be specified if the --audit-message option is used.
• --audit-link
  • Specifies a link (URL) which is added to the Audit Log.
  • The option can be specified if the --audit-message option is used.
• --log-dir
  • If a log directory is specified then the script will log information about processing steps to a log file in this directory.
  • File names are created according to the pattern: deploy-workflow.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
  • For example: deploy-workflow.2022-03-19T20-50-45.log

Anchor
switches switches

Switches

• -h | --help
  • Displays usage.
• -v | --verbose
  • Displays verbose log output that includes requests and responses with the JS7 REST Web Service.
  • When used twice as with -v -v then curl verbose output will be displayed.
• -p | --password
  • Asks the user for interactive keyboard input of the password used for the account specified with the --user option..
  • The switch is used for secure interactive input as an alternative to use of the option --password=<password>.
• -k | --key-password
  • Asks the user for interactive keyboard input of the password used for access to a keystore or key file specified with the --keystore or --key options.
  • The switch is used for secure interactive input as an alternative to use of the --key-password=<password> option.
• -r | --recursive
  • Specifies that folders will be looked up recursively if the --folder option is used.
• -o | --overwrite
  • Specifies that objects with the same name and type will be overwritten when used with the import command.
• -s | --for-signing
  • Specifies that objects are exported for digital signing when used with the export command. For JS7 environments operated for the High Security Level digitally signed objects can be imported using the import-deploy command.
• -u | --use-short-path
  • Specifies that relative object paths will be applied to archive files when used with the export command.
  • An object path /a/b/c/workflow will be added as /c/workflow to the archive file. A folder /a/b/c will be added as /c to the archive file.
• --no-draft
  • Specifies that draft objects will be excluded when used with the export and deploy command.
• --no-deployed
  • Specifies that deployed objects will be excluded when used with the export and deploy command.
• --no-released
  • Specifies that released objects will be excluded when used with the export command.
• --no-invalid
  • Specifies that invalid objects will be excluded when used with the export command.
• --show-logs
  • Displays the log output created by the script if the --log-dir option is used.
• --make-dirs
  • If directories are missing that are indicated with the --log-dir option then they will be created.

Anchor
exit_codes exit_codes

Exit Codes

• 0: operation successful
• 1: argument errors
• 3: no objects found
• 4: JS7 REST Web Service is not reachable or reports errors

Examples

The following examples illustrate typical use cases.

Exporting Objects

• Objects can be exported to an archive file in .zip or .tar.gz format.
• Users can export individual objects from their path and object type. Alternatively, objects can be exported by folders, optionally limited to specific object types.
  
  

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller)

# export workflows
./deploy-workflow.sh export ${request_options[@]} \
    --file=export.zip --path=/ap/ap3jobs,/ap/Agent/apRunAsUser --type=WORKFLOW

# export draft schedules
./deploy-workflow.sh export ${request_options[@]} \
    --file=export.zip --path=/ap/Agent/apAgentSchedule01,/ap/Agent/apAgentSchedule02 --type=SCHEDULE --no-released

# export objects from folder
./deploy-workflow.sh export ${request_options[@]} \
    --file=export.zip --folder=/ap --recursive

# export objects from folder using relative path
./deploy-workflow.sh export ${request_options[@]} \
    --file=export.zip --folder=/ap/Agent --recursive --use-short-path

# export objects from folder, limiting object types and validity, feeding audit log
./deploy-workflow.sh export ${request_options[@]} \
    --file=export.zip --folder=/ap --recursive --type=WORKFLOW,JOBRESOURCE --no-invalid --audit-message="export to production"

Importing Objects

• Previously exported objects can be imported, for example from a non-production environment to a production environment.
• For import users can specify that existing objects with the same name and type should be overwritten. In addition, users can specify a prefix or suffix to be added to the name of imported objects.
• On export users can specify to apply the absolute or relative path of objects when creating the archive file.
• On import users can accept the path of imported objects as given with the archive file. Alternatively, users can specify a top-level folder hierarchy to which paths from objects in the archive file will be added

• 0: operation successful
• 1: argument errors
• 3: no objects found
• 4: JS7 REST Web Service is not reachable or reports errors

Examples

The following examples illustrate typical use cases.

Exporting Objects

• Objects can be exported to an archive file in .zip or .tar.gz format.
• Users can export individual objects from their path and object type. Alternatively, objects can be exported by folders, optionally limited to specific object types.
  
  

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller)

# import objects# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller)

# export workflows
./deploy-workflow.sh export ${request_options[@]} \
    --file=export.zip --path=/ap/ap3jobs,/ap/Agent/apRunAsUser --type=WORKFLOW

# export draft schedules
./deploy-workflow.sh export ${request_options[@]} \
    --file=export.zip --path=/ap/Agent/apAgentSchedule01,/ap/Agent/apAgentSchedule02 --type=SCHEDULE --no-released

# export objects from folder
./deploy-workflow.sh exportimport ${request_options[@]} \
    --file=export.zip --folder=/ap --recursiveoverwrite

# exportimport objects fromto a new top-level folder usingand relativeapply pathsuffix
./deploy-workflow.sh exportimport ${request_options[@]} \
    --file=export.zip --folder=/ap/AgentVersion22 --recursive --use-short-path

# export objects from folder, limiting object types and validity, feeding audit logsuffix=v22

# revalidate objects from folder
./deploy-workflow.sh exportrevalidate ${request_options[@]} \
    --file=export.zip --folder=/apVersion22 --recursive --type=WORKFLOW,JOBRESOURCE --no-invalid --audit-message="export to production"

Importing Objects

Exporting, Signing and Importing/Deploying for High Security Level

• For deployment of Controller Objects the JS7 High Security Level requires digital signing outside of JOC Cockpit in order to securely apply the user's Private Key. To this purpose the import-deploy command is used. For deployment in Low or Medium Security Level the deploy command is used.
  • Digital signing includes that based on the user's Private Key and Certificate signature files are created that have to be added to the archive file for later import & deployment.
  • The steps to import and to deploy are available from a single operation to prevent tampering of objects after import.
• There are a number of ways how to perform signing. The recommended solution is use of the js7_sign_workflow.sh script as explained from the JS7 - Signing Workflows with X.509 Certificates using Unix Shell Script article. The below example explains the steps to export, to sign and to import/deploy objects
• Previously exported objects can be imported, for example from a non-production environment to a production environment.
• For import users can specify that existing objects with the same name and type should be overwritten. In addition, users can specify a prefix or suffix to be added to the name of imported objects.
• On export users can specify to apply the absolute or relative path of objects when creating the archive file.
• On import users can accept the path of imported objects as given with the archive file. Alternatively, users can specify a top-level folder hierarchy to which paths from objects in the archive file will be added.
  
  

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller)

# export objects from folder for signing
./deploy-workflow.sh export ${request_options[@]} \
    --file=export.zip --folder=/myFolder --recursive --for-signing

# digitally sign objects
mkdir -p ./temp
rm -fr ./temp/*
unzip -d ./temp ./export.zip
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller)

# import objects
./deploy-workflow.sh import ${request_options[@]} sign \
    --directory=./temp --key=./ecdsa.key --filecert=export./ecdsa.zipcrt --overwritehash=sha512

# import objects to a new top-level folder and apply suffix
./deploy-workflow.sh import ${request_options[@]} \
    --file=export.zip --folder=/Version22 --suffix=v22

# revalidate objects from folder
./deploy-workflow.sh revalidate ${request_options[@]} \
    --folder=/Version22 --recursive

Exporting, Signing and Importing/Deploying for High Security Level

rm -f ./import-from-signing.zip
cd ./temp
zip -r ../import-from-signing.zip *
cd -

# import/deploy objects
./deploy-workflow.sh import-deploy ${request_options[@]} \
    --file=import-from-signing.zip

Deploying and Revoking Objects

• Controller Objects are visible in the inventory from the Controller system folder, for example workflows, job resources etc.
• Such objects are in draft status after modification by the user. Deploying such objects makes them available to Controllers & Agents and sets them to the deployed status.
• Deployed objects can be revoked which withdraws the objects from Controller & Agents and sets them to the draft status
• For deployment of Controller Objects the JS7 High Security Level requires digital signing outside of JOC Cockpit in order to securely apply the user's Private Key. To this purpose the import-deploy command is used. For deployment in Low or Medium Security Level the deploy command is used.
  • Digital signing includes that based on the user's Private Key and Certificate signature files are created that have to be added to the archive file for later import & deployment.
  • The steps to import and to deploy are available from a single operation to prevent tampering of objects after import.
• There are a number of ways how to perform signing. The recommended solution is use of the js7_sign_workflow.sh script as explained from the JS7 - Signing Workflows with X.509 Certificates using Unix Shell Script article. The below example explains the steps to export, to sign and to import/deploy objects.
  
  

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller)

# exportdeploy objectsworkflows fromand folderupdate fordaily signingplan
./deploy-workflow.sh exportdeploy ${request_options[@]} \
    --file=export.zippath=/ap/ap3jobs,/ap/apEnv --foldertype=/myFolderWORKFLOW --recursive --for-signingdate-from=now

# digitally signdeploy objects
mkdir -p ./temp
rm -fr ./temp/*
unzip -d ./temp ./export.zip
from folder recursively and update daily plan
./deploy-workflow.sh sign deploy ${request_options[@]} \
    --directoryfolder=./ap/tempAgent --key=./ecdsa.keyrecursive --cert=./ecdsa.crt --hash=sha512

rm -f ./import-from-signing.zip
cd ./temp
zip -r ../import-from-signing.zip *
cd -

# import/deploy objectsdate-from=now

# revoke workflows
./deploy-workflow.sh revoke ${request_options[@]} \
    --path=/ap/ap3jobs,/ap/apEnv --type=WORKFLOW

# revoke objects from folder
./deploy-workflow.sh import-deployrevoke ${request_options[@]}  \
    --file=import-from-signing.zip

Deploying and Revoking Objects

folder=/ap/Agent --recursive

Releasing and Recalling Objects

• Automation Controller Objects are visible in the inventory from the Controller Automation system folder, for example workflowscalendars, job resources schedules etc.
• Such objects are in draft status after modification by the user. Deploying Releasing such objects makes activates them available to Controllers & Agents and sets them to the deployed released status.
• Deployed Released objects can be revoked recalled which withdraws deactivates the objects from Controller & Agents and sets them to the draft status.
  
  

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller)

 # deployrelease workflowsschedules and update daily plan
./deploy-workflow.sh deployrelease ${request_options[@]} \
    --path=/ap/Agent/ap3jobsapAgentSchedule01,/ap/Agent/apEnvapAgentSchedule02 --type=WORKFLOWSCHEDULE --date-from=now
 
# deployrelease objects from folder recursively and update daily plan
./deploy-workflow.sh deployrelease ${request_options[@]} \
    --folder=/ap/Agent --recursive --date-from=now

# revokerecall workflowsschedules
./deploy-workflow.sh revokerecall ${request_options[@]} \
    --path=/ap/Agent/ap3jobsapAgentSchedule01,/ap/Agent/apEnvapAgentSchedule02 --type=WORKFLOWSCHEDULE

# revokerecall objects from folder
./deploy-workflow.sh revokerecall ${request_options[@]}  \
    --folder=/ap/Agent --recursive

...

Storing and

...

Removing Objects

• Automation Objects are visible in Objects can be added to the inventory from the Automation system folder, for example calendars, schedules etc.
• Such objects are in draft status after modification by the user. Releasing such objects activates them and sets them to the released status.
• files in JSON format related to the object type such as a workflow, schedule. Newly added objects are set to draft status.
• Objects can be removed from the inventory which will move them to the trash from which they can be restored or deletedReleased objects can be recalled which deactivates the objects and sets them to the draft status.
  
  

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller)

 # release schedules and update daily plan
./deploy-workflow.sh release ${request_options[@]} \
    --path=/ap/Agent/apAgentSchedule01,/ap/Agent/apAgentSchedule02 --typepassword=SCHEDULEroot --datecontroller-fromid=nowcontroller)
 
# release objects from folder and update daily planstore object
./deploy-workflow.sh releasestore ${request_options[@]} \
    --folderpath=/ap/AgentNewFolder01/NewWorkflow01 --recursivetype=WORKFLOW --date-from=nowfile=NewWorkflow01.workflow.json

# recall schedulesremove object, update daily plan
./deploy-workflow.sh recallremove ${request_options[@]} \
    --path=/ap/Agent/apAgentSchedule01,/ap/Agent/apAgentSchedule02NewFolder01/NewWorkflow01 --type=SCHEDULEWORKFLOW --date-from=now

# recallremove objects from folder, update daily plan
./deploy-workflow.sh recallremove ${request_options[@]} \
    --folder=/ap/AgentNewFolder01 --date-recursivefrom=now

...

Restoring and

...

Deleting Objects

• Objects that have previously been removed reside in the trash.
• Objects can be restored or can be permanently deleted from the trash.
  
  • To restore objects from the trash the path, object type and new path in the inventory must be specified. Optionally a prefix or suffix can be added to restored object names. Restored
  can be added to the inventory from files in JSON format related to the object type such as a workflow, schedule. Newly added
  • objects are set to draft status.
  Objects can be removed from the inventory which will move them to the trash from which they can be restored or deleted
  • To permanently delete objects from the trash they can be specified from their path & object type or from a folder.
    
    

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller)

# storerestore object from trash, using suffix for restored objectd
./deploy-workflow.sh storerestore ${request_options[@]} \
    --path=/ap/NewFolder01/NewWorkflow01 --type=WORKFLOW --file=NewWorkflow01.workflow.jsonnew-path=/ap/NewFolder01/NewWorkflow01 --suffix=restored

# removedelete object, updatefrom daily plantrash
./deploy-workflow.sh removedelete ${request_options[@]} \
    --path=/ap/NewFolder01/NewWorkflow01 --type=WORKFLOW --date-from=now

# removedelete objects from folder,trash updateby daily planfolder
./deploy-workflow.sh removedelete ${request_options[@]} \
    --folder=/ap/NewFolder01 --date-from=now

...

Encrypting and Decrypting

• Objects that have previously been removed reside in the trash.
• Objects can be restored or can be permanently deleted from the trash.
  
  • To restore objects from the trash the path, object type and new path in the inventory must be specified. Optionally a prefix or suffix can be added to restored object names. Restored objects are set to draft status.
  • To permanently delete objects from the trash they can be specified from their path & object type or from a folder.
    
    

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller))

# create Private Key
openssl ecparam -name secp384r1 -genkey -noout -out encrypt.key

# create Certificate Signing Request
openssl req -new -sha512 -nodes -key encrypt.key -out encrypt.csr -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=Encrypt"

# restorecreate objectCertificate
openssl fromx509 trash, using suffix for restored objectd
./deploy-workflow.sh restore ${request_options[@]} \
    --path=/ap/NewFolder01/NewWorkflow01 --type=WORKFLOW --new-path=/ap/NewFolder01/NewWorkflow01 --suffix=restored

# delete object from trash
-req -sha512 -days 1825 -signkey encrypt.key -in encrypt.csr -out encrypt.crt -extfile <(printf "keyUsage=critical,keyEncipherment,keyAgreement\n")


# encrypt
result=$(./deploy-workflow.sh delete ${request_options[@]} \
    --path=/ap/NewFolder01/NewWorkflow01encrypt --in=root --typecert=WORKFLOWencrypt.crt

# delete objects from trash by folderdecrypt
./deploy-workflow.sh delete ${request_options[@]} \
   decrypt --in="$result" --folderkey=./ca/apprivate/NewFolder01encrypt.key

Resources

• API
  • JS7 - REST Web Service API
  • JS7 - PowerShell Module
• Workflow Deployment Operations
  • JS7 - Deployment of Scheduling Objects
  • JS7 - Secure Deployment of Scheduling Objects
• Workflow Status Operations
  • JS7 - Unix Shell CLI for Workflow Status Operations

...