Page History
...
--url
- Specifies the URL by which JOC Cockpit is accessible using
<http|https>://<host>:<port>
. - Example: http://centostest-primary.sos:4446
- Example: https://centostest-primary.sos:4443
- Specifies the URL by which JOC Cockpit is accessible using
--user
- Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the
--client-cert
and--client-key
options then their common name (CN) attribute has to match the user account. - If a user account is specified then a password can be specified using the
--password
option or interactive keyboard input can be prompted using the-p
switch.
- Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the
--password
- Specifies the password used for the account specified with the
--user
option for login to JOC Cockpit. - Password input from the command line is considered insecure.
- Consider use of the
-p
switch offering a secure option for interactive keyboard input. - Consider use of the
encrypt
command to encrypt a password:./deployoperate-workflowjoc.sh encrypt --in=root --cert=encrypt.crt
.- The encryption result will include the prefix
enc:
followed by the encrypted symmetric key, initialization vector and encrypted secret separated by space. - If an encrypted password is specified, then it will be decrypted using the Private Key file:
./deployoperate-workflowjoc.sh <command> --password="enc:BF8J8KP7TPlxy..." --key=encrypt.key
.
- The encryption result will include the prefix
- Consider use of the
- Specifies the password used for the account specified with the
--ca-cert
- Specifies the path to a file in PEM format that holds the Root CA Certificate and optionally Intermediate CA Certificates to verify HTTPS connections to JOC Cockpit.
--client-cert
- Specifies the path to a file in PEM format that holds the Client Certificate if HTTPS mutual authentication is used..
--client-key
- Specifies the path to a file in PEM format that holds the Client Private Key if HTTPS mutual authentication is used..
--timeout
- Specifies the maximum duration for requests to the JS7 REST Web Service. Default:
60
seconds.
- Specifies the maximum duration for requests to the JS7 REST Web Service. Default:
--controller-id
- Specifies the identification of the Controller.
--validity-days
- Specifies the number of days before expiration of a JS7 license.
- Exit code 2 signals an expired license or an inapplicable license check if the Open Source License is used.
- Exit code 3 signals a valid license that is about to expire within the number of days specified.
- Specifies the number of days before expiration of a JS7 license.
--key
- When used with the
decrypt
command, specifies the path to a file that holds the Private Key used for decrypting in PEM format.
- When used with the
--cert
- When used with the
encrypt
command, specifies the path to a file that holds the CA signed or self-signed X.509 Certificate. Alternatively the path to a file holding the Public Key can be specified. The Certificate is expected in PEM format. - For encryption the Certificate must match the Private Key used for later decryption specified with the
--key
option.
- When used with the
--key-password
- When used with the
decrypt
command, specifies the password for access to the key file using the--key
option. - Password input from the command line is considered insecure.
- Consider use of the
-k
switch or more elaborate mechanisms, for example by temporarily populating the system keystore form a security key such as a YubiKey® or similar. - Consider use of encrypted passwords as explained with the
--password
option.
- Consider use of the
- When used with the
--in
- When used with the
encrypt
anddecrypt
commands, specifies the input value that should be encrypted or decrypted., - One of the options
--in
or--infile
can be specified.
- When used with the
--infile
- When used with the
encrypt
anddecrypt
commands, specifies the path to the input file that should be encrypted/decrypted. - One of the options
--in
or--infile
can be specified. This option requires use of the--outfile
option.
- When used with the
--outfile
- When used with the
encrypt
command, specifies the path to the output file that will be created holding the encrypted content of the input file. - When used with the
decrypt
command, specifies the path to the output file that will be created holding the decrypted content of the input file. - The option is required if the
--infile
option is specified
- When used with the
--java-home
- When used with the
encrypt
anddecrypt
commands or with encrypted passwords, specifies the Java home directory. By default theJAVA_HOME
environment variable is used to determine the location of Java. - The Java home directory is the top-level directory of a Java installation. The directory includes the
bin
sub-directory andjava
executable.
- When used with the
--java-lib
- When used with the
encrypt
anddecrypt
commands or with encrypted passwords, a number of Java libraries are required to perform encryption/decryption. - The Java libraries are expected in the
lib
sub-directory of the JS7 Unix Shell CLI. Default:./lib
.
- When used with the
--audit-message
- Specifies a message that is made available to the Audit Log.
- Specification of Audit Log messages can be enforced on a per user basis and for a JS7 environment.
--audit-time-spent
- Specifies the time spent to perform an operation which is added to the Audit Log.
- The option can be specified if the -
-audit-message
option is used.
--audit-link
- Specifies a link (URL) which is added to the Audit Log.
- The option can be specified if the -
-audit-message
option is used.
--log-dir
- If a log directory is specified then the script will log information about processing steps to a log file in this directory.
- File names are created according to the pattern:
operate-workflowjoc.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
- For example:
operate-workflowjoc.2022-03-19T20-50-45.log
Switches
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller) # get status information for Standalone JOC Cockpit response=$(./operate-joc.sh status "${request_options[@]}") # returns response {"clusterState":{"_text":"ClusterUnknown","severity":2},"controllers":[{"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerId":"controller","host":"localhost","id":20,"isCoupled":false,"javaVersion":"21+35-2513","os":{"architecture":"amd64","distribution":"3.10.0-1160.92.1.el7.x86_64","name":"Linux"},"role":"STANDALONE","securityLevel":"HIGH","startedAt":"2024-09-03T09:52:38.918Z","surveyDate":"2024-09-23T10:10:01.496Z","title":"Standalone Controller","url":"http://localhost:4444","version":"2.7.2"}],"database":{"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"dbms":"H2","version":"1.4.200 (2019-10-14)"},"deliveryDate":"2024-09-23T10:10:01.499Z","jocs":[{"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerConnectionStates":[{"role":"STANDALONE","state":{"_text":"established","severity":0}}],"current":true,"host":"localhost","id":1,"instanceId":"joc#0","isApiServer":false,"lastHeartbeat":"2024-09-23T10:09:43.682Z","memberId":"localhost:1ce420678f21a574e6adeb2f218f5bd40ed1b1bf9005414bcf060fba2e4c5a67","os":{"architecture":"amd64","distribution":"3.10.0-1160.92.1.el7.x86_64","name":"Linux"},"securityLevel":"HIGH","startedAt":"2024-09-19T20:55:34.522Z","title":"My JOC Cockpit","url":"http://localhost:4446","version":"2.7.2"}]} # get severity from status information echo "$response" | jq -r '.jocs[0].componentState.severity // empty' echo "$response" | jq -r '.jocs[0].connectionState.severity // empty' echo "$response" | jq -r '.jocs[0].controllerConnectionStates[0].state.severity // empty' echo "$response" | jq -r '.jocs[0].version // empty' echo "$response" | jq -r '.database.componentState.severity // empty' echo "$response" | jq -r '.database.connectionState.severity // empty' # get status information for JOC Cockpit Cluster response=$(./operate-joc.sh status "${request_options[@]}") # returns response {"clusterState":{"_text":"ClusterCoupled","severity":0},"controllers":[{"clusterNodeState":{"_text":"inactive","severity":1},"clusterUrl":"http://localhost:4444","componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerId":"controller_cluster","host":"localhost","id":2,"isCoupled":true,"javaVersion":"17.0.12+7-alpine-r0","os":{"architecture":"amd64","distribution":"3.10.0-1160.92.1.el7.x86_64","name":"Linux"},"role":"PRIMARY","securityLevel":"MEDIUM","startedAt":"2024-09-18T20:29:33.271Z","surveyDate":"2024-09-23T10:07:16.768Z","title":"PRIMARY CONTROLLER","url":"http://localhost:4444","version":"2.7.2"},{"clusterNodeState":{"_text":"active","severity":0},"clusterUrl":"http://localhost:4444","componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerId":"controller_cluster","host":"localhost","id":3,"isCoupled":true,"javaVersion":"17.0.12+7-alpine-r0","os":{"architecture":"amd64","distribution":"3.10.0-1160.92.1.el7.x86_64","name":"Linux"},"role":"BACKUP","securityLevel":"MEDIUM","startedAt":"2024-09-18T20:29:33.972Z","surveyDate":"2024-09-23T10:07:16.737Z","title":"SECONDARY CONTROLLER","url":"http://localhost:44444","version":"2.7.2"}],"database":{"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"dbms":"MySQL","version":"5.7.33"},"deliveryDate":"2024-09-23T10:07:16.773Z","jocs":[{"clusterNodeState":{"_text":"active","severity":0},"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerConnectionStates":[{"role":"PRIMARY","state":{"_text":"established","severity":0}},{"role":"BACKUP","state":{"_text":"established","severity":0}}],"current":true,"host":"localhost","id":3,"instanceId":"joc#0","isApiServer":false,"lastHeartbeat":"2024-09-23T10:07:13Z","memberId":"localhost:97c88ccc3975703ebd0b7277d394ec8768f88b31775e8df038572d2547c240a0","os":{"architecture":"amd64","distribution":"3.10.0-957.1.3.el7.x86_64","name":"Linux"},"securityLevel":"MEDIUM","startedAt":"2024-09-20T15:50:41Z","title":"PRIMARY JOC COCKPIT","url":"http://localhost:4446","version":"2.7.2"},{"clusterNodeState":{"_text":"inactive","severity":1},"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerConnectionStates":[{"role":"PRIMARY","state":{"_text":"established","severity":0}},{"role":"BACKUP","state":{"_text":"established","severity":0}}],"current":false,"host":"localhost","id":1,"instanceId":"joc#1","isApiServer":false,"lastHeartbeat":"2024-09-23T10:07:12Z","memberId":"localhost:97c88ccc3975703ebd0b7277d394ec8768f88b31775e8df038572d2547c240a0","os":{"architecture":"amd64","distribution":"3.10.0-957.1.3.el7.x86_64","name":"Linux"},"securityLevel":"MEDIUM","startedAt":"2024-09-20T15:50:40Z","title":"SECONDARY JOC COCKPIT","url":"http://localhost:4446","version":"2.7.2"}]} # get severity from status information echo "$response" | jq -r '.clusterState.severity // empty' echo "$response" | jq -r '.controllers[0].componentState.severity // empty' echo "$response" | jq -r '.controllers[0].connectionState.severity // empty' echo "$response" | jq -r '.controllers[1].componentState.severity // empty' echo "$response" | jq -r '.controllers[1].connectionState.severity // empty' echo "$response" | jq -r '.jocs[0].componentState.severity // empty' echo "$response" | jq -r '.jocs[0].connectionState.severity // empty' echo "$response" | jq -r '.jocs[0].version // empty' echo "$response" | jq -r '.database.componentState.severity // empty' echo "$response" | jq -r '.database.connectionState.severity // empty' |
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller) # check license ./operate-joc.sh check-license "${request_options[@]}" # returns response .... License type: COMMERCIAL_VALID .... License valid: true .... License valid from: 2021-05-05T12:22:41Z .... License valid until: 2026-05-04T12:22:41Z |
Encrypting and Decrypting
- Secrets can be encrypted and decrypted as explaind with JS7 - Encryption and Decryption.
- Encryption/decryption require related Java libraries that are available from the
./lib
sub-directory. - For creation of a Private Key and Certificate see JS7 - How to create X.509 Encryption Keys.
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# create Private Key
openssl ecparam -name secp384r1 -genkey -noout -out encrypt.key
# create Certificate Signing Request
openssl req -new -sha512 -nodes -key encrypt.key -out encrypt.csr -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=Encrypt"
# create Certificate
openssl x509 -req -sha512 -days 1825 -signkey encrypt.key -in encrypt.csr -out encrypt.crt -extfile <(printf "keyUsage=critical,keyEncipherment,keyAgreement\n")
# encrypt a secret such as a password using the Certificate, the encryption result will be returned and will look like: enc:BEXbHYa...
./operate-joc.sh encrypt --in="root" --cert=encrypt.crt
# options for connection to the JS7 REST API can specify the encryption result as password and the Private Key for decryption
request_options=(--url=http://localhost:4446 --user=root --password="enc:BEXbHYa..." --key=encrypt.key --controller-id=controller)
# for example, when restarting a Controller the Private Key is used to decrypt the password for access to the REST API on-the-fly
./operate-joc.sh restart "${request_options[@]}"
# decrypt an encrypted secret using the Private Key
./operate-joc.sh decrypt --in="enc:BEXbHYa..." --key=encrypt.key |
Resources
- API
- Workflow Deployment Operations
- Workflow Status Operations
- Controller Deployment Operations
- Controller Status Operations
...
Overview
Content Tools