Page History
Table of Contents |
---|
Introduction
- The JS7 offers to perform operations by the JS7 - REST Web Service API.
- For detailed information see the Technical Documentation of the REST Web Service API.
- For available CLI operations see JS7 - Unix Shell Command Line Interface.
- The REST Web Service API can be accessed from Shell utilities such as
curl
. - In addition, a PowerShell module is available for simplified access to the REST Web Service API. This is described in the JS7 - PowerShell Module article.
The JOC Cockpit Operation Script offered for Unix Shell can be applied to perform frequently used status operations on JOC Cockpit.
JOC Cockpit Operation Script
Command | Documentation |
---|---|
status | |
check-license | |
encrypt / decrypt | Encrypt / decrypt strings and files |
The script is offered for download and can be applied for frequently used operations on workflows, jobs and orders:
- The script is available for Linux and MacOS® using bash shell.
- The script terminates with exit code 0 to signal successful execution, with exit code 1 for command line argument errors and with exit code 4 for non-recoverable errors. Exit code 3 signals that no matching objects have been found.
- The script is intended as a baseline example for customization by JS7 users and by SOS within the scope of professional services. Examples make use of JS7 Release 2.7.2, bash 4.2, curl 7.29.0 and jq 1.6.0.
Prerequisites
The Script requires the curl utility and the jq utility to be available from the operating system.
jq ships with the MIT license, see https://opensource.org/licenses/MIT.
Download
Download: JS7 - Download (Section: Unix Shell ClI)
Usage
Invoking the script without arguments displays the usage clause:
Code Block | ||
---|---|---|
| ||
Usage: operate-joc.sh [Command] [Options] [Switches] Commands: status --controller-id check-license [--validity-days] encrypt --in [--infile --outfile] --cert [--java-home] [--java-lib] decrypt --in [--infile --outfile] --key [--key-password] [--java-home] [--java-lib] Options: --url=<url> | required: JOC Cockpit URL --user=<account> | required: JOC Cockpit user account --password=<password> | optional: JOC Cockpit password --ca-cert=<path> | optional: path to CA Certificate used for JOC Cockpit login --client-cert=<path> | optional: path to Client Certificate used for login --client-key=<path> | optional: path to Client Key used for login --timeout=<seconds> | optional: timeout for request, default: 60 --controller-id=<id> | required: Controller ID --validity-days=<number> | optional: min. number of days for which a license should be valid, default: 60 --key=<path> | optional: path to private key file in PEM format --key-password=<password> | optional: password for private key file --cert=<path> | optional: path to certificate file in PEM format --in=<string> | optional: input string for encryption/decryption --infile=<path> | optional: input file for encryption/decryption --outfile=<path> | optional: output file for encryption/decryption --java-home=<directory> | optional: Java Home directory for encryption/decryption, default: $JAVA_HOME --java-lib=<directory> | optional: Java library directory for encryption/decryption, default: ./lib --audit-message=<string> | optional: audit log message --audit-time-spent=<number> | optional: audit log time spent in minutes --audit-link=<url> | optional: audit log link --log-dir=<directory> | optional: path to directory holding the script's log files Switches: -h | --help | displays usage -v | --verbose | displays verbose output, repeat to increase verbosity -p | --password | asks for password -k | --key-password | asks for key password --show-logs | shows log output if --log-dir is used --make-dirs | creates directories if they do not exist see https://kb.sos-berlin.com/x/QoiOCQ |
Commands
status
Returns status information about JOC Cockpit, Controller instances and database indicated by a textual status and severity, for details see JS7 - Dashboard:
JOC Cockpit Status Property Value JOC Cockpit Cluster Status current true|false Controller Status Text Severity Controller Cluster Status coupled 0 unknown 3 Controller Cluster Node Status active 0 inactive 1 unknown 3 Controller Component Status operational 0 limited 1 inoperable 2 unknown 3 Controller Connection Status established 0 unstable 1 unreachable 2 unknown 3 Database Status Text Severity Database Component Status operational 0 unknown 3 Database Connection Status established 0 unstable 1 unreachable 2 unknown 3
check-license
- Terminates an order which optionally includes to forcibly terminate running jobs using the
--force
switch. - When used for license checks the script terminates with exit code 0 to signal a valid license that will not expire before a number of days. Exit code 2 signals an expired license, exit code 3 signals a valid license that is about to expire within a number of days.
- Terminates an order which optionally includes to forcibly terminate running jobs using the
encrypt
- Allows to encrypt a value using the
--in
option. If used to encrypt a file then--infile
and--outfile
options must be specified. - The
--cert
option specifies the path to a file holding the Certificate used for encryption. - Encryption is performed by Java libraries that are looked up in the
./lib
sub-directory of the JS7 Unix Shell CLI. For details see JS7 - Encryption and Decryption.
- Allows to encrypt a value using the
decrypt
- Allows to decrypt a value using the
--in
option. If used to decrypt a file then--infile
and--outfile
options must be specified. - The
--key
option specifies the path to the Private Key used for decryption. If the Private Key is protected by a password, then the--key-password
option or switch must be specified. - Decryption is performed by Java libraries that are looked up in the
./lib
sub-directory of the JS7 Unix Shell CLI.
- Allows to decrypt a value using the
Options
--url
- Specifies the URL by which JOC Cockpit is accessible using
<http|https>://<host>:<port>
. - Example: http://centostest-primary.sos:4446
- Example: https://centostest-primary.sos:4443
- Specifies the URL by which JOC Cockpit is accessible using
--user
- Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the
--client-cert
and--client-key
options then their common name (CN) attribute has to match the user account. - If a user account is specified then a password can be specified using the
--password
option or interactive keyboard input can be prompted using the-p
switch.
- Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the
--password
- Specifies the password used for the account specified with the
--user
option for login to JOC Cockpit. - Password input from the command line is considered insecure.
- Consider use of the
-p
switch offering a secure option for interactive keyboard input. - Consider use of the
encrypt
command to encrypt a password:./operate-joc.sh encrypt --in=root --cert=encrypt.crt
.- The encryption result will include the prefix
enc:
followed by the encrypted symmetric key, initialization vector and encrypted secret separated by space. - If an encrypted password is specified, then it will be decrypted using the Private Key file:
./operate-joc.sh <command> --password="enc:BF8J8KP7TPlxy..." --key=encrypt.key
.
- The encryption result will include the prefix
- Consider use of the
- Specifies the password used for the account specified with the
--ca-cert
- Specifies the path to a file in PEM format that holds the Root CA Certificate and optionally Intermediate CA Certificates to verify HTTPS connections to JOC Cockpit.
--client-cert
- Specifies the path to a file in PEM format that holds the Client Certificate if HTTPS mutual authentication is used..
--client-key
- Specifies the path to a file in PEM format that holds the Client Private Key if HTTPS mutual authentication is used..
--timeout
- Specifies the maximum duration for requests to the JS7 REST Web Service. Default:
60
seconds.
- Specifies the maximum duration for requests to the JS7 REST Web Service. Default:
--controller-id
- Specifies the identification of the Controller.
--validity-days
- Specifies the number of days before expiration of a JS7 license.
- Exit code 2 signals an expired license or an inapplicable license check if the Open Source License is used.
- Exit code 3 signals a valid license that is about to expire within the number of days specified.
- Specifies the number of days before expiration of a JS7 license.
--key
- When used with the
decrypt
command, specifies the path to a file that holds the Private Key used for decrypting in PEM format.
- When used with the
--cert
- When used with the
encrypt
command, specifies the path to a file that holds the CA signed or self-signed X.509 Certificate. Alternatively the path to a file holding the Public Key can be specified. The Certificate is expected in PEM format. - For encryption the Certificate must match the Private Key used for later decryption specified with the
--key
option.
- When used with the
--key-password
- When used with the
decrypt
command, specifies the password for access to the key file using the--key
option. - Password input from the command line is considered insecure.
- Consider use of the
-k
switch or more elaborate mechanisms, for example by temporarily populating the system keystore form a security key such as a YubiKey® or similar. - Consider use of encrypted passwords as explained with the
--password
option.
- Consider use of the
- When used with the
--in
- When used with the
encrypt
anddecrypt
commands, specifies the input value that should be encrypted or decrypted., - One of the options
--in
or--infile
can be specified.
- When used with the
--infile
- When used with the
encrypt
anddecrypt
commands, specifies the path to the input file that should be encrypted/decrypted. - One of the options
--in
or--infile
can be specified. This option requires use of the--outfile
option.
- When used with the
--outfile
- When used with the
encrypt
command, specifies the path to the output file that will be created holding the encrypted content of the input file. - When used with the
decrypt
command, specifies the path to the output file that will be created holding the decrypted content of the input file. - The option is required if the
--infile
option is specified
- When used with the
--java-home
- When used with the
encrypt
anddecrypt
commands or with encrypted passwords, specifies the Java home directory. By default theJAVA_HOME
environment variable is used to determine the location of Java. - The Java home directory is the top-level directory of a Java installation. The directory includes the
bin
sub-directory andjava
executable.
- When used with the
--java-lib
- When used with the
encrypt
anddecrypt
commands or with encrypted passwords, a number of Java libraries are required to perform encryption/decryption. - The Java libraries are expected in the
lib
sub-directory of the JS7 Unix Shell CLI. Default:./lib
.
- When used with the
--audit-message
- Specifies a message that is made available to the Audit Log.
- Specification of Audit Log messages can be enforced on a per user basis and for a JS7 environment.
--audit-time-spent
- Specifies the time spent to perform an operation which is added to the Audit Log.
- The option can be specified if the -
-audit-message
option is used.
--audit-link
- Specifies a link (URL) which is added to the Audit Log.
- The option can be specified if the -
-audit-message
option is used.
--log-dir
- If a log directory is specified then the script will log information about processing steps to a log file in this directory.
- File names are created according to the pattern:
operate-joc.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
- For example:
operate-joc.2022-03-19T20-50-45.log
Switches
-h | --help
- Displays usage.
-v | --verbose
- Displays verbose log output that includes requests and responses with the JS7 REST Web Service.
- When used twice as with
-v -v
then curl verbose output will be displayed.
-p | --password
- Asks the user for interactive keyboard input of the password used for the account specified with the
--user
option.. - The switch is used for secure interactive input as an alternative to use of the option
--password=<password>
.
- Asks the user for interactive keyboard input of the password used for the account specified with the
-k | --key-password
- Asks the user for interactive keyboard input of the password used for access to a keystore or key file specified with the
--keystore
or--key
options. - The switch is used for secure interactive input as an alternative to use of the
--key-password=<password>
option.
- Asks the user for interactive keyboard input of the password used for access to a keystore or key file specified with the
--show-logs
- Displays the log output created by the script if the
--log-dir
option is used.
- Displays the log output created by the script if the
--make-dirs
- If directories are missing that are indicated with the
--log-dir
option then they will be created.
- If directories are missing that are indicated with the
Exit Codes
0:
operation successful1
: argument errors3
: no objects found4
: JS7 REST Web Service is not reachable or reports errors
Examples
The following examples illustrate typical use cases.
Getting Status Information
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller) # get status information for Standalone JOC Cockpit response=$(./operate-joc.sh status "${request_options[@]}") # returns response {"clusterState":{"_text":"ClusterUnknown","severity":2},"controllers":[{"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerId":"controller","host":"localhost","id":20,"isCoupled":false,"javaVersion":"21+35-2513","os":{"architecture":"amd64","distribution":"3.10.0-1160.92.1.el7.x86_64","name":"Linux"},"role":"STANDALONE","securityLevel":"HIGH","startedAt":"2024-09-03T09:52:38.918Z","surveyDate":"2024-09-23T10:10:01.496Z","title":"Standalone Controller","url":"http://localhost:4444","version":"2.7.2"}],"database":{"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"dbms":"H2","version":"1.4.200 (2019-10-14)"},"deliveryDate":"2024-09-23T10:10:01.499Z","jocs":[{"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerConnectionStates":[{"role":"STANDALONE","state":{"_text":"established","severity":0}}],"current":true,"host":"localhost","id":1,"instanceId":"joc#0","isApiServer":false,"lastHeartbeat":"2024-09-23T10:09:43.682Z","memberId":"localhost:1ce420678f21a574e6adeb2f218f5bd40ed1b1bf9005414bcf060fba2e4c5a67","os":{"architecture":"amd64","distribution":"3.10.0-1160.92.1.el7.x86_64","name":"Linux"},"securityLevel":"HIGH","startedAt":"2024-09-19T20:55:34.522Z","title":"My JOC Cockpit","url":"http://localhost:4446","version":"2.7.2"}]} # get severity from status information echo "$response" | jq -r '.jocs[0].componentState.severity // empty' echo "$response" | jq -r '.jocs[0].connectionState.severity // empty' echo "$response" | jq -r '.jocs[0].controllerConnectionStates[0].state.severity // empty' echo "$response" | jq -r '.jocs[0].version // empty' echo "$response" | jq -r '.database.componentState.severity // empty' echo "$response" | jq -r '.database.connectionState.severity // empty' # get status information for JOC Cockpit Cluster response=$(./operate-joc.sh status "${request_options[@]}") # returns response {"clusterState":{"_text":"ClusterCoupled","severity":0},"controllers":[{"clusterNodeState":{"_text":"inactive","severity":1},"clusterUrl":"http://localhost:4444","componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerId":"controller_cluster","host":"localhost","id":2,"isCoupled":true,"javaVersion":"17.0.12+7-alpine-r0","os":{"architecture":"amd64","distribution":"3.10.0-1160.92.1.el7.x86_64","name":"Linux"},"role":"PRIMARY","securityLevel":"MEDIUM","startedAt":"2024-09-18T20:29:33.271Z","surveyDate":"2024-09-23T10:07:16.768Z","title":"PRIMARY CONTROLLER","url":"http://localhost:4444","version":"2.7.2"},{"clusterNodeState":{"_text":"active","severity":0},"clusterUrl":"http://localhost:4444","componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerId":"controller_cluster","host":"localhost","id":3,"isCoupled":true,"javaVersion":"17.0.12+7-alpine-r0","os":{"architecture":"amd64","distribution":"3.10.0-1160.92.1.el7.x86_64","name":"Linux"},"role":"BACKUP","securityLevel":"MEDIUM","startedAt":"2024-09-18T20:29:33.972Z","surveyDate":"2024-09-23T10:07:16.737Z","title":"SECONDARY CONTROLLER","url":"http://localhost:44444","version":"2.7.2"}],"database":{"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"dbms":"MySQL","version":"5.7.33"},"deliveryDate":"2024-09-23T10:07:16.773Z","jocs":[{"clusterNodeState":{"_text":"active","severity":0},"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerConnectionStates":[{"role":"PRIMARY","state":{"_text":"established","severity":0}},{"role":"BACKUP","state":{"_text":"established","severity":0}}],"current":true,"host":"localhost","id":3,"instanceId":"joc#0","isApiServer":false,"lastHeartbeat":"2024-09-23T10:07:13Z","memberId":"localhost:97c88ccc3975703ebd0b7277d394ec8768f88b31775e8df038572d2547c240a0","os":{"architecture":"amd64","distribution":"3.10.0-957.1.3.el7.x86_64","name":"Linux"},"securityLevel":"MEDIUM","startedAt":"2024-09-20T15:50:41Z","title":"PRIMARY JOC COCKPIT","url":"http://localhost:4446","version":"2.7.2"},{"clusterNodeState":{"_text":"inactive","severity":1},"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerConnectionStates":[{"role":"PRIMARY","state":{"_text":"established","severity":0}},{"role":"BACKUP","state":{"_text":"established","severity":0}}],"current":false,"host":"localhost","id":1,"instanceId":"joc#1","isApiServer":false,"lastHeartbeat":"2024-09-23T10:07:12Z","memberId":"localhost:97c88ccc3975703ebd0b7277d394ec8768f88b31775e8df038572d2547c240a0","os":{"architecture":"amd64","distribution":"3.10.0-957.1.3.el7.x86_64","name":"Linux"},"securityLevel":"MEDIUM","startedAt":"2024-09-20T15:50:40Z","title":"SECONDARY JOC COCKPIT","url":"http://localhost:4446","version":"2.7.2"}]} # get severity from status information echo "$response" | jq -r '.clusterState.severity // empty' echo "$response" | jq -r '.controllers[0].componentState.severity // empty' echo "$response" | jq -r '.controllers[0].connectionState.severity // empty' echo "$response" | jq -r '.controllers[1].componentState.severity // empty' echo "$response" | jq -r '.controllers[1].connectionState.severity // empty' echo "$response" | jq -r '.jocs[0].componentState.severity // empty' echo "$response" | jq -r '.jocs[0].connectionState.severity // empty' echo "$response" | jq -r '.jocs[0].version // empty' echo "$response" | jq -r '.database.componentState.severity // empty' echo "$response" | jq -r '.database.connectionState.severity // empty' |
Checking License
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller) # check license ./operate-joc.sh check-license "${request_options[@]}" # returns response .... License type: COMMERCIAL_VALID .... License valid: true .... License valid from: 2021-05-05T12:22:41Z .... License valid until: 2026-05-04T12:22:41Z |
Encrypting and Decrypting
- Secrets can be encrypted and decrypted as explaind with JS7 - Encryption and Decryption.
- Encryption/decryption require related Java libraries that are available from the
./lib
sub-directory. - For creation of a Private Key and Certificate see JS7 - How to create X.509 Encryption Keys.
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# create Private Key openssl ecparam -name secp384r1 -genkey -noout -out encrypt.key # create Certificate Signing Request openssl req -new -sha512 -nodes -key encrypt.key -out encrypt.csr -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=Encrypt" # create Certificate openssl x509 -req -sha512 -days 1825 -signkey encrypt.key -in encrypt.csr -out encrypt.crt -extfile <(printf "keyUsage=critical,keyEncipherment,keyAgreement\n") # encrypt a secret such as a password using the Certificate, the encryption result will be returned and will look like: enc:BEXbHYa... ./operate-joc.sh encrypt --in="root" --cert=encrypt.crt # options for connection to the JS7 REST API can specify the encryption result as password and the Private Key for decryption request_options=(--url=http://localhost:4446 --user=root --password="enc:BEXbHYa..." --key=encrypt.key --controller-id=controller) # for example, when restarting a Controller the Private Key is used to decrypt the password for access to the REST API on-the-fly ./operate-joc.sh restart "${request_options[@]}" # decrypt an encrypted secret using the Private Key ./operate-joc.sh decrypt --in="enc:BEXbHYa..." --key=encrypt.key |
Resources
- API
- Workflow Deployment Operations
- Workflow Status Operations
- Controller Deployment Operations
- Controller Status Operations