Scope
- The connection from a user's browser or any REST client to the JOC Cockpit can be secured with HTTPS. This includes the client validating the JOC Cockpit SSL certificate (server authentication).
- In addition, JOC Cockpit can be configured for mutual authentication, which additionally requires the client to present a certificate that JOC Cockpit validates.
- This article describes the steps required to set up JOC Cockpit for two-factor authentication, i.e. SSL mutual authentication combined with password authentication. To log in to JOC Cockpit a client, i.e. a user's browser or a REST client,
  - must hold a certificate, stored on the client's device, that is validated by JOC Cockpit, and
  - must specify a password.
Prerequisites
- JOC Cockpit is set up to use HTTPS communication.
JOC Cockpit Configuration
JETTY_BASE is Jetty's base directory, which is specified during the JOC Cockpit installation:
...
- Line 4: this setting looks odd, but it is required because of a bug in Jetty 9.4, see https://github.com/eclipse/jetty.project/issues/3466. Later Jetty releases that fix this bug will not require the setting.
Certificate Management
Mutual authentication is based on X.509-compliant certificates. Both self-signed certificates and CA-signed certificates can be used.
Certificate Management with the JOC Cockpit
JOC Cockpit holds, in its truststore, the certificate(s) used to validate the clients' certificates. The location of the Jetty truststore is specified in the JETTY_BASE/start.ini configuration file.
- Self-signed Certificates
  - JOC Cockpit holds each client's certificate in its truststore.
  - Each client's individual certificate must be in place before that client can connect.
- CA-signed Certificates
  - JOC Cockpit holds the CA certificate, i.e. the root certificate and any intermediate certificate(s), in its truststore.
  - Connections from any client that uses a certificate signed by the CA will be accepted.
  - This approach is more flexible, as it does not require modifying the Jetty truststore when adding or removing clients.
Certificate Management with the Client
The client holds its private key and certificate in its keystore.
...
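The two truststore models described under Certificate Management, as an added example that is not part of the JOC Cockpit documentation: it uses the openssl command line to build a throw-away CA, one CA-signed client certificate, one self-signed client certificate and one certificate that nobody trusts, then checks which of them each truststore accepts. The names demo-ca, alice, bob and mallory, the PEM file names and the working directory are constructed for this demo; a real Jetty truststore is a keystore file rather than a PEM bundle, but the validation logic is the same.

```shell
#!/bin/sh
# Added example, not from the JOC Cockpit project: compares the "self-signed"
# and "CA signed" truststore models with openssl. All names and paths are
# constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

make_pki() {
    # Private CA (root) for the "CA signed certificates" model
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
        -keyout ca.key -out ca.crt 2>/dev/null
    # Client "alice": key + CSR, certificate issued by the CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout alice.key -out alice.csr 2>/dev/null
    openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -out alice.crt 2>/dev/null
    # Client "bob": self-signed, for the "self-signed certificates" model
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=bob" \
        -keyout bob.key -out bob.crt 2>/dev/null
    # "mallory": a self-signed certificate that is in no truststore at all
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mallory" \
        -keyout mallory.key -out mallory.crt 2>/dev/null
}

# accepted TRUSTSTORE CERT: exit status 0 if the truststore validates CERT,
# which is the decision Jetty makes for a client certificate on mutual TLS
accepted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report TRUSTSTORE CERT: prints one line with the verification result
report() {
    if accepted "$1" "$2"; then
        printf '%-26s %-12s accepted\n' "$1" "$2"
    else
        printf '%-26s %-12s rejected\n' "$1" "$2"
    fi
}

make_pki
# CA model: the truststore contains only the CA certificate
cp ca.crt truststore_ca.pem
# Self-signed model: the truststore contains each client's own certificate
# (append further client certificates to the same file to admit more clients)
cp bob.crt truststore_selfsigned.pem

for cert in alice.crt bob.crt mallory.crt; do
    report truststore_ca.pem "$cert"
    report truststore_selfsigned.pem "$cert"
done
```

Running it shows alice.crt accepted only by the CA truststore, bob.crt accepted only by the self-signed truststore, and mallory.crt rejected by both. To load a CA certificate into a PKCS12 truststore for Jetty, the usual tool is keytool, e.g. `keytool -importcert -trustcacerts -alias demo-ca -file ca.crt -keystore truststore.p12 -storetype PKCS12` (the alias and file names are again assumptions). One caveat that follows from the CA model: because the truststore no longer lists individual clients, withdrawing a client's access requires revoking its certificate (or reissuing the CA) rather than simply deleting an entry from the truststore.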