JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 12

changes.mady.by.user Santiago Aucejo Petzoldt

Saved on

compared with

New Version 13

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Introduction

The certificate rollout with the command line client supports only the usage of the JS7 JOC Certificate Authority. Rollout of certificates generated with an external Certificate Authority are not supported.

Prerequisites

  • Users benefit from simplified rollout of keys and certificates to Controller instances and Agents when using the built-in JS7 - Certificate Authority.
  • Users have a choice to use an external certificate authority or the built-in certificate authority included with JOC Cockpit.

JS7 provides a command line client available with Controller instances and Agents to create and to roll-out keys and certificates of the built-in certificate authority. Rollout of keys and certificates created with an external certificate authority are not in scope of the JS7 command line client.

Prerequisites

The following A number of conditions have to be met before the command line client can be used to rollout the generated keys and certificates.

  • A The JOC CA Cockpit certificate authority has to be present in JS7 JOCavailable and the root key and certificate have been created.
  • A valid token has to be generated in JS7 JOC Cockpit for the desired JS7 controller/ JS7 agentController instances and Agents.

Command Line Client

Parameters:

ParameterRequiredDescriptionExample
--helpNoShows the help pageusage information, this option is exclusive option has to be specified as the only command line option and has no value.
--token=Yes

UUID of the token for a onetime one-time authentication to JS7 JOC Cockpit to receive the generated keys and certificates.

--token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b
--subject-dn=Yes

The SubjectDN to be used consisting of [CN, OU, O, L, S,C] where the current hostname has to be set as CN.

--subject-dn="CN=myControllerHostname, OU=development, O=SOS,  L=Berlin, S=Berlin, C=DE"
--san=Yes

The subject alternative names(SAN) should be set with variation of the hostname e.g. including the domain part. The alternatives are separated by comma.

--san="myControllerHostname.sos, myControllerHostname, sp.sos, sp"
--joc-uri=Yes

URI of the JS7 JOC to receive the generated certificates from.

--joc-uri=https://joc-2-0-secondary:4443
--source-keystore=No

Path of the Keystore holding the keys to connect to JS7 JOC over HTTPS.

--source-keystore=C:/sp/devel/js7/keys/sp-keystore.p12
--source-keystore-type=No

Type of the keystore to connect to JS7 JOC over HTTPS. (PKCS12[default] and JKS are supported only)

--source-keystore-type=PKCS12
--source-keystore-pass=No

Password for the keystore holding the keys to connect to JS7 JOC over HTTPS.

--source-keystore-pass="YourKeystorePassword"
--source-keystore-entry-pass=No

Password for the private key entry of the keystore holding the keys to connect to JS7 JOC over HTTPS.

--source-keystore-entry-pass="YourKeystoreEntryPassword"
--source-truststore=No

Path of the Truststore holding the trusted certificates to connect to JS7 JOC over HTTPS.

--source-truststore=C:/sp/devel/js7/keys/sp-truststore.p12
--source-truststore-type=No

Type of the truststore to connect to JS7 JOC over HTTPS. (PKCS12[default] and JKS are supported only)

--source-truststore-type=PKCS12
--source-truststore-pass=No

Password for the truststore holding the keys to connect to JS7 JOC over HTTPS.

--source-truststore-pass="YourTruststorePassword"
--source-private-key=No

Path to the private Key file used to connect to JS7 JOC over HTTPS.

--source-private-key=C:/sp/devel/js7/keys/sp/sp.key
--source-certificate=No

Path to the certificate file used to connect to JS7 JOC over HTTPS.

--source-certificate=C:/sp/devel/js7/keys/sp/sp.cer
--source-ca-cert=No

Path to the CA certificate file(s) used to connect to JS7 JOC over HTTPS. (Comma separated)

--source-ca-cert="C:/sp/devel/js7/keys/sp/sos_intermediate_ca.cer, C:/sp/devel/js7/keys/sp/sos_root_ca.cer"
--target-keystore=Yes

Path to the Keystore where the generated SSL certificates and keys should be stored.

--target-keystore=C:/sp/devel/js7/testing/CLI/controller/https-keystore.p12
--target-keystore-type=No

Type of the keystore to store to. (PKCS12[default] and JKS are supported only)

--target-keystore-type=PKCS12
--target-keystore-pass=No

Password for the keystore to store to.

--target-keystore-pass="YourKeystorePassword"
--target-keystore-entry-pass=No

Password for the private key/certificate entry of the target keystore holding the keys for mutual https.

--target-keystore-entry-pass="YourKeystoreEntryPassword"
--target-truststore=Yes

Path to the Truststore where the trusted ca certificate should be stored.

--target-truststore=C:/sp/devel/js7/testing/CLI/controller/https-truststore.p12
--target-truststore-type=No

Type of the truststore to store to. (PKCS12[default] and JKS are supported only)

--target-truststore-type=PKCS12
--target-truststore-pass=No

Password for the truststore to store to.

--target-truststore-pass="YourTruststorePassword"

--key-alias=Yes

Alias used to store the certificate and its private key in the target keystore.

--key-alias="MyKeyAlias"
--ca-alias=Yes

Alias used to store the ca certificate in both, the target keystore and truststore.

--ca-alias="MyTrustedCertificateAlias"

Connection to JS7 JOC over HTTP

No parameter starting with --source has to be set.

Connection to JS7 JOC over HTTPS

There are two ways supported to connect over HTTPS. Depending on the method which is chosen some optional parameters are required.

  1. using KeyStore/Truststore
    • The following parameters have to be set
      • --source-keystore
        • required
      • -source-keystore-type
        • optional
        • has to be set if JKS is used
      • --source-keystore-pass
        • optional
        • has to be set if the keystore is secured with a password
      • --source-keystore-entry-pass
        • optional
        • has to be set if the private key entry is secured with a password
      • --source-truststore
        • required
      • --source-truststore-type
        • optional
        • has to be set if JKS is used
      • --source-truststore-pass
        • optional
        • has to be set if the truststore is secured with a password
  2. using key and certificate files instead of stores
    • The following parameters have to be set
      • --source-private-key
        • required
      • --source-certificate
        • required
      • --source-ca-cert
        • required

Examples


The jar file to use is present in two forms 

...