Introduction
- Users benefit from the certificate authority included with JOC Cockpit to create and roll out private keys and certificates.
- This includes simplified roll-out to Controller and Agent instances to establish secure HTTPS connections.
- The built-in certificate authority is applicable when operating JOC Cockpit in a low or medium security level, see JS7 - Security Architecture.
- The built-in certificate authority
  - creates certificates for HTTPS Mutual Authentication
    - between JOC Cockpit and Controller instances,
    - between Primary and Secondary Controller instances,
    - between Controller instances and Agents.
  - is not used to create JOC Cockpit server authentication certificates. Access to JOC Cockpit is performed by user browsers, therefore it is preferable to use a server/client authentication certificate that is signed by a known certificate authority for which user browsers include the root certificate.
- Users benefit from simplified rollout of private keys and certificates when using the built-in certificate authority.
...
- to authenticate with JOC Cockpit by use of a security token, see JS7 - Certificate Authority - Manage Certificates with JOC Cockpit,
- to request a private key and certificate to be created by JOC Cockpit on-the-fly,
- to update a Controller or Agent instance's configuration for use of the private key and certificate with HTTPS mutual authentication.
Prerequisites
The following conditions have to be met before the Command Line Client can be used to roll out private keys and certificates.
- The JOC Cockpit certificate authority has to be available and the root private key and certificate have to be created.
- Valid security tokens have been generated with JOC Cockpit for the desired Controller and Agent instances.
- For details see JS7 - Certificate Authority - Manage Certificates with JOC Cockpit
Command Line Client
The command line client is available for Unix and Windows:
- for a Controller instance:
./bin/controller.sh|cmd
- for an Agent instance:
./bin/agent.sh|cmd
Standard Arguments
The following arguments are used independently from an HTTP or HTTPS connection to JOC Cockpit:
Arguments for use with JOC Cockpit HTTPS Connections
The following arguments are used in addition to the standard arguments if JOC Cockpit is set up for HTTPS connections:
...
Arguments for use with JOC Cockpit HTTPS Connections using Mutual Authentication
The following arguments are used in addition to the HTTPS connection arguments if JOC Cockpit is set up for JOC Cockpit - HTTPS Mutual Authentication.
Examples
Example for use of an HTTP Connection to JOC Cockpit
```sh
java -jar sos-commons-cli.jar com.sos.cli.ExecuteRollOut \
    --token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b \
    --joc-uri=http://somehost.example.com:4446 \
    --san="myhost.example.com, myhost" \
    --subject-dn="CN=myhost, OU=IT Operations, O=SOS, C=DE, L=Berlin, S=Berlin" \
    --key-alias=myhost \
    --ca-alias="Root CA" \
    --target-keystore=/var/sos-berlin.com/js7/controller/var/config/private/https-keystore.p12 \
    --target-keystore-pass=jobscheduler \
    --target-keystore-entry-pass=jobscheduler \
    --target-truststore=/var/sos-berlin.com/js7/controller/var/config/private/https-truststore.p12 \
    --target-truststore-pass=jobscheduler
```
Explanation:
- tbd
Example for use of an HTTPS Connection to JOC Cockpit with Mutual Authentication from a Client Truststore
```sh
java -jar sos-commons-cli.jar com.sos.cli.ExecuteRollOut \
    --token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b \
    --joc-uri=https://somehost.example.com:4446 \
    --san="myhost.example.com, myhost" \
    --subject-dn="CN=myhost, OU=IT Operations, O=SOS, C=DE, L=Berlin, S=Berlin" \
    --key-alias=myhost \
    --ca-alias="Root CA" \
    --source-keystore=/home/sos/private/js7-keystore.p12 \
    --source-keystore-pass="" \
    --source-keystore-entry-pass="" \
    --source-truststore=/home/sos/private/js7-truststore.p12 \
    --source-truststore-pass="" \
    --target-keystore=/var/sos-berlin.com/js7/controller/var/config/private/https-keystore.p12 \
    --target-keystore-pass=jobscheduler \
    --target-keystore-entry-pass=jobscheduler \
    --target-truststore=/var/sos-berlin.com/js7/controller/var/config/private/https-truststore.p12 \
    --target-truststore-pass=jobscheduler
```
Explanation:
- tbd
Example for use of an HTTPS Connection to JOC Cockpit with Mutual Authentication from a Client Key File
```sh
java -jar sos-commons-cli.jar com.sos.cli.ExecuteRollOut \
    --token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b \
    --joc-uri=https://myhost.example.com:4446 \
    --san="myhost.example.com, myhost" \
    --subject-dn="CN=myhost, OU=IT Operations, O=SOS, C=DE, L=Berlin, S=Berlin" \
    --key-alias=myhost \
    --ca-alias="Root CA" \
    --source-private-key=/home/sos/private/myhost.key \
    --source-certificate=/home/sos/public/myhost.pem \
    --source-ca-cert="/home/sos/public/intermediate_ca.pem, /home/sos/public/root_ca.pem" \
    --target-keystore=/var/sos-berlin.com/js7/controller/var/config/private/https-keystore.p12 \
    --target-keystore-pass=jobscheduler \
    --target-keystore-entry-pass=jobscheduler \
    --target-truststore=/var/sos-berlin.com/js7/controller/var/config/private/https-truststore.p12 \
    --target-truststore-pass=jobscheduler
```
Explanation:
- tbd
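A pre-flight check for the arguments used in the examples above, as an added example that is not part of the original page or of the JS7 distribution. It flags a non-HTTPS `--joc-uri` (the security token and the requested private key travel over that connection), relative target store paths, empty or example passwords, and a subject CN that is missing from the SAN list. The function name `rollout_preflight` and the finding labels are assumptions made for this example; the argument names are those shown on this page.

```sh
#!/bin/sh
# Added example: lint ExecuteRollOut arguments before the client is run.
# Prints one finding per line; returns 0 only when there are no findings.
rollout_preflight() (
    bad=0 uri="" san="" dn=""
    flag() { echo "$1"; bad=1; }
    for arg in "$@"; do
        name=${arg%%=*} val=${arg#*=}
        case $arg in
            --joc-uri=*)    uri=$val ;;
            --san=*)        san=$val ;;
            --subject-dn=*) dn=$val ;;
            --target-keystore=*|--target-truststore=*)
                # A relative path resolves against the current directory.
                case $val in /*) ;; *) flag "relative-path:$name" ;; esac ;;
            --*-pass=*)
                # "jobscheduler" is the password printed in the page's examples.
                case $val in
                    "")           flag "empty-password:$name" ;;
                    jobscheduler) flag "example-password:$name" ;;
                esac ;;
        esac
    done
    # The token and the requested private key travel over this connection.
    case $uri in https://*) ;; *) flag "not-https:--joc-uri" ;; esac
    # TLS peers match host names against the SAN list, so the CN should be in it.
    cn=$(printf '%s' "$dn" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ -n "$cn" ]; then
        case ",$(printf '%s' "$san" | tr -d ' ')," in
            *",$cn,"*) ;;
            *) flag "cn-not-in-san:$cn" ;;
        esac
    fi
    [ "$bad" -eq 0 ]
)

# Constructed call using values from the HTTP example on this page.
rollout_preflight \
    --joc-uri=http://somehost.example.com:4446 \
    --san="myhost.example.com, myhost" \
    --subject-dn="CN=myhost, OU=IT Operations, O=SOS, C=DE, L=Berlin, S=Berlin" \
    --target-keystore=/var/sos-berlin.com/js7/controller/var/config/private/https-keystore.p12 \
    --target-keystore-pass=jobscheduler \
    || echo "resolve the findings above before rolling out"
```

The password arguments still appear on the command line of the `java` process, so the check only catches weak values and does not hide them from a process listing.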
Developer Notes
The jar file to use is present in two forms
...