Introduction
Prerequisites
Required: User Signing Certificate
Each user with the permission to deploy has to add his own X.509 signing certificate to JOC Cockpit.
Optional: Root CA Certificate
In addition, the X.509 certificate of the Root CA that the user signing certificates were generated from can be added to JOC Cockpit. There is a single Root CA certificate for all user profiles.
- Any user signing certificates have to be added to Controller and Agents. Certificates are stored to the config/private/trusted-x509-keys folder of Controller and Agent installations.
- If a Root CA certificate is present in JOC Cockpit, then it is sufficient to add the Root CA certificate only to the config/private/trusted-x509-keys folder of Controller and Agent installations.
- No further user signing certificates have to be added to Controller or Agents as long as the user signing certificates were created by the given Root CA.
- This mechanism implies that any user signing certificate signed by the same Root CA certificate will be accepted.
- Users who do not wish to use this implicit mechanism should not add the Root CA certificate to Controller and Agents but should add individual user signing certificates only.
Deployment Process Overview
The user has to export the desired configuration of scheduling objects with the Export operation available from the Configuration view.
Deployment tasks include to
- export scheduling objects with the checkbox "for Signing" checked to an archive file (.zip).
- unpack the exported archive
  - The archive contains a meta_inf file and the configurations.
- sign the configurations and store the signature - base64 encoded - in the same folder.
  - Each signature file has to use the same name as the original configuration with an additional filename extension.
  - for RSA/ECDSA signatures use the filename extension ".pem" or ".sig" respectively.
  - for PGP signatures use the default filename extension ".asc".
- pack the archive once again to add the signature files and make sure the meta_inf file is still available in the root folder of the archive.
- upload the archive using the Import And Deploy button.
Example
Export
- Click on Export either in the context menu of the folder you want to export or from the button in the top right corner:
- In the Export popup window check the checkbox "for Signing":
- Select the scheduling objects to deploy.
Signing
Extract the configuration from the archive and preserve the folder structure of the included scheduling objects:
Sign the configuration.
For this example we use OpenSSL to sign the configuration file.
```
openssl dgst -sha256 -sign c:\tmp\sos.private-ec-key.pem -out c:\tmp\example-wf.workflow.json.sha256 c:\tmp\example-wf.workflow.json
```
- -sha256: the signer algorithm
- -sign c:\tmp\sos.private-ec-key.pem: the private key file used to sign the content of the original configuration file
- -out c:\tmp\example-wf.workflow.json.sha256: the path to the output file; the file contains the binary representation of the signature
- c:\tmp\example-wf.workflow.json: the path to the original scheduling object file (workflow)
```
openssl base64 -in c:\tmp\example-wf.workflow.json.sha256 -out c:\tmp\example-wf.workflow.json.pem
```
- base64: OpenSSL switch to encode base64
- -in c:\tmp\example-wf.workflow.json.sha256: the newly created binary signature file
- -out c:\tmp\example-wf.workflow.json.pem: the base64 encoded signature text file named according to the JOC Cockpit deployment naming convention
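The following script is an added example, not part of the JS7 documentation or product code. It builds a throwaway Root CA and a user signing certificate (both constructed here), signs a constructed workflow file exactly as the two OpenSSL commands above do, and then plays the role of a Controller or Agent that holds only the Root CA in trusted-x509-keys: it checks that the signer's certificate was issued by that Root CA and that the base64 ".pem" signature verifies against the signer's public key. How the Controller performs these checks internally is not described on the page; the two functions mirror the trust model the Prerequisites section describes.

```shell
#!/bin/sh
# Added example (not JS7 project code). Requires the openssl CLI.
set -e
WORK=$(mktemp -d)

# Constructed sample scheduling object standing in for an exported workflow.
printf '{"path":"/Example/example-wf","jobs":{}}\n' > "$WORK/example-wf.workflow.json"

# Constructed Root CA and user signing key/certificate (EC P-256, the ECDSA case).
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/root-ca.key" 2>/dev/null
openssl req -x509 -new -key "$WORK/root-ca.key" -subj "/CN=Constructed Root CA" \
  -days 1 -out "$WORK/root-ca.pem" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/user.key" 2>/dev/null
openssl req -new -key "$WORK/user.key" -subj "/CN=deploy-user" -out "$WORK/user.csr" 2>/dev/null
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/root-ca.pem" -CAkey "$WORK/root-ca.key" \
  -CAcreateserial -days 1 -out "$WORK/user.crt" 2>/dev/null

# Signing step from the page: binary signature, then base64 text file named <object>.pem
sign_object() {
  openssl dgst -sha256 -sign "$WORK/user.key" -out "$1.sha256" "$1"
  openssl base64 -in "$1.sha256" -out "$1.pem"
}

# Controller side: was the signer's certificate issued by the trusted Root CA?
cert_trusted() {
  openssl verify -CAfile "$WORK/root-ca.pem" "$1" >/dev/null 2>&1
}

# Controller side: does the .pem signature match the object under the signer's public key?
# $1 = scheduling object file, $2 = signer certificate
verify_object() {
  openssl x509 -in "$2" -pubkey -noout > "$WORK/signer.pub"
  openssl base64 -d -in "$1.pem" -out "$WORK/sig.bin"
  openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$WORK/sig.bin" "$1" >/dev/null 2>&1
}

# Stand-alone run: sign, then perform both checks.
sign_object "$WORK/example-wf.workflow.json"
cert_trusted "$WORK/user.crt" && verify_object "$WORK/example-wf.workflow.json" "$WORK/user.crt" \
  && echo "signature accepted"
```

Changing a single byte of the workflow file after signing makes verify_object fail, and a certificate issued by any other CA fails cert_trusted even though its signature over the file would be valid.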
Copy the newly created signature text file to the same folder as the original scheduling object file.
Pack the archive once again or add the file to the existing archive.
The exported archive also contains the meta_inf file. This file does not have to be signed. Make sure the file is present in the root folder of the target archive.
Import/Deploy this archive with the Import And Deploy function of JOC Cockpit:
Enter the signature algorithm using the default Java names for the signature algorithm. Supported signature names include:
| OpenSSL | Java with RSA | Java with ECDSA |
|---|---|---|
| sha512 | SHA512withRSA | - |
| sha256 | SHA256withRSA | SHA256withECDSA |
During import the scheduling object configuration and the signature from the archive will be forwarded to the Controller and validated. After successful validation by the Controller and by the Agent the scheduling object is deployed.