Page History
...
- Connections from the user's browsers to the JOC Cockpit can be secured by HTTPS and TLS/SSL certificates.
- Connections from the JS7 - REST Web Service API to the Controller can be secured by HTTPS and TLS/SSL certificates.
- This article describes the steps required to set up secure HTTPS communication with JOC Cockpit and with the Controller.
- Consider the JS7 - System Architecture for an overview of components and connections.
- Consider JobScheduler Universal Agent - HTTPS Agent and Master Authentication for securing the connection between Controller instances and Agents.
...
- Certificate stores can be managed from the command line and by use of tools that provide a GUI for this purpose:
- the Java Keytool is available with the Java JRE or JDK,
- the Keystore Explorer is an open source utility to graphically manage certificate stores.
Certificate Management
Certificate Management for secure connections of clients to JOC Cockpit
Should JOC Cockpit and Controller be operated on the same server then no HTTPS connection between both components is required. To secure the JOC Cockpit user interface for HTTPS access by clients (user browsers or REST API clients) the following private key and certificates should be in place:
Flowchart (Graphviz DOT; the digraph wrapper and the node defaults are assumed here, the Confluence flowchart macro supplies them):

```dot
digraph {
    node [shape="box", style="filled"]
    browserClient [label=" User Browser / REST API Client ", fillcolor="lightskyblue"]
    JOC [label=" JOC Cockpit ", fillcolor="lightskyblue"]
    browserClient_Truststore [label="Client Truststore\ntruststore location is product dependent\n\nCA Certificates", fillcolor="orange"]
    JOC_Keystore [label="JOC Cockpit Keystore\n./jetty_base/resources/joc/https-keystore.p12\n\nCA Certificates\nJOC Cockpit Private Key\nJOC Cockpit Certificate", fillcolor="orange"]
    browserClient_Truststore_CA_RootCertificate [shape="ellipse", label="CA Root Certificate", fillcolor="white"]
    JOC_Keystore_CA_RootCertificate [shape="ellipse", label="CA Root Certificate", fillcolor="white"]
    JOC_Keystore_CA_IntermediateCertificate [shape="ellipse", label="CA Intermediate Certificate", fillcolor="white"]
    JOC_PrivateKey [shape="ellipse", label="JOC Cockpit Private Key", fillcolor="white"]
    JOC_Certificate [shape="ellipse", label="JOC Cockpit Certificate", fillcolor="white"]
    browserClient -> JOC [label=" establish JOC Cockpit connection "]
    browserClient -> browserClient_Truststore [label=" use certificate store "]
    browserClient_Truststore -> browserClient_Truststore_CA_RootCertificate [label=" add to truststore, e.g. by Group Policies "]
    JOC -> JOC_Keystore
    JOC_Keystore -> JOC_Keystore_CA_RootCertificate -> JOC_Keystore_CA_IntermediateCertificate [label=" add to keystore "]
    JOC_Keystore -> JOC_PrivateKey -> JOC_Certificate [label=" add to keystore "]
}
```
...
Then proceed with chapter Set up a secure connection of user browsers to the JOC Cockpit
Certificate Management for secure connections from JOC Cockpit to Controller
Should JOC Cockpit and Controller be operated on the same server and network interface then no HTTPS connection between both components is required.
Should JOC Cockpit and Controller be operated on different servers then this connection should be secured by HTTPS.
Private keys and public certificates should be distributed as follows:
Flowchart (Graphviz DOT; the digraph wrapper and the node defaults are assumed here, the Confluence flowchart macro supplies them):

```dot
digraph {
    node [shape="box", style="filled"]
    browserClient [label=" User Browser / REST Client ", fillcolor="lightskyblue"]
    Controller [label=" Controller ", fillcolor="lightskyblue"]
    JOC [label=" JOC Cockpit ", fillcolor="lightskyblue"]
    browserClient_Truststore [label="Client Truststore\ntruststore location is product dependent\n\nCA Certificates", fillcolor="orange"]
    Controller_Keystore [label="Controller Keystore\n./config/private/https-keystore.p12\n\nCA Certificates\nController Private Key / Certificate", fillcolor="orange"]
    JOC_Truststore [label="JOC Cockpit Truststore\n./jetty_base/resources/joc/https-truststore.p12\n\nCA Certificates\nController Certificates", fillcolor="orange"]
    JOC_Keystore [label="JOC Cockpit Keystore\n./jetty_base/resources/joc/https-keystore.p12\n\nCA Certificates\nJOC Cockpit Private Key\nJOC Cockpit Certificate", fillcolor="orange"]
    browserClient_Truststore_CA_RootCertificate [shape="ellipse", label="CA Root Certificate", fillcolor="white"]
    JOC_Truststore_CA_RootCertificate [shape="ellipse", label="CA Root Certificate", fillcolor="white"]
    JOC_Truststore_CA_IntermediateCertificate [shape="ellipse", label="CA Intermediate Certificate", fillcolor="white"]
    Controller_Truststore_Certificate [shape="ellipse", label="Controller Certificate", fillcolor="white"]
    JOC_Keystore_CA_RootCertificate [shape="ellipse", label="CA Root Certificate", fillcolor="white"]
    JOC_Keystore_CA_IntermediateCertificate [shape="ellipse", label="CA Intermediate Certificate", fillcolor="white"]
    Controller_Keystore_CA_RootCertificate [shape="ellipse", label="CA Root Certificate", fillcolor="white"]
    Controller_Keystore_CA_IntermediateCertificate [shape="ellipse", label="CA Intermediate Certificate", fillcolor="white"]
    Controller_Keystore_PrivateKey [shape="ellipse", label="Controller Private Key", fillcolor="white"]
    Controller_Keystore_Certificate [shape="ellipse", label="Controller Certificate", fillcolor="white"]
    JOC_PrivateKey [shape="ellipse", label="JOC Cockpit Private Key", fillcolor="white"]
    JOC_Certificate [shape="ellipse", label="JOC Cockpit Certificate", fillcolor="white"]
    Controller -> Controller_Keystore
    Controller_Keystore -> Controller_Keystore_CA_RootCertificate -> Controller_Keystore_CA_IntermediateCertificate [label=" add to keystore "]
    Controller_Keystore -> Controller_Keystore_PrivateKey -> Controller_Keystore_Certificate [label=" add to keystore "]
    browserClient -> JOC [label=" establish JOC Cockpit connection "]
    browserClient -> browserClient_Truststore [label=" use certificate store "]
    browserClient_Truststore -> browserClient_Truststore_CA_RootCertificate [label=" add to truststore, e.g. by Group Policies "]
    JOC -> JOC_Keystore
    JOC_Keystore -> JOC_Keystore_CA_RootCertificate -> JOC_Keystore_CA_IntermediateCertificate [label=" add to keystore "]
    JOC_Keystore -> JOC_PrivateKey -> JOC_Certificate [label=" add to keystore "]
    JOC -> JOC_Truststore
    JOC_Truststore -> JOC_Truststore_CA_RootCertificate -> JOC_Truststore_CA_IntermediateCertificate [label=" add to truststore "]
    JOC_Truststore_CA_IntermediateCertificate -> Controller_Truststore_Certificate [label=" add to truststore (self-signed certificate only) "]
}
```
The Controller's private key and certificate are added to the Controller's keystore. In case of a self-signed certificate the certificate is added to the JOC Cockpit truststore as well. This step can be skipped if a CA-signed certificate is used, as the Root Certificate and Intermediate Certificate in the JOC Cockpit truststore are sufficient to verify any Controller certificates.
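As an added example (not JS7 project code, and using openssl instead of the Keytool mentioned above), the following POSIX shell script builds the PKCS12 keystore and truststore laid out in the two flowcharts and checks the truststore rule just stated: a CA-signed certificate verifies with only the CA certificate in the truststore, a self-signed Controller certificate only after it has been imported. The CN values, file names, the WORK directory and the password PASS are constructed placeholders.

```shell
# Added example, not JS7 project code: builds the PKCS12 stores described above with
# openssl and checks the truststore rule. CN values, file names and PASS are constructed.
set -eu
WORK=${WORK:-$(mktemp -d)}
PASS=changeit   # constructed store password, not a JS7 default
# Constructed CA root, plus a JOC Cockpit key and a certificate signed by that root.
make_ca_signed_joc_cert() {
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 30 -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 -sha256 -subj "/CN=joc.example.org" \
    -keyout "$WORK/joc.key" -out "$WORK/joc.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/joc.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/joc.crt" 2>/dev/null
}
# Self-signed Controller certificate: the case the article says must be imported explicitly.
make_self_signed_controller_cert() {
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 30 -subj "/CN=controller.example.org" \
    -keyout "$WORK/controller.key" -out "$WORK/controller.crt" 2>/dev/null
}
# JOC Cockpit keystore: private key, JOC Cockpit certificate and the CA chain (root only here).
make_joc_keystore() {
  openssl pkcs12 -export -inkey "$WORK/joc.key" -in "$WORK/joc.crt" -certfile "$WORK/ca.crt" \
    -name joc-cockpit -out "$WORK/https-keystore.p12" -passout "pass:$PASS"
}
# JOC Cockpit truststore: CA certificates only, plus any extra PEM files passed as arguments.
make_joc_truststore() {
  cat "$WORK/ca.crt" "$@" > "$WORK/trust-input.pem"
  openssl pkcs12 -export -nokeys -in "$WORK/trust-input.pem" \
    -out "$WORK/https-truststore.p12" -passout "pass:$PASS"
}
# Number of certificates held in a PKCS12 store.
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
# Prints yes if certificate $1 chains to a certificate in truststore $2 (system CAs ignored), else no.
verifies_against() {
  openssl pkcs12 -in "$2" -nokeys -passin "pass:$PASS" 2>/dev/null > "$WORK/trust.pem"
  if openssl verify -no-CApath -CAfile "$WORK/trust.pem" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}
demo() {
  make_ca_signed_joc_cert; make_self_signed_controller_cert; make_joc_keystore; make_joc_truststore
  echo "CA-signed JOC Cockpit certificate: $(verifies_against "$WORK/joc.crt" "$WORK/https-truststore.p12")"
  echo "self-signed Controller certificate: $(verifies_against "$WORK/controller.crt" "$WORK/https-truststore.p12")"
  make_joc_truststore "$WORK/controller.crt"   # import the self-signed certificate explicitly
  echo "after import into the truststore: $(verifies_against "$WORK/controller.crt" "$WORK/https-truststore.p12")"
}
case "${1:-}" in run) demo ;; esac
```

Run it with the argument `run` to see the three verification results; the generated https-keystore.p12 and https-truststore.p12 have the layout expected under JETTY_BASE/resources/joc.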
Secure Connection Setup
Secure Connection Setup for clients to JOC Cockpit
This configuration is applied in order to enable clients (user browser, REST API client) to access JOC Cockpit by use of HTTPS.
In the following the placeholders JOC_HOME, JETTY_HOME and JETTY_BASE are used which locate three directories. If you install Jetty with the JOC installer then
- JOC_HOME is the installation path which is specified during the JOC Cockpit installation:
  - /opt/sos-berlin.com/js7/joc (default on Linux)
  - C:\Program Files\sos-berlin.com\js7\joc (default on Windows)
- JETTY_HOME = JOC_HOME/jetty
- JETTY_BASE is Jetty's base directory which is specified during the JOC Cockpit installation:
  - /home/<setup-user>/sos-berlin.com/js7/joc (default on Linux)
  - C:\ProgramData\sos-berlin.com\js7\joc (default on Windows)
Step 1: Add the HTTPS module to Jetty
...