...
Flowchart (the diagram image is not recoverable; it shows the following components and their contents):
- Client (User Browser / REST API Client) establishes a connection to JOC Cockpit.
- Client Keystore, shown in green (keystore location is product dependent): CA Root Certificate, CA Intermediate Certificate, Client Authentication Private Key and Certificate, added to the keystore.
- Client Truststore, shown in orange (truststore location is product dependent): CA Root Certificate, added to the truststore, e.g. by Group Policies.
- JOC Cockpit Keystore, shown in orange (JETTY_BASE/resources/joc/https-keystore.p12): CA Root Certificate, CA Intermediate Certificate, Server Authentication Private Key and Certificate, added to the keystore.
- JOC Cockpit Truststore, shown in green (JETTY_BASE/resources/joc/https-truststore.p12): CA Root Certificate, added to the truststore.
...
- Keystore and truststore in orange color are required for any connections of clients to JOC Cockpit.
- Keystore and truststore in green color are required only if mutual authentication is in place, e.g. to allow certificate-based authentication.
- A JOC Cockpit truststore in green color is also required if secure connections are used to access a Controller or an LDAP server for authentication/authorization.
- It is therefore recommended to set up the JOC Cockpit truststore.
Secure Connection Setup
In the following the placeholders JOC_HOME, JETTY_HOME and JETTY_BASE are used, which denote three directories. If you install Jetty with the JOC Cockpit installer then
...
- On the JOC Cockpit server create the truststore using the keytool from your Java JRE or JDK or some third party utility.
  - For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
    - Root CA certificate
  - For use with keytool create the truststore in JKS or PKCS12 format with the Root CA certificate. The example below suggests one possible approach to certificate management; there may be other ways to achieve similar results.

Example for import of a Root CA certificate to a PKCS12 truststore:

```bash
# Import the Root CA certificate (PEM format) into a PKCS12 truststore (https-truststore.p12).
# -storetype PKCS12 ensures the .p12 file is created in PKCS12 format regardless of the Java version's default store type.
keytool -import -alias "root-ca" -file "RootCACertificate.crt" -storetype PKCS12 -keystore "JETTY_BASE/resources/joc/https-truststore.p12"
```
...
Edit the following entries in the JETTY_BASE/start.ini configuration file for use of the truststore:

```ini
## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
## Truststore password
jetty.sslContext.trustStorePassword=jobscheduler
```

Explanation:
- Specify the location of the truststore with the trustStorePath setting. A location relative to the JETTY_BASE directory can be specified.
- Specify the password for access to the truststore with the trustStorePassword setting.
Specify the settings to enforce client authentication with the following entries in the JETTY_BASE/start.ini configuration file:

```ini
## force use of client authentication certificates
jetty.sslContext.needClientAuth=false
jetty.sslContext.wantClientAuth=true
jetty.sslContext.endpointIdentificationAlgorithm=
```
Explanation:
- Find explanations of these settings in the JS7 - Authentication article.
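As an added check (not part of the original page or of the JS7 product), the following Python reads the start.ini settings shown above, reports which client-authentication mode the needClientAuth/wantClientAuth pair produces, and flags a truststore that is missing or still protected with the sample password; the start.ini content is a constructed sample.

```python
from typing import Dict, List, Tuple

# Constructed sample combining the two start.ini fragments shown on this page.
SAMPLE_START_INI = """\
## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
## Truststore password
jetty.sslContext.trustStorePassword=jobscheduler
## force use of client authentication certificates
jetty.sslContext.needClientAuth=false
jetty.sslContext.wantClientAuth=true
jetty.sslContext.endpointIdentificationAlgorithm=
"""
SAMPLE_PASSWORD = "jobscheduler"  # the sample password from this page's fragment

def parse_start_ini(text: str) -> Dict[str, str]:
    """Collect key=value properties; skip comments, blank lines and --module switches."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("--"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def client_auth_mode(props: Dict[str, str]) -> str:
    """Map Jetty's needClientAuth/wantClientAuth pair to what the TLS handshake will do."""
    need = props.get("jetty.sslContext.needClientAuth", "false").lower() == "true"
    want = props.get("jetty.sslContext.wantClientAuth", "false").lower() == "true"
    if need:
        return "required"  # handshake fails unless the client presents a certificate
    if want:
        return "optional"  # certificate requested, clients without one still connect
    return "disabled"      # no client certificate requested at all

def check_tls_settings(props: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return the client-auth mode plus findings a reviewer would want to act on."""
    findings: List[str] = []
    if not props.get("jetty.sslContext.trustStorePath"):
        findings.append("no truststore configured: client certificates cannot be validated")
    if props.get("jetty.sslContext.trustStorePassword") == SAMPLE_PASSWORD:
        findings.append("truststore still uses the sample password; change it")
    mode = client_auth_mode(props)
    if mode == "disabled":
        findings.append("client certificates are neither wanted nor required")
    return mode, findings
```

Run it against a real JETTY_BASE/start.ini by passing the file contents to parse_start_ini and then to check_tls_settings.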
Notes
- A restart of JOC Cockpit is required to apply modifications to the JOC Cockpit JETTY_BASE/start.ini and JETTY_BASE/resources/joc/joc.properties configuration files.
...