...

Flowchart

// The digraph wrapper and the node defaults (box shape, filled style) are added so that the
// diagram renders stand-alone with dot; the Confluence flowchart macro supplies them itself.
digraph JOC_Cockpit_TLS {
  node [shape="box",style="filled"]

  // participants
  Client [label="   Client   \n   User Browser / REST API Client   ",fillcolor="lightskyblue"]
  JOC [label="   JOC Cockpit   ",fillcolor="lightskyblue"]

  // key material containers: orange = required for any connection, green = required for mutual authentication
  Client_Keystore [label="Client Keystore\nkeystore location is product dependent\n\nCA Certificates\nClient Private Key / Certificate",fillcolor="limegreen"]
  Client_Truststore [label="Client Truststore\ntruststore location is product dependent\n\nCA Certificates",fillcolor="orange"]
  JOC_Keystore [label="JOC Cockpit Keystore\nJETTY_BASE/resources/joc/https-keystore.p12\n\nCA Certificates\nJOC Cockpit Private Key / Certificate",fillcolor="orange"]
  JOC_Truststore [label="JOC Cockpit Truststore\nJETTY_BASE/resources/joc/https-truststore.p12\n\nCA Certificates",fillcolor="limegreen"]

  // client-side certificates and keys
  Client_Keystore_CA_RootCertificate [shape="ellipse",label="CA Root Certificate",fillcolor="white"]
  Client_Keystore_CA_IntermediateCertificate [shape="ellipse",label="CA Intermediate Certificate",fillcolor="white"]
  Client_PrivateKey [shape="ellipse",label="Client Authentication\nPrivate Key",fillcolor="white"]
  Client_Certificate [shape="ellipse",label="Client Authentication Certificate",fillcolor="white"]

  Client_Truststore_CA_RootCertificate [shape="ellipse",label="CA Root Certificate",fillcolor="white"]
  JOC_Truststore_CA_RootCertificate [shape="ellipse",label="CA Root Certificate",fillcolor="white"]
  JOC_Keystore_CA_RootCertificate [shape="ellipse",label="CA Root Certificate",fillcolor="white"]
  JOC_Keystore_CA_IntermediateCertificate [shape="ellipse",label="CA Intermediate Certificate",fillcolor="white"]

  // server-side certificate and key
  JOC_PrivateKey [shape="ellipse",label="Server Authentication\nPrivate Key",fillcolor="white"]
  JOC_Certificate [shape="ellipse",label="Server Authentication Certificate",fillcolor="white"]

  Client -> JOC [label=" establish connection "]
  Client -> Client_Truststore
  Client_Truststore -> Client_Truststore_CA_RootCertificate [label=" add to truststore,  \n e.g. by Group Policies "]

  Client -> Client_Keystore
  Client_Keystore -> Client_Keystore_CA_RootCertificate -> Client_Keystore_CA_IntermediateCertificate [label=" add to keystore "]
  Client_Keystore -> Client_PrivateKey -> Client_Certificate [label=" add to keystore "]

  JOC -> JOC_Keystore
  JOC_Keystore -> JOC_Keystore_CA_RootCertificate -> JOC_Keystore_CA_IntermediateCertificate [label=" add to keystore "]
  JOC_Keystore -> JOC_PrivateKey -> JOC_Certificate [label=" add to keystore "]

  JOC -> JOC_Truststore
  JOC_Truststore -> JOC_Truststore_CA_RootCertificate [label=" add to truststore "]
}

...

  • Keystore and truststore in orange color are required for any connections of clients to JOC Cockpit.
  • Keystore and truststore in green color are required only if mutual authentication is in place, e.g. to allow certificate based authentication.
  • A JOC Cockpit truststore in green color is required should secure connections be used to access a Controller or an LDAP server for authentication/authorization.
  • It is therefore recommended to set up the JOC Cockpit truststore.

Secure Connection Setup

In the following, the placeholders JOC_HOME, JETTY_HOME and JETTY_BASE are used; they refer to three directories. If you install Jetty with the JOC Cockpit installer then

...

  • On the JOC Cockpit server create the truststore using the keytool from your Java JRE or JDK or some third party utility.
    • For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
      • Root CA certificate
    • For use with keytool create the truststore in JKS or PKCS12 format with the Root CA certificate. The examples below suggest one possible approach to certificate management; there may be other ways to achieve similar results.
      • Example for import of a Root CA certificate to a PKCS12 truststore

        Code Block
        language: bash
        title: Example how to import a CA signed certificate into a PKCS12 Truststore
        # import Root CA certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
        # -storetype PKCS12 makes the store format explicit; older JDKs otherwise default to JKS regardless of the .p12 file name
        keytool -import -alias "root-ca" -file "RootCACertificate.crt" -storetype PKCS12 -keystore "JETTY_BASE/resources/joc/https-truststore.p12"

...

  • Edit the following entries in the JETTY_BASE/start.ini configuration file to make use of the truststore:

    Code Block
    ## Truststore file path (relative to $jetty.base)
    jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
    
    ## Truststore password
    jetty.sslContext.trustStorePassword=jobscheduler


    Explanation:

    • Specify the location of the truststore with the trustStorePath setting. A location relative to the JETTY_BASE directory can be specified.
    • Specify the password for access to the truststore with the trustStorePassword setting. Replace the example value with your own password.
  • Specify the settings to enforce client authentication with the following entries in the JETTY_BASE/start.ini configuration file: 

    Code Block
    ## force use of client authentication certificates
    jetty.sslContext.needClientAuth=false
    jetty.sslContext.wantClientAuth=true
    jetty.sslContext.endpointIdentificationAlgorithm=

    Explanation:

    • needClientAuth=true makes Jetty reject the TLS handshake of any client that does not present a certificate; with the value false shown above client certificates are not mandatory.
    • wantClientAuth=true makes Jetty request a certificate from the client during the handshake, but the connection is still established if the client presents none. With this combination clients without a certificate can reach JOC Cockpit and have to authenticate by other means.
    • endpointIdentificationAlgorithm is left empty, i.e. no hostname verification is applied to the certificates presented to this SSL context.

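The following script is an added example and is not part of the JOC Cockpit documentation or product. It reads the jetty.sslContext.* entries from a start.ini as set up in the two steps above and reports how the resulting configuration behaves: whether the truststore is configured and present below JETTY_BASE, whether the truststore password is still the example value, and whether client certificates are ignored, requested or required. The sample start.ini text and the placeholder truststore file are constructed for the example; the interpretation of needClientAuth and wantClientAuth follows Jetty's SslContextFactory semantics.

```python
"""Audit the TLS entries of a Jetty start.ini as used by JOC Cockpit (added example)."""
import os
import tempfile

# Constructed sample: the entries shown in the setup steps (## lines are Jetty comments).
SAMPLE_START_INI = """\
## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12

## Truststore password
jetty.sslContext.trustStorePassword=jobscheduler

## force use of client authentication certificates
jetty.sslContext.needClientAuth=false
jetty.sslContext.wantClientAuth=true
jetty.sslContext.endpointIdentificationAlgorithm=
"""


def parse_start_ini(text):
    """Return a dict of key=value entries; comments, blank lines and --module lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("--") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries


def client_auth_mode(entries):
    """Map Jetty's needClientAuth / wantClientAuth pair to the effective behaviour.

    needClientAuth=true  -> handshake fails without a client certificate   ("required")
    wantClientAuth=true  -> certificate requested, connection allowed without ("optional")
    neither              -> no certificate requested                        ("none")
    """
    def flag(name):
        return entries.get("jetty.sslContext." + name, "false").lower() == "true"

    if flag("needClientAuth"):
        return "required"
    if flag("wantClientAuth"):
        return "optional"
    return "none"


def audit_start_ini(text, jetty_base):
    """Return the parsed entries, the effective client auth mode and a list of findings."""
    entries = parse_start_ini(text)
    findings = []

    path = entries.get("jetty.sslContext.trustStorePath")
    if not path:
        findings.append("no truststore configured (jetty.sslContext.trustStorePath missing)")
    else:
        # relative paths are resolved against $jetty.base, as the start.ini comment states
        full = path if os.path.isabs(path) else os.path.join(jetty_base, path)
        if not os.path.isfile(full):
            findings.append("truststore file not found: " + full)

    password = entries.get("jetty.sslContext.trustStorePassword", "")
    if not password:
        findings.append("truststore password is empty")
    elif password == "jobscheduler":
        findings.append("truststore password is the example value from the documentation")

    mode = client_auth_mode(entries)
    if mode == "optional":
        findings.append("client certificates are requested but not required; "
                        "clients without a certificate still get a TLS connection")
    return {"entries": entries, "client_auth": mode, "findings": findings}


def run_demo():
    """Create a throw-away JETTY_BASE with a placeholder truststore file and audit the sample."""
    with tempfile.TemporaryDirectory() as jetty_base:
        store_dir = os.path.join(jetty_base, "resources", "joc")
        os.makedirs(store_dir)
        # placeholder standing in for https-truststore.p12; only its presence is checked
        with open(os.path.join(store_dir, "https-truststore.p12"), "wb") as fh:
            fh.write(b"placeholder")
        return audit_start_ini(SAMPLE_START_INI, jetty_base)


if __name__ == "__main__":
    result = run_demo()
    print("client authentication:", result["client_auth"])
    for finding in result["findings"]:
        print("-", finding)
```

Run it against a real installation by passing the contents of JETTY_BASE/start.ini and the JETTY_BASE directory to audit_start_ini; the "optional" finding is the one to look at when the intention is to make certificate based authentication mandatory, since that requires needClientAuth=true.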
Notes

  • A restart of JOC Cockpit is required to apply modifications to the JOC Cockpit JETTY_BASE/start.ini and JETTY_BASE/resources/joc/joc.properties configuration files.

...