Versions Compared

...

  • JS7_CONTROLLER_HOME points to the Controller instance's installation directory
  • JS7_CONTROLLER_CONFIG_DIR points to the Controller instance's configuration directory
    • /var/sos-berlin.com/js7/controller/config (default on Linux)
    • C:\ProgramData\sos-berlin.com\js7\config (default on Windows)

Secure Connections

...

from JOC Cockpit to Controller

This configuration is applied in order to secure the connection if JOC Cockpit and Controller are not operated on the same server and network interface.

...

Step 4: Configure the JOC Cockpit Truststore

...

The Root CA certificate is added to the JOC Cockpit truststore. If self-signed certificates are used, then each certificate is added to the JOC Cockpit truststore.

  • On the JOC Cockpit server create the truststore using the keytool from your Java JRE or JDK or some third party utility.
    • For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
      • Root CA certificate
    • For use with keytool create the truststore in JKS or PKCS12 format with the Root CA certificate. The examples below suggest one possible approach to certificate management; there may be other ways to achieve similar results.
      • Example for import of a Root CA certificate to a PKCS12 truststore:

        Example how to import a CA signed certificate into a PKCS12 Truststore
        # import Root CA certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
        # -storetype PKCS12 makes the format explicit on Java versions whose default keystore type is JKS
        keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storetype PKCS12
      • Example for use of a self-signed Controller certificate with a JOC Cockpit PKCS12 truststore:

        Example for import of a self-signed Controller certificate to JOC Cockpit PKCS12 Truststore
        # import Master public certificate from a file in PEM format (master-https.crt) identified by its alias name (master-https) to the JOC Cockpit PKCS12 keystore (joc-https.p12)
        keytool -importcert -noprompt -file "master-https.crt" -alias "master-https" -keystore "JETTY_BASE/etc/joc-https.p12" -storepass jobscheduler -storetype PKCS12 -trustcacerts
      • Example for use of a self-signed Controller certificate with a JOC Cockpit JKS truststore:

        Example for import of a self-signed Controller certificate to JOC Cockpit JKS Truststore
        # import Master public certificate from a file in PEM format (master-https.crt) identified by its alias name (master-https) to the JOC Cockpit JKS keystore (joc-https.jks)
        keytool -importcert -noprompt -file "master-https.crt" -alias "master-https" -keystore "JETTY_BASE/etc/joc-https.jks" -storepass jobscheduler -trustcacerts
  • The location of the truststore is added to the JETTY_BASE/resources/joc/joc.properties configuration file like this:

    • Example for PKCS12 keystore

      ### Location of the Java truststore that contains the certificates of all
      ###   Controllers used for HTTPS connections. The path can be absolute or
      ###   relative to joc.properties
      
      truststore_path = ../../resources/joc/https-truststore.p12 
      truststore_type = PKCS12
      truststore_password = jobscheduler
    • Example for JKS keystore

      ### Location of the Java truststore that contains the certificates of all
      ###   Controllers used for HTTPS connections. The path can be absolute or 
      ###   relative to joc.properties
      
      truststore_path = ../../resources/joc/https-truststore.jks
      truststore_type = JKS
      truststore_password = jobscheduler
  • Hostname verification is in place by default; it is set in the JETTY_BASE/resources/joc/joc.properties configuration file.

    ################################################################################
    ### Should hostname verification be carried out for https certificate. 
    ### Default false
    
    https_with_hostname_verification = true
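
The following check of the joc.properties truststore settings described in Step 4 is an added example, not part of the original page or of the JS7 product. The function names `prop` and `lint_joc_properties` and the temporary directory layout are assumptions made for illustration; the property keys are the ones shown above.

```bash
#!/usr/bin/env bash
# Added example: lint the truststore settings in a joc.properties file.

# prop FILE KEY: print the value of the last "KEY = value" line (### comments are skipped)
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# lint_joc_properties FILE: print findings; the return code is the number of findings
lint_joc_properties() {
  local file=$1 n=0 path type ext
  path=$(prop "$file" truststore_path)
  type=$(prop "$file" truststore_type)
  if [ -z "$path" ]; then
    echo "FAIL: truststore_path is not set"; n=$((n + 1))
  else
    # a relative truststore_path is resolved against the directory of joc.properties
    case $path in /*) ;; *) path="$(dirname "$file")/$path" ;; esac
    [ -f "$path" ] || { echo "FAIL: truststore not found: $path"; n=$((n + 1)); }
    ext=${path##*.}
    case "$type:$ext" in
      PKCS12:p12|PKCS12:pfx|JKS:jks) ;;
      *) echo "FAIL: truststore_type '$type' does not fit extension '.$ext'"; n=$((n + 1)) ;;
    esac
  fi
  if [ "$(prop "$file" https_with_hostname_verification)" != "true" ]; then
    echo "FAIL: https_with_hostname_verification is not true"; n=$((n + 1))
  fi
  # 'jobscheduler' is the password used in the examples on this page
  if [ "$(prop "$file" truststore_password)" = "jobscheduler" ]; then
    echo "WARN: truststore_password is the documentation example value"; n=$((n + 1))
  fi
  # the file holds the password in clear text, so it should not be world-readable
  if [ -n "$(find "$file" -perm -004)" ]; then
    echo "WARN: $file is readable by all users"; n=$((n + 1))
  fi
  return "$n"
}

# Constructed sample: a JETTY_BASE layout in a temp directory, .jks file declared as PKCS12
demo_base=$(mktemp -d)
mkdir -p "$demo_base/resources/joc"
: > "$demo_base/resources/joc/https-truststore.jks"
printf '%s\n' '### constructed sample' \
  'truststore_path = ../../resources/joc/https-truststore.jks' \
  'truststore_type = PKCS12' 'truststore_password = jobscheduler' \
  'https_with_hostname_verification = false' > "$demo_base/resources/joc/joc.properties"
lint_joc_properties "$demo_base/resources/joc/joc.properties" || echo "findings: $?"
rm -rf "$demo_base"
```

Run against a real installation with `lint_joc_properties JETTY_BASE/resources/joc/joc.properties`; a return code of 0 means none of the checks raised a finding.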

...

Step 1: Create Controller Truststore

  • On the Controller server create the truststore using the keytool from your Java JRE or JDK or some third party utility.
    • For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
      • Root CA certificate
    • For use with keytool create the truststore in JKS or PKCS12 format with the Root CA certificate. The examples below suggest one possible approach to certificate management; there may be other ways to achieve similar results.
      • Example for import of a Root CA certificate to a PKCS12 truststore:

        Example how to import a CA signed certificate into a PKCS12 Truststore
        # on JOC Cockpit server: import Root CA certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
        keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storetype PKCS12
      • Example for export/import of self-signed certificate to a PKCS12 keystore:

        Example how to export the Master public certificate from a PKCS12 Keystore
        # on Controller server: export Controller's certificate from keystore (https-keystore.p12) identified by its alias name (controller-https) to a file in PEM format (controller-https.crt)
        keytool -exportcert -rfc -noprompt -file "controller-https.crt" -alias "controller-https" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12" -storepass jobscheduler -storetype PKCS12
        
        # on JOC Cockpit server: import Controller certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
        keytool -import -alias "controller-https" -file "controller-https.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storetype PKCS12
      • Example for export/import of self-signed certificate to a JKS keystore:

        Example how to export the Master public certificate from a JKS Keystore
        # on Controller server: export Controller's certificate from keystore (https-keystore.jks) identified by its alias name (controller-https) to a file in PEM format (controller-https.crt)
        keytool -exportcert -rfc -noprompt -file "controller-https.crt" -alias "controller-https" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.jks" -storepass jobscheduler

        # on JOC Cockpit server: import Controller certificate in PEM format to a JKS truststore (https-truststore.jks)
        keytool -import -alias "controller-https" -file "controller-https.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.jks" -storetype JKS

      The exported public certificate of each JobScheduler Master has to be imported to the Java Truststore that is used by the JOC Cockpit.

Notes

  • A restart of the respective component is required to apply modifications to the JS7_CONFIG_DIR/private/private.conf file of the Controller or to configuration files of JOC Cockpit.

...