Page History
...
- JOC Cockpit verifies the Controller certificate for Server Authentication
- Controller verifies the JOC Cockpit certificate for Client Authentication
Step 1: Create/Update JOC Cockpit (Client) Keystore
For mutual authentication JOC Cockpit has to hold a Client Authentication private key and certificate in its keystore.
- This can be simplified by use of private key/certificate pair that is created for both extended key usages Server Authentication and Client Authentication. In this case a single private key and certificate is stored with the JOC Cockpit keystore as indicated with the JS7 - JOC Cockpit HTTPS Connections article.
- If separate private key/certificate pairs should be used for Server Authentication and Client Authentication purposes then use of separate certificate stores for JOC Cockpit is recommended:
- The keystore holds the private key/certificate for Server Authentication.
- The client keystore holds the private key/certificate for Client Authentication.
The following steps are applied if a separate client keystore is used with JOC Cockpit.
- On the JOC Cockpit server create the client keystore using the
keytool
from your Java JRE or JDK or some third party utility.- For use with a third party utility create a client keystore, e.g.
https-client-keystore.p12,
in PKCS12 format and import:- JOC Cockpit private key and certificate for Client Authentication
- Root CA certificate
- Intermediate CA certificates
- For use with
keytool
create the client keystore in PKCS12 or JKS format according to the steps indicated with JS7 - JOC Cockpit HTTPS Connections: Step 2: Create JOC Cockpit Keystore chapter.- Apply the indicated steps to the client keystore and use the private key/certificate pair for Client Authentication.
- For use with a third party utility create a client keystore, e.g.
Step 2: Create Controller Trusstore
- On the Controller server create the truststore using the
keytool
from your Java JRE or JDK or some third party utility.- For use with a third party utility create a truststore, e.g.
https-truststore.p12,
in PKCS12 format and import:- Root CA certificate
- For use with
keytool
create the truststore in JKS or PKCS12 format with the Root CA certificate. The below examples suggest one possible approach for certificate management, however, there may be other ways how to achieve similar results.- Example for import of a Root CA certificate to a PKCS12 truststore:
Code Block language bash title Example how to import a CA signed certificate into a PKCS12 Truststore # on JOC Cockpit server: import Root CA certificate in PEM format to a PKCS12 truststore (https-truststore.p12) keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storetype PKCS12
Example for export/import of self-signed certificate to a PKCS12 keystore:
Code Block language bash title Example how to export the Master public certificate from a PKCS12 Keystore # on Controller server: export Controller's certificate from keystore (https-keystore.p12) identified by its alias name (controller-https) to a file in PEM format (controller-https.crt) keytool -exportcert -rfc -noprompt -file "controller-https.crt" -alias "controller-https" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12" -storepass jobscheduler -storetype PKCS12 # on JOC Cockpit server: import Controller certificate in PEM format to a PKCS12 truststore (https-truststore.p12) keytool -import -alias "controller-https" -file "controller-https.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storetype PKCS12
Example for export/import of self-signed certificate to a JKS keystore:
Code Block language bash title Example how to export the Master public certificate from a JKS Keystore # on Controller server: export Controller's certificate from keystore (https-keystore.jks) identified by its alias name (controller-https) to a file in PEM format (controller-https.crt) keytool -exportcert -rfc -noprompt -file "controller-https.crt" -alias "controller-https" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.jks" -storepass jobscheduler # on JOC Cockpit server: import Controller certificate in PEM format to a PKCS12 truststore (https-truststore.p12) keytool -import -alias "controller-https" -file "controller-https.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.jks" -storetype PKCS12
- Example for import of a Root CA certificate to a PKCS12 truststore:
- For use with a third party utility create a truststore, e.g.
...
Overview
Content Tools