JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 8

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 9

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • On the JOC Cockpit server create the truststore using the keytool from your Java JRE or JDK or some third party utility.
    • For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
      • Root CA certificate
    • For use with keytool create the truststore in JKS or PKCS12 format with the Root CA certificate. The below examples suggest one possible approach for certificate management, however, there may be other ways how to achieve similar results.

      • Example for import of a Root CA certificate to a PKCS12 truststore:

        Code Block
        languagebash
        titleExample how to import a CA signed certificate into a PKCS12 Truststore
        # import Root CA certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12"

      • Example for use of a self-signed Controller certificate with a JOC Cockpit PKCS12 truststore:

        Code Block
        languagebash
        titleExample for import of a self-signed Controller certificate the Master public certificate to JOC Cockpit PKCS12 Truststore
        # import Master public certificate from a file in PEM format (master-https.crt) identified by its alias name (master-https) to the JOC Cockpit PKCS12 keystore (joc-https.p12)
keytool -importcert -noprompt -file "master-https.crt" -alias "master-https" -keystore "JETTY_BASE/etc/joc-https.p12" -storepass jobscheduler -storetype PKCS12 -trustcacerts

      • Example for use of a self-signed Controller certificate with a JOC Cockpit JKS truststore:

        Code Block
        languagebash
        titleExample for import of a self-signed Controller certificate the Master public certificate to JOC Cockpit JKS Truststore
        # import Master public certificate from a file in PEM format (master-https.crt) identified by its alias name (master-https) to the JOC Cockpit JKS keystore (joc-https.jks)
keytool -importcert -noprompt -file "master-https.crt" -alias "master-https" -keystore "JETTY_BASE/etc/joc-https.jks" -storepass jobscheduler -trustcacerts

  • The location of the truststore is added to the JETTY_BASE/resources/joc/joc.properties configuration file like this:

    • Example for PKCS12 keystoretruststore

      Code Block
      languagetext
      ### Location of the Java truststore that contains the certificates of all
###   Controllers used for HTTPS connections. The path can be absolute or
###   relative to joc.properties

truststore_path = ../../resources/joc/https-truststore.p12 
truststore_type = PKCS12
truststore_password = jobscheduler

    • Example for JKS keystoretruststore

      Code Block
      languagetext
      ### Location of the Java truststore that contains the certificates of all
###   Controllers used for HTTPS connections. The path can be absolute or 
###   relative to joc.properties

truststore_path = ../../resources/joc/https-truststore.jks
truststore_type = JKS
truststore_password = jobscheduler

  • Hostname verification by default is in place with the JETTY_BASE/resources/joc/joc.properties configuration file.

    Code Block
    ################################################################################
### Should hostname verification be carried out for https certificate. 
### Default false

https_with_hostname_verification = true

Mutual Authentication

...

from JOC Cockpit to Controller

This configuration is applied in order to enable mutual authentication:

...

  • On the JOC Cockpit server create the client keystore using the keytool from your Java JRE or JDK or some third party utility.
    • For use with a third party utility create a client keystore, e.g. https-client-keystore.p12, in PKCS12 format and import:
      • JOC Cockpit private key and certificate for Client Authentication
      • Root CA certificate
      • Intermediate CA certificates
    • For use with keytool create the client keystore in PKCS12 or JKS format according to the steps indicated with JS7 - JOC Cockpit HTTPS Connections: Step 2: Create JOC Cockpit Keystore chapter.
      • Apply the indicated steps to the client keystore and use the private key/certificate pair for Client Authentication.

...

  • The location of the client keystore is added to the JETTY_BASE/resources/joc/joc.properties configuration file like this:

    • Example for PKCS12 keystore

      Code Block
      languagetext
      ### Location of the client keystore that contains the private key and 
###   certificate for JOC Cockpit client authentication relative to
###   joc.properties

client_keystore_path = ../../resources/joc/https-truststore.p12 
client_keystore_type = PKCS12
client_keystore_password = jobscheduler

    • Example for JKS keystore

      Code Block
      languagetext
      ### Location of the client keystore that contains the private key and 
###   certificate for JOC Cockpit client authentication relative to
###   joc.properties

client_keystore_path = ../../resources/joc/https-truststore.jks
client_keystore_type = JKS
client_keystore_password = jobscheduler

Step 2: Create Controller Truststore

  • On the Controller server create the truststore using the keytool from your Java JRE or JDK or some third party utility.
    • For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
      • Root CA certificate
    • For use with keytool create the truststore in JKS or PKCS12 format with the Root CA certificate. The below examples suggest one possible approach for certificate management, however, there may be other ways how to achieve similar results.
      • Example for import of a Root CA certificate to a PKCS12 truststore:


        Code Block
        languagebash
        titleExample how to import a CA signed certificate into a PKCS12 Truststore
        # on JOC Cockpit server: import Root CA certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storetype PKCS12

      • Example for export/import of self-signed certificate to a PKCS12 keystore:

        Code Block
        languagebash
        titleExample how to export the Master public certificate from a PKCS12 Keystore
        # on Controller server: export Controller's certificate from keystore (https-keystore.p12) identified by its alias name (controller-https) to a file in PEM format (controller-https.crt)
keytool -exportcert -rfc -noprompt -file "controller-https.crt" -alias "controller-https" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12" -storepass jobscheduler -storetype PKCS12

# on JOC Cockpit server: import Controller certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
keytool -import -alias "controller-https" -file "controller-https.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storetype PKCS12

      • Example for export/import of self-signed certificate to a JKS keystore:

        Code Block
        languagebash
        titleExample how to export the Master public certificate from a JKS Keystore
        # on Controller server: export Controller's certificate from keystore (https-keystore.jks) identified by its alias name (controller-https) to a file in PEM format (controller-https.crt)
keytool -exportcert -rfc -noprompt -file "controller-https.crt" -alias "controller-https" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.jks" -storepass jobscheduler

# on JOC Cockpit server: import Controller certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
keytool -import -alias "controller-https" -file "controller-https.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.jks" -storetype PKCS12

...