JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 11

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 12

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • On the JOC Cockpit server create the truststore using the keytool from your Java JRE or JDK or some third party utility.
    • For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
      • Root CA certificate
    • For use with keytool create the truststore in JKS or PKCS12 format with the Root CA certificate. The below examples suggest one possible approach for certificate management, however, there may be other ways how to achieve similar results.

      • Example for import of a Root CA certificate to a PKCS12 truststore:

        Code Block
        languagebash
        titleExample how to import a CA signed certificate into a PKCS12 Truststore
        # import Root CA certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12"

      • Example for use of a self-signed Controller certificate with a JOC Cockpit PKCS12 truststore:

        Code Block
        languagebash
        titleExample for import of a self-signed Controller certificate the Master public certificate to JOC Cockpit PKCS12 Truststore
        # import Master public certificate from a file in PEM format (master-https.crt) identified by its alias name (master-https) to the JOC Cockpit PKCS12 keystore (joc-https.p12)
keytool -importcert -noprompt -file "master-https.crt" -alias "master-https" -keystore "JETTY_BASE/etc/joc-https.p12" -storepass jobscheduler -storetype PKCS12 -trustcacerts

      • Example for use of a self-signed Controller certificate with a JOC Cockpit JKS truststore:

        Code Block
        languagebash
        titleExample for import of a self-signed Controller certificate the Master public certificate to JOC Cockpit JKS Truststore
        # import Master public certificate from a file in PEM format (master-https.crt) identified by its alias name (master-https) to the JOC Cockpit JKS keystore (joc-https.jks)
keytool -importcert -noprompt -file "master-https.crt" -alias "master-https" -keystore "JETTY_BASE/etc/joc-https.jks" -storepass jobscheduler -trustcacerts

  • The location of the truststore is added to the JETTY_BASE/resources/joc/joc.properties configuration file like this:

    • Example for PKCS12 truststore

      Code Block
      languagetext
      ### Location of the truststore that contains the certificates of all
###   Controllers used for HTTPS connections. The path can be absolute or
###   relative to joc.properties

truststore_path = ../../resources/joc/https-truststore.p12 
truststore_type = PKCS12
truststore_password = jobscheduler

    • Example for JKS truststore

      Code Block
      languagetext
      ### Location of the truststore that contains the certificates of all
###   Controllers used for HTTPS connections. The path can be absolute or 
###   relative to joc.properties

truststore_path = ../../resources/joc/https-truststore.jks
truststore_type = JKS
truststore_password = jobscheduler

  • Hostname verification by default is in place with the JETTY_BASE/resources/joc/joc.properties configuration file.

    Code Block
    ################################################################################
### Should hostname verification be carried out for https certificate. 
### Default false

https_with_hostname_verification = true

Mutual Authentication

...

for Controller

This configuration is applied in order to enable mutual authentication:

  • from JOC Cockpit to the Controller
    • JOC Cockpit verifies the Controller certificate for Server Authentication
    • Controller verifies the JOC Cockpit certificate for Client Authentication
  • from pairing Controller instances

Step 1: Create/Update JOC Cockpit (Client) Keystore

...