...

  • from JOC Cockpit to the Controller:
    • JOC Cockpit verifies the Controller certificate for Server Authentication
    • Controller verifies the JOC Cockpit certificate for Client Authentication
  • between paired Controller instances.

Step 1: Create/Update JOC Cockpit (Client) Keystore

...

  • On the JOC Cockpit server create the truststore using the keytool from your Java JRE or JDK, or a third-party utility.
    • For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
      • Root CA certificate
    • For use with keytool create the truststore in JKS or PKCS12 format and import the Root CA certificate. The examples below show one possible approach to certificate management; other approaches achieve similar results.
      • Example for import of a Root CA certificate to a PKCS12 truststore:


        Code Block
        languagebash
        titleExample how to import a Root CA certificate into a PKCS12 Truststore
        # on JOC Cockpit server: import Root CA certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
        keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storetype PKCS12
      • Example for export of a self-signed Controller certificate from a PKCS12 keystore and import into a PKCS12 truststore:

        Code Block
        languagebash
        titleExample how to export the Controller certificate from a PKCS12 Keystore and import it into a PKCS12 Truststore
        # on Controller server: export Controller's certificate from keystore (https-keystore.p12) identified by its alias name (controller-https) to a file in PEM format (controller-https.crt)
        keytool -exportcert -rfc -noprompt -file "controller-https.crt" -alias "controller-https" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12" -storepass jobscheduler -storetype PKCS12
        
        # on JOC Cockpit server: import Controller certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
        keytool -import -alias "controller-https" -file "controller-https.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storetype PKCS12
      • Example for export of a self-signed Controller certificate from a JKS keystore and import into a JKS truststore:

        Code Block
        languagebash
        titleExample how to export the Controller certificate from a JKS Keystore and import it into a JKS Truststore
        # on Controller server: export Controller's certificate from keystore (https-keystore.jks) identified by its alias name (controller-https) to a file in PEM format (controller-https.crt)
        keytool -exportcert -rfc -noprompt -file "controller-https.crt" -alias "controller-https" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.jks" -storepass jobscheduler
        
        # on JOC Cockpit server: import Controller certificate in PEM format to a JKS truststore (https-truststore.jks)
        keytool -import -alias "controller-https" -file "controller-https.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.jks" -storetype JKS

Risk Mitigation

The steps above place a Root CA certificate in the truststore to verify Client Authentication certificates for mutual authentication.

  • A Root CA certificate in the truststore authenticates any client that holds a Client Authentication certificate issued by that Root CA or by one of its Intermediate CAs. This admits more clients to a Controller than intended: by design, the only clients that should access a Controller are JOC Cockpit instances.
  • Mitigations include:
    • using a separate certificate authority that signs only the Client Authentication certificates used for access to Controllers.
    • importing the individual Client Authentication certificates of the JOC Cockpit instances into the Controller truststore instead of the Root CA certificate.
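
The following script is an added example and is not part of the JS7 documentation or product. It builds a throw-away PKI with openssl (a Root CA, the JOC Cockpit client certificate and a second client certificate issued by the same CA) and checks each client certificate against both truststore models discussed above: the Root CA in the truststore, and the individual JOC Cockpit certificate pinned in the truststore. The subject names, the alias joc-cockpit-https, the truststore password and the temporary directory are assumptions chosen for the demo; the last step builds the pinned PKCS12 truststore with keytool only if keytool is on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not part of the JS7 documentation. Demonstrates why a Root CA
# in the Controller truststore admits every client certificate issued by that
# CA, and how pinning the individual JOC Cockpit certificate restricts access.
# Subject names, alias, password and paths below are demo assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
STOREPASS="jobscheduler"   # demo value; also the JS7 default truststore password

# Constructed test PKI: one Root CA and two client certificates signed by it.
# "joc-cockpit" is the legitimate client; "other-client" stands for any other
# holder of a certificate from the same CA (the case Risk Mitigation warns about).
# The CA flag on the root comes from openssl's default req -x509 extensions.
build_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root-ca.key" -out "$WORK/root-ca.crt" 2>/dev/null
  for cn in joc-cockpit other-client; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$cn.csr" -CA "$WORK/root-ca.crt" \
      -CAkey "$WORK/root-ca.key" -CAcreateserial -days 1 -out "$WORK/$cn.crt" 2>/dev/null
  done
}

# Model 1: the truststore holds the Root CA. Returns 0 if the client cert is admitted.
ca_trust_admits() {
  openssl verify -CAfile "$WORK/root-ca.crt" "$1" >/dev/null 2>&1
}

# Model 2: the truststore holds only the JOC Cockpit certificate itself.
# -partial_chain lets the chain end at a trusted non-CA certificate, which is
# exactly what a pinned client certificate is.
pinned_trust_admits() {
  openssl verify -partial_chain -CAfile "$WORK/joc-cockpit.crt" "$1" >/dev/null 2>&1
}

# report <label> <check-function> <cert>: print the outcome of one check.
report() {
  if "$2" "$3"; then
    echo "$1: $(basename "$3") ADMITTED"
  else
    echo "$1: $(basename "$3") rejected"
  fi
}

build_demo_pki
for crt in "$WORK/joc-cockpit.crt" "$WORK/other-client.crt"; do
  report "Root CA in truststore   " ca_trust_admits "$crt"
  report "Pinned JOC Cockpit cert " pinned_trust_admits "$crt"
done

# Build the pinned PKCS12 truststore with keytool when a JDK/JRE is available.
# In a deployment this would be the Controller truststore under
# JS7_CONTROLLER_CONFIG_DIR/private; here it stays in the temp directory.
if command -v keytool >/dev/null 2>&1; then
  keytool -importcert -noprompt -alias "joc-cockpit-https" -file "$WORK/joc-cockpit.crt" \
    -keystore "$WORK/https-truststore.p12" -storetype PKCS12 -storepass "$STOREPASS" >/dev/null
  keytool -list -keystore "$WORK/https-truststore.p12" -storetype PKCS12 -storepass "$STOREPASS"
fi
```

Run the script with bash; it prints ADMITTED or rejected for each combination, with other-client admitted only under the Root CA model. The JSSE trust manager used by Java processes such as the Controller accepts a client certificate that is itself present as a trusted entry in the truststore, which is what makes the pinning approach work without a CA. The operational price of the narrower trust is that a pinned entry has to be replaced in the Controller truststore whenever the JOC Cockpit certificate is renewed, whereas CA-based trust survives renewal.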

Notes

  • A restart of the respective component is required to apply modifications to the JS7_CONFIG_DIR/private/private.conf file of the Controller or to the configuration files of JOC Cockpit.
  • Specifying -storepass on the command line, as in the export examples above, exposes the keystore password in the shell history and process list. keytool also accepts -storepass:env VARIABLE and -storepass:file FILE, or prompts for the password if the option is omitted.

...