...
- On the JOC Cockpit server create the truststore using the keytool from your Java JRE or JDK or some third party utility.
  - For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
    - Root CA certificate
  - For use with keytool create the truststore in JKS or PKCS12 format with the Root CA certificate. The below examples suggest one possible approach for certificate management, however, there may be other ways to achieve similar results.

Example for import of a Root CA certificate to a PKCS12 truststore:

```bash
# import Root CA certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storetype PKCS12
```

Example for import of a Root CA certificate to a JKS truststore:

```bash
# import Root CA certificate in PEM format to a JKS truststore (https-truststore.jks)
keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.jks" -storetype JKS
```
Step 2: Configure Jetty

See above chapter Step 3: Configure Jetty for configuration of the keystore with JETTY_BASE/start.ini.

Edit the following entries in the JETTY_BASE/start.ini configuration file for use of the truststore:

```ini
## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
## Truststore password
jetty.sslContext.trustStorePassword=jobscheduler
```

Explanation:
- Specify the location of the truststore with the trustStorePath setting. A location relative to the JETTY_BASE directory can be specified.
- Specify the password for access to the truststore with the trustStorePassword setting.

Specify the settings to enforce client authentication with the following entries in the JETTY_BASE/start.ini configuration file:

```ini
## force use of client authentication certificates
jetty.sslContext.needClientAuth=false
jetty.sslContext.wantClientAuth=true
jetty.sslContext.endpointIdentificationAlgorithm=
```

Explanation:
- Find explanations from the JS7 - Authentication article.
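The start.ini entries above can be reviewed mechanically. The following Python script is an added example, not part of the JS7 documentation or product: it parses a constructed start.ini sample built from the keys shown on this page and reports whether Jetty requires, only requests, or does not ask for client certificates, and whether a truststore and its password are configured.

```python
# Constructed sample of the start.ini entries discussed on this page (not a real file)
SAMPLE_START_INI = """\
--module=https
## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
## Truststore password
jetty.sslContext.trustStorePassword=jobscheduler
## force use of client authentication certificates
jetty.sslContext.needClientAuth=false
jetty.sslContext.wantClientAuth=true
jetty.sslContext.endpointIdentificationAlgorithm=
"""

def parse_start_ini(text):
    """Return key=value settings from start.ini; '#' comments and --module lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("--"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def client_auth_mode(settings):
    """'required': Jetty rejects clients without a certificate (needClientAuth=true).
    'optional': Jetty only requests one (wantClientAuth=true). 'none': no client auth."""
    def is_true(key):
        return settings.get(key, "false").lower() == "true"
    if is_true("jetty.sslContext.needClientAuth"):
        return "required"
    if is_true("jetty.sslContext.wantClientAuth"):
        return "optional"
    return "none"

def check_client_auth(text):
    """Summarise the client-certificate posture of a start.ini fragment with review findings."""
    settings = parse_start_ini(text)
    mode = client_auth_mode(settings)
    findings = []
    if mode != "required":
        findings.append(f"needClientAuth is not true (mode: {mode}): the TLS handshake also completes for clients presenting no certificate")
    if not settings.get("jetty.sslContext.trustStorePath"):
        findings.append("no truststore configured: client certificates cannot be verified")
    if not settings.get("jetty.sslContext.trustStorePassword"):
        findings.append("truststore password not set")
    return {"mode": mode, "truststore": settings.get("jetty.sslContext.trustStorePath", ""), "findings": findings}
```

Run against the fragment shown on this page, the check reports mode "optional", because wantClientAuth only asks the client for a certificate while needClientAuth=false lets connections without one complete at the TLS layer. Whether such connections are then rejected is up to the application, not to Jetty.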
Risk Mitigation
The above explanations indicate use of a Root CA certificate for verification of Client Authentication certificates when it comes to mutual authentication.
- In fact, use of a Root CA certificate allows any client that holds a Client Authentication certificate signed by the same Root CA certificate or by Intermediate CA certificates to be authenticated. This might allow an unwanted number of clients to access JOC Cockpit.
- Coping strategies include
  - to use a separate certificate authority to sign Client Authentication certificates for access to JOC Cockpit.
  - to import individual Client Authentication certificates to the JOC Cockpit truststore instead of using a Root CA certificate.
- Find explanations from the JS7 - Authentication article.
Notes
- A restart of JOC Cockpit is required to apply modifications to the JOC Cockpit JETTY_BASE/start.ini and JETTY_BASE/resources/joc/joc.properties configuration files.
...