Page History

...

• JOC_HOME is the installation path that is specified during JOC Cockpit installation:
  
  • /opt/sos-berlin.com/js7/joc (default on LinuxUnix)
  • C:\Program Files\sos-berlin.com\js7\joc (default on Windows)
• JETTY_HOME = JOC_HOME/jetty
• JETTY_BASE is Jetty's base directory that is specified during JOC Cockpit installation:
  
  • /home/<setup-user>/sos-berlin.com/js7/joc (default on LinuxUnix)
  • C:\ProgramData\sos-berlin.com\js7\joc (default on Windows)

...

• JS7_CONTROLLER_HOME points to the Controller instance's installation directory
  • /opt/sos-berlin.com/js7/controller (default on LinuxUnix)
  • C:\Program Files\sos-berlin.com\js7\controller (default on Windows)
• JS7_CONTROLLER_CONFIG_DIR points to the Controller instance's configuration directory
  • /var/sos-berlin.com/js7/controller/config (default on LinuxUnix)
  • C:\ProgramData\sos-berlin.com\js7\config (default on Windows)

...

• To make a Controller use HTTPS the respective port setting has to be specified with the Controller's Instance Start Script.

  • For

    Linux

    Unix the Instance Start Script is available from JS7_CONTROLLER_HOME/bin/controller_instance.sh:

    Code Block
    language xml title Example for HTTP and HTTPS port settings with Controller Instance Start Script for LinuxUnix
    # Sets the http port for the JS7 Controller. # Without this setting the default port 4444 is used. # If just a port is specified then the JS7 Controller listens to all # available network interfaces. This corresponds to 0.0.0.0:<port>. # Use the form <ip address or hostname>:<port> to indicate # a specific network interface the JS7 Controller should listen to. # The command line option --http-port beats the environment # variable JS7_CONTROLLER_HTTP_PORT. JS7_CONTROLLER_HTTP_PORT=localhost:4444 # In addition to the http port an https port for the # JS7 Controller can be specified. If just a port is specified # then the JS7 Controller listens to all available network interfaces. # This corresponds to using 0.0.0.0:<port>. # Use the form <ip address or hostname>:<port> to indicate # a specific network interface the JS7 Controller should listen to. # The command line option --https-port beats the environment # variable JS7_CONTROLLER_HTTPS_PORT. JS7_CONTROLLER_HTTPS_PORT=apmacwin:4444

  • For Windows the Instance Start Script is available from JS7_CONTROLLER_HOME\bin\controller_instance.cmd:

    Code Block
    language xml title Example for HTTP and HTTPS port settings with Controller Instance Start Script for Windows collapse true
    rem # Sets the http port for the JS7 Controller. rem # Without this setting the default port 4444 is used. rem # If just a port is specified then the JS7 Controller listens to all rem # available network interfaces. This corresponds to 0.0.0.0:<port>. rem # Use the form <ip address or hostname>:<port> to indicate rem # a specific network interface the JS7 Controller should listen to. rem # The command line option --http-port beats the environment rem # variable JS7_CONTROLLER_HTTP_PORT. set JS7_CONTROLLER_HTTP_PORT=localhost:4444 rem # In addition to the http port an https port for the rem # JS7 Controller can be specified. If just a port is specified rem # then the JS7 Controller listens to all available network interfaces. rem # This corresponds to using 0.0.0.0:<port>. rem # Use the form <ip address or hostname>:<port> to indicate rem # a specific network interface the JS7 Controller should listen to. rem # The command line option --https-port beats the environment rem # variable JS7_CONTROLLER_HTTPS_PORT. set JS7_CONTROLLER_HTTPS_PORT=apmacwin:4444

    
    

    Explanation:
    • The HTTP port is required but is limited to the localhost network interface with the localhost prefix.
    • The HTTPS port is specified with the hostname prefix that indicates the network interface.

...

• On the JOC Cockpit server create the truststore using the keytool from your Java JRE or JDK or some third party utility.
  • For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
    • Root CA certificate
  • For use with keytool create the truststore in PKCS12 or JKS format with the Root CA certificate. The below examples suggest one possible approach for certificate management, however, there may be other ways how to achieve similar results.
    

    • Example for import of a Root CA certificate to a PKCS12 truststore:

      Code Block
      language bash title Example how to import a CA-signed certificate into a PKCS12 Truststore
      # import Root CA certificate in PEM format to a PKCS12 truststore (https-truststore.p12) keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12"

    • Example for use of a self-signed Controller certificate with a PKCS12 truststore:

      Code Block
      language bash title Example for import of a self-signed Controller certificate the Master public certificate to JOC Cockpit PKCS12 Truststore collapse true
      # import the Controller's certificate from a file in PEM format (controller-https.crt) identified by its alias name (controller-https) to the JOC Cockpit PKCS12 truststore (https-truststore.p12) keytool -importcert -noprompt -file "controller-https.crt" -alias "controller-https" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storepass jobscheduler -storetype PKCS12 -trustcacerts

    • Example for use of a self-signed Controller certificate with a JKS truststore:

      Code Block
      language bash title Example for import of a self-signed Controller certificate the Master public certificate to JOC Cockpit JKS Truststore collapse true
      # import the Controller's certificate from a file in PEM format (controller-https.crt) identified by its alias name (controller-https) to the JOC Cockpit JKS truststore (https-truststore.jks) keytool -importcert -noprompt -file "controller-https.crt" -alias "controller-https" -keystore "JETTY_BASE/resources/joc/https-truststore.jks" -storepass jobscheduler -trustcacerts

• The location of the truststore is added to the JETTY_BASE/resources/joc/joc.properties configuration file like this:

  • Example for PKCS12 truststore

    Code Block
    language text title Example how to specify a PKCS12 truststore location with the joc.properties file
    ### Location of the truststore that contains the certificates of all ### Controllers used for HTTPS connections. The path can be absolute or ### relative to joc.properties truststore_path = ../../resources/joc/https-truststore.p12 truststore_type = PKCS12 truststore_password = jobscheduler

  • Example for JKS truststore

    Code Block
    language text title Example how to specify a JKS truststore location with the joc.properties file collapse true
    ### Location of the truststore that contains the certificates of all ### Controllers used for HTTPS connections. The path can be absolute or ### relative to joc.properties truststore_path = ../../resources/joc/https-truststore.jks truststore_type = JKS truststore_password = jobscheduler

• Hostname verification by default is in place with the JETTY_BASE/resources/joc/joc.properties configuration file.

  Code Block
  title Example how to specify hostname verification with the joc.properties file
  ################################################################################ ### Specifies Shouldif hostname verification should be carried out for httpsHTTPS certificateconnections. ### Default falsetrue https_with_hostname_verification = true

...

• On the JOC Cockpit server create the client keystore using the keytool from your Java JRE or JDK or some third party utility.
  • For use with a third party utility create a client keystore, e.g. https-client-keystore.p12, in PKCS12 format and import:
    • JOC Cockpit private key and certificate for Client Authentication
    • Root CA certificate
    • Intermediate CA certificates
  • For use with keytool create the client keystore in PKCS12 or JKS format according to the steps indicated with JS7 - JOC Cockpit HTTPS Connections: Step 2: Create JOC Cockpit Keystore chapter.
    • Apply the indicated steps to the client keystore and use the private key/certificate pair for Client Authentication.

• The location of the client keystore is added to the JETTY_BASE/resources/joc/joc.properties configuration file like this:

  • Example for PKCS12 client keystore:

    Code Block
    language text title Example how to specify the PKCS12 client keystore location with joc.properties file
    ### Location of the client keystore that contains the private key and ### certificate for JOC Cockpit client authentication relative to ### joc.properties client_keystore_path = ../../resources/joc/https-client-keystore.p12 client_keystore_type = PKCS12 client_keystore_password = jobscheduler

  • Example for JKS client keystore:

    Code Block
    language text title Example how to specify the JKS client keystore location with joc.properties file collapse true
    ### Location of the client keystore that contains the private key and ### certificate for JOC Cockpit client authentication relative to ### joc.properties client_keystore_path = ../../resources/joc/https-client-keystore.jks client_keystore_type = JKS client_keystore_password = jobscheduler

...

• On the Controller server create the truststore using the keytool from your Java JRE or JDK or some third party utility.
  • For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
    • Root CA certificate
  • For use with keytool create the truststore in JKS or PKCS12 format with the Root CA certificate. The below examples suggest one possible approach for certificate management, however, there may be other ways how to achieve similar results.

    • Example for import of a Root CA certificate to a PKCS12 truststore:

      Code Block
      language bash title Example how to import a CA-signed certificate into a PKCS12 Truststoretruststore
      # on JOC Cockpit server: import Root CA certificate in PEM format to a PKCS12 truststore (https-truststore.p12) keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-truststore.p12" -storetype PKCS12

    • Example for export/import of self-signed certificate to a PKCS12 keystore:

      Code Block
      language bash title Example how to export the Master public certificate from /import a self-signed certificate to a PKCS12 Keystoretruststore collapse true
      # on Controller server: export Controller's certificate from keystore (https-keystore.p12) identified by its alias name (controller-https) to a file in PEM format (controller-https.crt) keytool -exportcert -rfc -noprompt -file "controller-https.crt" -alias "controller-https" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12" -storepass jobscheduler -storetype PKCS12 # on JOC Cockpit server: import Controller certificate in PEM format to a PKCS12 truststore (https-truststore.p12) keytool -import -alias "controller-https" -file "controller-https.crt" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-truststore.p12" -storetype PKCS12

    • Example for export/import of self-signed certificate to a JKS keystore:

      Code Block
      language bash title Example how to export the Master public certificate from /import a self-signed certificate to a JKS Keystoretruststore collapse true
      # on Controller server: export Controller's certificate from keystore (https-keystore.jks) identified by its alias name (controller-https) to a file in PEM format (controller-https.crt) keytool -exportcert -rfc -noprompt -file "controller-https.crt" -alias "controller-https" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.jks" -storepass jobscheduler # on JOC Cockpit server: import Controller certificate in PEM format to a JKS truststore (https-truststore.jks) keytool -import -alias "controller-https" -file "controller-https.crt" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-truststore.jks" -storetype JKS

...