Introduction

The built-in Certificate Authority available from JOC Cockpit offers the functionality

  • to create a Root CA private key and certificate, to self-sign the Root CA certificate,
    • The Root CA private key and certificate are stored with the JS7 - Database.
  • to create private keys and certificates per Controller and Agent instance, to sign the resulting certificates.
    • The private keys and certificates are not stored with the JS7 database; instead, they are requested by Controller and Agent instances, created on the fly and forwarded to the requester.
  • to create security tokens that allow Controller instances and Agents to authenticate their request for a private key and certificate.

...

The JS7 - Profiles offer the JS7 - Profiles - SSL Key Management sub-view to user accounts that are assigned the administrator role. To be more precise, this sub-view is available to user accounts that are assigned the sos:products:joc:adminstration:manage role, see JS7 - Default Roles and Permissions.

Explanation:

  • Operations offered from this sub-view include
    • to generate the Root CA private key and certificate and to self-sign the certificate,
    • to import and to update the private key and self-signed certificate in case they are generated by an external Certificate Authority.
  • Consider that updates to the Root CA private key and certificate require new private keys and certificates for Controller instances and Agents to be created.
    • Existing private keys and certificates remain in place with Controllers and Agents; they continue to work but cannot be verified by a user.
    • It is therefore recommended to create and to rollout new private keys and certificates within a foreseeable time.
  • JOC Cockpit supports ECDSA key algorithms only, as RSA key algorithms are not considered secure in the long term.
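The following is an added example and not JOC Cockpit's own code: it reproduces the workflow described above in miniature with the third-party Python `cryptography` package, which is assumed to be installed. `make_root_ca` generates an ECDSA (P-256) Root CA key and self-signs its certificate, `issue_instance_cert` creates a fresh key for a Controller or Agent and signs a TLS server certificate for it, `bundle_pem` produces the PEM material that would be forwarded to the requesting instance, and `is_issued_by` is the verification check that fails once the Root CA has been replaced, which is why new instance certificates have to be rolled out after a Root CA update. Names, hostnames and validity periods are constructed for the example.

```python
"""Added example, not JS7 code: an ECDSA Root CA that self-signs its own
certificate and issues certificates for Controller/Agent instances, plus the
check that shows why a Root CA rotation leaves older certificates unverifiable.
Requires the third-party `cryptography` package (assumption)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _validity(days):
    """Validity window starting a few minutes in the past to absorb clock skew."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=days)


def make_root_ca(common_name="Example Root CA", days=3650):
    """Generate an ECDSA (P-256) Root CA private key and a self-signed CA certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    not_before, not_after = _validity(days)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer equals subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        # path_length=0: this CA signs end-entity certificates only, no sub-CAs
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, key_cert_sign=True, crl_sign=True,
                content_commitment=False, key_encipherment=False,
                data_encipherment=False, key_agreement=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_instance_cert(ca_key, ca_cert, hostname, days=365):
    """Create a fresh ECDSA key for one Controller/Agent instance and sign a
    TLS server certificate for it with the Root CA key (hostname is constructed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    not_before, not_after = _validity(days)
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def is_issued_by(cert, ca_cert):
    """True if `cert` names `ca_cert` as issuer and carries a valid ECDSA
    signature made with `ca_cert`'s key; False after a Root CA rotation."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def bundle_pem(key, cert):
    """PEM-encode private key and certificate, the form handed to the requester
    rather than persisted in the JOC Cockpit database."""
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return key_pem + cert.public_bytes(serialization.Encoding.PEM)
```

Generating a second Root CA with the same common name and calling `is_issued_by` on an instance certificate signed by the first one returns `False` even though the issuer name still matches: the signature no longer verifies, which is the situation described above after a Root CA update.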

...

As a result the Controller or Agent instance is equipped with a TLS/SSL certificate and is ready to accept HTTPS connections.

The User->Manage Controllers/Agents menu of JOC Cockpit offers to create security tokens for Controller and Agent instances individually:

  • You can use the Controller's action menu to create one-time security tokens for Controller instances.
  • You can select one or more Agents to create one-time security tokens per Agent, then use the Create one-time Token button.
  • After selection of the Controller or Agents a popup window is displayed that asks for the lifetime of the token.

...

  • The security token is valid until its lifetime expires. 
    • It is recommended to use short lifetimes such as 30 minutes that are sufficient to perform the steps for rollout of certificates to the respective Controller and Agents.
    • The lifetime is specified together with a time zone, as the user's browser time zone and the time zone of the server operating a Controller instance or Agent might differ.
  • Security tokens become invalid after one-time use. Cleanup of expired security tokens is performed automatically by JOC Cockpit.
  • Once the security tokens are generated they are visible from the user interface.
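The following is an added example, not JOC Cockpit's code, that models the token properties listed above in plain Python: a token with a short, configurable lifetime, single use, a time base that is independent of the browser's and the server's local time zones, and automatic removal of expired entries. It assumes, as a design choice of this example only, that each token is bound to the Controller or Agent instance it was created for and that the store keeps a SHA-256 digest of the token rather than the token itself; instance identifiers are constructed.

```python
"""Added example, not JS7 code: an in-memory store of one-time security tokens
with a short lifetime, single use and automatic cleanup of expired tokens."""
import hashlib
import secrets
import time


class OneTimeTokenStore:
    """Tokens are keyed by their SHA-256 digest so that a dump of the store does
    not yield usable tokens (assumption of this example, not JOC Cockpit's design)."""

    def __init__(self, clock=time.time):
        # clock() returns seconds since the Unix epoch, an absolute UTC instant,
        # so the lifetime does not depend on the browser's or the host's time zone.
        self._clock = clock
        self._tokens = {}  # sha256(token) -> (instance_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, instance_id, lifetime_minutes=30):
        """Issue a token for one Controller/Agent instance; 30 minutes by default."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + lifetime_minutes * 60
        self._tokens[self._digest(token)] = (instance_id, expires_at)
        return token

    def redeem(self, instance_id, token):
        """Consume the token; True only for an unexpired token bound to instance_id.
        The entry is removed on any redeem attempt, which makes it one-time."""
        self.cleanup()
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return False
        bound_id, expires_at = entry
        return secrets.compare_digest(bound_id, instance_id) and self._clock() < expires_at

    def cleanup(self):
        """Drop expired tokens; returns how many were removed."""
        now = self._clock()
        expired = [d for d, (_, exp) in self._tokens.items() if exp <= now]
        for d in expired:
            del self._tokens[d]
        return len(expired)

    def pending(self):
        """Instance ids that still have an unused, unexpired token."""
        self.cleanup()
        return sorted(instance_id for instance_id, _ in self._tokens.values())
```

Passing a fake clock into the constructor (any zero-argument callable returning epoch seconds) lets the expiry path be exercised deterministically without waiting out the lifetime.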

...