Versions Compared

...

The JS7 - Security Architecture suggests operating JOC Cockpit in one of the following security levels:

...

The Signature Key Management sub-view offers the following settings:

CA Certificate

Users have the option to

  • use a CA-signed certificate,
  • use a self-signed certificate.

Use of CA Certificates implies that

  • a CA Certificate is required to verify the user account's private key and certificate for digital signing when performing deployments.
    • This includes checking that the user account's certificate is signed with the given CA Certificate or with a later CA Intermediate Certificate.
    • This includes checking the expiration dates of certificates.
    • Depending on whether the JS7 Certificate Authority or an external Certificate Authority is used, the respective CA Certificate has to be added to the user account's Profile.
  • if an X.509 CA Certificate (Root CA Certificate or Intermediate CA Certificate) is assigned, then the certificate's subject is displayed.
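The chain and expiration checks described above, as an added example written in Python with the `cryptography` package; this is not JOC Cockpit's own code. It assumes ECDSA keys throughout, and the CA names, the `js7-user` account and the validity periods are constructed sample values.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(cn, issuer, key, public_key, is_ca, days):
    """Issue a certificate for public_key, signed by key, valid for `days` days starting yesterday."""
    start = dt.datetime.utcnow() - dt.timedelta(days=1)
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))

def _signed_by(cert, issuer):
    """True if cert names issuer as its issuer and its signature verifies with the issuer's EC key."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def _is_ca(cert):
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca

def verify_signing_cert(user_cert, ca_cert, intermediates=(), now=None):
    """Chain user_cert to the trusted CA Certificate through CA-flagged intermediates, then check every validity period."""
    now, chain = now or dt.datetime.utcnow(), [user_cert]
    while not _signed_by(chain[-1], ca_cert):
        nxt = next((i for i in intermediates if _is_ca(i) and _signed_by(chain[-1], i)), None)
        if nxt is None or nxt in chain:  # dead end or loop: no path to the CA Certificate
            return False, "no chain from '%s' to the CA Certificate" % chain[-1].subject.rfc4514_string()
        chain.append(nxt)
    for c in chain + [ca_cert]:
        if not c.not_valid_before <= now <= c.not_valid_after:
            return False, "'%s' is expired or not yet valid" % c.subject.rfc4514_string()
    return True, "ok"

def build_sample_chain():
    """Constructed sample: Root CA -> Intermediate CA -> user certificate, plus an already expired user certificate."""
    root_key, inter_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = issue("Sample Root CA", _name("Sample Root CA"), root_key, root_key.public_key(), True, 3650)
    inter = issue("Sample Intermediate CA", root.subject, root_key, inter_key.public_key(), True, 1825)
    user = issue("js7-user", inter.subject, inter_key, user_key.public_key(), False, 365)
    expired = issue("js7-user", inter.subject, inter_key, user_key.public_key(), False, 0)
    return root, inter, user, expired
```

Without the Intermediate CA Certificate the user certificate cannot be chained to the Root CA Certificate and the check fails, which is why the respective CA Certificate has to be present in the user account's Profile.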

Operations for CA Certificates include to

  • view the CA Certificate by use of the respective icon,
  • update the CA Certificate by use of the respective icon,
  • import the CA Certificate by use of the respective icon.

View CA Certificate

A CA Certificate is displayed like this:

...

User accounts have to be equipped with a private key and certificate issued for digital signing in order to deploy scheduling objects to Controllers and Agents:

  • If the user's certificate is signed by a Certificate Authority then it is sufficient to roll out the CA Certificate to the Controller and Agent instances to which the user should be entitled to deploy scheduling objects such as workflows.
  • If the user's certificate is self-signed then the user's certificate itself has to be rolled out to the Controller and Agent instances to which the user should be entitled to perform deployments.

Users have options about the issuer of private keys and certificates:

  • Use of the built-in JS7 Certificate Authority
    • JOC Cockpit offers to sign a user account's public key for digital signing from its built-in CA, see JS7 - Certificate Authority.
    • In a single operation users can generate a private/public key pair and have the JS7 Certificate Authority sign their public key into a certificate.
  • Use of an external Certificate Authority
    • If an external CA should be consulted then users have to create a Certificate Signing Request (CSR) outside of JOC Cockpit and have their external CA sign this request.
    • The resulting certificate can be added to the user's Profile in JOC Cockpit.
  • If users do not operate a CA or do not have certificates available then they can continue to use the default private key and certificate that ship with JOC Cockpit.
    • In this situation, by default only the root account can be used to deploy scheduling objects such as workflows. This suggests operating JOC Cockpit with Security Level Low, as the root account's key and certificate will be used for signing deployments by any user account.
    • For Security Level Medium each user account has to be equipped with its own private key and certificate.

Operations for the user account's private key and certificate include to

  • view the private key and certificate by use of the respective icon,
  • update the private key and certificate by use of the respective icon,
  • import the private key by use of the respective icon,
  • generate the private key by use of the respective icon.

View Key and Certificate

The user account's private key and certificate for digital signing is displayed like this:

...

A user account's private key and optionally the certificate can be generated like this:

Use of Key Algorithms

  • When choosing Key Algorithm PGP or RSA then only a private key is created.
    • Consider that an X.509 certificate matching the user account's public key is signed by an external CA and has to be added by use of the Update Key and Certificate operation as explained above.
  • When choosing Key Algorithm ECDSA then a private key is created and, if the JS7 Certificate Authority is in use, a CA-signed certificate is created as well.