Page History
...
Info | ||
---|---|---|
| ||
If you are new to certificate management or are looking for a solution that works out-of-the-box then you can use the configuration from the attached archives:
|
...
- The Controller instance's private key has to be created for Server Authentication and Client Authentication extended key usagesuse.
- The Agent is provided with:
- a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
- a truststore that holds the certificate chain - consisting of the Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller instance's certificate.
- Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
- Keystore:
- Windows:
C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-keystore.p12
- Unix:
/var/sos-berlin.com/js7/agent/var_4445/config/private/https-keystore.p12
- Windows:
- Truststore:
- Windows:
C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-truststore.p12
- Unix:
/var/sos-berlin.com/js7/agent/var_4445/config/private/https-truststore.p12
- Windows:
- Keystore:
...
- The following configuration items have to be added tp to the Agent's
private.conf
configuration file. For details see the JS7 - Agent Configuration Items article.- Mutual Authentication
Code Block language bash title Agent Configuration for Mutual Authentication linenumbers true js7 { auth { # User accounts for https connections users { # Controller account for connections by primary/secondary Controller instance Controller { distinguished-names=[ "DNQ=SOS CA, CN=js7-controller-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE", "DNQ=SOS CA, CN=js7-controller-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" ] } } }
- This setting specifies the distinguished names that are available from the subjects of Controller instance certificates. Note that the common name (CN) attribute specifies the hostname of a Controller instance. The configuration authenticates a given Controller instance as the distinguished name is unique for a server certificate and therefore replaces the use of passwords.
- Keystore and truststore locations:
Code Block language bash title Agent Configuration for Keystore and Truststore Locations linenumbers true js7 { web { # Locations of keystore and truststore files for HTTPS connections https { keystore { # Default: ${js7.config-directory}"/private/https-keystore.p12" file=${js7.config-directory}"/private/https-keystore.p12" key-password=jobscheduler store-password=jobscheduler } truststores=[ { # Default: ${js7.config-directory}"/private/https-truststore.p12" file=${js7.config-directory}"/private/https-truststore.p12" store-password=jobscheduler } ] } } }
- The configuration items described above specify the locations of the keystore and truststore.
- Note the optional use of a key password and store password for keystores and the use of a store password for truststores.
- Mutual Authentication
...
--publish
The Agent image is prepared to accept HTTPS requests on port4443
. If the Agent is not operated in a Docker network then an outside port of the Docker host has to be mapped to the inside HTTPS port4443
. The same port has to be assigned theRUN_JS_HTTPS_PORT
environment variable.--env=RUN_JS_HTTPS_PORT
The port assigned to this environment variable is the same as the inside HTTPS port specified with the--publish
option.
...
Overview
Content Tools