...

  • On the Controller instance's server, create the keystore using the keytool from your Java JRE or JDK, or a third party utility.
    • For use with a third party utility, create a keystore, e.g. https-keystore.p12, in PKCS12 format and import:
      • Controller private key and certificate for Server Authentication
      • Root CA certificate
      • Intermediate CA certificate(s)
    • For use with keytool, create the keystore with the private key and certificate for Server Authentication from the command line. The examples below show one possible approach to certificate management; there are other ways of achieving similar results.
      • Example for creating a private key and CA-signed certificate with PKCS12 keystore:

        Code Block
        languagebash
        titleExample how to create and add a private key and CA-signed certificate to a PKCS12 keystore
        # If the Controller's private key and certificate are provided in a .jks keystore (keypair.jks), temporarily convert the keystore to PKCS12 (keystore.p12)
        #   for later use with openssl, assuming the alias name of the Controller's private key to be "controller.example.com"
        # keytool -importkeystore -srckeystore keypair.jks -srcstoretype JKS -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias controller.example.com
        
        # from the PKCS12 keystore (keystore.p12), store the Controller's private key in a .key file in PEM format (controller-https.key)
        #   openssl asks for the keystore password and for a passphrase that encrypts the PEM file; the same passphrase is requested again by the -export step below
        openssl pkcs12 -in keystore.p12 -nocerts -out controller-https.key
        
        # from the same keystore, store the Controller's certificate in a .crt file in PEM format (controller-https.crt); -clcerts selects the end-entity certificate only
        openssl pkcs12 -in keystore.p12 -nokeys -clcerts -out controller-https.crt
        
        # concatenate CA Root certificate and CA Intermediate certificate(s) to a single CA Bundle certificate file (ca-bundle.crt)
        cat RootCACertificate.crt > ca-bundle.crt
        cat CACertificate.crt >> ca-bundle.crt
        
        # verify that the Controller's certificate chains to the CA Bundle before packaging it; the expected output is "controller-https.crt: OK"
        openssl verify -CAfile ca-bundle.crt controller-https.crt
        
        # Export the Controller's private key (controller-https.key), Controller's certificate (controller-https.crt) and CA Bundle (ca-bundle.crt) in PEM format to a new keystore (https-keystore.p12)
        #   assuming the fully qualified domain name (FQDN) of the Controller server is "controller.example.com"; the export password becomes both the store password and the key password of the keystore
        openssl pkcs12 -export -in controller-https.crt -inkey controller-https.key -chain -CAfile ca-bundle.crt -name controller.example.com -out JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12
        
        # restrict the keystore to the account running the Controller and remove the PEM private key once it is inside the keystore
        chmod 600 JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12
        rm controller-https.key
        
        # IF you require use of a .jks keystore type then convert the pkcs12 keystore, assuming the alias name of the Controller private key to be "controller.example.com"
        # keytool -importkeystore -srckeystore https-keystore.p12 -srcstoretype PKCS12 -destkeystore JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.jks -deststoretype JKS -srcalias controller.example.com
      • Example for creating private key and self-signed certificate with PKCS12 keystore:

        Code Block
        languagebash
        titleExample how to generate a private key and self-signed certificate for import into a PKCS12 keystore
        collapsetrue
        # generate the Controller's private key with alias name "controller.example.com" and a self-signed certificate in a keystore (https-keystore.p12)
        #   use the fully qualified domain name (FQDN) assumed to be "controller.example.com" and the name of your organization for the distinguished name
        #   add the FQDN as Subject Alternative Name (-ext SAN): TLS clients match the host name against the SAN, not against the CN
        #   consider that keytool expects the same key password and store password for PKCS12 keystores
        keytool -genkeypair -alias "controller.example.com" -dname "CN=controller.example.com,O=organization" -ext "SAN=dns:controller.example.com" -validity 1461 -keyalg RSA -keysize 2048 -keypass jobscheduler -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12" -storepass jobscheduler -storetype PKCS12
      • Example for creating a private key and self-signed certificate with JKS keystore:

        Code Block
        languagebash
        titleExample how to generate a private key and self-signed certificate for import into a JKS keystore
        collapsetrue
        # generate the Controller's private key with the alias name "controller.example.com" and a self-signed certificate in a keystore (https-keystore.jks)
        #   use the fully qualified domain name (FQDN) assumed to be "controller.example.com" and the name of your organization for the distinguished name
        #   add the FQDN as Subject Alternative Name (-ext SAN): TLS clients match the host name against the SAN, not against the CN
        keytool -genkeypair -alias "controller.example.com" -dname "CN=controller.example.com,O=organization" -ext "SAN=dns:controller.example.com" -validity 1461 -keyalg RSA -keysize 2048 -keypass jobscheduler -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.jks" -storepass jobscheduler -storetype JKS
      • Explanation:

          • The -dname option specifies the subject Distinguished Name of the certificate; for a self-signed certificate subject and issuer are identical. Use the Controller's FQDN for CN and your own values for O, OU, DC. As TLS clients match the host name against the Subject Alternative Name and not against the CN, specify the FQDN additionally with the -ext SAN=dns:<FQDN> option.
          • The -keypass option specifies the password protecting the private key in the keystore, which you will need later on to manage your private key.
          • The -keystore option specifies the location of the keystore file. The keystore file must be readable by the account that runs the Controller and should not be readable by other accounts; it is recommended using the private sub-folder in the JS7_CONTROLLER_CONFIG_DIR directory.
        • The -storepass option specifies the password for access to the keystore file.
        • The -storetype option is used to specify the PKCS12 or JKS keystore format.
    • With the keystore set up, specify the relevant properties in the JS7_CONTROLLER_CONFIG_DIR/private/private.conf configuration file:
      • Example

        Code Block
        languagetext
        titleExample for private.conf file specifying the Controller keystore
        js7 {
            web {
                # keystore location for https connections
                https {
                    keystore {
                        # Default: ${js7.config-directory}"/private/https-keystore.p12"
                        file=${js7.config-directory}"/private/https-keystore.p12"
                        key-password="jobscheduler"
                        store-password="jobscheduler"
                    }
                }
            }
        }


        Explanation:
        • js7.web.https.keystore.file is used for the path to the keystore.
        • js7.web.https.keystore.key-password is used for access to the private key.
        • js7.web.https.keystore.store-password is used for access to the keystore.
        • Both passwords are stored in clear text. Restrict read access to private.conf and to the keystore file to the account that runs the Controller.
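        The self-signed variant of the procedure above, carried through end to end as an added example that is not part of this page or of the JS7 project: a bash script that creates the private key and certificate with openssl alone, packs them into the PKCS12 keystore, verifies the result and writes the matching private.conf. It goes beyond the page in three points a practitioner would want: the FQDN is placed in a Subject Alternative Name (TLS clients ignore the CN), the finished keystore is checked for password, host name and expiry, and the keystore and private.conf are restricted to the owner since the latter holds both passwords in clear. Assumptions: openssl 1.1.1 or later is on PATH, the first argument stands in for JS7_CONTROLLER_CONFIG_DIR, and "controller.example.com", "organization" and "jobscheduler" are placeholders as on the page.

```shell
#!/usr/bin/env bash
# Added example, not JS7 project code: self-signed HTTPS keystore for a Controller
# built with openssl alone, verified, and a matching private.conf written.
# Assumptions: openssl 1.1.1 or later is on PATH; the first argument stands in for
# JS7_CONTROLLER_CONFIG_DIR; "controller.example.com", "organization" and
# "jobscheduler" are placeholders as on the page.
set -e

# make_keystore <config_dir> <fqdn> <password>
# Generates an RSA key and a self-signed certificate whose CN and DNS SAN are the
# FQDN (clients match the host name against the SAN) with extendedKeyUsage
# serverAuth, and packs both into <config_dir>/private/https-keystore.p12.
# openssl uses a single export password for a PKCS12 file, so store password and
# key password are identical, as keytool expects for PKCS12.
make_keystore() {
    local cfg="$1" fqdn="$2" pw="$3"
    local priv="$cfg/private"
    mkdir -p "$priv"
    chmod 700 "$priv"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1461 \
        -subj "/CN=$fqdn/O=organization" \
        -addext "subjectAltName=DNS:$fqdn" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$priv/controller-https.key" -out "$priv/controller-https.crt" 2>/dev/null
    openssl pkcs12 -export -name "$fqdn" \
        -in "$priv/controller-https.crt" -inkey "$priv/controller-https.key" \
        -passout "pass:$pw" -out "$priv/https-keystore.p12"
    chmod 600 "$priv/https-keystore.p12"
    # the unencrypted PEM key must not stay on disk once it is inside the keystore
    rm -f "$priv/controller-https.key"
}

# verify_keystore <p12> <fqdn> <password>
# Returns 0 only if the keystore opens with the password, its end-entity
# certificate lists the FQDN as a DNS SAN, and it does not expire within 30 days.
verify_keystore() {
    local p12="$1" fqdn="$2" pw="$3" cert
    cert=$(openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pw" 2>/dev/null) || return 1
    printf '%s\n' "$cert" | openssl x509 -noout -text | grep -qF "DNS:$fqdn" || return 1
    printf '%s\n' "$cert" | openssl x509 -noout -checkend $((30 * 24 * 3600)) >/dev/null || return 1
}

# write_private_conf <config_dir> <password>
# Writes private.conf in the layout shown above with mode 600, because it holds
# the store and key passwords in clear. The subshell keeps umask 077 local.
write_private_conf() {
    local cfg="$1" pw="$2"
    (
        umask 077
        cat > "$cfg/private/private.conf" <<EOF
js7 {
    web {
        # keystore location for https connections
        https {
            keystore {
                file=\${js7.config-directory}"/private/https-keystore.p12"
                key-password="$pw"
                store-password="$pw"
            }
        }
    }
}
EOF
    )
}

# Usage: ./make-https-keystore.sh "\$JS7_CONTROLLER_CONFIG_DIR"
if [ "${1:-}" != "" ]; then
    make_keystore "$1" controller.example.com jobscheduler
    verify_keystore "$1/private/https-keystore.p12" controller.example.com jobscheduler
    write_private_conf "$1" jobscheduler
    echo "keystore and private.conf written to $1/private"
fi
```

        The verification step is deliberately separate so it can be run against a keystore obtained any other way (the keytool or CA-signed variants above): pass the keystore path, the FQDN the Controller will be reached under, and the store password. A keystore written by OpenSSL 3 uses PBES2/AES-256 by default; if an older JVM refuses to open it, re-create it with `openssl pkcs12 -export -legacy` (OpenSSL 3 with the legacy provider), which emits the older encryption that every JDK reads.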

...