...
- Rollout of JS7 JOC Cockpit is considered critical as the software allows jobs to be executed on a larger number of servers.
- Attention should be paid to the integrity of the sources for JS7 component downloads.
- This includes intermediate devices on which JS7 software installers are stored in a user's environment.
- One option is to run the JOC Cockpit Installer Script from sudo and to use the digest functionality that compares the script to a hash value stored with the sudoers file.
- The solution for updating, upgrading and patching the JS7 JOC Cockpit is based on shell scripting by design
- to provide readability and to rely only on OS commands,
- to prohibit the use of any 3rd-party components and additional dependencies that require code to be executed on the machines that run the JOC Cockpit.
- The JOC Cockpit Installer Script can be integrated in a number of ways:
- by running one's own SSH script on top of the JOC Cockpit Installer Script,
- by use of tools such as Ansible®, Puppet® that make use of an SSH Client,
- by use of JS7 workflow automation as explained below.
- It is recommended that a separate Standalone Controller and Agent are used for rollout purposes.
- Access to the Controller and Agent for rollout should be securely managed.
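The sudo digest option mentioned above, as an added example that is not part of the original page or of the JS7 scripts: the functions compute the SHA-256 digest of the installer script and emit a sudoers rule that pins it, so sudo refuses to run the script once its content changes. The account name js7deploy and the script location are assumptions.

```shell
#!/bin/sh
# Added example: pin the installer script's SHA-256 digest in a sudoers rule.
# Account name and script location are assumptions, not values from the page.

# Print the hex SHA-256 digest of a file (empty output if it cannot be read).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" 2>/dev/null | cut -d' ' -f1
    else
        shasum -a 256 "$1" 2>/dev/null | cut -d' ' -f1
    fi
}

# Emit a sudoers rule allowing <user> to run <script> as root only while the
# file content matches the digest computed now.
# Returns 1 for argument errors, 2 if the script cannot be hashed.
sudoers_digest_rule() {
    user=$1
    script=$2
    [ -n "$user" ] || return 1
    case $script in
        /*) ;;            # sudoers needs a fully qualified command path
        *)  return 1 ;;
    esac
    digest=$(file_sha256 "$script")
    [ -n "$digest" ] || return 2
    printf '%s ALL = (root) sha256:%s %s\n' "$user" "$digest" "$script"
}

# Re-check a script against the digest pinned in a rule line.
# Returns 0 while the file still matches, non-zero after any modification.
rule_matches_file() {
    rule=$1
    script=$2
    pinned=$(printf '%s\n' "$rule" |
        sed -n 's/.* sha256:\([0-9a-f]\{64\}\) .*/\1/p')
    [ -n "$pinned" ] && [ "$pinned" = "$(file_sha256 "$script")" ]
}

# Stand-alone use: sh pin_digest.sh <user> <absolute-path-to-installer-script>
if [ "$#" -eq 2 ]; then
    sudoers_digest_rule "$1" "$2"
fi
```

Write the emitted line to a file below /etc/sudoers.d and check it with visudo -cf <file> before relying on it. The digest has to be regenerated whenever a new version of the installer script is rolled out.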
...
Certificate Store Management Script
The Certificate Store Management Script is provided for download and can be used to automate the creation of keystores and truststores.
- The script is available for Linux, MacOS® and AIX® using bash, dash, ksh, and zsh shells.
- The script terminates with exit code 0 to signal success, with exit code 1 for command line argument errors and with exit code 2 for non-recoverable errors.
- The script is intended as a baseline example for customization by JS7 users and by SOS within the scope of professional services. Consider information from JS7 - JOC Cockpit Command Line Operation.
Download
Find the Certificate Store Management Script for download from JS7 - Download.
Usage
Invoking the Certificate Store Management Script without arguments displays the usage clause:
```
Usage: js7_create_certificate_store.sh [Options] [Switches]

  Options:
    --keystore=|keystore-file=<file>       | required: path to keystore file in PKCS12 format
    --truststore=|truststore-file=<file>   | optional: path to truststore file in PKCS12 format
    --key=<private-key-file>               | required: path to private key file in .pem format
    --cert=|certificate=<cert-file>        | required: path to certificate file in .pem format
    --alias=<alias-name>                   | required: alias name for keystore entry
    --password=<password>                  | required: password for certificate store
    --ca-bundle=<ca-bundle-file>           | optional: path to CA Bundle certificate file in .pem format
    --ca-root=<ca-root-file>               | optional: path to CA Root certificate file in .pem format
    --ca-intermediate=<ca-file[,ca-file]>  | optional: path to CA Intermediate certificate file in .pem format
    --backup-dir=<directory>               | optional: backup directory for existing certificate stores
    --log-dir=<directory>                  | optional: log directory for log output of this script

  Switches:
    -h | --help                            | displays usage
    --chain                                | add certificate chain to keystore
    --show-logs                            | shows log output of the script
    --make-dirs                            | creates the specified directories if they do not exist
```
Explanation:
- Options
--keystore or --keystore-file
...
- Specifies the path to a PKCS12 keystore file that should hold the private key and certificate for HTTPS connections to JS7 components.
- Users are free to specify any file name, typically the name https-keystore.p12 is used.
- If a keystore file is made available then the JOC Cockpit's <home>/jetty_base/start.d/ssl.ini file has to hold a reference to the keystore location and optionally the keystore password. It is therefore recommended to use the --ini option to deploy an individual ssl.ini file. The following settings are automatically updated in the ssl.ini file:
  - jetty.ssl.host: optionally specifies the network interface that is available from the --http-port option provided that the port is prefixed with the network interface, for example joc.example.com:4446.
  - jetty.ssl.port: specifies the HTTPS port that is automatically updated from the --http-port option.
  - jetty.sslContext.keyStorePath: specifies the path to the keystore relative to the <home>/jetty_base/resources/joc directory.
- Further settings in the ssl.ini file such as the keystore password have to be deployed from a copy of the file using the --ini option.
- Assigning a keystore for HTTPS connections disables HTTP access and enables HTTPS access only to JOC Cockpit. The same port is alternatively used for HTTP and HTTPS connections.
--truststore-file
- Specifies the path to a PKCS12 truststore file that holds the certificate(s) for HTTPS connections from JOC Cockpit to a Controller instance, LDAP server etc.
- Users are free to specify any file name, typically the name https-truststore.p12 is used. The truststore file will be copied to the <home>/jetty_base/resources/joc directory.
- If a truststore file is made available then the JOC Cockpit's <home>/jetty_base/start.d/ssl.ini file has to hold a reference to the truststore location and optionally the truststore password. It is therefore recommended to use the --ini option to deploy an individual ssl.ini file. The following settings are automatically updated in the ssl.ini file:
  - jetty.sslContext.trustStorePath: specifies the path to the truststore relative to the <home>/jetty_base/resources/joc directory.
- Further settings in the ssl.ini file such as the truststore password have to be deployed from a copy of the file using the --ini option.
--truststore or --truststore-files
Explanation:
- Options
--setup-dir
- Specifies the directory in which the installer for the JOC Cockpit should be extracted. This is not the JOC Cockpit installation directory but the directory that holds installer files.
--setup-response
- The JOC Cockpit installer is used with the joc_install.xml response file. This file is available after extraction of the installer tarball and specifies options for installation of the JOC Cockpit. The file is applied when invoking the installer by ./setup.sh -u joc_install.xml, see JS7 - JOC Cockpit - Headless Installation on Linux and Windows.
- Users should keep their copy of the response file and specify the path with this command line option. Response files can be re-used within the same minor release of the JOC Cockpit, for example when updating from release 2.3.1 to 2.2.4. When updating, for example, from release 2.2.x to 2.3.x it is recommended that a check is carried out from the installer tarball if a newer version of the file is available.
- Users should note that the response file can hold references to a license file and to a JDBC Driver .jar file. The JOC Cockpit setup is executed from the directories specified with the --setup-dir option. Paths can be used relative to this directory.
--release
- Specifies a release number such as 2.3.1 for download from the SOS web site if the --tarball option is not used.
--tarball
- Optionally specifies the path to a .tar.gz file that holds the JOC Cockpit installation files. If this option is not used the installer tarball will be downloaded from the SOS web site for the release indicated with the --release option.
- Download is performed with curl which takes account of http_proxy and https_proxy environment variables and the relevant settings from a .curlrc file.
--home
- Specifies the directory in which the JOC Cockpit should be installed.
--patch
- A patch is identified by the release number to which it is applied which is specified with the --release option and by
  - the JOC Cockpit security level: low, medium, high,
  - a sequential number such as patch-1, patch-2.
- A patch is specified as --patch=low.patch-1, --patch=low.patch-2, --patch=medium.patch-1 etc.
- For JOC Cockpit, patches are consolidated, i.e. patch-2 includes any patches of patch-1.
- Patches are downloaded from the SOS web site if the --tarball option is not used.
- Patches are added to the JOC Cockpit's JETTY_BASE/webapps/joc/WEB-INF/classes directory. When updating JOC Cockpit later on then the classes sub-directory will be emptied.
- If a backup directory is specified then a JOC Cockpit's existing installation directory will be added to a .tar.gz file in this directory.
--license-key
- Optionally the path to a license key file is specified. Customers with a Commercial License receive the license key file from SOS in .pem or .crt format.
- For details see JS7 - How to apply a JS7 License Key.
- This option is an alternative to specifying the license key file with the joc_install.xml response file, see --setup-response option.
--license-bin
- Optionally the path to the js7-license.jar binary file is specified that includes code that is available for use with a Commercial License only, see JS7 - How to apply a JS7 License Key.
- Should this argument be omitted and a license key file be specified with the --license-key option then the binary file is downloaded from the SOS Web Site, see JS7 - Download.
- This option is an alternative to specifying the license key file with the joc_install.xml response file, see --setup-response option. If the response file specifies a license key then the binary file for licensed code is automatically installed.
--backup-dir
- If a backup directory is specified then an existing JOC Cockpit's installation directory will be added to a .tar.gz file in this directory.
- File names are created according to the pattern:
backup_js7_joc.<hostname>.<release>.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.tar.gz
- For example:
backup_js7_joc.centostest_primary.2.3.1.2022-03-19T20-50-45.tar.gz
--log-dir
- If a log directory is specified then the installer script logs information about processing steps to a log file in this directory.
- File names are created like this:
install_js7_joc.<hostname>.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
- For example:
install_js7_joc.centostest_primary.2022-03-19T20-50-45.log
--http-port
- Optionally specifies the HTTP/HTTPS port that the JOC Cockpit is operated for. This argument takes precedence over the port setting in the joc_install.xml response file.
- Only one of the protocols HTTP or HTTPS can be used as it undermines security to operate JOC Cockpit for both protocols at the same time.
- The port can be prefixed by the network interface, for example joc.example.com:4446.
- Use of HTTPS connections requires additional settings, see --ini, --keystore-file and --truststore-file options.
- When used with the --restart switch, the HTTP/HTTPS port is used to determine if JOC Cockpit is running.
--ini
- Specifies one or more *.ini files that include settings for the Jetty Servlet Container, for example http.ini, https.ini, ssl.ini. The files will be copied to the JOC Cockpit installation directory. For use with HTTPS connections the following settings in the ssl.ini file have to be adjusted:
  - jetty.sslContext.keyStorePath
  - jetty.sslContext.keyStorePassword
  - jetty.sslContext.keyManagerPassword
  - jetty.sslContext.trustStorePath
  - jetty.sslContext.trustStorePassword
- The option takes a number of files as arguments that are separated by comma, for example: --ini="/js7-deployment/ssl.ini,/js7-deployment/https.ini".
--keystore-file
- Specifies the path to a PKCS12 keystore file that holds the private key and certificate for HTTPS connections to JOC Cockpit.
- Users are free to specify any file name, typically the name https-keystore.p12 is used. The keystore file will be copied to the <home>/jetty_base/resources/joc directory.
- If a keystore file is made available then the JOC Cockpit's <home>/jetty_base/start.d/ssl.ini file has to hold a reference to the keystore location and optionally the keystore password. It is therefore recommended to use the --ini option to deploy an individual ssl.ini file. The following settings are automatically updated in the ssl.ini file:
  - jetty.ssl.host: optionally specifies the network interface that is available from the --http-port option provided that the port is prefixed with the network interface, for example joc.example.com:4446.
  - jetty.ssl.port: specifies the HTTPS port that is automatically updated from the --http-port option.
  - jetty.sslContext.keyStorePath: specifies the path to the keystore relative to the <home>/jetty_base/resources/joc directory.
- Further settings in the ssl.ini file such as the keystore password have to be deployed from a copy of the file using the --ini option.
- Assigning a keystore for HTTPS connections disables HTTP access and enables HTTPS access only to JOC Cockpit. The same port is alternatively used for HTTP and HTTPS connections.
--truststore-file
- Specifies the path to a PKCS12 truststore file that holds the certificate(s) for HTTPS connections from JOC Cockpit to a Controller instance, LDAP server etc.
- Users are free to specify any file name, typically the name https-truststore.p12 is used. The truststore file will be copied to the <home>/jetty_base/resources/joc directory.
- If a truststore file is made available then the JOC Cockpit's <home>/jetty_base/start.d/ssl.ini file has to hold a reference to the truststore location and optionally the truststore password. It is therefore recommended to use the --ini option to deploy an individual ssl.ini file. The following settings are automatically updated in the ssl.ini file:
  - jetty.sslContext.trustStorePath: specifies the path to the truststore relative to the <home>/jetty_base/resources/joc directory.
- Further settings in the ssl.ini file such as the truststore password have to be deployed from a copy of the file using the --ini option.
--exec-start
- This option can be used if the JOC Cockpit is to be started after installation by an individual command. For example, when using systemd then the option --exec-start="sudo systemctl start joc" will start the JOC Cockpit provided that the joc.service file is configured for systemd.
- For systemd service files see JS7 - systemd Service Files for automated Startup and Shutdown with Unix Systems.
- This option is an alternative to use of the --restart switch that starts the JOC Cockpit from its Start Script. If specified this option overrules the --restart switch.
--exec-stop
- This option can be used if the JOC Cockpit is to be stopped before installation by an individual command. For example, when using systemd then the option --exec-stop="sudo systemctl stop joc" will stop the JOC Cockpit provided that the joc.service file is configured for systemd.
- For systemd service files see the JS7 - systemd Service Files for automated Startup and Shutdown with Unix Systems article.
- This option is an alternative to use of the --restart switch that stops the JOC Cockpit from its Start Script. If specified this option overrules the --restart switch.
--return-values
- Optionally specifies the path to a file to which return values will be added in the format <name>=<key>. For example:
  log_file=install_js7_joc.centostest_primary.2022-03-20T04-54-31.log
  backup_file=backup_js7_joc.centostest_primary.2.3.1.2022-03-20T04-54-31.tar.gz
- An existing file will be overwritten. It is recommended that a unique file name such as /tmp/return.$$.$RANDOM.properties is used.
- A value from the file can be retrieved like this. The file name is held in a variable that is also passed to the --return-values option, because $RANDOM expands to a different value each time it is used:
  return_values=/tmp/return.$$.$RANDOM.properties
  backup=$(grep "backup_file" "$return_values" | cut -d'=' -f2)
-h | --help
- Displays usage.
-u | --user
- Installs the JOC Cockpit configuration directory for the current user account, the installation directory is created by the root account using sudo. This switch corresponds to use of ./setup.sh -u joc_install.xml, see the JS7 - JOC Cockpit - Headless Installation on Linux and Windows for more information.
-E | --preserve-env
- When installing for the current user account using the -u switch then environment variables are preserved when switching to the root account using sudo -E. This switch corresponds to use of ./setup.sh -u -E joc_install.xml.
--show-logs
- Displays the log output created by the script.
--make-dirs
- If directories are missing that are indicated with the --home, --backup-dir or --log-dir options then they will be created.
--restart
- Stops a running JOC Cockpit before installation and starts the JOC Cockpit after installation using the JOC Cockpit's Start Script. This switch can be used with the --kill switch to control the way how JOC Cockpit is terminated. This switch is ignored if the --exec-start and --exec-stop options are used.
--kill
- Kills a running JOC Cockpit if used with the --restart switch. This includes killing child processes of running tasks.
- 1: argument errors
- 2: non-recoverable errors
- 3: this exit code is returned when used with the --restart switch and if it cannot be identified if a JOC Cockpit instance is running
- 4: this exit code is returned if no --tarball option is used and download of the tarball reports errors
- 5: this exit code is returned when used with the --restart switch and if the JOC Cockpit instance cannot be started
- 6: this exit code is returned when used with the --restart switch and if the JOC Cockpit instance cannot be stopped
- 7: this exit code indicates that the JOC Cockpit installation has failed
- 8: this exit code indicates failure of the JOC Cockpit installation from logs
...