Introduction
- When JOC Cockpit is installed for a high security level then deployment of scheduling objects forces external signing.
  - For the low security level the private key of the root account available with the JS7 database is used for all users.
  - For the medium security level the user's individual private key available with the JS7 database is used.
  - For the high security level signing is performed outside of JOC Cockpit.
- For details see JS7 - Security Architecture.
Prerequisites
Required: User Signing Certificate
Each user with the permission to deploy has to add their X.509 signing certificate to JOC Cockpit:
Optional: Root CA Certificate
In addition, the X.509 certificate of the Root CA which signed the user's signing certificate can be added to JOC Cockpit. There is a single Root CA certificate for all user profiles.
...
- Any user signing certificates have to be rolled out to the Controller and Agents. Certificates are stored in the config/private/trusted-x509-keys folder of Controller and Agent installations.
- If a Root CA certificate is present in JOC Cockpit, then it is sufficient to add the Root CA certificate to the config/private/trusted-x509-keys folder of Controller and Agent installations.
  - No further user signing certificates have to be added to the Controller or Agents as long as the user signing certificate is created by the given Root CA.
  - This mechanism implies that any user signing certificate signed by the same Root CA certificate will be accepted.
  - Users who do not wish to use this implicit mechanism should not add the Root CA certificate to the Controller and Agents but should only add individual user signing certificates.
Deployment Process Overview
The user has to export the desired configuration of scheduling objects with the Export operation available from the Configuration view.
- Deployment tasks include:
  - Exporting scheduling objects with the checkbox "for Signing" checked to an archive file (.zip).
  - Unpacking the exported archive.
    - The archive contains a meta_inf file and the configurations.
  - Signing the configuration files of scheduling objects and storing the signature - base64 encoded - in a file in the same folder.
    - Note that each signature file has to use the same name as the original configuration file of the scheduling object with an additional filename extension.
      - For RSA/ECDSA signatures use the filename extension ".pem" or ".sig" respectively.
      - For PGP signatures use the default filename extension ".asc".
  - Packing the archive once again to add the signature files and make sure that the meta_inf file is still available with the root folder of the archive.
  - Uploading the archive using the Import And Deploy button.
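A pre-upload check for the re-packed archive, as an added example that is not part of the JS7 documentation or tooling: it confirms that meta_inf is still in the archive root and that every configuration file has a signature file of the same name plus one of the extensions listed above. Assumptions: the function names and sample file names are constructed for illustration, the base64 check is applied to ".pem" and ".sig" files only (ignoring any armor lines), and ".asc" content is not inspected.

```python
import base64
import binascii
import io
import zipfile

SIG_EXTS = (".pem", ".sig", ".asc")  # signature extensions named on this page
META = "meta_inf"                     # has to stay in the archive's root folder


def is_base64(raw: bytes) -> bool:
    # Assumption: "-----BEGIN/END ...-----" armor lines, if any, are ignored.
    body = b"".join(ln.strip() for ln in raw.splitlines() if not ln.startswith(b"-----"))
    try:
        return bool(body) and bool(base64.b64decode(body, validate=True))
    except binascii.Error:
        return False


def check_signed_archive(data: bytes) -> list:
    """Return the problems found in a re-packed archive; an empty list means OK."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        if META not in names:
            problems.append("meta_inf missing from archive root")
        sigs = [n for n in names if n.endswith(SIG_EXTS)]
        configs = [n for n in names if n not in sigs and n.rsplit("/", 1)[-1] != META]
        for cfg in configs:  # signature: same folder, same name, extra extension
            if not any(cfg + ext in sigs for ext in SIG_EXTS):
                problems.append("no signature file for " + cfg)
        for sig in sigs:
            if sig.rsplit(".", 1)[0] not in configs:
                problems.append("signature without configuration file: " + sig)
            if not sig.endswith(".asc") and not is_base64(zf.read(sig)):
                problems.append("signature is not base64: " + sig)
    return problems


def build_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: one configuration file, its signature file and meta_inf.
SAMPLE = build_zip({"meta_inf": b"{}", "demo/wf1.workflow.json": b"{}",
                    "demo/wf1.workflow.json.sig": base64.b64encode(b"constructed")})
print(check_signed_archive(SAMPLE) or "archive is ready for Import And Deploy")
```

A frequent cause of the "meta_inf missing" finding is zipping the parent folder instead of its contents, which moves every entry one level down.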
Example
Export
- Click Export in the context menu of the folder to export or from the button in the top right corner:
- In the Export popup window check the checkbox for Signing:
- Select the scheduling objects to deploy.
Signing
It is recommended that the signing procedure is performed on a secure device. It is essential that the signing process is performed in a secure manner outside of the server running the JOC Cockpit.
...