...
- Keystores and truststores shown in orange are required for any connections of clients to JOC Cockpit.
- Keystores and truststores shown in green are required if mutual authentication is in place, e.g. to allow certificate based authentication.
- A JOC Cockpit truststore is required. Should secure connections be used to access a Controller or an LDAP server for authentication/authorization then the truststore will hold the necessary certificates.
- Consider that a similar distribution of private keys and certificates applies to each JOC Cockpit instance if a JOC Cockpit Cluster with a number of instances is used.
Secure Connection Setup
In the following, the JOC_HOME, JETTY_HOME and JETTY_BASE placeholders are used to denote three directories. If you install Jetty with the JOC Cockpit installer then:
...
Edit the following entries in the JETTY_BASE/start.d/ssl.ini configuration file for use of the keystore and truststore:

Code Block: Example how to use the keystore/truststore settings with the start.d/ssl.ini file

    ## Keystore file path (relative to $jetty.base)
    jetty.sslContext.keyStorePath=resources/joc/https-keystore.p12
    ## Keystore password
    jetty.sslContext.keyStorePassword=jobscheduler
    ## KeyManager password (same as keystore password for pkcs12 keystore type)
    jetty.sslContext.keyManagerPassword=jobscheduler
    ## The Keystore type.
    jetty.sslContext.keyStoreType=PKCS12
    ## Truststore file path (relative to $jetty.base)
    jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
    ## Truststore password
    jetty.sslContext.trustStorePassword=jobscheduler
    ## TrustStore type.
    jetty.sslContext.trustStoreType=PKCS12
Explanation:
- Specify the location of the keystore with the keyStorePath setting. A location relative to the JETTY_BASE directory can be specified.
- Specify the password for your keystore with the keyStorePassword setting.
- The password specified with the keyManagerPassword setting is used for access to your private key. For a PKCS12 keystore type the same password as for the keyStorePassword setting has to be used.
- Optionally specify the keystore type with the keyStoreType setting. If this setting is missing then the JVM's default keystore type will be used.
- Specify the location of the truststore with the trustStorePath setting. A location relative to the JETTY_BASE directory can be specified.
- Specify the password for access to the truststore with the trustStorePassword setting.
- Specify the truststore type to be one of PKCS12 or JKS.
Specify the HTTPS port with the following entries of the JETTY_BASE/start.d/ssl.ini configuration file (default HTTPS port is 48446):

Code Block: Example how to set the port for the HTTPS protocol with the start.d/ssl.ini file

    ## The host/address to bind the connector to.
    # jetty.ssl.host=joc.example.com
    ## Connector port to listen on
    jetty.ssl.port=48446
Explanation:
- The jetty.ssl.host setting can optionally be used to limit access to the port to the specified host/network interface.
- The jetty.ssl.port setting specifies the HTTPS port for Jetty. Consider allowing incoming connections to this port in your firewall.
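As an added example (it is not part of the JOC Cockpit documentation or the product), the following Python script parses the ssl.ini fragments shown above for the keystore/truststore settings and the HTTPS port and flags what a reviewer would check before going live: store files that do not exist below JETTY_BASE, the sample password jobscheduler from the documentation example left in place, a keyManagerPassword that differs from keyStorePassword for a PKCS12 keystore, a store type other than PKCS12 or JKS, and an unset jetty.ssl.host (Jetty then listens on all interfaces). The ini text, the host name joc.example.com and the replacement passphrase in demo() are constructed for the example.

```python
"""Added example: audit a Jetty start.d/ssl.ini as used for JOC Cockpit HTTPS."""
from pathlib import Path
import tempfile

# Constructed sample mirroring the two ssl.ini fragments from the documentation.
SAMPLE_SSL_INI = """\
## Keystore file path (relative to $jetty.base)
jetty.sslContext.keyStorePath=resources/joc/https-keystore.p12
## Keystore password
jetty.sslContext.keyStorePassword=jobscheduler
## KeyManager password (same as keystore password for pkcs12 keystore type)
jetty.sslContext.keyManagerPassword=jobscheduler
## The Keystore type.
jetty.sslContext.keyStoreType=PKCS12
## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
## Truststore password
jetty.sslContext.trustStorePassword=jobscheduler
## TrustStore type.
jetty.sslContext.trustStoreType=PKCS12
## The host/address to bind the connector to.
# jetty.ssl.host=joc.example.com
## Connector port to listen on
jetty.ssl.port=48446
"""

# Password shown in the documentation example; a live system must not keep it.
SAMPLE_PASSWORD = "jobscheduler"

PASSWORD_KEYS = (
    "jetty.sslContext.keyStorePassword",
    "jetty.sslContext.keyManagerPassword",
    "jetty.sslContext.trustStorePassword",
)
PATH_KEYS = ("jetty.sslContext.keyStorePath", "jetty.sslContext.trustStorePath")


def parse_start_ini(text):
    """Return {key: value} for active key=value lines; lines starting with '#' are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_ssl_ini(settings, jetty_base):
    """Return the findings a reviewer would raise; an empty list means nothing was flagged."""
    base = Path(jetty_base)
    findings = []
    for store in ("keyStore", "trustStore"):
        prefix = f"jetty.sslContext.{store}"
        path = settings.get(f"{prefix}Path")
        if path is None:
            findings.append(f"{prefix}Path is not set")
        elif not (base / path).is_file():  # relative paths resolve against JETTY_BASE
            findings.append(f"{prefix}Path not found below JETTY_BASE: {path}")
        if settings.get(f"{prefix}Password") == SAMPLE_PASSWORD:
            findings.append(f"{prefix}Password still uses the documentation sample password")
        if settings.get(f"{prefix}Type", "").upper() not in ("PKCS12", "JKS"):
            findings.append(f"{prefix}Type should be PKCS12 or JKS")
    if (settings.get("jetty.sslContext.keyStoreType", "").upper() == "PKCS12"
            and settings.get("jetty.sslContext.keyManagerPassword")
            != settings.get("jetty.sslContext.keyStorePassword")):
        findings.append("keyManagerPassword must equal keyStorePassword for a PKCS12 keystore")
    if "jetty.ssl.host" not in settings:
        findings.append("jetty.ssl.host is not set: the HTTPS connector listens on all interfaces")
    if "jetty.ssl.port" not in settings:
        findings.append("jetty.ssl.port is not set")
    return findings


def demo():
    """Audit the sample as-is, then a hardened copy with both stores present under JETTY_BASE."""
    settings = parse_start_ini(SAMPLE_SSL_INI)
    with tempfile.TemporaryDirectory() as jetty_base:
        before = audit_ssl_ini(settings, jetty_base)
        hardened = dict(settings)
        for key in PASSWORD_KEYS:
            hardened[key] = "constructed-strong-passphrase"  # placeholder, not a real secret
        hardened["jetty.ssl.host"] = "joc.example.com"         # constructed host name
        for key in PATH_KEYS:
            store = Path(jetty_base) / hardened[key]
            store.parent.mkdir(parents=True, exist_ok=True)
            store.write_bytes(b"")                             # empty stand-in for a .p12 file
        after = audit_ssl_ini(hardened, jetty_base)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("findings for the documentation sample:")
    for finding in before:
        print("  -", finding)
    print("findings after hardening:", after or "none")
```

Point audit_ssl_ini() at the real JETTY_BASE and the parsed contents of start.d/ssl.ini to run the same checks against an installation; the password check only recognises the documented sample value, so a weak password of your own still needs a human look.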
Step 5: Deactivating HTTP Access
...
The above explanations indicate use of a Root CA Certificate for verification of Client Authentication Certificates when it comes to mutual authentication.
- In fact use of a Root CA Certificate allows any client that disposes of a Client Authentication Certificate signed by the same Root CA Certificate or by Intermediate CA Certificate(s) to be authenticated. This might allow an unwanted number of clients to access JOC Cockpit.
- Coping strategies include
- to use a separate Certificate Authority to sign Client Authentication Certificates for access to JOC Cockpit.
- to import individual Client Authentication Certificates to the JOC Cockpit truststore instead of using a Root CA Certificate.
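To make the caveat concrete, here is an added shell example using the openssl command line; it is not JOC Cockpit's own tooling. A constructed throwaway CA signs client certificates for two hypothetical clients, alice and bob, and openssl verify stands in for the truststore check: verifying against the CA certificate accepts both clients, while verifying with -partial_chain against alice's certificate alone accepts alice and rejects bob, which is the effect of importing an individual Client Authentication Certificate instead of the Root CA Certificate. The -partial_chain flag is an OpenSSL analogue of a Java truststore that holds a leaf certificate; it is not JOC Cockpit's validation code, and the PEM files here are not the PKCS12 stores the page configures.

```shell
#!/bin/sh
# Added example: why a Root CA Certificate in the truststore admits every client
# certificate that CA has signed, and what trusting an individual certificate changes.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the run does not depend on the system openssl.cnf
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
EOF

# Constructed throwaway root CA (valid for one day)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 1 \
  -config req.cnf -extensions ca_ext -subj "/CN=Example Client CA" >/dev/null 2>&1

# Two client authentication certificates signed by the same CA
for name in alice bob; do
  openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
    -config req.cnf -subj "/CN=$name" >/dev/null 2>&1
  openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out "$name.pem" -days 1 >/dev/null 2>&1
done

# client_is_trusted TRUSTFILE CLIENTCERT -> prints TRUSTED or REJECTED.
# TRUSTFILE plays the role of the truststore contents.
client_is_trusted() {
  if openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo TRUSTED
  else
    echo REJECTED
  fi
}

echo "truststore = Root CA,   client = bob:   $(client_is_trusted ca.pem bob.pem)"
echo "truststore = alice.pem, client = alice: $(client_is_trusted alice.pem alice.pem)"
echo "truststore = alice.pem, client = bob:   $(client_is_trusted alice.pem bob.pem)"
```

The first line shows the caveat: bob was never imported anywhere, yet the Root CA Certificate admits him. The last two lines show the second coping strategy: with only alice's certificate trusted, bob's certificate from the same CA is rejected, at the cost of having to import every permitted client certificate individually.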
...