Page History
...
The Certificate Authority available from the JOC Cockpit provides the following functions:
- creation of creating a Root CA private key Private Key and certificateCertificate, self-signing of issuing the Root CA certificateCertificate,
- The Root CA private key Private Key and certificate Certificate are stored in the the JS7 - Database.
- creation of private keys and certificates creating the Private Keys and Certificates for each Controller and Agent instance, self-signing the resulting certificatesCertificates.
- The private keys Private Keys and certificates Certificates are not stored with the JS7 database, instead, they are requested by Controller and Agent instances, are created on-the-fly and are forwarded to the requester.
- creation of creating the security tokens that allow Controller instances and Agents to authenticate their request for a private key Private Key and certificateCertificate.
- Security tokens are applied during JS7 - Certificate Authority - Rollout Certificates for HTTPS Connections.
- Security tokens are created for one-time use, they are invalidated after being used once or if their lifetime has been exceeded.
Certificate Management includes performing the following steps:
- managing the Root CA private key Private Key and certificate Certificate with JOC Cockpit,
- creating security tokens for Controller and Agent instances with JOC Cockpit,
- requesting private keys Private Keys and certificates Certificates to be created on-the-fly by Controller and Agent instances.
...
To set up the Certificate Authority (CA), a Root CA private key Private Key and self-signed certificate issued Certificate have to be created in an initial step.
The JS7 - Profiles - SSL Key Management sub-view of the JS7 - Profiles can be accessed by user accounts that are assigned the administrator role. To be more precise, this sub-view is available to user accounts that are assigned the the sos:products:joc:adminstration:manage
role - see JS7 - Default Roles and Permissions for more information.
...
- Operations offered from this sub-view include:
- generating the Root CA private key Private Key and certificate Certificate and self-signing issuing the certificateCertificate,
- importing and updating private keys Private Keys and selfCA-signed certificates Certificates which have been generated by an external Certificate Authority.
- Note that updates to the Root CA private key Private Key and certificate Certificate require new private keys Private Keys and certificates Certificates to be created for the Controller instances and Agents.
- Existing private keys Private Keys and certificates Certificates remain in place with Controllers and Agents, they continue to work but cannot be verified by a user.
- It is therefore recommended that new private keys Private Keys and certificates Certificates are created and rolledout rolled out within a foreseeable time.
- JOC Cockpit only supports ECDSA key algorithms as RSA key algorithms are not considered secure for the future.
If the Root CA private key Private Key and certificate Certificate are to be generated by the JOC Cockpit then the following popup window appears:
...
- The DN can include any attributes allowed.
- The DN has to include the CN attribute
- Example:
CN=JS7 Root CA, OU=IT Operations, O=SOS, LL=Berlin, SST=Berlin, C=DE
For details see the JS7 - Profiles - SSL Key Management article.
Manage Private Keys and Certificates for Controllers and Agents
For security reasons private keys Private Keys and certificates Certificates of Controllers and Agents are not stored with JOC Cockpit. Instead, the Start Script that ships with each Controller and Agent instance requests that they are created by the Certificate Rollout Client. The Certificate Rollout Client:
- does not require user/password authentication for JOC Cockpit but is started with a security token that authenticates the client.
- requests that the JOC Cockpit creates a private key Private Key and certificate Certificate on-the-fly which are returned to the client as a response to its request.
- adds the private key Private Key to the Controller or Agent instance's keystore and adds the certificate Certificate to the respective truststore.
- updates the Controller or Agent instance's configuration to use the updated keystore and truststore.
As a result the Controller or Agent instance is equipped with a TLS/SSL certificate Certificate and is ready to accept HTTPS connections.
The JOC Cockpit's User->Manage Controllers/Agents menu is used to create security tokens for individual Controller and Agent instances:
- You Users can use the Controller's action menu to create one-time security tokens for Controller instances.
- You Users can select one or more Agents to create one-time security tokens per Agent, then use the Create one-time Token button.
- After selection of the Controller or Agents a popup window is displayed that asks for the lifetime of the token.
...
- The security token is valid until its lifetime expires.
- It is recommended that short lifetimes such as 30 minutes which are sufficient to perform the steps for rollout of certificates to the respective Controller and Agents are used.
- The lifetime is specified for a time zone as the user browser's time zone and the time zone of the server operating a Controller instance or an Agent might differ.
- Security tokens become invalid after one-time use. Cleanup of expired security tokens is performed automatically by the JOC Cockpit.
- Security tokens are shown displayed in the user interface once they have been generated.
...
- The expiration date and a key symbol are displayed for each Agent for which a security token has been created:
- hitting the key symbol causes the security token to be displayed,
- the security token is displayed along with a button to copy the security token value to the user's clipboard.
- Once the security token has been copied to the clipboard, a session (SSH, RDP) to the server that hosts the Controller instance or Agents should be established and the steps for JS7 - Certificate Authority - Rollout Certificates for HTTPS Connections performed that are required to specify for specification of the security token for authentication with the JOC Cockpit.
...