JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 10

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version Current

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • LDAP Server URL: The LDAP Server URL specifies the protocol ldap:// for the TLS connection. The hostname (FQDN) and port are added to the LDAP Server protocol. An IP address cannot be used as it would not match the LDAP Server certificate.
  • LDAP Start TLS: This switch makes TLS the protocol for the connection to the LDAP Server.
  • LDAP Host Name Verification: This switch has to be active to check if hostnames in the LDAP Server URL and in the LDAP Server certificate match.
  • LDAP Truststore PathThe TLS protocol requires a truststore to be used which holds an X.509 certificate specified for the Extended Key Usage of Server Authentication.
    • The truststore can include a selfSelf-signed certificate issued Certificate or a CA-signed certificateCertificate. Typically the Root CA certificate Certificate is used as otherwise the complete certificate chain involved in signing the Server Authentication Certificate has to be available with the truststore.
    • If this setting is not specified then JOC Cockpit will use the truststore that is configured with the JETTY_BASE/resources/joc/joc.properties configuration file. This includes use of settings for the truststore password and truststore type.
    • The path to the truststore is specified relative to the JETTY_BASE/resources/joc directory. If the truststore is located in this directory then only the file name is specified, typically with a .p12 extension. Other relative locations can be specified using e.g. ../../joc-truststore.p12 if the truststore is located in the JETTY_BASE directory. Absolute paths cannot be specified and a path cannot be specified that lies before the JETTY_BASE directory in the file system hierarchy.
  • LDAP Truststore Password: If the LDAP truststore is protected by a password, then the password has to be specified.
  • LDAP Truststore Type: The type of the indicated truststore has to be specified being either PKCS12 or JKS (deprecated).

...

The certificates for use with both TLS and SSL protocols are distributed in a similar way.

Users can use certficates issued by a Private CA or by a Public CA.

Use with CA-signed Certificates


Flowchart
JOC [label="   JOC Cockpit   ",fillcolor="lightskyblue",fontname="Arial",fontsize="10pt"]
LDAP [label="   LDAP Server   ",fillcolor="lightskyblue",fontname="Arial",fontsize="10pt"]
 
JOC_Truststore [label="JOC Cockpit Truststore\n./jetty_base/resource/joc/joc.p12\nCA certificates",fillcolor="orange",fontname="Arial",fontsize="10pt"]
LDAP_Keystore [label="LDAP Server Keystore\nLDAP Server Private Key\nLDAP Server Certificate",fillcolor="orange",fontname="Arial",fontsize="10pt"]

CA_RootCertificate [shape="ellipse",shape="ellipse",label="Root CA Certificate",fillcolor="white",fontname="Arial",fontsize="10pt"]
CA_IntermediateCertificate [shape="ellipse",label="Intermediate CA Certificate",fillcolor="white",fontname="Arial",fontsize="10pt"]

LDAP_PrivateKey [shape="ellipse",label="LDAP Server Private Key",fillcolor="white",fontname="Arial",fontsize="10pt"]
LDAP_Keystore_Certificate [shape="ellipse",label="LDAP Server Certificate",fillcolor="white",fontname="Arial",fontsize="10pt"]

LDAP -> LDAP_Keystore 
LDAP_Keystore -> LDAP_PrivateKey -> LDAP_Keystore_Certificate [label=" in keystore ",fontname="Arial",fontsize="10pt"]

JOC -> JOC_Truststore
JOC_Truststore -> CA_RootCertificate -> CA_IntermediateCertificate [label=" add to truststore ",fontname="Arial",fontsize="10pt"]
CA_IntermediateCertificate -> LDAP_Keystore_Certificate [label=" verify in handshake ",fontname="Arial",fontsize="10pt"]

Use with

...

Self-

...

issued Certificates


Flowchart
JOC [label="   JOC Cockpit   ",fillcolor="lightskyblue",fontname="Arial",fontsize="10pt"]
LDAP [label="   LDAP Server   ",fillcolor="lightskyblue",fontname="Arial",fontsize="10pt"]
 
JOC_Truststore [label="JOC Cockpit Truststore\n./jetty_base/resource/joc/joc.p12\nLDAP Server Certificate",fillcolor="orange",fontname="Arial",fontsize="10pt"]
LDAP_Keystore [label="LDAP Server Keystore\nLDAP Server Private Key\nLDAP Server Certificate",fillcolor="orange",fontname="Arial",fontsize="10pt"]

LDAP_PrivateKey [shape="ellipse",label="LDAP Server Private Key",fillcolor="white",fontname="Arial",fontsize="10pt"]
LDAP_Keystore_Certificate [shape="ellipse",label="LDAP Server Certificate",fillcolor="white",fontname="Arial",fontsize="10pt"]
LDAP_Truststore_Certificate [shape="ellipse",label="LDAP Server Certificate",fillcolor="white",fontname="Arial",fontsize="10pt"]

LDAP -> LDAP_Keystore 
LDAP -> LDAP_Truststore_Certificate [label=" transfer to\nJOC Cockpit\ntruststore ",fontname="Arial",fontsize="10pt"]
LDAP_Keystore -> LDAP_PrivateKey -> LDAP_Keystore_Certificate [label=" in keystore ",fontname="Arial",fontsize="10pt"]

JOC -> JOC_Truststore
JOC_Truststore -> LDAP_Truststore_Certificate [label=" add to truststore ",fontname="Arial",fontsize="10pt"]
LDAP_Truststore_Certificate -> LDAP_Keystore_Certificate [label=" verify in handshake ",fontname="Arial",fontsize="10pt"]

...

  • Example for importing a certificate to a JOC Cockpit truststore in PKCS12 format:

    Code Block
    languagebash
    titleExample for import of LDAP Server Certificate to PKCS12 Keystore
    # import LDAP Server certificate to a truststore (joc.p12) by specifying the certificate file (ldap-certificate.crt) and alias name (ldap)
keytool -importcert -noprompt -file "ldap-certificate.crt" -alias "ldap" -keystore "JETTY_BASE/resources/joc/joc.p12" -storetype pkcs12 -storepass secret_store -trustcacerts

  • Example for importing a certificate to a JOC Cockpit truststore in JKS format:

    Code Block
    languagebash
    titleExmple for import of LDAP Server certificate to JKS Keystore
    # import LDAP Server certificate to a truststore (joc.jks) by specifying the certificate file (ldap-certificate.crt) and alias name (ldap)
keytool -importcert -noprompt -file "ldap-certificate.crt" -alias "ldap" -keystore "JETTY_BASE/resources/joc/joc.jks" -storetype jks -storepass secret_store -trustcacerts
  • Explanation
    • The -keystore option specifies the location of the truststore file.
    • The -storepass option specifies the password for access to the truststore.
    • The certificate file ldap-ertificate.crt should be available from the LDAP Server. Transfer this file to the JOC Cockpit server. Alternatively the server certificate can be requested on-the-fly.

      • Example for request of server certificate:

        Code Block
        languagebash
        titleExample for request of server certificate from LDAP Server
        # connect to the LDAP Server (ldap_server) with the available port (636), in the server response you should find the certificate that you can copy & paste to a certificate file
openssl s_client -showcerts -connect ldap_server:636

      • If the certificate is signed by a CA then the certificate should can include the certificate chain of Root CA Root CA Certificate and Intermediate CA Certificate. Otherwise it might be required to concatenate the certificates into one file, for example:

        Code Block
        languagebash
        titleExample for use of a certificate chain
        # concatenate Root CA certificate and Intermediate CA certificate as provided from the LDAP Server to a single CA Bundle certificate file (ca-bundle.crt)
cat RootCACertificate.crt > ca-bundle.crt
cat IntermediateCACertificate.crt >> ca-bundle.crt

# import LDAP Server certificate and certificate chain to a truststore (joc.p12) by specifying the certificate file (ldap-certificate.crt) and alias name (ldap)
keytool -importcert -noprompt -file "ca-bundle.crt" -alias "ldap" -keystore "JETTY_BASE/resources/joc/joc.p12" storetype pkcs12 -storepass secret_store -trustcacerts

...