Introduction
JS7 allows JOC Cockpit to be operated in one of the security levels low, medium or high; for details see JS7 - Security Architecture.
...
- Users export workflows from the JOC Cockpit inventory to a .tar.gz/.zip export archive, see JS7 - Inventory Export and Import.
- Users can transfer the .tar.gz/.zip export archive to a secure computer that provides access to the user's private key for signing.
- The Workflow Signing Script can be used like this:
  - Users extract the .tar.gz/.zip export archive to an arbitrary directory on a secure computer.
  - The Workflow Signing Script is executed to traverse the directory hierarchy of the extracted export archive. The script creates a signature for each workflow file (*.workflow.json) and writes it to a file with the same name as the workflow and the extension .sig, in the workflow's location in the directory hierarchy.
  - When signing is complete, users add the updated directory hierarchy to a .tar.gz/.zip import archive file.
- Users upload and import the import archive file to JOC Cockpit. During import the signatures will be verified with the Root CA Certificate that is stored in the user's profile.
- Users can deploy verified workflows to the related Controller and Agents.
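An added example, not part of the Workflow Signing Script or the JS7 documentation: a POSIX shell check that can be run after signing and before building the import archive, reporting workflow files that have no signature or whose signature no longer matches the file. It assumes each signature file is named `<workflow file>.sig` and holds the raw output of `openssl dgst -sha256 -sign`; the function names, paths and demo files are constructed for the example.

```sh
#!/bin/sh
# Added example. Assumptions (not stated on the page): each signature is stored as
# "<workflow file>.sig" and holds the raw output of `openssl dgst -<hash> -sign`.

# Prints every *.workflow.json below $1 that has no signature file or whose signature
# does not verify against certificate $2 (digest $3). Returns 0 only if all verify.
check_signed_tree() (
    dir=$1; cert=$2; hash=${3:-sha256}; bad=0
    tmp=$(mktemp -d) || exit 2
    openssl x509 -in "$cert" -pubkey -noout > "$tmp/pub.pem" || { rm -rf "$tmp"; exit 2; }
    find "$dir" -type f -name '*.workflow.json' > "$tmp/list"
    while IFS= read -r wf; do
        if [ ! -f "$wf.sig" ]; then
            echo "UNSIGNED $wf"; bad=$((bad + 1))
        elif ! openssl dgst "-$hash" -verify "$tmp/pub.pem" \
                -signature "$wf.sig" "$wf" >/dev/null 2>&1; then
            echo "INVALID $wf"; bad=$((bad + 1))
        fi
    done < "$tmp/list"
    rm -rf "$tmp"
    [ "$bad" -eq 0 ]
)

# Constructed demo input in $1: throwaway key and self-signed certificate, one signed
# workflow, one workflow edited after signing, one workflow that was never signed.
make_demo_tree() {
    mkdir -p "$1/export/sub" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signer" \
        -keyout "$1/signing.key" -out "$1/signing.crt" 2>/dev/null || return 1
    for wf in ok.workflow.json sub/changed.workflow.json; do
        echo '{"title":"constructed sample"}' > "$1/export/$wf"
        openssl dgst -sha256 -sign "$1/signing.key" \
            -out "$1/export/$wf.sig" "$1/export/$wf" || return 1
    done
    echo '{"title":"edited after signing"}' > "$1/export/sub/changed.workflow.json"
    echo '{"title":"constructed sample"}' > "$1/export/sub/unsigned.workflow.json"
}

demo=$(mktemp -d) && make_demo_tree "$demo" &&
    check_signed_tree "$demo/export" "$demo/signing.crt" sha256 ||
    echo "fix the findings above before building the import archive"
rm -rf "$demo"
```

The check covers only the file signatures; whether the signing certificate chains to the Root CA Certificate can be checked separately with `openssl verify -CAfile`.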
Prerequisites
The Workflow Signing Script requires OpenSSL to be installed. Technically the openssl command line utility is used.
Download
Find the Workflow Signing Script for download from JS7 - Download.
...
For usage of the Workflow Signing Script see JS7 - PowerShell Examples - Sign-JS7Workflows.ps1
Environment Variables
The following environment variables can be used to provide default values for arguments of the Workflow Signing Script:
- JS7_SIGN_KEYSTORE
  - The environment variable can be used to populate the -Keystore argument from a default value.
- JS7_SIGN_KEY
  - The environment variable can be used to populate the -Key argument from a default value.
- JS7_SIGN_CERT
  - The environment variable can be used to populate the -Cert argument from a default value.
Exit Codes
- 0: success
- 1: argument errors
- 2: non-recoverable errors
...
```powershell
$env:JS7_SIGN_KEY = "/home/sos/signing.key"
$env:JS7_SIGN_CERT = "/home/sos/signing.crt"
./Sign-JS7Workflow.ps1 `
    -Dir ./some/folder `
    -Recurse `
    -Hash sha256

# makes use of environment variables to populate the -Key and -Cert arguments
# signs all *.workflow.json files in the indicated directory and sub-directories recursively
# makes use of the indicated key file that holds the private key and certificate file for code signing
# applies the indicated hash algorithm to signatures
```
Example for Unix
Extracting an Export Archive, Signing all Workflows recursively using a Key File and Certificate File, Creating an Import Archive
```powershell
# navigate to the directory where to extract the export archive file
Set-Location /home/sos/signing

# extract export archive file
tar -xzf /tmp/export_workflows.tar.gz

# alternatively extract .zip archive file
# Expand-Archive -Path /tmp/export_workflows.zip -DestinationPath .

# sign workflow files recursively
./Sign-JS7Workflow.ps1 -Key /home/sos/signing.key -Cert /home/sos/signing.crt -Dir . -Recurse

# compress workflow files and signature files to an import archive file for upload to JOC Cockpit
tar -czf /tmp/import_workflows.tar.gz *
```
Example for Windows
Extracting an Export Archive, Signing all Workflows recursively using a Key File and Certificate File, Creating an Import Archive
...