JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 4

changes.mady.by.user Kanika Agrawal

Saved on

compared with

New Version Current

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Introduction

  • If JOC Cockpit is installed for the high security level then deployment of workflows requires external signing.
    • For the low security level the Private Key of the root account available with the JS7 - Database is used for all users.
    • For the medium security level the user's individual Private Key available with the JS7 database is used.
    • For the high security level signing is performed outside of JOC Cockpit. No Private Keys are stored with JOC Cockpit and the JS7 database.
  • For details see JS7 - Security Architecture.

Users have a choice how to perform signing and deployment of workflows:

Prerequisites

Required: User Signing Certificate

Each user Users with the permission to deploy has workflows have to add his their X.509 signing certificate to JOC Cockpit.Signing Certificate to their profile like this:

Image Modified

Optional: Root CA Certificate

In addition, the X.509 certificate of the Root CA that Certificate which signed the user's signing certificate can be added to JOC Cockpit. There is a single Root CA certificate Certificate for all user profiles.

Image Modified

  • Any user signing certificates have to be published to available with the Controller instances and Agents. Certificates are stored to the in the config/private/trusted-x509-keys folder sub-directory of Controller and Agent installations.
  • If a Root CA certificate Certificate is present in JOC Cockpit , then it is sufficient to add the Root CA certificate Certificate to the the config/private/trusted-x509-keys folder of  sub-directory of Controller and Agent installations.
    • No further user signing certificates have to be added to the Controller instances or Agents as long as the user signing certificates were are created by the given same Root CA.
    • This mechanism implies that any user signing certificate signed by the same Root CA certificate Certificate will be accepted.
    • Users who do not wish to use this implicit mechanism should not add the Root CA certificate Certificate to the Controller instances and Agents but should add individual user signing certificates only.

Deployment Process Overview

  • The user has Users have to export the desired configuration of scheduling objects with the workflows using the Export operation available from the JOC Cockpit's Configuration view.

    • Other deployable objects such as File Order Sources, Job Resources, Notice Boards, Resource Locks etc. do not require signing.
    • Releasable objects that are not digitally signed include Calendars, Schedules, Script Includes, Job Templates etc.
  • Deployment tasks include to:

    • Exporting workflows using

    • export scheduling objects with the checkbox "for Signing" checked to an to a .tar.gz/.zip export archive file (.zip).

    • unpack Extracting the exported export archive file.
      • The export archive contains file includes a meta_inf file and related folders and the configurationsfiles for workflows.
    • Signing the extracted workflow files.
    • sign the configurations and store the signature - base64 encoded - in the Storing the base64 encoded signature file for each workflow file in same folder.
    • Each Note that each signature file has to use the same name as the original configuration workflow with an additional filename file extension.
      • for X.509 RSA/ECDSA signatures signature files use the filename file extension " .pem" or ".sig" respectively.
      • for PGP signatures PGP signature files use the default filename file extension " .asc".
    • pack the archive once again to add signature files and make sure Adding signature files to a .tar.gz/.zip import archive file. This includes that the meta_inf file is still available with in the root top-level folder of the import archive file.
    • upload Uploading the import archive file using the Import And and Deploy button .

Example

Export

...

Signing

...

Image Removed

Signing the configuration

For this example, we use OpenSSL to sign the configuration file:

Code Block
languagebash
openssl dgst -sha256 -sign c:\tmp\sos.private-ec-key.pem -out c:\tmp\example-wf.workflow.json.sha256 c:\tmp\example-wf.workflow.json

...

  • the signer algorithm

...

  • the private key file to sign the content of the original configuration file

...

  • the path to the output file
  • the file contains the binary representation of the signature

...

Code Block
languagebash
openssl base64 -in c:\tmp\example-wf.workflow.json.sha256 -out c:\tmp\example-wf.workflow.json.pem
  • base64
    • OpenSSL switch to encode base64
  • -in c:\tmp\example-wf.workflow.json.sha256
    • the newly created binary signature file
  • -out c:\tmp\example-wf.workflow.json.pem
    • the base64 encoded text signature file according to the JOC Cockpit deployment naming convention

Copy the newly created text signature file to the same folder as the scheduling object file.

Pack the archive once again or add the file to the existing archive.

The exported archive contains the meta_inf file. This file does not have to be signed. Make sure the file is present in the root folder of the target archive.

...

Image Removed

...

    • available from the JOC Cockpit's Configuration view..

Resources