Page History
...
The JS7 - Profiles hold settings that are specific for a user account and that are controlled by the user.
- Profiles include a number of categories such as Preferences, Permissions etc.
- The profile Profile includes settings used for digitally signing objects such as workflows for JS7 - Deployment of Scheduling Objects.
- The underlying security requirements are explained with in the JS7 - Secure Deployment of Scheduling Objects article.
The JS7 - Security Architecture suggest to operate suggests that the JOC Cockpit in is operated with one of the following security levels:
- Security Level Low
- Inventory objects are automatically signed with the private key Private Key that is stored with the
root
account. - Signing is automatically applied when performing the Deploy operation.
- The Profile page for Signature Key Management is available only for user accounts holding the Administrator role only, see JS7 - Authorizationthe user account that is specified as the default profile account in the JS7 - Settings, chapter: JOC Cockpit Settings.
- Inventory objects are automatically signed with the private key Private Key that is stored with the
- Security Level Medium
- Inventory objects are automatically signed with the private key Private Key that is stored with the current user's account.
- Signing is automatically applied when performing the Deploy operation.
- The Profile page for Signature Key Management is available individually for any user accounts account holding a Deploy permission, see JS7 - Default Roles and Permissions.
- Security Level High
- Inventory objects are signed outside of JOC Cockpit.
- As a consequence no A Profile page for Signature Key Management is not available.
The article is intended for an a security-aware audience that is technically familiar with digital key management. JS7 supports both X.509 and PGP certificates, the following descriptions are focused on the use of X.509 Certificates.
Profile Page
The Profile page is accessible from the user menu of an account in the upper right upper hand corner of any JOC Cockpit view:
...
The Profile page offers a number of sub-views. The following section explains describes the Signature Key Management sub-view.
...
The Signature Key Management sub-view offers allows configuration of the following settings:
CA Certificate
- A CA Certificate is required to verify the user account's private key and certificate for digital signing when performing deployments.
- This includes to check that the user account's certificate is signed with the given CA Certificate or a later CA Intermediate Certificate.
- This includes to check expiration dates of certificates.
- If an X.509 CA Certificate (Root CA Certificate or Intermediate CA Certificate) is assigned then the certificate's subject is displayed.
- Operations for CA Certificates include to
- view the CA Certificate by use of the icon,
- update the CA Certificate by use of the icon,
- import the CA Certificate by use of the icon.
View CA Certificate
...
Keys and Certificates
User accounts have to be equipped with a Private Key and Certificate issued for digital signing in order to deploy scheduling objects to Controllers and Agents:
- If a user's Certificate is signed by a Certificate Authority then it is sufficient to rollout the CA Certificate to the Controller and Agent instances to which the user should be entitled to deploy scheduling object such as workflows.
- If a user's Certificate is self-issued then the Certificate has to be rolled out to the Controller and Agent instances to which the user should be entitled to perform deployments.
Users have options about the issuer of Private Keys and Certificates:
- Use of the built-in JS7 Certificate Authority
- The JOC Cockpit provides the option of digitally signing a user account's public key from its built-in CA, see JS7 - Certificate Authority
- Users can generate a Private/Public Key pair and make the JS7 Certificate Authority sign their Public Key to a Certificate in a single operation.
- Use of an external Certificate Authority
- If an external CA is to be used then users have to create a Certificate Signing Request (CSR) outside of the JOC Cockpit and make their external CA sign this request. The resulting certificate can be added to the user's Profile in JOC Cockpit. For details see JS7 - How to create X.509 Signing Certificates.
Update CA Certificate
...
Import CA Certificate
...
Keys and Certificates
User accounts have to be equipped with a private key and certificate created for digital signing.
- JOC Cockpit does not offer to sign a user account's certificate for digital signing.
- For good reasons JOC Cockpit does not implement a CA for digital signatures.
- Instead, the user's CA should be consulted to sign a respective Certificate Signing Request. The resulting certificate can be added with JOC Cockpit.
- If users do not operate a CA or do not dispose of certificates then they can continue to use the default private key Private Key and certificate Certificate that ship with the JOC Cockpit.
- In this situation by default only the
root
account only can be used to deploy scheduling objects such as workflows which suggests to operate operating the JOC Cockpit for Security Level Low as theroot
account's key Private Key and certificate Certificate will be used for deployment signing deployments by any users user accounts. - For a The Security Level Medium each means that each user account has to be equipped with a key Private Key and certificateCertificate.
- In this situation by default only the
Operations for the user account's
...
Private Key and
...
Certificate include
...
:
- view viewing the private key and certificate by use of the Private Key and Certificate using the icon,update
- updating the private key and certificate by use of Private Key and Certificate using the icon,import the private key by use of
- importing the Private Key using the icon,
- generate the private key by use of generating the Private Key using the icon.
View Key and Certificate
The user account's private key Private Key and certificate Certificate for digital signing is displayed like this:
...
Update Key and Certificate
A user account's private key and certificate Private Key and Certificate can be created by an external CA and can be updated by pasting from the clipboard like this:
...
Import Key
A user account's private key Private Key can be created by externally and can be imported from a file like this:
Consider Note that an X.509 certificate Certificate matching the user account's private key Private Key has to be signed by a CA and has to be added by use of the using the Update Key and Certificate operation as explained above.
Generate Key
A user account's private key Private Key and optionally the Certificate can be generated like this:
Consider
Use of Key Algorithms
- When choosing Key Algorithm
PGP
orRSA
then only a Private Key will be created.Note that an X.509
...
Certificate matching the user account's
...
Public Key is signed by
...
an external CA and has to be added by
...
using the Update Key and Certificate operation as explained above.
- When choosing Key Algorithm
ECDSA
then a Private Key is created and a CA-signed Certificate is created if the JS7 Certificate Authority is in use.