Page History
Table of Contents |
---|
Configuring the JOC Cockpit
Consider Note that it is not required necessary to configure the JOC Cockpit - it runs out-of-the-box. The default configuration includes that:
- specifies HTTP connections which are used that to expose unencrypted communication between clients and the JOC Cockpit. Authentication is performed by hashed passwords.
Users who intend to operate a compliant and secure job scheduling environment should consider the information provided below explanations forcovering:
- HTTPS connections that encrypt communication between clients, e.g. user browsers, and the JOC Cockpit. In addition, consider refer to the JOC Cockpit - Two-factor Authentication article.
- HTTPS connections between JOC Cockpit and Controller instances for mutual authentication.
Security: Use with HTTPS Connections
The By default, the JOC Cockpit by default is prepared configured for connections using the HTTP and the HTTPS protocols. There HTTPS connections are two purposes for use of HTTPS connectionsused in two ways:
- The JOC Cockpit is accessed by clients using the HTTPS protocol.
- The JOC Cockpit connects to the Controller using the HTTPS protocol with mutual authentication.
...
Note that the following prerequisites have to be fulfilled before order activating HTTPS:
Info | ||
---|---|---|
| ||
If you are new to certificate management or are looking for a solution that works out-of-the-box then you can use the configuration from the attached archives:
|
Provide Keystore, Truststore and Configuration
Connections to JOC Cockpit instances are established from a client, e.g. a user browser. If the HTTPS protocol is used then consider note that clients have to hold the server certificate in their truststore. For CA signed server certificates, clients can use the root CA certificate or intermediate CA certificate that signed the server certificate.
- The JOC Cockpit instance's private key has to be created for Server Authentication key usage. If the Controller instance is configured for mutual authentication then the Client Authentication extended key usage has to be available from the JOC Cockpit instance's private key.
- The JOC Cockpit instance is provided with:
- a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
- a truststore that holds the certificate chain - consisting of Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller's certificate.
- Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
- Keystore:
- Windows:
C:\ProgramData\sos-berlin.com\js7\joc\resources\joc\https-keystore.p12
- Unix:
/var/sos-berlin.com/js7/joc/resources/joc/https-keystore.p12
- Windows:
- Truststore:
- Windows:
C:\ProgramData\sos-berlin.com\js7\joc\resources\joc\https-truststore.p12
- Unix:
/var/sos-berlin.com/js7/joc/resources/joc/https-truststore.p12
- Windows:
- Keystore:
The default configuration of JOC Cockpit ships with the above keystore and truststore files. Users can add their private keys and certificates to the respective relevant keystore/truststore. The corresponding configuration items are in place by default.
JOC Cockpit Keystore and Truststore for Client Connections
The JOC Cockpit instance's
start.ini
configuration file by default holds the following configuration items. For details see see the JS7 - JOC Cockpit Configuration Items article.Code Block language bash title JOC Cockpit Configuration for Keystore and Truststore Locations with HTTPS Client Connections linenumbers true ## Keystore file path (relative to $jetty.base) jetty.sslContext.keyStorePath=resources/joc/https-keystore.p12 ## Truststore file path (relative to $jetty.base) jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12 ## Keystore password jetty.sslContext.keyStorePassword=jobscheduler ## KeyManager password (same as keystore password for pkcs12 keystore type) jetty.sslContext.keyManagerPassword=jobscheduler ## Truststore password jetty.sslContext.trustStorePassword=jobscheduler ## Connector port to listen on jetty.ssl.port=4443
- Keystore and truststore locations:
- The above configuration items listed above specify the locations of the keystore and the truststore.
- Consider the optional use of a key password and store password for keystores and the use of a store password for truststores.
JOC Cockpit Keystore and Truststore for Controller Connections
The JOC Cockpit instance's
joc.properties
configuration file by default holds the following configuration items. For details see see the JS7 - JOC Cockpit Configuration Items article.Code Block language bash title JOC Cockpit Configuration for Controller HTTPS Connections linenumbers true ################################################################################ ### Location, type and password of the Java truststore which contains the ### certificates of each JS7 Controller for HTTPS connections. Path can be ### absolute or relative to this file. keystore_path = ../../resources/joc/https-keystore.p12 keystore_type = PKCS12 keystore_password = jobscheduler key_password = jobscheduler truststore_path = ../../resources/joc/https-truststore.p12 truststore_type = PKCS12 truststore_password = jobscheduler
- This setting specifies the location of the keystore and truststore.
Run JOC Cockpit Container for HTTPS Connections
The following additional arguments are required for HTTPS connections:
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
#!/bin/sh docker run -dit --rm \ ... --publish=17443:4443 \ --env="RUN_JS_HTTPS_PORT=4443" \ ... |
ExplanationsExplanation:
--publish
The JOC Cockpit image is prepared configured to accept HTTPS requests on port4443
. If the JOC Cockpit instance is not operated in a Docker container network then an outside port of the Docker container's host has to be mapped to the inside HTTPS port4443
. The same port has to be assigned theRUN_JS_HTTPS_PORT
environment variable.--env=RUN_JS_HTTPS_PORT
The port assigned this environment variable is the same as the inside HTTPS port specified with the--publish
option.
...
- When using HTTPS connections then , consider to drop dropping the HTTP port of the JOC Cockpit instance by omitting the following from the settings listed above settings:
--publish=17446:4446
This mapping should be dropped in order to prevent incoming traffic to the JOC Cockpit instance's HTTP port.
High Availability:
...
Operating a Cluster
JOC Cockpit can be operated as a passive cluster for high availability.
- Consider Note that the clustering operational feature of clustering is subject to to the JS7 - LicensingLicense. Without a license:
- no fail-over/switch-over will not take place between JOC Cockpit cluster members.
- you have to (re)start a Secondary JOC Cockpit instance if you want this instance to become active after the Primary JOC Cockpit instance is has shutdown or becomes become unavailable.
- The installation of JOC Cockpit cluster members is the same as explained with the JS7 - JOC Cockpit Installation for Docker Containersarticle.
- Both Primary and Secondary JOC Cockpit containers can be started from the same image.
- Both JOC Cockpit instances will become visible with each instance's Dashboard View.
...
- Navigate to the
config
volume that is mounted from the JOC Cockpit container as indicated with the JS7 - JOC Cockpit Installation for Docker Containers article. The volume is mounted to the
/var/sos-berlin.com/js7/joc/resources/joc
directory and includes the filejoc.properties
:Code Block language bash title JOC Cockpit Dashboard configuration with joc.properties linenumbers true ################################################################################ ### If JOC Cockpit is used in a cluster then type a title to identify which node ### is currently used. Further type an ordering (Primary <= 0, Standby > 0) for ### the display order in JOC's dashboard title = PRIMARY JOC COCKPIT ordering = 0
- Modify the title of the JOC Cockpit instance at your willas you require.
- Adjust the ordering, i.e. the sequence of JOC Cockpit instances displayed with in the Dashboard View from left to right starting by with 0.