...

  • On the Controller instance's server create the keystore using openssl and the keytool from your Java JRE or JDK or a 3rd-party utility.
    • For use with a 3rd-party utility create a keystore, e.g. https-keystore.p12, in PKCS12 format and import:
      • Controller Private Key and Certificate for Server Authentication
    • For use with openssl and keytool create the keystore with the Private Key and Certificate for Server Authentication from the command line. The examples below show a possible approach for certificate management - however, there are other ways of achieving similar results.
      • Example for importing a Private Key and CA-signed Certificate to a PKCS12 keystore:

        # Assume the fully qualified domain name (FQDN) of the Controller server to be "controller.example.com"
        
        # If the Controller's CA-signed Certificate is provided from a pkcs12 keystore (certificate.p12), extract the Certificate to a .crt file in PEM format (controller.example.com.crt)
        # openssl pkcs12 -in certificate.p12 -nokeys -out controller.example.com.crt
        
        # Import the Controller's Private Key (controller.example.com.key) and Certificate (controller.example.com.crt) from PEM format to a new keystore (https-keystore.p12)
        openssl pkcs12 -export -in controller.example.com.crt -inkey controller.example.com.key -name controller.example.com -out "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12"
      • Example for creating a Private Key and CA-signed Certificate and importing them to a keystore:

        • Refer to examples available from JS7 - How to create X.509 SSL TLS Certificates, chapter Creating SSL/TLS Server Certificates.

          Example how to create a Private Key and CA-signed Certificate
          # Creating the Private Key and CA-signed Certificate for the given validity period
          ./create_server_certificate.sh --dns=controller.example.com --days=365
        • Refer to examples available from JS7 - How to add SSL TLS Certificates to Keystore and Truststore.

          Example how to add a Private Key and CA-signed Certificate to a PKCS12 keystore
          # Adding the Private Key and Certificate to a keystore
          ./js7_create_certificate_store.sh \
              --keystore=JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12 \
              --key=controller.example.com.key \
              --cert=controller.example.com.crt \
              --alias=controller.example.com \
              --password="jobscheduler"


          When additional arguments for creating a truststore are used, the truststore is available for the later step 4:

          Example how to add a Private Key and CA-signed Certificate to a PKCS12 keystore and the Root CA Certificate to a truststore
          # Adding the Private Key and Certificate to a keystore and Root CA Certificate to a truststore
          ./js7_create_certificate_store.sh \
              --keystore=JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12 \
              --truststore=JS7_CONTROLLER_CONFIG_DIR/private/https-truststore.p12 \
              --key=controller.example.com.key \
              --cert=controller.example.com.crt \
              --alias=controller.example.com \
              --password="jobscheduler" \
              --ca-root=root-ca.crt
    • With the keystore being set up, specify the relevant properties with the JS7_CONTROLLER_CONFIG_DIR/private/private.conf configuration file:
      • Example

        Example for private.conf file specifying the Controller keystore
        js7 {
            web {
                # keystore location for https connections
                https {
                    keystore {
                        # Default: ${js7.config-directory}"/private/https-keystore.p12"
                        file=${js7.config-directory}"/private/https-keystore.p12"
                        key-password="jobscheduler"
                        store-password="jobscheduler"
                    }
                }
            }
        }


        Explanation:
        • js7.web.https.keystore.file is used for the path to the keystore.
        • js7.web.https.keystore.key-password is used for access to the Private Key.
        • js7.web.https.keystore.store-password is used for access to the keystore. Passwords for Private Key and keystore have to match when using PKCS12 keystores.

  • On the Controller instance's server create the truststore using the keytool from your Java JRE or JDK or a 3rd-party utility.
    • For use with a 3rd-party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
      • Root CA Certificate
    • The examples below show a possible approach for certificate management - however, there are other ways of achieving similar results.
      • Example for importing a Root CA Certificate to a PKCS12 truststore:

        # Import Root CA Certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
        keytool -importcert -alias "root-ca" -file "root-ca.crt" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-truststore.p12" -storetype PKCS12
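
A check that can be run once the keystore and truststore steps above are done, as an added example that is not part of the JS7 documentation or scripts: it confirms that https-keystore.p12 opens with the password, that the Private Key matches the Certificate, that the Certificate was issued by the Root CA imported to the truststore, and that it covers the Controller's FQDN. The names check_keystore, make_demo_pki and KS_PASS are hypothetical; make_demo_pki only builds constructed throwaway sample input.

```shell
# Added example, not JS7 code. check_keystore and make_demo_pki are hypothetical helpers.
# The password is read from the KS_PASS environment variable so that it does not
# appear in the process list.

# check_keystore <keystore.p12> <fqdn> <root-ca.crt>; returns 0 if all checks pass.
check_keystore() {
    local p12="$1" fqdn="$2" ca="$3" cert cert_pub key_pub
    # 1. The store opens with the password (PKCS12: key and store password are the same)
    cert=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS -nokeys -clcerts 2>/dev/null) ||
        { echo "FAIL: cannot open keystore $p12"; return 1; }
    # 2. Private Key and Certificate belong together (identical public key)
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match certificate"; return 2; }
    # 3. The Certificate chains to the Root CA that goes into the truststore
    printf '%s\n' "$cert" | openssl verify -CAfile "$ca" >/dev/null 2>&1 ||
        { echo "FAIL: certificate not issued by $ca"; return 3; }
    # 4. The Certificate is valid for the Controller's FQDN
    printf '%s\n' "$cert" | openssl x509 -noout -checkhost "$fqdn" | grep -q "does match" ||
        { echo "FAIL: certificate does not cover $fqdn"; return 4; }
    echo "OK: $p12"
}

# Constructed sample input: throwaway Root CA, server Certificate and keystore for
# controller.example.com, written to directory $1 (keystore password from KS_PASS).
make_demo_pki() {
    local d="$1"
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
    printf 'subjectAltName=DNS:controller.example.com\n' > "$d/san.ext"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root-ca.key" -out "$d/root-ca.crt" 2>/dev/null &&
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=controller.example.com" \
        -keyout "$d/controller.example.com.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/root-ca.crt" -CAkey "$d/root-ca.key" -CAcreateserial \
        -days 1 -extfile "$d/san.ext" -out "$d/controller.example.com.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$d/controller.example.com.crt" -inkey "$d/controller.example.com.key" \
        -name controller.example.com -passout env:KS_PASS -out "$d/https-keystore.p12"
}

# Usage with the demo input:
#   export KS_PASS=...; d=$(mktemp -d); make_demo_pki "$d"
#   check_keystore "$d/https-keystore.p12" controller.example.com "$d/root-ca.crt"
```

For a real keystore, export KS_PASS with the store-password from private.conf and pass the Root CA Certificate file that was imported to https-truststore.p12.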

...

  • A restart of the relevant product is required to apply changes to either the Controller JS7_CONFIG_DIR/private/private.conf file or to JOC Cockpit configuration files.

...

Resources

...