Introduction

The Certificate Authority available from JOC Cockpit provides the following functions:

  • creating a Root CA Private Key and Certificate and issuing the self-signed Root CA Certificate,
    • The Root CA Private Key and Certificate are stored in the JS7 - Database.
  • creating the Private Keys and Certificates for each Controller and Agent instance and signing the Certificates with the Root CA,
    • The Private Keys and Certificates are not stored in the JS7 database. Instead, they are requested by Controller and Agent instances, are created on-the-fly and are forwarded to the requester.
  • creating the security tokens that allow Controller instances and Agents to authenticate their request for a Private Key and Certificate.

Certificate Management includes performing the following steps:

  • managing the Root CA Private Key and Certificate with JOC Cockpit,
  • creating security tokens for Controller and Agent instances with JOC Cockpit,
  • requesting Private Keys and Certificates to be created on-the-fly by Controller and Agent instances.

...

To set up the Certificate Authority (CA), a Root CA Private Key and self-signed Certificate have to be created in an initial step.

The JS7 - Profiles - SSL Key Management sub-view of the JS7 - Profiles can be accessed by user accounts that are assigned the administrator role. To be more precise, this sub-view is available to user accounts that are assigned the sos:products:joc:adminstration:manage role (see JS7 - Default Roles and Permissions for more information).

Explanation:

  • Operations offered from this sub-view include:
    • generating the Root CA Private Key and Certificate and issuing the self-signed Certificate,
    • importing and updating a Private Key and CA-signed Certificate which have been generated by an external Certificate Authority.
  • Note that updates to the Root CA Private Key and Certificate require new Private Keys and Certificates to be created for Controller instances and Agents.
    • Existing Private Keys and Certificates remain in place with Controllers and Agents. They continue to work, but they can no longer be verified against the updated Root CA Certificate.
    • It is therefore recommended that new Private Keys and Certificates are created and rolled out within a foreseeable time.
  • JOC Cockpit supports ECDSA key algorithms only, as RSA key algorithms are not considered secure for the future.

If the Root CA Private Key and Certificate are to be generated by JOC Cockpit, the following popup window appears:

The requested Distinguished Name (DN) is a unique identifier for the certificate.

  • The DN can include any of the allowed attributes.
  • The DN has to include the CN attribute.
  • Example:
    • CN=JS7 Root CA, OU=IT Operations, O=SOS, L=Berlin, ST=Berlin, C=DE

For details see the JS7 - Profiles - SSL Key Management article.

Manage Private Keys and Certificates for Controllers and Agents

For security reasons the Private Keys and Certificates of Controllers and Agents are not stored with JOC Cockpit. Instead, the Start Script that ships with each Controller and Agent instance invokes the Certificate Rollout Client, which requests that they are created. The Certificate Rollout Client:

  • does not require user/password authentication with JOC Cockpit, but is started with a security token that authenticates the client.
  • requests that JOC Cockpit creates a Private Key and Certificate on-the-fly, which are returned to the client in response to its request.
  • adds the Private Key to the Controller or Agent instance's keystore and adds the Certificate to the respective truststore.
  • updates the Controller or Agent instance's configuration to use the updated keystore and truststore.

As a result the Controller or Agent instance is equipped with a TLS/SSL Certificate and is ready to accept HTTPS connections.
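The Root CA setup described above (ECDSA keys only, a DN that has to include CN) and the per-instance Private Key and Certificate that the Certificate Rollout Client installs into a keystore and truststore, reproduced with openssl as an added example. This is not JS7's own code and not the Certificate Rollout Client: it assumes openssl 1.1.1 or later on the path, and the working directory, file names, DN values, the host name agent-1.example.com and the store password are constructed for the example. It also shows what a Root CA rotation does to an existing instance Certificate. Putting the instance key and chain into the keystore and the Root CA Certificate into the truststore is how this example packages them; what the Certificate Rollout Client writes is described in the JS7 - Certificate Authority - Rollout Certificates for HTTPS Connections article.

```shell
#!/bin/sh
# Added example, not JS7 code: reproduces with openssl what the page describes.
# It creates an ECDSA Root CA, issues an instance key and certificate signed by
# the Root CA, checks the DN rules, shows what a Root CA rotation does to existing
# certificates, and packages the result as PKCS12 keystore and truststore files.
# Directory, file names, DN values, the host name agent-1.example.com and the
# store password are constructed for this example.
set -eu

WORK=${WORK:-$(mktemp -d)}
STOREPASS=${STOREPASS:-changeit}

# Own openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused, the subject is passed with -subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# The page writes DNs in RFC 2253 order ("CN=..., OU=..., C=DE"); openssl's -subj
# expects the reverse order "/C=DE/OU=.../CN=...". Attribute values must not contain commas.
dn_to_subj() {
    printf '%s\n' "$1" | awk -F', *' '{ s = ""; for (i = NF; i >= 1; i--) s = s "/" $i; print s }'
}

# The DN has to include the CN attribute.
dn_has_cn() {
    printf '%s\n' "$1" | grep -Eq '(^|, *)CN='
}

# Root CA: ECDSA P-256 key plus self-signed certificate. $1 = file prefix, $2 = DN.
gen_root() {
    dn_has_cn "$2" || { echo "DN must include CN: $2" >&2; return 1; }
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -x509 -new -sha256 -days 3650 -config "$WORK/openssl.cnf" -extensions v3_ca \
        -key "$WORK/$1.key" -subj "$(dn_to_subj "$2")" -out "$WORK/$1.crt"
}

# Instance key and certificate signed by the Root CA. $1 = CA prefix, $2 = instance
# prefix, $3 = DN, $4 = host name placed in subjectAltName (what HTTPS clients check).
issue_instance() {
    dn_has_cn "$3" || { echo "DN must include CN: $3" >&2; return 1; }
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$2.key"
    openssl req -new -sha256 -config "$WORK/openssl.cnf" -key "$WORK/$2.key" \
        -subj "$(dn_to_subj "$3")" -out "$WORK/$2.csr"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$WORK/$2.ext"
    printf 'extendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' "$4" >> "$WORK/$2.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -extfile "$WORK/$2.ext" -out "$WORK/$2.crt"
}

# Subject of a certificate in the RFC 2253 form the page uses. $1 = file prefix.
subject_dn() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Exit status 0 if Root CA $1 verifies certificate $2, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Keystore: instance private key + certificate chain. Truststore: Root CA certificate.
# $1 = CA prefix, $2 = instance prefix.
build_stores() {
    openssl pkcs12 -export -name "$2" -inkey "$WORK/$2.key" -in "$WORK/$2.crt" \
        -certfile "$WORK/$1.crt" -passout "pass:$STOREPASS" -out "$WORK/$2-keystore.p12"
    openssl pkcs12 -export -nokeys -name "$1" -in "$WORK/$1.crt" \
        -passout "pass:$STOREPASS" -out "$WORK/$2-truststore.p12"
}

# Number of certificates in a PKCS12 file. $1 = file name inside $WORK.
count_store_certs() {
    openssl pkcs12 -in "$WORK/$1" -nokeys -passin "pass:$STOREPASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

if command -v openssl >/dev/null 2>&1; then
    ROOT_DN='CN=JS7 Root CA, OU=IT Operations, O=SOS, L=Berlin, ST=Berlin, C=DE'
    gen_root root "$ROOT_DN"
    issue_instance root agent 'CN=agent-1.example.com, OU=IT Operations, O=SOS, C=DE' agent-1.example.com
    echo "root subject:  $(subject_dn root)"
    echo "agent subject: $(subject_dn agent)"
    verify_chain root agent && echo "agent certificate verifies against the Root CA"
    # Rotating the Root CA: the existing instance certificate remains a valid file,
    # but it no longer verifies against the new Root CA and has to be reissued.
    gen_root root-new "$ROOT_DN"
    verify_chain root-new agent || echo "agent certificate does not verify against the new Root CA"
    build_stores root agent
    echo "keystore certs: $(count_store_certs agent-keystore.p12), truststore certs: $(count_store_certs agent-truststore.p12)"
    echo "files in $WORK"
else
    echo "openssl not found, nothing generated" >&2
fi
```

The files land in a fresh temporary directory (override with WORK=...). The DN conversion matters in practice: the comma form used by JOC Cockpit and Java stores the last RDN first in the certificate, so passing the page's example DN unchanged to openssl -subj would produce a subject with the attributes in the opposite order.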

The User->Manage Controllers/Agents menu of JOC Cockpit is used to create security tokens for individual Controller and Agent instances:

  • Users can use the Controller's action menu to create one-time security tokens for Controller instances.
  • Users can select one or more Agents to create one-time security tokens per Agent, then use the Create one-time Token button.
  • After selection of the Controller or Agents a popup window is displayed that asks for the lifetime of the token.

Explanation:

  • The security token is valid until its lifetime expires.
    • It is recommended that short lifetimes such as 30 minutes are used, which are sufficient to perform the steps for rollout of certificates to the respective Controller and Agents.
    • The lifetime is specified for a given time zone, as the time zone of the user's browser and the time zone of the server operating a Controller instance or an Agent might differ.
  • Security tokens become invalid after one-time use. Cleanup of expired security tokens is performed automatically by JOC Cockpit.
  • Security tokens are displayed in the user interface once they have been generated.


Explanation:

  • The expiration date and a key symbol are displayed for each Agent for which a security token has been created:
    • clicking the key symbol causes the security token to be displayed,
    • the security token is displayed along with a button to copy its value to the user's clipboard.
  • Once the security token has been copied to the clipboard, a session (SSH, RDP) to the server that hosts the Controller instance or Agent should be established and the steps described in the JS7 - Certificate Authority - Rollout Certificates for HTTPS Connections article performed, which require the security token to be specified for authentication with JOC Cockpit.