Introduction

For JS7 - Automated Deployment On Premises, use of a Deployment Area is recommended.

...

  • to hold the script environment for JS7 - Automated Installation and Update and for JS7 - Deployment Packaging,
  • to hold the configuration files and optionally certificates for deployment of JS7 products,
  • to hold the JS7 installations per JS7 release and product such as JOC Cockpit, Controller, Agent,
  • to hold the archive of Deployment Packages per JS7 release and target host,

...

  • how to set up a Certificate Authority (CA) to create self-signed certificates,
  • how to make CA-signed and self-signed certificates available for keystores and truststores used by JS7 products.

Creating the Root Certificate Authority

...

  • When the script is executed, it prompts for a number of options. Find more details about use of the script in the JS7 - How to create self-signed X.509 SSL TLS Certificates article.
  • The following files will be created:
    • ./ca/private/root-ca.key: This file holds the Root CA private key.
    • ./ca/certs/root-ca.crt: This file holds the Root CA Certificate.

...

Certificates can be created individually and they can be created from scripts that generate certificates for all JS7 products involved in a scheduling environment.

...

The steps to create individual Server/Client Authentication certificates are explained in the JS7 - How to create self-signed X.509 SSL TLS Certificates article.

Creating Certificates by Bulk Operations

Certificates can be created in a single step for all JS7 products involved in a scheduling environment.

  • This procedure is recommended, for example to manage certificate renewal for the scheduling environment.
  • Technically, bulk operations are based on individual scripts that specify which JS7 products should be equipped with certificates.
  • Bulk operations include the following steps:

...

Example of how to create certificates for deployment:

#!/bin/sh

set -e

SCRIPT_HOME=$(cd "$(dirname "$0")" >/dev/null && pwd)

DEP_CA=${DEP_CA:-$(dirname "${SCRIPT_HOME}")/ca}
DEP_BIN=${DEP_BIN:-$(dirname "${SCRIPT_HOME}")/bin}
DEP_CONFIG=${DEP_CONFIG:-$(dirname "${SCRIPT_HOME}")/config}

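# Create a certificate for a host and build its keystore and truststore.
#   $1: name of the host the certificate is created for
#   $2: directory that receives the certificate and the .p12 stores
create_self_signed_certs()
{
  server=$1
  config=$2

  # create a certificate valid for 365 days with <host> and <host>.sos as DNS names
  "${DEP_CA}/create_certificate.sh" --dns="${server},${server}.sos" --days=365

  if [ ! -d "${config}" ]
  then
      mkdir -p "${config}"
  fi

  cp "${DEP_CA}/certs/${server}.crt" "${config}/"

  # --password is the example value used on this page; set your own per environment
  "${DEP_BIN}/js7_create_certificate_store.sh" \
    --keystore="${config}/https-keystore.p12" \
    --truststore="${config}/https-truststore.p12" \
    --key="${DEP_CA}/private/${server}.key" \
    --cert="${DEP_CA}/certs/${server}.crt" \
    --alias="${server}" \
    --password=jobscheduler \
    --ca-root="${DEP_CA}/certs/root-ca.crt" \
    --chain \
    --make-dirs
}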


# Function               Host                 Location
create_self_signed_certs centostest-primary   "${DEP_CONFIG}/agents/instances/agent_001/config/private"
create_self_signed_certs centostest-secondary "${DEP_CONFIG}/agents/instances/agent_002/config/private"

create_self_signed_certs centostest-primary   "${DEP_CONFIG}/controllers/instances/standalone/config/private"
create_self_signed_certs centostest-primary   "${DEP_CONFIG}/controllers/instances/cluster.primary/config/private"
create_self_signed_certs centostest-secondary "${DEP_CONFIG}/controllers/instances/cluster.secondary/config/private"

create_self_signed_certs centostest-primary   "${DEP_CONFIG}/joc/instances/standalone/resources"
create_self_signed_certs centostest-primary   "${DEP_CONFIG}/joc/instances/cluster.primary/resources"
create_self_signed_certs centostest-secondary "${DEP_CONFIG}/joc/instances/cluster.secondary/resources"


Explanation:

  • The script makes use of the create_self_signed_certs() function that is repeatedly executed.
  • The function is parameterized by
    • the name of the host (centostest-primary, centostest-secondary) for which the certificate is created,
    • the location in which the certificate should be stored.
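
The bulk script above writes keystores under the example password, so file modes are what actually protect the private keys in the Deployment Area. The following check is an added example, not part of the JS7 scripts: it lists and tightens key files that group or other can access. The function names and the constructed sample area are assumptions; the paths follow the layout shown on this page.

```shell
#!/bin/sh
# Added example: audit a Deployment Area for key material accessible by group/other.
# Assumed layout (taken from the page): <area>/ca/private/*.key and
# <area>/config/.../https-keystore.p12. All function names are hypothetical.

# Print each private key or keystore below $1 that group or other can access.
find_exposed_keys()
{
  area=$1
  for dir in "${area}/ca/private" "${area}/config"
  do
    [ -d "${dir}" ] || continue
    # POSIX find: "-perm -NNN" matches when all listed bits are set,
    # so each group/other bit is tested separately and OR-ed.
    find "${dir}" -type f \( -name '*.key' -o -name '*keystore.p12' \) \
      \( -perm -040 -o -perm -020 -o -perm -010 \
         -o -perm -004 -o -perm -002 -o -perm -001 \) -print
  done
}

# Restrict every file reported by find_exposed_keys to owner read/write.
harden_keys()
{
  find_exposed_keys "$1" | while IFS= read -r file
  do
    chmod 600 "${file}"
  done
}

# Constructed sample area with empty placeholder files (no real key material).
make_sample_area()
{
  sample=$(mktemp -d)
  inst="${sample}/config/agents/instances/agent_001/config/private"
  mkdir -p "${sample}/ca/private" "${sample}/ca/certs" "${inst}"
  : > "${sample}/ca/private/root-ca.key"
  : > "${sample}/ca/certs/root-ca.crt"
  : > "${inst}/https-keystore.p12"
  : > "${inst}/https-truststore.p12"
  chmod 600 "${sample}/ca/private/root-ca.key"
  chmod 644 "${sample}/ca/certs/root-ca.crt" \
            "${inst}/https-keystore.p12" "${inst}/https-truststore.p12"
  echo "${sample}"
}
```

Certificates and truststores hold public material only and are deliberately left out of the check.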

...