Configuring the JOC Cockpit
Note that it is not necessary to configure the JOC Cockpit - it runs out-of-the-box. The default configuration:
...
- HTTPS connections that encrypt communication between clients, e.g. user browsers, and the JOC Cockpit. In addition, refer to the JOC Cockpit - Two-factor Authentication article.
- HTTPS connections between JOC Cockpit and Controller instances for mutual authentication.
Security: Use with HTTPS Connections
By default, the JOC Cockpit is configured for connections using the HTTP and the HTTPS protocols. HTTPS connections are used in two ways:
...
Info: If you are new to certificate management or are looking for a solution that works out-of-the-box then you can use the configuration from the attached archives:
Provide Keystore, Truststore and Configuration
Connections to JOC Cockpit instances are established from a client, e.g. a user browser. If the HTTPS protocol is used then note that clients have to hold the server certificate in their truststore. For CA signed server certificates, clients can use the root CA certificate or intermediate CA certificate that signed the server certificate.
...
The default configuration of JOC Cockpit ships with the above keystore and truststore files. Users can add their private keys and certificates to the relevant keystore/truststore. The corresponding configuration items are in place by default.
JOC Cockpit Keystore and Truststore for Client Connections
The JOC Cockpit instance's start.ini configuration file by default holds the following configuration items. For details see the JS7 - JOC Cockpit Configuration Items article.

JOC Cockpit Configuration for Keystore and Truststore Locations with HTTPS Client Connections

```properties
## Keystore file path (relative to $jetty.base)
jetty.sslContext.keyStorePath=resources/joc/https-keystore.p12
## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
## Keystore password
jetty.sslContext.keyStorePassword=jobscheduler
## KeyManager password (same as keystore password for pkcs12 keystore type)
jetty.sslContext.keyManagerPassword=jobscheduler
## Truststore password
jetty.sslContext.trustStorePassword=jobscheduler
## Connector port to listen on
jetty.ssl.port=4443
```

- Keystore and truststore locations:
- The configuration items listed above specify the locations of the keystore and the truststore.
- Consider the optional use of a key password and store password for keystores and the use of a store password for truststores.
JOC Cockpit Keystore and Truststore for Controller Connections
The JOC Cockpit instance's joc.properties configuration file by default holds the following configuration items. For details see the JS7 - JOC Cockpit Configuration Items article.

JOC Cockpit Configuration for Controller HTTPS Connections

```properties
################################################################################
### Location, type and password of the Java truststore which contains the
### certificates of each JS7 Controller for HTTPS connections. Path can be
### absolute or relative to this file.
keystore_path = ../../resources/joc/https-keystore.p12
keystore_type = PKCS12
keystore_password = jobscheduler
key_password = jobscheduler
truststore_path = ../../resources/joc/https-truststore.p12
truststore_type = PKCS12
truststore_password = jobscheduler
```

- This setting specifies the location of the keystore and truststore.
Run JOC Cockpit Container for HTTPS Connections
The following additional arguments are required for HTTPS connections:
...
- --publish: The JOC Cockpit image is configured to accept HTTPS requests on port 4443. If the JOC Cockpit instance is not operated in a Docker container network then an outside port of the Docker container's host has to be mapped to the inside HTTPS port 4443. The same port has to be assigned the RUN_JS_HTTPS_PORT environment variable.
- --env=RUN_JS_HTTPS_PORT: The port assigned this environment variable is the same as the inside HTTPS port specified with the --publish option.
...
- When using HTTPS connections, consider dropping the HTTP port of the JOC Cockpit instance by omitting the following from the settings listed above:
--publish=17446:4446
This mapping should be dropped in order to prevent incoming traffic to the JOC Cockpit instance's HTTP port.
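
The following added example (not part of the original page or of the JS7 project) audits the settings described above: it flags password items in start.ini and joc.properties that still carry the shipped value jobscheduler, and any --publish mapping to the HTTP port 4446. The sample file contents, the replacement passwords and the host port 17443 are constructed for illustration.

```python
import re

SHIPPED_PASSWORD = "jobscheduler"  # value in the default files shown on this page
HTTP_INSIDE_PORT = "4446"          # inside port of --publish=17446:4446

# Constructed samples: start.ini left at its defaults, joc.properties partly
# changed, and container arguments (host port 17443 is an assumption).
START_INI = """\
## Keystore password
jetty.sslContext.keyStorePassword=jobscheduler
jetty.sslContext.keyManagerPassword=jobscheduler
jetty.sslContext.trustStorePassword=jobscheduler
jetty.ssl.port=4443
"""
JOC_PROPERTIES = """\
### constructed: two passwords replaced, one left at the shipped value
keystore_password = constructed-secret-1
key_password = jobscheduler
truststore_password = constructed-secret-2
"""
DOCKER_ARGS = ["--publish=17446:4446", "--publish=17443:4443",
               "--env=RUN_JS_HTTPS_PORT=4443"]

def parse_properties(text):
    """Parse 'key=value' and 'key = value' lines, skipping '#' comments."""
    items = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            items[key.strip()] = value.strip()
    return items

def audit_passwords(name, text):
    """Return one finding per password item still set to the shipped value."""
    return [f"{name}: {key} still set to the shipped password"
            for key, value in parse_properties(text).items()
            if "password" in key.lower() and value == SHIPPED_PASSWORD]

def audit_publish(docker_args):
    """Return one finding per --publish mapping that exposes the HTTP port."""
    findings = []
    for arg in docker_args:
        m = re.fullmatch(r"--publish=(?:[^:]+:)?(\d+):(\d+)", arg)
        if m and m.group(2) == HTTP_INSIDE_PORT:
            findings.append(f"docker: host port {m.group(1)} is published "
                            f"to HTTP port {HTTP_INSIDE_PORT}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_passwords("start.ini", START_INI)
                    + audit_passwords("joc.properties", JOC_PROPERTIES)
                    + audit_publish(DOCKER_ARGS)))
```
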
High Availability: Operating a Cluster
JOC Cockpit can be operated as a passive cluster for high availability.
...