Page History
...
- If X.509 private keys are used for the signing of objects then the Root CA Certificate or Intermediate CA Certificate that was used to sign the relevant private key has to be in place with the Controller.
- If PGP private keys are used for the signing of objects then the public key matching the signing key has to be in place with the Controller.
- The Controller expects certificates/public keys in the following locations:
- X.509 Certificates
- Location:
- Windows:
C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\trusted-x509-keys
- Unix:
/var/sos-berlin.com/js7/controller/var/config/private/trusted-x509-keys
- Windows:
- The expected X.509 certificate format is PEM. Certificates can be added from any file names with the extension
.pem
. - Note that instead of individual certificates for each signing key, the Root CA Certificate or Intermediate CA Certificate that was used to sign the private keys is sufficient.
- Location:
- PGP Public Keys
- Location:
- Windows:
C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\trusted-pgp-keys
- Unix:
/var/sos-berlin.com/js7/controller/var/config/private/trusted-pgp-keys
- Windows:
- PGP public keys are expected in ASCII armored format. They can be added from any file names with the extension
.asc
. - Note that for each PGP private key that is used for signing, the corresponding public key has to be available with the Controller instance.
- Location:
- By default the Controller ships with an X.509 certificate of SOS that matches the default signing key available with the JOC Cockpit
root
account.
- X.509 Certificates
- In order to add individual certificates/public keys, add the relevant files to the location specified above according to the key type. To revoke certificates/public keys accordingly remove the relevant files from the location specified above for the key type.
- The locations for certificates/public keys specified above can be accessed from the Docker volume specified with the
--mount
option for the Controller's container directory/var/sos-berlin.com/js7/controller/var/config
. The locations for X.509 certificates and PGP public keys are available from sub-directories.
...
Info | ||
---|---|---|
| ||
If you are new to certificate management or are looking for a solution that works out-of-the-box then you can use the configuration from the download archives linked below:
|
...
- The following configuration items have to be added to the Controller instance's
private.conf
configuration file. For details see the JS7 - Controller Configuration Items article.- Mutual Authentication
Code Block language bash title Controller Configuration for Mutual Authentication linenumbers true js7 { auth { # User accounts for https connections users { # Controller account for connections by primary/secondary JOC Cockpit instance Controller { distinguished-names=[ "DNQ=SOS CA, CN=js7-joc-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE", "DNQ=SOS CA, CN=js7-joc-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" ] } } }
- This setting specifies the distinguished names which are available from the subjects of JOC Cockpit certificates. Note that the common name (CN) attribute specifies the hostname of a JOC Cockpit instance. The configuration authenticates a given JOC Cockpit instance as the distinguished name is unique for the server certificate and therefore replaces the use of passwords.
- Keystore and truststore locations:
Code Block language bash title Controller Configuration for Keystore and Truststore Locations linenumbers true js7 { web { # Locations of keystore and truststore files for HTTPS connections https { keystore { # Default: ${js7.config-directory}"/private/https-keystore.p12" file=${js7.config-directory}"/private/https-keystore.p12" key-password="jobscheduler" store-password="jobscheduler" } truststores=[ { # Default: ${js7.config-directory}"/private/https-truststore.p12" file=${js7.config-directory}"/private/https-truststore.p12" store-password="jobscheduler" } ] } } }
- The configuration items described above specify the locations of keystore and truststore.
- Note the optional use of a key password and store password for keystores and the use of a store password for truststores.
- Mutual Authentication
...
--publish
The Controller image is prepared to accept HTTPS requests on port4443
. If the Controller instance is not operated in a Docker container network, then an outside port of the Docker container's host has to be mapped to the inside HTTPS port4443
. The same port has to be assigned theRUN_JS_HTTPS_PORT
environment variable.--env=RUN_JS_HTTPS_PORT
The port assigned to this environment variable is the same as the inside HTTPS port specified with the--publish
option.
...
Overview
Content Tools