Introduction

For JS7 - Automated Deployment On Premises use of a Deployment Area is recommended.

The JS7 - Deployment Area is used for the following purposes:

• to hold the script environment for JS7 - Automated Installation and Update and for JS7 - Deployment Packaging,
• to hold the configuration files and optionally certificates for deployment of JS7 components,
• to hold the JS7 installations per JS7 release and component such as JOC Cockpit, Controller, Agent,
• to hold the archive of Deployment Packages per JS7 releases and target host,

The article explains

• how to set up a Certificate Authority (CA) to create self-signed certificates,
• how to make CA-signed and self-signed certificates available for keystores and truststores used by JS7 components.

Creating the Root Certificate Authority

Connections between the JS7 JOC Cockpit, Controller and Agents can be secured by TLS/SSL certificates used for HTTPS connections.

Users who do not wish to use HTTPS connections or who are provided certificates from their organization can skip this step.

Creating the Root CA Certificate

A Root CA Certificate is created and is later on is used to create self-signed certificates.

The create_root_ca.sh script is included with the js7.deploy/ca directory and is executed without arguments.

./ca/create_root_ca.sh

Explanation:

• When the script is executed it prompts for a number of options. Find more details about use of the script with the JS7 - How to create self-signed Certificates article.
• The following files will be created:
  • ./ca/private/root-ca.key: This file holds the Root CA private key.
  • ./ca/certs/root-ca.crt:  This file holds the Root CA Certificate.

Creating Certificates

Users who do not wish to use HTTPS connections or who are provided certificates from their organization can skip this step.

Certificates can be created individually and they can be created from scripts that generate certificates for all JS7 components involved in a scheduling environment.

Creating Certificates individually

The steps how to create individual Server/Client Authentication certificates are explained with the JS7 - How to create self-signed Certificates article.

Creating Certificates by Bulk Operations

Certificates can be created from a single step for all JS7 components involved in a scheduling environment .

• The proceeding is recommended, for example to manage certificate renewal for the scheduling environment.
• Technically bulk operations are based on individual scripts that specify which JS7 components should be equipped with certificates.
• Bulk operations include the following steps:
  • Creating a certificate using the <ca>/create_certificate.sh script as explained with the JS7 - How to create self-signed Certificates article.
  • Adding a certificate to the related keystore and creating the respective truststore using the <bin>js7_create_certificate_store.sh script, see JS7 - How to add SSL TLS Certificates to Keystore and Truststore

The example of an individual script for bulk operations can look like this:

#!/bin/sh

set -e

SCRIPT_HOME=$(cd "$(dirname "$0")" >/dev/null && pwd)

DEP_CA=${DEP_CA:-$(dirname "${SCRIPT_HOME}")/ca}
DEP_BIN=${DEP_BIN:-$(dirname "${SCRIPT_HOME}")/bin}
DEP_CONFIG=${DEP_CONFIG:-$(dirname "${SCRIPT_HOME}")/config}

create_self_signed_certs()
{
  server=$1
  config=$2

  ${DEP_CA}/create_certificate.sh --dns=${server},${server}.sos --days=365

  if [ ! -d "${config}" ]
  then
      mkdir -p "${config}"
  fi

  cp ${DEP_CA}/certs/${server}.crt ${config}/

  ${DEP_BIN}/js7_create_certificate_store.sh \
    --keystore=${config}/https-keystore.p12 \
    --truststore=${config}/https-truststore.p12 \
    --key=${DEP_CA}/private/${server}.key \
    --cert=${DEP_CA}/certs/${server}.crt \
    --alias=${server} \
    --password=jobscheduler \
    --ca-root=${DEP_CA}/certs/root-ca.crt \
    --chain \
    --make-dirs
}


# Function               Host                 Location
create_self_signed_certs centostest-primary   ${DEP_CONFIG}/agents/instances/agent_001/config/private
create_self_signed_certs centostest-secondary ${DEP_CONFIG}/agents/instances/agent_002/config/private

create_self_signed_certs centostest-primary   ${DEP_CONFIG}/controllers/instances/standalone/config/private

create_self_signed_certs centostest-primary   ${DEP_CONFIG}/joc/instances/standalone/resources

Explanation:

• The script makes use of the create_self_signed_certs() function that is repeatedly executed.
• The function is parameterized by
  • the name of the host (centostest-primary, centostest-secondary) for which the certificate is created,
  • the location to which the certificate should be stored.
    • Consider the JS7 - Deployment Area - Directory Layout to identify the locations used by the example.

Resources

• JS7 - Deployment - Getting Started
  
  • JS7 - Deployment - Setting up the Deployment Area
  • JS7 - Deployment - Managing Deployments
  • JS7 - Deployment - Managing Ownership