Introduction

Certificates can be used for mutual authentication:

• The client (Browser Client, REST Client) challenges the JOC Cockpit server to present its server authentication certificate that will be verified by the client.
• The JOC Cockpit server challenges the client to present its client authentication certificate that is verified by JOC Cockpit.

With JOC Cockpit being set up for mutual authentication the certificates can be used

• to enforce two-factor authentication with clients having to provide a certificate and a password,
• to allow single-factor authentication using a certificate instead of a password.

Authentication Strategies

Two-factor Authentication

This includes to require both account/password authentication and certificate based authentication.

Find details from the JOC Cockpit - HTTPS Mutual Authentication - Two-factor Authentication article.

Single-factor Authentication

This boils down to use either account/password authentication or to allow certificate based authentication alternatively.

Find

Certificates for Authentication

Clients

Certificates are available with the Client's certificate store.

• Browser Clients
  • FireFox (any platform): supports use of an individual certificate store that is available with the browser, see Options -> Privacy & Security -> Certificates.
  • Chrome, Vivaldi, Edge (Windows): supports use of the Windows Certificate Store
  • Chrome, Vivaldi (Linux): supports use of an individual certificate store that is available with the browser, see Options -> Privacy
  • Chrome, Safari (Mac OS): supports use of the Mac OS Certificate Store
• REST Clients
  • JS7 PowerShell Module (Connect-JS7): Windows, Linux, Mac OS: supports use of a Key Store (.p12); Windows: supports use of the Windows Certificate Store
  • JobScheduler PowerShell Module (Connect-JobScheduler): Windows, Linux, Mac OS: supports use of a Key Store (.p12); Windows: supports use of the Windows Certificate Store
  • Other REST Clients: depends on implementation

Certificate Encryption Algorithms

X.509 Certificates with RSA or ECDSA encryption algorithms can be used.

Certificate Management

Self-signed certificates and certificates signed by trusted root certification authorities can be used.

For use with self-signed certificates the root certificate has to be added to the Client's certificate store. Certificates from trusted root certification authorities frequently are available from a Client's key store.

Certificate Verification

When connecting from a Client, e.g. a browser, to the JOC Cockpit server then JOC Cockpit will