Introduction
The certificate rollout with the command line client supports only the usage of the JS7 JOC Certificate Authority. Rollout of certificates generated with an external Certificate Authority are not supported.
Prerequisites
A number of conditions have to be met before the command line client can be used to rollout the generated certificates.
- A JOC CA has to be present in JS7 JOC.
- A valid token has to be generated in JS7 JOC for the desired JS7 controller/ JS7 agent.
Command Line Client
Parameters:
| Parameter | Required | Description | Example |
|---|---|---|---|
| --help | Shows the help page, this option is exclusive and has no value. | ||
| --token= | Yes | UUID of the token for a onetime authentication to JS7 JOC to receive the generated certificates. | --token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b |
| --subject-dn= | Yes | The SubjectDN to be used consisting of [CN, OU, O, L, S,C] where the current hostname has to be set as CN. | --subject-dn="CN=myControllerHostname, OU=development, O=SOS, L=Berlin, S=Berlin, C=DE" |
| --san= | Yes | The subject alternative names(SAN) should be set with variation of the hostname e.g. including the domain part. The alternatives are separated by comma. | --san="myControllerHostname.sos, myControllerHostname, sp.sos, sp" |
| --joc-uri= | Yes | URI of the JS7 JOC to receive the generated certificates from. | --joc-uri=https://joc-2-0-secondary:4443 |
| --source-keystore= | No | Path of the Keystore holding the keys to connect to JS7 JOC over HTTPS. | --source-keystore=C:/sp/devel/js7/keys/sp-keystore.p12 |
| --source-keystore-type= | No | Type of the keystore to connect to JS7 JOC over HTTPS. (PKCS12[default] and JKS are supported only) | --source-keystore-type=PKCS12 |
| --source-keystore-pass= | No | Password for the keystore holding the keys to connect to JS7 JOC over HTTPS. | --source-keystore-pass="YourKeystorePassword" |
| --source-keystore-entry-pass= | No | Password for the private key entry of the keystore holding the keys to connect to JS7 JOC over HTTPS. | --source-keystore-entry-pass="YourKeystoreEntryPassword" |
| --source-truststore= | No | Path of the Truststore holding the trusted certificates to connect to JS7 JOC over HTTPS. | --source-truststore=C:/sp/devel/js7/keys/sp-truststore.p12 |
| --source-truststore-type= | No | Type of the truststore to connect to JS7 JOC over HTTPS. (PKCS12[default] and JKS are supported only) | --source-truststore-type=PKCS12 |
| --source-truststore-pass= | No | Password for the truststore holding the keys to connect to JS7 JOC over HTTPS. | --source-truststore-pass="YourTruststorePassword" |
| --source-private-key= | No | Path to the private Key file used to connect to JS7 JOC over HTTPS. | --source-private-key=C:/sp/devel/js7/keys/sp/sp.key |
| --source-certificate= | No | Path to the certificate file used to connect to JS7 JOC over HTTPS. | --source-certificate=C:/sp/devel/js7/keys/sp/sp.cer |
| --source-ca-cert= | No | Path to the CA certificate file(s) used to connect to JS7 JOC over HTTPS. (Comma separated) | --source-ca-cert="C:/sp/devel/js7/keys/sp/sos_intermediate_ca.cer, C:/sp/devel/js7/keys/sp/sos_root_ca.cer" |
| --target-keystore= | Yes | Path to the Keystore where the generated SSL certificates and keys should be stored. | --target-keystore=C:/sp/devel/js7/testing/CLI/controller/https-keystore.p12 |
| --target-keystore-type= | No | Type of the keystore to store to. (PKCS12[default] and JKS are supported only) | --target-keystore-type=PKCS12 |
| --target-keystore-pass= | No | Password for the keystore to store to. | --target-keystore-pass="YourKeystorePassword" |
| --target-keystore-entry-pass= | No | Password for the private key/certificate entry of the target keystore holding the keys for mutual https. | --target-keystore-entry-pass="YourKeystoreEntryPassword" |
| --target-truststore= | Yes | Path to the Truststore where the trusted ca certificate should be stored. | --target-truststore=C:/sp/devel/js7/testing/CLI/controller/https-truststore.p12 |
| --target-truststore-type= | No | Type of the truststore to store to. (PKCS12[default] and JKS are supported only) | --target-truststore-type=PKCS12 |
| --target-truststore-pass= | No | Password for the truststore to store to. |
|
| --key-alias= | Yes | Alias used to store the certificate and its private key in the target keystore. | --key-alias="MyKeyAlias" |
| --ca-alias= | Yes | Alias used to store the ca certificate in both, the target keystore and truststore. | --ca-alias="MyTrustedCertificateAlias" |
Connection to JS7 JOC over HTTP
No parameter starting with --source has to be set.
Connection to JS7 JOC over HTTPS
There are two ways supported to connect over HTTPS. Depending on the method which is chosen some optional parameters are required.
- using KeyStore/Truststore
- The following parameters have to be set
- --source-keystore
- required
- -source-keystore-type
- optional
- has to be set if JKS is used
- --source-keystore-pass
- optional
- has to be set if the keystore is secured with a password
- --source-keystore-entry-pass
- optional
- has to be set if the private key entry is secured with a password
- --source-truststore
- required
- --source-truststore-type
- optional
- has to be set if JKS is used
- --source-truststore-pass
- optional
- has to be set if the truststore is secured with a password
- --source-keystore
- The following parameters have to be set
- using key and certificate files instead of stores
- The following parameters have to be set
- --source-private-key
- required
- --source-certificate
- required
- --source-ca-cert
- required
- --source-private-key
- The following parameters have to be set
Examples
The jar file to use is present in two forms (http://archiva.sos:8080/archiva/repository/sos/com/sos-berlin/sos-commons-cli/2.0.0-SNAPSHOT/)
- sos-commons-cli-2-0-0-SNAPSHOT.jar
- this is a standard jar file
- using this jar needs to get the complete classpath set from the outside
- sos-commons-cli-2-0-0-SNAPSHOT-jar-with-dependencies.jar
- this is a fat/uber jar file
- using this jar needs no classpath at all
The filename of the jar file should be changed through the setup, so that customers will later only have to call sos-commons-cli.jar or a different desired name in either way (external classpath in agent, without classpath in the controller)
Overview
Content Tools