Introduction
- Users benefit from simplified rollout of keys and certificates to Controller instances and Agents when using the built-in JS7 - Certificate Authority.
- Users have a choice to use an external certificate authority or the built-in certificate authority included with JOC Cockpit.
JS7 provides a command line client available with Controller instances and Agents to create and to roll-out keys and certificates of the built-in certificate authority. Rollout of keys and certificates created with an external certificate authority are not in scope of the JS7 command line client.
Prerequisites
The following conditions have to be met before the command line client can be used to rollout keys and certificates.
- The JOC Cockpit certificate authority has to be available and the root key and certificate have been created.
- A valid token has to be generated in JOC Cockpit for the desired JS7 Controller instances and Agents.
Command Line Client
Parameters:
| Parameter | Required | Description | Example |
|---|---|---|---|
--help | No | Shows the usage information, this option has to be specified as the only command line option and has no value. | |
--token | Yes | UUID of the token for one-time authentication to JOC Cockpit to receive keys and certificates. | --token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b |
--subject-dn | Yes | The SubjectDN to be used consisting of [CN, OU, O, L, S,C] where the current hostname has to be set as CN. | --subject-dn="CN=myControllerHostname, OU=development, O=SOS, L=Berlin, S=Berlin, C=DE" |
--san | Yes | The subject alternative names(SAN) should be set with variation of the hostname e.g. including the domain part. The alternatives are separated by comma. | --san="myControllerHostname.sos, myControllerHostname, sp.sos, sp" |
--joc-uri | Yes | URI of the JS7 JOC to receive the generated certificates from. | --joc-uri=https://joc-2-0-secondary:4443 |
--source-keystore | No | Path of the Keystore holding the keys to connect to JS7 JOC over HTTPS. | --source-keystore=C:/sp/devel/js7/keys/sp-keystore.p12 |
--source-keystore-type | No | Type of the keystore to connect to JS7 JOC over HTTPS. (PKCS12[default] and JKS are supported only) | --source-keystore-type=PKCS12 |
--source-keystore-pass | No | Password for the keystore holding the keys to connect to JS7 JOC over HTTPS. | --source-keystore-pass="YourKeystorePassword" |
--source-keystore-entry-pass | No | Password for the private key entry of the keystore holding the keys to connect to JS7 JOC over HTTPS. | --source-keystore-entry-pass="YourKeystoreEntryPassword" |
--source-truststore | No | Path of the Truststore holding the trusted certificates to connect to JS7 JOC over HTTPS. | --source-truststore=C:/sp/devel/js7/keys/sp-truststore.p12 |
--source-truststore-type | No | Type of the truststore to connect to JS7 JOC over HTTPS. (PKCS12[default] and JKS are supported only) | --source-truststore-type=PKCS12 |
--source-truststore-pass | No | Password for the truststore holding the keys to connect to JS7 JOC over HTTPS. | --source-truststore-pass="YourTruststorePassword" |
--source-private-key | No | Path to the private Key file used to connect to JS7 JOC over HTTPS. | --source-private-key=C:/sp/devel/js7/keys/sp/sp.key |
--source-certificate | No | Path to the certificate file used to connect to JS7 JOC over HTTPS. | --source-certificate=C:/sp/devel/js7/keys/sp/sp.cer |
--source-ca-cert | No | Path to the CA certificate file(s) used to connect to JS7 JOC over HTTPS. (Comma separated) | --source-ca-cert="C:/sp/devel/js7/keys/sp/sos_intermediate_ca.cer, C:/sp/devel/js7/keys/sp/sos_root_ca.cer" |
--target-keystore= | Yes | Path to the Keystore where the generated SSL certificates and keys should be stored. | --target-keystore=C:/sp/devel/js7/testing/CLI/controller/https-keystore.p12 |
--target-keystore-type | No | Type of the keystore to store to. (PKCS12[default] and JKS are supported only) | --target-keystore-type=PKCS12 |
--target-keystore-pass | No | Password for the keystore to store to. | --target-keystore-pass="YourKeystorePassword" |
--target-keystore-entry-pass | No | Password for the private key/certificate entry of the target keystore holding the keys for mutual https. | --target-keystore-entry-pass="YourKeystoreEntryPassword" |
--target-truststore | Yes | Path to the Truststore where the trusted ca certificate should be stored. | --target-truststore=C:/sp/devel/js7/testing/CLI/controller/https-truststore.p12 |
--target-truststore-type | No | Type of the truststore to store to. (PKCS12[default] and JKS are supported only) | --target-truststore-type=PKCS12 |
--target-truststore-pass | No | Password for the truststore to store to. |
|
--key-alias | Yes | Alias used to store the certificate and its private key in the target keystore. | --key-alias="MyKeyAlias" |
--ca-alias | Yes | Alias used to store the ca certificate in both, the target keystore and truststore. | --ca-alias="MyTrustedCertificateAlias" |
Connection to JS7 JOC over HTTP
No parameter starting with --source has to be set.
Connection to JS7 JOC over HTTPS
There are two ways supported to connect over HTTPS. Depending on the method which is chosen some optional parameters are required.
- using KeyStore/Truststore
- The following parameters have to be set
- --source-keystore
- required
- -source-keystore-type
- optional
- has to be set if JKS is used
- --source-keystore-pass
- optional
- has to be set if the keystore is secured with a password
- --source-keystore-entry-pass
- optional
- has to be set if the private key entry is secured with a password
- --source-truststore
- required
- --source-truststore-type
- optional
- has to be set if JKS is used
- --source-truststore-pass
- optional
- has to be set if the truststore is secured with a password
- --source-keystore
- The following parameters have to be set
- using key and certificate files instead of stores
- The following parameters have to be set
- --source-private-key
- required
- --source-certificate
- required
- --source-ca-cert
- required
- --source-private-key
- The following parameters have to be set
Examples
The jar file to use is present in two forms
- sos-commons-cli-2-0-0-SNAPSHOT.jar (ca. 9 KB)
- this is a standard jar file
- using this jar needs to get the complete classpath set from the outside
- sos-commons-cli-2-0-0-SNAPSHOT-jar-with-dependencies.jar (ca. 22 MB)
- this is a fat/uber jar file
- using this jar needs no classpath at all
The filename of the jar file should be changed through the setup, so that customers will later only have to call sos-commons-cli.jar or a different desired name in either way (external classpath in agent, without classpath in the controller)
For testing purpose the jar files are internally available in archiva http://archiva.sos:8080/archiva/repository/sos/com/sos-berlin/sos-commons-cli/2.0.0-SNAPSHOT/ . The files in archiva have an additional timestamp and a build number in their filenames.
Overview
Content Tools