Introduction
Installation, updates and upgrades are performed using the .tar.gz/.zip installer archives provided for the initial installation of newer releases.
- JS7 - Installation instructions apply.
- For environments with a larger number of JOC Cockpit instances the update, upgrade and patch processes can be automated in a number of ways:
- Users can use their preferred tools such as Ansible®, Puppet®, Chef®.
- Users can apply the JOC Cockpit Installer Script that is described in this article either standalone or in combination with such tools.
Security
Secure rollout of JS7 components is critical. It is therefore recommended that the solution described here is adjusted to suit specific security needs.
- Rollout of JS7 JOC Cockpit is considered critical as the software allows jobs to be executed on a larger number of servers.
- Attention should be paid to the integrity of the sources for JS7 component downloads.
- This includes intermediate devices on which JS7 software installers are stored in a user's environment.
- One option is to run the JOC Cockpit Installer Script from
sudo
and to use the digest functionality that compares the script to a hash value stored with thesudoers
file.
- The solution for updating, upgrading and patching the JS7 JOC Cockpit is based on shell scripting by design
- to provide readability and to rely only on OS commands,
- to prohibit the use of any 3rd-party components and additional dependencies that require code to be executed on the machines that run the JOC Cockpit.
- The JOC Cockpit Installer Script can be integrated in a number of ways:
- by running one's own SSH script on top of the JOC Cockpit Installer Script,
- by use of tools such as Ansible®, Puppet® that make use of an SSH Client,
- by use of JS7 workflow automation as explained below.
- It is recommended that a separate Standalone Controller and Agent are used for rollout purposes.
- Access to the Controller and Agent for rollout should be securely managed.
Certificate Store Management Script
The Certificate Store Management Script is provided for download and can be used to automate the creation of keystores and truststores.
- The script is available for Linux, MacOS® and AIX® using bash, dash, ksh, and zsh shells.
- The script terminates with exit code 0 to signal success, with exit code 1 for command line argument errors and with exit code 2 for non-recoverable errors.
- The script is intended as a baseline example for customization by JS7 users and by SOS within the scope of professional services.
Download
Find the Certificate Store Management Script for download from JS7 - Download.
Usage
Invoking the Certificate Store Management Script without arguments displays the usage clause:
Usage: js7_create_certificate_store.sh [Options] [Switches] Options: --keystore=|keystore-file=<file> | required: path to keystore file in PKCS12 format --truststore=|truststore-file=<file> | optional: path to truststore file in PKCS12 format --key=<private-key-file> | required: path to private key file in .pem format --cert=|certificate=<cert-file> | required: path to certificate file in .pem format --alias=<alias-name> | required: alias name for keystore entry --password=<password> | required: password for certificate store --ca-bundle=<ca-bundle-file> | optional: path to CA Bundle certificate file in .pem format --ca-root=<ca-root-file> | optional: path to CA Root certificate file in .pem format --ca-intermediate=<ca-file[,ca-file]> | optional: path to CA Intermediate certificate file in .pem format --backup-dir=<directory> | optional: backup directory for existing certificate stores --log-dir=<directory> | optional: log directory for log output of this script Switches: -h | --help | displays usage --chain | add certificate chain to keystore --show-logs | shows log output of the script --make-dirs | creates the specified directories if they do not exist
Explanation:
- Options
--keystore
- Specifies the path to a PKCS12 keystore file that should hold the private key and certificate for HTTPS connections to JS7 components.
- Users are free to specify any file name, typically the name
https-keystore.p12
is used. - Further settings in the
ssl.ini
file such as the keystore password have to be deployed from a copy of the file using the--ini
option. - Assigning a keystore for HTTPS connections disables HTTP access and enables HTTPS access only to JOC Cockpit. The same port is alternatively used for HTTP and HTTPS connections.
--truststore-file
- Specifies the path to a PKCS12 truststore file that holds the certificate(s) for HTTPS connections from JOC Cockpit to a Controller instance, LDAP server etc.
- Users are free to specify any file name, typically the name
https-truststore.p12
is used. The truststore file will be copied to the<home>/jetty_base/resources/joc
directory. - If a truststore file is made available then the JOC Cockpit's
<home>/jetty_base/start.d/ssl.ini
file has to hold a reference to the truststore location and optionally the truststore password. It is therefore recommended to use the--ini
option to deploy an individualssl.ini
file. The following settings are automatically updated in thessl.ini
file:jetty.sslContext.trustStorePath
: specifies the path to the truststore relative to the<home>/jetty_base/resources/joc
directory.
- Further settings in the
ssl.ini
file such as the truststore password have to be deployed from a copy of the file using the--ini
option.
--truststore
- The JOC Cockpit installer is used with the
joc_install.xml
response file. This file is available after extraction of the installer tarball and specifies options for installation of the JOC Cockpit. The file is applied when invoking the installer by./setup.sh -u joc_install.xml
, see JS7 - JOC Cockpit - Headless Installation on Linux and Windows. - Users should keep their copy of the response file and specify the path with this command line option. Response files can be re-used within the same minor release of the JOC Cockpit, for example when updating from release 2.3.1 to 2.2.4. When updating, for example, from release 2.2.x to 2.3.x it is recommended a check is carride out from the installer tarball if a newer version of the file is available.
- Users should note that the response file can hold references to a license file and to a JDBC Driver .jar file. The JOC Cockpit setup is executed from the directories specified with the
--setup-dir
option. Paths can be used relative to this directory.
- The JOC Cockpit installer is used with the
--key
- Specifies the path to the file that holds the private key that should be added to the keystore.
- This argument is required if a keystore should be created, see
--keystore
.
--cert
- Specifies the path to the file that holds the certificate that should be added to the keystore.
- This argument is required if a keystore should be created, see
--keystore
.
--alias
- Specifies the alias name of the private key and certificate entry in the keystore.
- This argument is required if a keystore should be created, see
--keystore
.
--password
- Specifies the password that protects the keystore and truststore.
- Passwords for certificate stores are not intended to improve security but to prevent users from shooting themselves in their foot. For a keystore the password protects read and write access, for a truststore the password protects write access.
- This argument is required if a keystore or truststore should be created, see
--keystore
,--truststore
.
ca-bundle
- Specifies the path to a CA Bundle file that holds the CA Intermediate certificate(s) and Root CA certificate in the indicated sequence.
- This argument is required if a keystore should be created and the
--chain
switch is used. In addition this argument is required if a truststore should be created an no Root CA certificate is specified, see--ca-root
.
ca-root
- Specifies the path to a CA Root Certificate file.
- This argument is required if no CA Bundle file is specified, see
--ca-bundle
, and a keystore should be created with the--chain
argument. In addition this argument is required if a truststore should be created using the--truststore
option and no CA Bundle file is specified, see--ca-bundle
option.
ca-intermediate
- Specifies the path to one or more CA Intermediate Certificate files.
- If more than one file is specified then file names have to be separated by comma, for example
--ca-intermediate="./certs/intermediate-ca-1.crt,./certs/intermediate-ca-2.crt"
. - This argument is required if no CA Bundle file is specified, see
--ca-bundle
, and a keystore should be created with the--chain
argument.
--backup-dir
- If a backup directory is specified then an existing keystore and truststore will be added to a .tar.gz file in this directory.
- File names are created according to the pattern:
backup_js7_certificate_store.<hostname>.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.tar.gz
- For example:
backup_js7_certificate_store.centostest_primary.2022-03-19T20-50-45.tar.gz
--log-dir
- If a log directory is specified then the installer script logs information about processing steps to a log file in this directory.
- File names are created like this:
certificate_store._js7.<hostname>.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
- For example:
certificate_store_js7.centostest_primary.2022-03-19T20-50-45.log
- Switches
-h | --help
- Displays usage.
--chain
- Stops a running JOC Cockpit before installation and starts the JOC Cockpit after installation using the JOC Cockpit's Start Script. This switch can be used with the
--kill
switch to control the way how JOC
- Stops a running JOC Cockpit before installation and starts the JOC Cockpit after installation using the JOC Cockpit's Start Script. This switch can be used with the
--show-logs
- Displays the log output created by the script.
--make-dirs
- If directories are missing that are indicated with the
--keystore
,--truststore
,--backup-dir
or--log-dir
options then they will be created.
- If directories are missing that are indicated with the
- Exit Codes
1
: argument errors2
: non-recoverable errors3
: this exit code is returned when used with the--restart
switch and if it cannot be identified if a JOC Cockpit instance is running4
: this exit code is returned if no--tarball
option is used and download of the tarball reports errors5
: this exit code is returned when used with the--restart
switch and if the JOC Cockpit instance cannot be started6
: this exit code is returned when used with the--restart
switch and if the JOC Cockpit instance cannot be stopped7
: this exit code indicates that the JOC Cockpit installation has failed8
: this exit code indicates failure of the JOC Cockpit installation from logs
Examples
The following examples represent typical use cases. Users should consider to specify current releases, see JS7 - Download.
Install or Update from Download
./js7_install_joc.sh \ --setup-dir=/home/sos/joc.setup \ --setup-response=/home/sos/joc.response/joc_install.xml \ --release=2.3.1 \ --make-dirs # downloads the JOC Cockpit release indicated and extracts the installer tarball to the specified JOC Cockpit setup directory # the setup directory is created if it does not exist and the indicated response file for setup options is used
Install or Update from Download with Commercial License
./js7_install_joc.sh \ --setup-dir=/home/sos/joc.setup \ --setup-response=/home/sos/joc.response/joc_install.xml \ --release=2.3.1 \ --license-key=/home/sos/example.pem \ --make-dirs # downloads the JOC Cockpit release indicated and extracts the installer tarball to the specified JOC Cockpit setup directory # the setup directory is created if it does not exist and the indicated response file for setup options is used # installs the license key file and downloads the binary file for licensed code to enable cluster operations
Install or Update from Tarball
./js7_install_joc.sh \ --setup-dir=/home/sos/joc.setup \ --setup-response=/home/sos/joc.response/joc_install.xml \ --tarball=/mnt/releases/js7/js7_joc_linux.2.3.1.tar.gz # extracts the tarball indicated to the specified JOC Cockpit setup directory
Install or Update from Tarball with Commercial License
./js7_install_joc.sh \ --setup-dir=/home/sos/joc.setup \ --setup-response=/home/sos/joc.response/joc_install.xml \ --tarball=/mnt/releases/js7/js7_joc_linux.2.3.1.tar.gz \ --license-key=/home/sos/example.pem \ --license-bin=/mnt/releases/js7/js7-license.jar # extracts the tarball indicated to the specified JOC Cockpit setup directory # installs the license key file and binary file for licensed code to enable cluster operations
Install or Update and Stop/Start using systemd
./js7_install_joc.sh \ --setup-dir=/home/sos/joc.setup \ --setup-response=/home/sos/joc.response/joc_install.xml \ --tarball=/mnt/releases/js7/js7_joc_linux.2.3.1.tar.gz \ --exec-start="sudo systemctl start js7_joc" \ --exec-stop="sudo systemctl stop js7_joc" # extracts the tarball indicated to the specified JOC Cockpit setup directory # the JOC Cockpit is stopped and started using systemd commands
Install or Update and Restart
./js7_install_joc.sh \ --setup-dir=/home/sos/joc.setup \ --setup-response=/home/sos/joc.response/joc_install.xml \ --tarball=/mnt/releases/js7/js7_joc_linux.2.3.1.tar.gz \ --restart # extracts the tarball indicated to the specified JOC Cockpit setup directory # the JOC Cockpit is stopped and started from its own instance start script
Install or Update with Return Values
retval=/tmp/js7_install_joc.$$.tmp ./js7_install_joc.sh \ --setup-dir=/home/sos/joc.setup \ --setup-response=/home/sos/joc.response/joc_install.xml \ --tarball=/mnt/releases/js7/js7_joc_linux.2.3.1.tar.gz \ --backup-dir=/tmp/backups \ --log-dir=/tmp/logs \ --return-values=$retval \ --restart log_file=$(cat $retval | grep "log_file" | cut -d'=' -f2) backup_file=$(cat $retval | grep "backup_file" | cut -d'=' -f2) # extracts the tarball indicated to the specified JOC Cockpit setup directory, creates a log file and a backup file # return values include the path to the log file and to the backup file
Install or Update with Fallback
retval=/tmp/js7_install_joc.$$.tmp ./js7_install_joc.sh \ --setup-dir=/home/sos/joc.setup \ --setup-response=/home/sos/joc.response/joc_install.xml \ --tarball=/mnt/releases/js7/js7_joc_linux.2.3.1.tar.gz \ --backup-dir=/tmp/backups \ --log-dir=/tmp/logs \ --return-values=$retval \ --restart \ --show-logs \ --make-dirs \ || ( backup=$(cat $retval | grep "backup_file" | cut -d'=' -f2) \ && ( test -e "$backup" ) && \ ./js7_install_joc.sh \ --setup-dir=/home/sos/joc.setup \ --setup-response=/home/sos/joc.response/joc_install.xml \ --tarball=$backup \ --log-dir=/tmp/logs \ --restart \ --show-logs ) log_file=$(cat $retval | grep "log_file" | cut -d'=' -f2) backup_file=$(cat $retval | grep "backup_file" | cut -d'=' -f2) # extracts the tarball indicated to the specified JOC Cockpit setup directory, creates a backup file and a log file and restarts JOC Cockpit # should installation fail then the installation from the backup file will be reverted to
Install or Update and Apply Certificates
./js7_install_joc.sh \ --setup-dir=/home/sos/joc.setup \ --setup-response=/home/sos/joc.response/joc_install.xml \ --tarball=/mnt/releases/js7/js7_joc_linux.2.3.1.tar.gz \ --ini="./joc.config/http.ini,./joc.config/https.ini,./joc.config/ssl.ini" \ --http-port=4446 \ --keystore-file=./joc.config/https-keystore.p12 \ --truststore-file=./joc.config/https-truststore.p12 \ --make-dirs \ --user \ --preserve-env # extracts the tarball indicated to the specified JOC Cockpit setup directory # deploys Jetty SSL configuration files that hold references to keystore and truststore # deploys keystore and truststore files
Patch from Download
./js7_install_joc.sh \ --home=/home/sos/joc \ --release=2.3.1 \ --patch=low.patch-1 # downloads the patch indicated and extracts the tarball to the specified JOC Cockpit home directory # the patch is stored in the JOC Cockpit's jetty_base/webapps/joc/WEB-INF/classes sub-directory
Patch from Tarball
./js7_install_joc.sh \ --home=/home/sos/joc \ --tarball=/mnt/releases/js7/js7_joc_linux.2.3.1.low.patch-1.tar.gz \ --patch=low.patch-1 # extracts the patch tarball indicated to the specified JOC Cockpit home directory # the patch is stored to the JOC Cockpit's jetty_base/webapps/joc/WEB-INF/classes sub-directory
Automation
The JOC Cockpit Installer Script can be executed from a job for automated updating and upgrading of JS7 JOC Cockpit instances.
The steps for automation are similar to updating and upgrading JS7 Agents. You will find instructions for setting up workflow automation from the JS7 - Automated Update of Agent article.