Introduction

JS7 allows JOC Cockpit to be operated in one of the Security Levels low, medium or high. For details see JS7 - Security Architecture.

  • low: workflows are digitally signed with a single Private Key used by all user accounts in JOC Cockpit. The Private Key is stored in the JS7 database.
  • medium: workflows are digitally signed with a Private Key per user account in JOC Cockpit. The Private Key is stored in the JS7 database.
  • high: workflows have to be digitally signed outside of JOC Cockpit. Users export workflows from the JS7 inventory to a .tar.gz/.zip export archive.

For an overview of the signing process see JS7 - Deployment of Workflows for High Security Level.

The following example is provided for manual signing and deployment of workflows.

For automated signing and deployment see

Example for Deployment Process

Export

  • Click Export in the context menu of a folder or use the Export button in the right upper corner of the Configuration view:



  • In the Export popup window check the checkbox for Signing:



  • Select the workflows to deploy.

Signing

The following steps are explained for manual signing. For automated signing see JS7 - Signing Workflows for High Security Level.

It is essential that the signing procedure is performed on a secure device and in a secure manner outside of the host operating JOC Cockpit.

Extract the export archive file and preserve the folder structure of included workflow files:


Signing Workflow Files

This example makes use of OpenSSL to sign a workflow file in two steps:

Step 1: Create a binary signature file by signing a workflow file
openssl dgst -sha256 -sign c:\tmp\sos.private-ec-key.pem -out c:\tmp\example-wf.workflow.json.sig.bin c:\tmp\example-wf.workflow.json
  • -sha256
    • The hash algorithm used for the signature
  • -sign c:\tmp\sos.private-ec-key.pem
    • The Private Key file used to sign the workflow file
  • -out c:\tmp\example-wf.workflow.json.sig.bin
    • The path to the output file that contains the binary representation of the signature
  • c:\tmp\example-wf.workflow.json
    • The path to the original workflow file.


Step 2: Convert the binary signature file to base64 encoding
openssl base64 -in c:\tmp\example-wf.workflow.json.sig.bin -out c:\tmp\example-wf.workflow.json.sig
  • base64
    • OpenSSL command to transform the signature file from binary encoding to base64 encoding
  • -in c:\tmp\example-wf.workflow.json.sig.bin
    • The binary encoded signature file as created in step 1
  • -out c:\tmp\example-wf.workflow.json.sig
    • The base64 encoded signature file to be created. It carries a .sig extension and is picked up later by JOC Cockpit when importing workflows and signatures.
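
The two steps above, applied to every workflow file of an extracted export archive and followed by a signature check before anything is imported. This is an added example, not code from the JS7 project; the function names, the POSIX paths and the public key file (exported from the signing key) are assumptions.

```shell
#!/bin/sh
# Added example, not JS7 code. Function names, POSIX paths and the public key
# file are assumptions; the OpenSSL calls are the two steps shown above.

# sign_workflow KEY FILE: step 1 + step 2, leaves FILE.sig next to FILE
sign_workflow() {
    openssl dgst -sha256 -sign "$1" -out "$2.sig.bin" "$2" &&
    openssl base64 -in "$2.sig.bin" -out "$2.sig" &&
    rm -f "$2.sig.bin"    # only the base64 .sig belongs in the import archive
}

# verify_workflow PUBKEY FILE: returns 0 only if FILE.sig is valid for FILE
verify_workflow() {
    tmp=$(mktemp) || return 1
    openssl base64 -d -in "$2.sig" -out "$tmp" &&
    openssl dgst -sha256 -verify "$1" -signature "$tmp" "$2" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# sign_tree KEY PUBKEY DIR: sign and check every workflow file below DIR,
# keeping the folder structure of the extracted export archive untouched
sign_tree() {
    find "$3" -type f -name '*.workflow.json' | while IFS= read -r wf; do
        sign_workflow "$1" "$wf" && verify_workflow "$2" "$wf" || exit 1
        echo "signed and verified: $wf"
    done
}

# Stand-alone use: sh sign-tree.sh <private-key.pem> <public-key.pem> <dir>
if [ "$#" -eq 3 ]; then
    sign_tree "$@"
fi
```

A workflow file that is modified after signing fails `verify_workflow`, so the check catches a mismatch on the signing device instead of at import time.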

The procedure for adding workflow files and signature files to an import archive includes the following steps:

  • Make the base64 encoded signature files available in the same folder as the respective workflow file.
  • Create a .tar.gz/.zip import archive file that includes the workflow files and signature files.
    • The exported archive contains the meta_inf file. This file does not have to be signed. However, it should be present in the top-level folder of the import archive file.
  • Import and deploy the archive file using the Import and Deploy operation of JOC Cockpit.



Enter the signing algorithm using default Java names:


Supported signing algorithm names include:

OpenSSL | Java with RSA | Java with ECDSA
sha512  | SHA512withRSA | SHA512withECDSA
sha256  | SHA256withRSA | SHA256withECDSA


During import, all workflow files and signature files from the import archive file are deployed to Controller instances and Agents. This includes validation of the signatures, performed independently by Controller instances and by Agents. After successful validation the workflows are available in a deployed state and are ready to accept orders for workflow execution.


