Introduction
JS7 allows JOC Cockpit to be operated in one of the security levels low, medium or high; for details see JS7 - Security Architecture.
- low: workflows are digitally signed with a single private key used by all user accounts in JOC Cockpit. The key is stored in the JS7 database.
- medium: workflows are digitally signed with a private key per user account in JOC Cockpit. The keys are stored in the JS7 database.
- high: workflows have to be digitally signed outside of JOC Cockpit. Users export workflows from the JS7 inventory to a .tar.gz/.zip export archive.
For an overview of the signing process see JS7 - Deployment of Workflows for High Security Level.
The JS7 - PowerShell Module offers the Invoke-JS7WorkflowSigning cmdlet for signing workflows and job resources when using the high security level. This article explains use of the cmdlet in a pipeline for automated signing and deployment.
Workflow Signing Pipeline
The workflow signing pipeline can be used to automate steps for digital signing of workflows using X.509 certificates.
The following steps are performed in a pipeline:
- Export scheduling objects from a JOC Cockpit inventory folder
- Extract the export archive file to a local directory
- Sign workflows and job resources
- Create import archive from signed scheduling objects
- Import and deploy scheduling objects from the import archive
# login
Import-Module JS7 -force
$credential = ( New-Object -typename System.Management.Automation.PSCredential -ArgumentList 'ap-si-ecdsa', ( 'ap-si-ecdsa' | ConvertTo-SecureString -AsPlainText -Force) )
Connect-JS7 -Url https://centostest-primary.sos:6446 -RootCertificatePath ./root-ca.crt -Credential $credential -Id training

# export for signing
Export-JS7InventoryFolder -Folder / -FilePath ./export-training.zip -Recursive -ControllerId training -ForSigning

# extract export archive
Remove-Item -Recurse -Force ./inventory/*
Expand-Archive -Path ./export-training.zip -DestinationPath ./inventory -Force

# sign workflows
Invoke-JS7WorkflowSigning -Dir ./inventory -Key ./ca/ap-si-ecdsa.key -Cert ./ca/ap-si-ecdsa.crt -Hash sha512

# create import archive
Compress-Archive -Path ./inventory/* -DestinationPath ./import-from-signing.zip -Force

# import and deploy
Import-JS7InventoryItem -FilePath "$((Get-Location).path)/import-from-signing.zip" -Deploy -ControllerId training -SignatureAlgorithm SHA512withECDSA

# logout
Disconnect-JS7
Explanations:
- The example makes use of the ap-si-ecdsa account. A number of ways are offered for authentication, see JS7 - How to connect to JOC Cockpit using the PowerShell Module.
- In JOC Cockpit the account's profile holds the certificate that is available from the ap-si-ecdsa.crt file.
- For signing, the account's ap-si-ecdsa.key private key file and ap-si-ecdsa.crt certificate file are used. The hash algorithm specified has to match the algorithm (SHA256/SHA512) used when creating the certificate and the key type (ECDSA/RSA).
- For creation of private keys and signing certificates see JS7 - How to create X.509 Signing Certificates.
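The requirement that the hash algorithm and key type match the signing certificate is easy to get wrong in an automated pipeline. The following added example (not part of the JS7 PowerShell Module) reads the certificate with .NET, derives the matching -Hash and -SignatureAlgorithm values, and checks that the private key file actually belongs to the certificate before any workflow is signed. It assumes PowerShell 7 (.NET 5 or later, for ImportFromPem), an unencrypted PEM private key, the file paths of the example above, and that the SHA512withECDSA naming used by Import-JS7InventoryItem follows the pattern <HASH>with<KEYTYPE>; Get-SigningParameters is a hypothetical helper name.

```powershell
# Added example: derive signing parameters from the certificate and verify the key pair.
# Assumes PowerShell 7 / .NET 5+, an unencrypted PEM key and a PEM certificate file.
function Get-SigningParameters {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [Parameter(Mandatory)] [string] $KeyPath
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CertPath).Path)

    # Key type from the SubjectPublicKeyInfo algorithm OID (id-ecPublicKey / rsaEncryption)
    $keyType = switch ($cert.PublicKey.Oid.Value) {
        '1.2.840.10045.2.1'    { 'ECDSA' }
        '1.2.840.113549.1.1.1' { 'RSA' }
        default { throw "Unsupported public key algorithm OID: $($cert.PublicKey.Oid.Value)" }
    }
    # Hash from the certificate's own signature algorithm OID (sha256/sha512 with ECDSA or RSA)
    $hash = switch ($cert.SignatureAlgorithm.Value) {
        { $_ -in '1.2.840.10045.4.3.2', '1.2.840.113549.1.1.11' } { 'sha256' }
        { $_ -in '1.2.840.10045.4.3.4', '1.2.840.113549.1.1.13' } { 'sha512' }
        default { throw "Unsupported signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)" }
    }
    # The public key derived from the PEM private key must equal the certificate's public key
    $pem = Get-Content -Raw -Path $KeyPath
    if ($keyType -eq 'ECDSA') {
        $priv = [System.Security.Cryptography.ECDsa]::Create(); $priv.ImportFromPem($pem)
        $pub  = $cert.GetECDsaPublicKey()
    } else {
        $priv = [System.Security.Cryptography.RSA]::Create();   $priv.ImportFromPem($pem)
        $pub  = $cert.GetRSAPublicKey()
    }
    $privSpki = [Convert]::ToBase64String($priv.ExportSubjectPublicKeyInfo())
    $certSpki = [Convert]::ToBase64String($pub.ExportSubjectPublicKeyInfo())
    if ($privSpki -ne $certSpki) { throw "Private key $KeyPath does not match certificate $CertPath" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

    [pscustomobject]@{
        Hash               = $hash                               # value for -Hash
        SignatureAlgorithm = "$($hash.ToUpper())with$keyType"    # e.g. SHA512withECDSA, for -SignatureAlgorithm
        Subject            = $cert.Subject
    }
}

# Use inside the pipeline instead of hard-coding sha512 / SHA512withECDSA (paths from the example above)
$p = Get-SigningParameters -CertPath ./ca/ap-si-ecdsa.crt -KeyPath ./ca/ap-si-ecdsa.key
Invoke-JS7WorkflowSigning -Dir ./inventory -Key ./ca/ap-si-ecdsa.key -Cert ./ca/ap-si-ecdsa.crt -Hash $p.Hash
# ... later in the pipeline:
# Import-JS7InventoryItem -FilePath ... -Deploy -ControllerId training -SignatureAlgorithm $p.SignatureAlgorithm
```

The key/certificate comparison is done on the DER SubjectPublicKeyInfo, so an ECDSA key with explicit curve parameters may fail the check even when it belongs to the certificate; the keys created as described in JS7 - How to create X.509 Signing Certificates use named curves.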
Resources
- JS7 - How to connect to JOC Cockpit using the PowerShell Module
- PowerShell CLI 2.0 - Cmdlets - Invoke-JS7WorkflowSigning
- JS7 - How to create X.509 Signing Certificates