
Prerequisites

Required:

Each user with permission to deploy has to publish their own X.509 signing certificate to JOC.

Optional:

In addition, an X.509 certificate of the CA that the user signing certificates were generated from can also be published to JOC. There is only one CA certificate for all profiles.

  • Each user certificate also has to be published to the config/private/trusted-x509-keys folder of the controller/agents.
  • If a CA certificate is present in JOC, it is sufficient to publish only the CA certificate to the config/private/trusted-x509-keys folder of the controller/agents.
    • No further user certificates need to be published to the controller/agents as long as they were created by the given CA.

Deploy Process Overview

  • Export the desired configurations with the checkbox "forSigning" checked.
  • Unpack the exported archive.
    • The archive contains a meta_inf file and the configurations.
  • Sign the configurations and store each signature, base64 encoded, in the same folder.
  • Each signature file must have the same name as the original configuration file plus an additional filename extension.
    • For RSA/ECDSA signatures use the filename extension ".pem" or ".sig" respectively.
    • For PGP signatures use the default filename extension ".asc".
  • Pack the archive again and make sure the meta_inf file is still contained in the root folder of the archive.
  • Upload the archive using the Import And Deploy button.

Example

Export

  • Click on export either in the context menu of the folder you want to export or in the top right corner.
  • Check the checkbox "forSigning".
  • Select the configurations to be deployed.

Signing

Extract the configurations with their folder structure from the archive.


Sign the configuration.

For this example we use OpenSSL to sign the configuration file.

openssl dgst -sha256 -sign c:\sp\devel\js7\keys\sos.private-ec-key.pem -out C:\sp\devel\js7\example\Example\example-wf.workflow.json.sha256 C:\sp\devel\js7\example\Example\example-wf.workflow.json
  • -sha256
    • the digest algorithm used for the signature
  • -sign c:\sp\devel\js7\keys\sos.private-ec-key.pem
    • the private key file to sign the content of the original configuration file
  • -out C:\sp\devel\js7\example\Example\example-wf.workflow.json.sha256
    • the path to the output file
    • the file contains the binary representation of the signature
  • C:\sp\devel\js7\example\Example\example-wf.workflow.json
    • the path to the original configuration file
openssl base64 -in C:\sp\devel\js7\example\Example\example-wf.workflow.json.sha256 -out C:\sp\devel\js7\example\Example\example-wf.workflow.json.pem
  • base64
    • the openssl command for base64 encoding
  • -in C:\sp\devel\js7\example\Example\example-wf.workflow.json.sha256
    • the newly created binary signature file
  • -out C:\sp\devel\js7\example\Example\example-wf.workflow.json.pem
    • the base64 encoded signature text file according to the JOC deploy naming standard

Copy the newly created signature text file to the same folder as the original file.

Pack the file again or insert it into the existing archive.

The exported archive also contains a meta_inf file. This file does not need to be signed. Make sure the file is present in the root folder of the target archive.
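
The signing steps above, applied to every file of an extracted export at once, as an added example that is not part of the original page or of JS7 tooling; the function names and the three arguments are assumptions. It uses SHA-256 and the ".pem" extension as in the OpenSSL commands above, and also checks each signature against the public key of the signing certificate, so a private key that does not match the published certificate is caught before the upload.

```shell
#!/bin/sh
# Added example, not JS7 tooling: function names and arguments are assumptions.

# verify_one FILE PUBKEY: decode FILE.pem and check it against FILE.
verify_one() {
    v_bin=$(mktemp) || return 1
    v_rc=0
    openssl base64 -d -in "$1.pem" -out "$v_bin" &&
        openssl dgst -sha256 -verify "$2" -signature "$v_bin" "$1" >/dev/null 2>&1 ||
        v_rc=$?
    rm -f "$v_bin"
    return "$v_rc"
}

# sign_one FILE KEY PUBKEY: write the base64 signature FILE.pem, then verify it.
# A signature that does not verify is deleted again.
sign_one() {
    s_bin=$(mktemp) || return 1
    s_rc=0
    openssl dgst -sha256 -sign "$2" -out "$s_bin" "$1" &&
        openssl base64 -in "$s_bin" -out "$1.pem" &&
        verify_one "$1" "$3" || s_rc=$?
    rm -f "$s_bin"
    [ "$s_rc" -eq 0 ] || rm -f "$1.pem"
    return "$s_rc"
}

# sign_export DIR KEY CERT: sign every configuration below DIR.
# meta_inf is not signed; signature files from an earlier run are skipped.
sign_export() {
    e_pub=$(mktemp) || return 1
    e_rc=0
    # Public key of the signing certificate, i.e. the one published to JOC.
    openssl x509 -in "$3" -pubkey -noout > "$e_pub" || { rm -f "$e_pub"; return 1; }
    find "$1" -type f ! -name meta_inf ! -name '*.pem' ! -name '*.sig' \
        ! -name '*.asc' | (
        while IFS= read -r e_file; do
            sign_one "$e_file" "$2" "$e_pub" || { echo "FAILED: $e_file" >&2; exit 1; }
            echo "signed: $e_file"
        done
    ) || e_rc=$?
    rm -f "$e_pub"
    return "$e_rc"
}

# Usage: sh sign-export.sh EXPORT_DIR PRIVATE_KEY.pem CERTIFICATE.pem
if [ "$#" -eq 3 ]; then
    sign_export "$@"
fi
```
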

Import/Deploy this archive with the Import And Deploy function.

Enter the signature algorithm using the default Java names for the signature algorithm.

e.g.

OpenSSL | Java with RSA | Java with ECDSA
sha512  | SHA512withRSA | -
sha256  | SHA256withRSA | SHA256withECDSA


On import, the configuration and the signature from the archive are sent directly to the controller and validated there. After that the configuration is deployed.
