JS7 JobScheduler

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 31 Next »

Introduction

  • Users benefit from the certificate authority included with JOC Cockpit to create and to roll-out private keys and certificates.
    • This includes simplified roll-out to Controller and Agent instances to establish secure HTTPS connections.
    • The build-in certificate authority is applicable when operating JOC Cockpit in a low or medium security level, see JS7 - Security Architecture.
  • The built-in certificate authority
    • creates X.509 certificates for HTTPS Mutual Authentication
      • between JOC Cockpit and Controller instances,
      • between Primary and Secondary Controller instances,
      • between Controller instances and Agents.
    • is not used to create server authentication certificates for access to JOC Cockpit. Access is performed by user browsers, therefore it is preferable to use a server authentication certificate that is signed by a known certificate authority for which user browsers include the root certificate.
  • Users benefit from simplified rollout of private keys and certificates when using the built-in certificate authority.

JS7 provides a Certificate Rollout Client available with Controller and Agents instance Start Scripts to create and to roll-out private keys and certificates using the built-in certificate authority. Rollout of private keys and certificates created with an external certificate authority are not in scope of the Command Line Client. The functionality includes

  • to authenticate with JOC Cockpit by use of a security token, see JS7 - Certificate Authority - Manage Certificates with JOC Cockpit,
  • to request a private key and certificate to be created by JOC Cockpit on-the-fly,
  • to update a Controller or Agent instance's configuration for use of the private key and certificate with HTTPS mutual authentication.

Certificate Rollout

Rollout of certificates includes to perform the following steps

  • JOC Cockpit
  • Controller/Agent Instance
    • Both components include the Certificate Rollout Client that is available from the Controller/Agent Instance Start Script.
    • The Certificate Rollout Client connects to JOC Cockpit. Authentication is performed by use of the one-time security token generated with the previous step.
    • The JOC Cockpit certificate authority is requested to create a private key and server/client certificate for the specified host. Private key and certificate are created on-the-fly and are returned to the Certificate Rollout Client. In addition, JOC Cockpit stores the certificate with its database. The Certificate Rollout Client
      • stores the private key in a keystore file,
      • stores the server/client certificate in a truststore file,
      • updates the configuration in the ./config/private/private.conf file.

Certificate Rollout Client

The Controller/Agent Instance Start Script for Unix and Windows includes the Certificate Rollout Client and is available from the following locations:

Standard Arguments

The following arguments are used independently from an HTTP or HTTPS connection to JOC Cockpit:

ArgumentRequiredDescriptionExample
--joc-uriYes

URI of the JOC Cockpit instance from which to receive the private key and certificate.

--joc-uri=http://myhost.example.com:4446
--tokenYes

UUID of the security token for one-time authentication with JOC Cockpit.

--token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b
--dn-onlyNoFlag to receive relevant Distinguished Names (DN) to update the private.conf file, without generating certificates.--dn-only
--subject-dnYes

The subject of the requested certificate includes the Distinguished Name (DN) consisting of CN, OU, O, L, S, C attributes. The hostname of the requesting client is specified as CN.

--subject-dn="CN=myhost, OU=IT Operations, O=SOS,  L=Berlin, S=Berlin, C=DE"
--sanYes

The Subject Alternative Name (SAN) specifies the hostname of the requesting client and optionally variations of the hostname, e.g. the domain part (FQDN). Alternative hostnames are separated by comma.

--san="myhost, myhost.example.com"
--key-aliasYes

Alias name used when storing the requested private key and certificate to the target keystore.

--key-alias="MyKeyAlias"
--ca-aliasYes

Alias name used when storing the requested CA certificate in both, the target keystore and truststore.

--ca-alias="MyTrustedCertificateAlias"




--target-keystoreYes

Path to the keystore to which the requested private key and certificate should be stored.

--target-keystore=/var/sos-berlin.com/js7/controller/var/config/private/https-keystore.p12
--target-keystore-typeNo

Type of the keystore used. Supported values include: PKCS12 (default),
JKS (deprecated).

--target-keystore-type=PKCS12
--target-keystore-passNo

Password for access to the keystore.

--target-keystore-pass="YourKeystorePassword"
--target-keystore-entry-passNo

Password for the requested private key that should be added to the keystore.

--target-keystore-entry-pass="YourKeystoreEntryPassword"




--target-truststoreYes

Path to the truststore to which the trusted CA certificate should be stored.

--target-truststore=/var/sos-berlin.com/js7/controller/var/config/private/https-truststore.p12
--target-truststore-typeNo

Type of the truststore used. Supported values include: PKCS12 (default),
JKS (deprecated).

--target-truststore-type=PKCS12
--target-truststore-passNo

Password for access to the truststore.

--target-truststore-pass="YourTruststorePassword"

--helpNoDisplays usage information, this option has to be specified as the only command line option and has no value.


Explanation:

  • Arguments qualified as required have to be used with any request to JOC Cockpit to create a private key and certificate.
  • The --joc-uri argument specifies the URL for JOC Cockpit. When used with the HTTPS protocol then check the next section for additional arguments.
  • The --target-keystore is located in the Controller or Agent instance's ./config/private directory.

  • The --dn-only argument if present adds related DNs to the private.conf file in the Controller or Agent instances' ./config/private directory. No certificates/keys are generated.

Arguments for use with JOC Cockpit HTTPS Connections

The following arguments are used in addition to standard arguments in case that JOC Cockpit is set up for HTTPS connections:

ArgumentRequiredDescriptionExample
--source-truststoreNo

Path to the truststore holding the trusted certificate(s) to connect to JOC Cockpit by HTTPS.

--source-truststore=/home/sos/public/js7-truststore.p12
--source-truststore-typeNo

Type of the truststore used. Supported values include: PKCS12 (default),
JKS (deprecated).

--source-truststore-type=PKCS12
--source-truststore-passNo

Password for access to the truststore.

--source-truststore-pass="YourTruststorePassword"
--source-certificateNo

Path to a certificate file holding the JOC Cockpit server authentication certificate.

--source-certificate=/home/sos/public/js7-joc-cockpit.crt
--source-ca-certNo

Path to the CA certificate file(s) that are used to verify the JOC Cockpit server authentication certificate. A number of paths can be specified, separated by comma.

--source-ca-cert="/home/sos/public/intermediate_ca.crt, /home/sos/public/root_ca.crt"


Explanation:

  • An HTTPS connection to JOC Cockpit requires to verify the JOC Cockpit server authentication certificate.
  • The --source-truststore-* arguments are used to specify a truststore that holds the root CA certificate and optionally any intermediate CA certificates involved in signing the JOC Cockpit server authentication certificate.

  • The --source-certificate and --source-ca-cert arguments are used as an alternative to --source-truststore-* arguments in case that JOC Cockpit server authentication certificates are available from individual files instead of being available from a common truststore. Supported certificate formats include PEM.

Arguments for use with JOC Cockpit HTTPS Connections using Mutual Authentication

The following arguments are used in addition to HTTPS connection arguments in case that JOC Cockpit is setup for JOC Cockpit - HTTPS Mutual Authentication.

ArgumentRequiredDescriptionExample
--source-keystoreNo

Path of the keystore holding the client's private key and certificate for client authentication.

--source-keystore=/home/sos/private/js7-keystore.p12
--source-keystore-typeNo

Type of keystore used. Supported values include: PKCS12 (default),
JKS (deprecated).

--source-keystore-type=PKCS12
--source-keystore-passNo

Password for access to the keystore holding the private key for client authentication.

--source-keystore-pass="YourKeystorePassword"
--source-keystore-entry-passNo

Password for the private key entry in the keystore.

--source-keystore-entry-pass="YourKeystoreEntryPassword"
--source-private-keyNo

Path to the private key file holding the client authentication private key.

--source-private-key=/home/sos/private/client.key


Explanation:

  • An HTTPS connection to JOC Cockpit with mutual authentication requires
    • to verify the JOC Cockpit server authentication certificate by the requesting client and
    • to verify the client authentication certificate of the requesting client by JOC Cockpit.
  • The --source-keystore-* arguments are used to specify a keystore that holds the client's private key and certificate for client authentication.

  • The --source-private-key argument is used as an alternative to --source-keystore-* arguments in case that the private key is available from an individual file instead of a keystore.

Examples

Standard Examples

Example for use with the Controller/Agent Instance Start Script and default values

with instance startscript and default values
# use with a Controller instance
./bin/controller_instance.sh cert --token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b --joc-uri=https://myhost.example.com:4446

# use with an Agent instance
./bin/agent_<port>.sh cert --token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b --joc-uri=https://myhost.example.com:4446

Explanation:

  • the cert argument for the Instance Start Script to build the Java classpath and to start the Java executable.
  • The --token argument specifies the one-time token to connect to JOC Cockpit.
  • The --joc-uri argument specifies the URL for JOC Cockpit.
  • If no additional arguments are used then the Command Line Client determines default values for the Keystore and Truststore from the instances' ./config/private/private.conf configuration, including defaults for the DN and for the SAN of the certificate.

Example for use with the Controller/Agent Instance Start Script to update relevant DN entries

with instance startscript and default values
# use with a Controller instance
./bin/controller_instance.sh cert --dn-only --token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b --joc-uri=https://myhost.example.com:4446

# use with an Agent instance
./bin/agent_<port>.sh cert --dn-only --token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b --joc-uri=https://myhost.example.com:4446

Explanation:

  • With the  --dn-only argument only relevant Distinguished Names (DNs) will be updated to the ./config/private/private.conf configuration file.

Advanced Examples

Example for use with an HTTP Connection to JOC Cockpit

HTTP Connection to JOC Cockpit 
./bin/controller_instance.sh cert \
    --token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b \
    --joc-uri=http://somehost.example.com:4446 \
    --san="myhost.example.com, myhost" \
    --subject-dn="CN=myhost, OU=IT Operations, O=SOS, C=DE, L=Berlin, ST=Berlin" \
    --key-alias=myhost \
    --ca-alias="Root CA" \
    --target-keystore=/var/sos-berlin.com/js7/controller/var/config/private/https-keystore.p12 \
    --target-keystore-pass=jobscheduler \
    --target-keystore-entry-pass=jobscheduler \
    --target-truststore=/var/sos-berlin.com/js7/controller/var/config/private/https-truststore.p12 \
    --target-truststore-pass=jobscheduler

Explanation:

  • tbd

Example for use with an HTTPS Connection to JOC Cockpit and Mutual Authentication from a Client Truststore

HTTPS Connection to JOC Cockpit with Mutual Authentication from a Client Truststore 
./bin/controller_instance.sh cert \
     --token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b \
     --joc-uri=https://somehost.example.com:4446 \
     --san="myhost.example.com, myhost" \
     --subject-dn="CN=myhost, OU=IT Operations, O=SOS, C=DE, L=Berlin, ST=Berlin" \
     --key-alias=myhost \
     --ca-alias="Root CA" \
     --source-keystore=/home/sos/private/js7-keystore.p12 \
     --source-keystore-pass="" \
     --source-keystore-entry-pass="" \
     --source-truststore=/home/sos/private/js7-truststore.p12 \
     --source-truststore-pass="" \
     --target-keystore=/var/sos-berlin.com/js7/controller/var/config/private/https-keystore.p12 \
     --target-keystore-pass=jobscheduler \
     --target-keystore-entry-pass=jobscheduler \
     --target-truststore=/var/sos-berlin.com/js7/controller/var/config/private/https-truststore.p12 \
     --target-truststore-pass=jobscheduler

Explanation:

  • tbd

Example for use with an HTTPS Connection to JOC Cockpit and Mutual Authentication from a Client Key File

HTTPS Connection to JOC Cockpit with Mutual Authentication from a Client Key File 
./bin/controller_instance.sh cert \
     --token=73bfc4b8-3f15-44b9-a75b-cdb44aec8f4b \
     --joc-uri=https://myhost.example.com:4446 \
     --san="myhost.example.com, myhost" \
     --subject-dn="CN=myhost, OU=IT Operations, O=SOS, C=DE, L=Berlin, ST=Berlin" \
     --key-alias=myhost \
     --ca-alias="Root CA" \
     --source-private-key=/home/sos/private/myhost.key \
     --source-certificate=/home/sos/public/myhost.pem \
     --source-ca-cert="/home/sos/public/intermediate_ca.pem, /home/sos/public/root_ca.pem" \
     --target-keystore=var/sos-berlin.com/js7/controller/var/config/private/https-keystore.p12 \
     --target-keystore-pass=jobscheduler \
     --target-keystore-entry-pass=jobscheduler \
     --target-truststore=var/sos-berlin.com/js7/controller/var/config/private/https-truststore.p12 \
     --target-truststore-pass=jobscheduler


Explanation:

  • tbd



  • No labels