Scope

  • If LDAP is used for authentication, the connection to the LDAP server can be secured with starttls.
  • This article describes the steps required to set up communication with starttls.

Prerequisites

  • The Java keytool is installed with your Java JRE.
  • Your LDAP server is configured to use starttls.
  • When using starttls, your LDAP Realm configuration in the shiro configuration file contains
    ldapRealm.useStartTls=true

Set up a secure connection to your LDAP Server

This configuration is applied in order to enable starttls for the communication with the LDAP Server.

...

  • JOC_HOME is the installation path which is specified during the JOC Cockpit installation:
  • JETTY_HOME = JOC_HOME/jetty
  • JETTY_BASE is Jetty's base directory which is specified during the JOC Cockpit installation:

Step 1: Create the Java Keystore for Jetty

  • Create the Java Keystore using the keytool from your Java JRE.
    • Generate the Java Keystore with the private key and certificate for Jetty and export the certificate to the Keystore that is later on used by the browsers.
      • Example: generate a Keystore with private key and certificate

        keytool -genkey -alias "joc" -dname "CN=jocHost,O=myCompany" -validity 1461 -keyalg RSA -keysize 1024 -keypass secret_key -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store

        Explanations

        • Replace the JETTY_BASE placeholder as specified above.
        • The -dname option specifies the certificate issuer, therefore use your own set of CN, OU, DC values that make up the issuer's distinguished name. The O setting is required for the issuer.
        • The -keypass option specifies the password that you will need later on to manage your private key.
        • The -keystore option specifies the location of your Keystore file.
        • The -storepass option specifies the password for access to your Keystore file.


Step 2: Configure Jetty

  • Edit the following entries in the JETTY_BASE/resources/joc/startjoc.ini configuration file so that they correspond to the Java Keystore:

    ## Keystore file path (relative to $jetty.base)
    jetty.sslContext.keyStorePath=etc/joc.jks

    ## Truststore file path (relative to $jetty.base)
    jetty.sslContext.trustStorePath=etc/joc.jks

    ## Keystore password
    jetty.sslContext.keyStorePassword=secret_store

    ## KeyManager password
    jetty.sslContext.keyManagerPassword=secret_key

    ## Truststore password
    jetty.sslContext.trustStorePassword=secret_store

    ###############################################################################
    ### Location of the Java truststore which contains the certificates of each
    ### JobScheduler Master for HTTPS connections. Path can be absolute or relative
    ### to this file.
    truststore_path = ../../etc/joc.jks

    Explanations

    • Specify the location of the Keystore with the keyStorePath setting and optionally the location of the Truststore with the trustStorePath (or truststore_path) setting. A location relative to the JETTY_BASE directory can be specified.
    • Specify the password for your Keystore with the keyStorePassword setting. If a Truststore is used, then specify its password accordingly with the trustStorePassword setting.
    • The password specified with the keyManagerPassword setting is used for access to your private key.


Step 3: Import your certificate to the JOC Cockpit Web Service Truststore

The following steps are performed on the server that hosts the JOC Cockpit.

    • Example: import the LDAP server certificate into the Truststore

      keytool -importcert -noprompt -file "my_LDAP_Certificate.pem" -alias "my_alias" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
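To confirm that the LDAP server actually negotiates starttls and presents a certificate that chains to what you imported in Step 3, the following check (an added example, not part of JOC Cockpit or of this article) sends the LDAP StartTLS extended operation by hand and then verifies the TLS certificate, including the host name, against the same PEM file you imported with keytool. The host name ldap.example.com and the file name my_LDAP_Certificate.pem are assumed placeholders.

```python
import socket
import ssl

# OID of the LDAP StartTLS extended operation (RFC 4511 / RFC 4513)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def _ber(tag, payload):
    # Encode one BER TLV; the messages used here are well under 256 bytes
    n = len(payload)
    length = bytes([n]) if n < 128 else bytes([0x81, n])
    return bytes([tag]) + length + payload

def _tlv(buf, pos=0):
    # Decode one BER TLV at pos; returns (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    msg_id = _ber(0x02, bytes([message_id]))
    ext_req = _ber(0x77, _ber(0x80, STARTTLS_OID))
    return _ber(0x30, msg_id + ext_req)

def parse_starttls_response(response):
    """Return the resultCode of an ExtendedResponse [APPLICATION 24]; 0 means success."""
    tag, body, _ = _tlv(response)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(body)                 # skip messageID
    op_tag, op, _ = _tlv(body, pos)
    if op_tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    rc_tag, rc, _ = _tlv(op)               # resultCode ENUMERATED
    if rc_tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(rc, "big")

def starttls_check(host, ca_pem, port=389, timeout=5.0):
    """Negotiate StartTLS on a plain LDAP socket, then verify the server certificate
    (chain and host name) against ca_pem, the PEM file imported into the truststore."""
    ctx = ssl.create_default_context(cafile=ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request())
        rc = parse_starttls_response(raw.recv(4096))   # response is a few dozen bytes
        if rc != 0:
            return False, "server refused StartTLS, resultCode=%d" % rc
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return True, tls.getpeercert().get("subject")
```

Run it as starttls_check("ldap.example.com", "my_LDAP_Certificate.pem"); an ssl.SSLCertVerificationError means the presented certificate does not match the file you imported or the host name you connect with.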