...
- Create the Java Keystore using the Keytools from your Java JRE.
- Generate the Java Keystore in JKS format with the private key and certificate for Jetty and export the certificate to the Keystore that is later on used by the browsers.
Example for JKS keystore format
Code Block title Sample for generate Keystore with private key and certificate keytool -genkey -alias "joc" -dname "CN=jocHost,O=myCompany" -validity 1461 -keyalg RSA -keysize 10242048 -keypass secret_key -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store
Example for PKCS12 keystore format
Code Block title Sample for generate Keystore with private key and certificate keytool -genkey -alias "joc" -dname "CN=jocHost,O=myCompany" -validity 1461 -keyalg RSA -keysize 10242048 -keypass secret_key -keystore "JETTY_BASE/etc/joc.jksp12" -storepass secret_store -storetype PKCS12
Explanations
- Replace the
JETTY_BASEplaceholder as specified above. - The
-dnameoption specifies the certificate issuer, therefore use your own set of CN, OU, DC that specify the issuer's distinguished name. The O setting is required for the issuer. - The
-keypassoption accepts the password that you will need later on to manage your private key. - The
-keystoreoption specifies the location of your Keystore file. - The
-storepassoption specifies the password for access to your Keystore file. - The
-storepassoption is used for the PKCS12 keystore format, this option is not required for the JKS keystore format.
- Replace the
- Generate the Java Keystore in JKS format with the private key and certificate for Jetty and export the certificate to the Keystore that is later on used by the browsers.
- Alternatively apply a private key and certificate that are issued by your organization or a trusted authority.
...
- The JOC Cockpit Keystore can also be used as a Truststore where the certificates of a number of JobScheduler Masters are imported.
Example for JKS keystore
Code Block title Sample for import master certificate keytool -importcert -noprompt -file "master-https.pem" -alias "master-host-port" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
Example for PKCS12 keystore
Code Block title Sample for import master certificate keytool -importcert -noprompt -file "master-https.pem" -alias "master-host-port" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts -storetype PKCS12
Explanations
- The alias of each certificate has to be unique for the target Keystore.
- Alternatively, you can import the JobScheduler Master certificates into the default Java Truststore (
JAVA_HOME/lib/security/cacerts) of the Java installation which is used by Jetty, however, this setting will be lost if you switch the Java version.
If you use the keystore of your JOC Cockpit Web Service in Jetty as Truststore of the JobScheduler Master certificates then add the location of the Truststore to the
JETTY_BASE/resources/joc/joc.propertiesconfiguration file like this:Example for JKS keystore format
Code Block ### Location of the Java trustore which contains the certificates of each ### JobScheduler Master for HTTPS connections. Path can be absolute or relative ### to joc.properties truststore_path = ../../etc/joc.jks
Example for PKCS12 keystore format
Code Block ### Location of the Java trustore which contains the certificates of each ### JobScheduler Master for HTTPS connections. Path can be absolute or relative ### to joc.properties truststore_path = ../../etc/joc.jks truststore_type = PKCS12 truststore_password = jobscheduler
- Explanations
- The relative path from the above example looks up the Keystore in the
JETTY_BASE/etcdirectory.
- The relative path from the above example looks up the Keystore in the
The hostname verification can be added optionally in the
JETTY_BASE/resources/joc/joc.propertiesconfiguration file.Code Block ################################################################################ ### Should hostname verification be carried out for https certificate. ### Default false https_with_hostname_verification = true
...