Versions Compared

...

  • On the JOC Cockpit server create the truststore using the keytool from your Java JRE or JDK or some third party utility.
    • For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
      • Root CA certificate
    • For use with keytool create the truststore in JKS or PKCS12 format with the Root CA certificate. The examples below suggest one possible approach to certificate management; there may be other ways to achieve similar results.
      • Example for import of a Root CA certificate to a PKCS12 truststore:

        Code Block (bash): Example how to import a CA-signed certificate into a PKCS12 Truststore
        # import Root CA certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
        keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storetype PKCS12

      • Example for import of a Root CA certificate to a JKS truststore:

        Code Block (bash): Example how to import a CA-signed certificate to a JKS Truststore
        # import Root CA certificate in PEM format to a JKS truststore (https-truststore.jks)
        keytool -import -alias "root-ca" -file "RootCACertificate.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.jks" -storetype JKS

...

Step 2: Configure Jetty

See above chapter Step 3: Configure Jetty for configuration of the keystore with JETTY_BASE/start.ini.

  • Edit the following entries in the JETTY_BASE/start.ini configuration file for use of the truststore:

    Code Block
    ## Truststore file path (relative to $jetty.base)
    jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12

    ## Truststore password
    jetty.sslContext.trustStorePassword=jobscheduler

    Explanation:

    • Specify the location of the truststore with the trustStorePath setting. A location relative to the JETTY_BASE directory can be specified.
    • Specify the password for access to the truststore with the trustStorePassword setting.
  • Specify the settings to enforce client authentication with the following entries in the JETTY_BASE/start.ini configuration file:

    Code Block
    ## force use of client authentication certificates
    jetty.sslContext.needClientAuth=false
    jetty.sslContext.wantClientAuth=true
    jetty.sslContext.endpointIdentificationAlgorithm=

    Explanation:

Risk Mitigation

The above explanations indicate use of a Root CA certificate for verification of Client Authentication certificates when it comes to mutual authentication.

  • In fact, use of a Root CA certificate allows any client that holds a Client Authentication certificate signed by the same Root CA certificate, or by one of its Intermediate CA certificates, to be authenticated. This might allow an unwanted number of clients to access JOC Cockpit.
  • Mitigation strategies include
    • using a separate certificate authority to sign Client Authentication certificates for access to JOC Cockpit.
    • importing individual Client Authentication certificates to the JOC Cockpit truststore instead of using a Root CA certificate. Find further explanations in the JS7 - Authentication article.
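The start.ini client authentication entries from Step 2 and the trust-scope concern above, as an added example that is not part of this page or of JS7: a small Python checker that parses the entries and reports the client-certificate policy Jetty derives from them (needClientAuth=true makes a trusted client certificate mandatory for the handshake, wantClientAuth=true only requests one), plus the review checks a defender would run over the file. The sample start.ini text is constructed from the entries shown above; the default-password check is an assumption about what a reviewer would want flagged.

```python
# Constructed sample of the JETTY_BASE/start.ini entries discussed above (not a file from the page).
START_INI = """\
## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
## Truststore password
jetty.sslContext.trustStorePassword=jobscheduler
## force use of client authentication certificates
jetty.sslContext.needClientAuth=false
jetty.sslContext.wantClientAuth=true
jetty.sslContext.endpointIdentificationAlgorithm=
"""

def parse_start_ini(text):
    """Return the key=value settings, skipping comments, blank lines and --module lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("--"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def _is_true(settings, key):
    return settings.get(key, "false").strip().lower() == "true"

def client_auth_policy(settings):
    """Effective TLS client-certificate policy Jetty derives from the two flags:
    needClientAuth=true  -> handshake fails unless the client presents a trusted certificate
    wantClientAuth=true  -> a certificate is requested, but the handshake also succeeds without one
    neither              -> no certificate is requested at all
    """
    if _is_true(settings, "jetty.sslContext.needClientAuth"):
        return "required"
    if _is_true(settings, "jetty.sslContext.wantClientAuth"):
        return "optional"
    return "none"

def findings(settings):
    """Review checks over the parsed entries; returns readable issues (empty list = clean)."""
    issues = []
    policy = client_auth_policy(settings)
    if policy != "required":
        issues.append("client certificate is %s, not mandatory: needClientAuth=true enforces it" % policy)
    if settings.get("jetty.sslContext.trustStorePassword") == "jobscheduler":
        issues.append("truststore still uses the documented example password (assumed worth flagging)")
    return issues
```

Run findings(parse_start_ini(open("JETTY_BASE/start.ini").read())) against a real file to list what a reviewer would raise before enabling mutual authentication.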

Notes

  • A restart of JOC Cockpit is required to apply modifications to the JOC Cockpit JETTY_BASE/start.ini and JETTY_BASE/resources/joc/joc.properties configuration files.

...