JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 7

changes.mady.by.user Alan Amos

Saved on

compared with

New Version 8

changes.mady.by.user Alan Amos

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info
titleKeystore, Truststore and Configuration out-of-the-box

If you are new to certificate management or are looking for a solution that works out-of-the-box then you can use the configuration from the attached archives:

  • Download
  • The archives include the folders:
    • config.http
      • This folder includes the agent.conf configuration file and the private sub-directory with signing certificates.
      • The contents of this folder corresponds to what you get with the default installation of an Agent.
    • config.https
      • This folder includes the agent.conf configuration file and the private sub-directory with signing certificates and private.conf, keystore and truststore files.
      • The private key and certificate is created by SOS and works for use with Docker containers that are have been started for with the following hostnames:
        • js7-agent-primary
        • js7-agent-secondary
        • js7-controller-primary
        • js7-controller-secondary
      • As the private key is publicly available you should not consider this a solution to secure for securing your HTTPS connections. However, for evaluation purposes it saves the effort of creating and signing key pairs.
    • To apply the configuration, replace the contents of the config folder that is mounted to an Agent container with the contents of the config.http or config.https folders as required.

...

  • The Controller instance's private key has to be created for Server Authentication and Client Authentication extended key usagesuse.
  • The Agent is provided with:
    • a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
    • a truststore that holds the certificate chain - consisting of the Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller instance's certificate.
  • Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
    • Keystore:
      • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-keystore.p12
      • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/https-keystore.p12
    • Truststore:
      • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-truststore.p12
      • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/https-truststore.p12

...

  • The following configuration items have to be added tp to the Agent's private.conf configuration file. For details see the JS7 - Agent Configuration Items article.
    • Mutual Authentication
      • Code Block
        languagebash
        titleAgent Configuration for Mutual Authentication
        linenumberstrue
        js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=js7-controller-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=js7-controller-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
      • This setting specifies the distinguished names that are available from the subjects of Controller instance certificates. Note that the common name (CN) attribute specifies the hostname of a Controller instance. The configuration authenticates a given Controller instance as the distinguished name is unique for a server certificate and therefore replaces the use of passwords.
    • Keystore and truststore locations:
      • Code Block
        languagebash
        titleAgent Configuration for Keystore and Truststore Locations
        linenumberstrue
        js7 {
    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}
      • The configuration items described above specify the locations of the keystore and truststore.
      • Note the optional use of a key password and store password for keystores and the use of a store password for truststores.

...

  • --publish The Agent image is prepared to accept HTTPS requests on port 4443. If the Agent is not operated in a Docker network then an outside port of the Docker host has to be mapped to the inside HTTPS port 4443. The same port has to be assigned the RUN_JS_HTTPS_PORT environment variable.
  • --env=RUN_JS_HTTPS_PORT The port assigned to this environment variable is the same as the inside HTTPS port specified with the --publish option.

...