JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 9

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 10

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • If X.509 private keys are used for the signing of objects then the Root CA Certificate or Intermediate CA Certificate that was used to sign the respective private key has to be in place with the Agent.
  • If PGP private keys are used for the signing of objects then the public key matching the signing key has to be in place with the Agent.
  • The Agent expects certificates/public keys in the following locations:
    • X.509 Certificates
      • Location:
        • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\trusted-x509-keys
        • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/trusted-x509-keys
      • The expected X.509 certificate format is PEM. Certificates can be added from any file names with the extension .pem.
      • Note that instead of individual certificates for each signing key, the Root CA Certificate or Intermediate CA Certificate that was used to sign the private keys is sufficient.
    • PGP Public Keys
      • Location:
        • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\trusted-pgp-keys
        • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/trusted-pgp-keys
      • PGP public keys are expected in ASCII armored format. They can be added from any file names with the extension .asc.
      • Note that for each PGP private key that is used for signing, the corresponding public key has to be available with the Agent.
    • By default the Agent ships with an X.509 certificate from SOS that matches the default signing key available with the JOC Cockpit root account.
  • In order to add individual certificates/public keys, add the relevant files to the locations specified above according to the key type. To revoke certificates/public keys accordingly remove the relevant files from the location specified above for the key type.
  • The locations for certificates/public keys specified above can be accessed from the Docker volume specified with the --mount option for the Agent's container directory /var/sos-berlin.com/js7/agent/var_4445/config. The locations for X.509 certificates and PGP public keys are available from sub-directories.

...

Info
titleKeystore, Truststore and Configuration out-of-the-box

If you are new to certificate management or are looking for a solution that works out-of-the-box then you can use the configuration from the attached archives:

  • Download
  • The archives include the folders:
    • config.http
      • This folder includes the agent.conf configuration file and the private sub-directory with signing certificates.
      • The contents of this folder corresponds to what you get with the default installation of an Agent.
    • config.https
      • This folder includes the agent.conf configuration file and the private sub-directory with signing certificates and private.conf, keystore and truststore files.
      • The private key and certificate is created by SOS and works for use with Docker containers that have been started with the following hostnames:
        • js7-agent-primary
        • js7-agent-secondary
        • js7-controller-primary
        • js7-controller-secondary
      • As the private key is publicly available you should not consider this a solution for securing your HTTPS connections. However, for evaluation purposes it saves the effort of creating and signing key pairs.
    • To apply the configuration, replace the contents of the config folder that is mounted to an Agent container with the contents of the config.http or config.https folders as required.

...

  • --publish The Agent image is prepared to accept HTTPS requests on port 4443. If the Agent is not operated in a Docker container network then an outside port of the Docker container's host has to be mapped to the inside HTTPS port 4443. The same port has to be assigned the RUN_JS_HTTPS_PORT environment variable.
  • --env=RUN_JS_HTTPS_PORT The port assigned to this environment variable is the same as the inside HTTPS port specified with the --publish option.

...