...

  • Keystores and truststores shown in orange are required for any connections of clients to JOC Cockpit.
  • Keystores and truststores shown in green are required if mutual authentication is in place, e.g. to allow certificate based authentication.
  • A JOC Cockpit truststore is required. Should secure connections be used to access a Controller or an LDAP server for authentication/authorization then the truststore will hold the necessary certificates.
  • Consider that the same distribution of private keys and certificates applies to each JOC Cockpit instance in a cluster.

Secure Connection Setup

In the following, JOC_HOME, JETTY_HOME and JETTY_BASE placeholders are used which locate three directories. If you install Jetty with the JOC Cockpit installer then:

...

  • Edit the following entries in the JETTY_BASE/start.d/ssl.ini configuration file for use of the keystore and truststore:

    Code Block
    titleExample how to use the keystore/truststore settings with the start.d/ssl.ini file
    ## Keystore file path (relative to $jetty.base)
    jetty.sslContext.keyStorePath=resources/joc/https-keystore.p12
    
    ## Keystore password
    jetty.sslContext.keyStorePassword=jobscheduler
    
    ## KeyManager password (same as keystore password for pkcs12 keystore type)
    jetty.sslContext.keyManagerPassword=jobscheduler
    
    ## The Keystore type.
    jetty.sslContext.keyStoreType=PKCS12
    
    ## Truststore file path (relative to $jetty.base)
    jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
    
    ## Truststore password
    jetty.sslContext.trustStorePassword=jobscheduler
    
    ## TrustStore type.
    jetty.sslContext.trustStoreType=PKCS12


    Explanation:

    • Specify the location of the keystore with the keyStorePath setting. A location relative to the JETTY_BASE directory can be specified.
    • Specify the password for your keystore with the keyStorePassword setting.
    • The password specified with the keyManagerPassword setting is used for access to your private key. The same password as for the keyStorePassword setting has to be used for a PKCS12 keystore type.
    • Optionally specify the keystore type with the keyStoreType setting. If this setting is missing then the JVM's default keystore type will be used.
    • Specify the location of the truststore with the trustStorePath setting. A location relative to the JETTY_BASE directory can be specified.
    • Specify the password for access to the truststore with the trustStorePassword setting.
    • Specify the truststore type to be one of PKCS12 or JKS.

  • Specify the HTTPS port with the following entries of the JETTY_BASE/start.d/ssl.ini configuration file (default HTTPS port is 48446):

    Code Block
    titleExample how to set the port for the HTTPS protocol with the start.d/ssl.ini file
    ## The host/address to bind the connector to.
    # jetty.ssl.host=joc.example.com
    
    ## Connector port to listen on
    jetty.ssl.port=48446


    Explanation:

    • The jetty.ssl.host setting can optionally be used to bind the HTTPS connector to a single host name or network interface; if it is left commented out, Jetty listens on all interfaces.
    • The jetty.ssl.port setting specifies the HTTPS port for Jetty. Remember to allow incoming connections to this port in your firewall.
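    As an added check that is not part of the JS7 documentation or product, the following Python script parses a JETTY_BASE/start.d/ssl.ini in the key=value format shown above and reports what a reviewer would look for: missing keystore/truststore entries, the installer's default password "jobscheduler" still in use, a keyManagerPassword that differs from keyStorePassword for a PKCS12 keystore, an unsupported store type, an out-of-range port, and store files that cannot be found below JETTY_BASE. The two ini samples are constructed from the example above; the non-default password values and the function names are assumptions.

```python
import os

# Installer default shown in the example above; the audit flags it.
DEFAULT_PASSWORD = "jobscheduler"

REQUIRED_KEYS = (
    "jetty.sslContext.keyStorePath",
    "jetty.sslContext.keyStorePassword",
    "jetty.sslContext.trustStorePath",
    "jetty.sslContext.trustStorePassword",
)
PASSWORD_KEYS = (
    "jetty.sslContext.keyStorePassword",
    "jetty.sslContext.keyManagerPassword",
    "jetty.sslContext.trustStorePassword",
)
TYPE_KEYS = ("jetty.sslContext.keyStoreType", "jetty.sslContext.trustStoreType")
PATH_KEYS = ("jetty.sslContext.keyStorePath", "jetty.sslContext.trustStorePath")

# Constructed sample: the settings from the example above with the default password.
WEAK_INI = """\
--module=ssl
## Keystore file path (relative to $jetty.base)
jetty.sslContext.keyStorePath=resources/joc/https-keystore.p12
jetty.sslContext.keyStorePassword=jobscheduler
jetty.sslContext.keyManagerPassword=jobscheduler
jetty.sslContext.keyStoreType=PKCS12
jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
jetty.sslContext.trustStorePassword=jobscheduler
jetty.sslContext.trustStoreType=PKCS12
# jetty.ssl.host=joc.example.com
jetty.ssl.port=48446
"""

# Constructed sample: same layout with individual, non-default passwords (assumed values).
HARDENED_INI = """\
--module=ssl
jetty.sslContext.keyStorePath=resources/joc/https-keystore.p12
jetty.sslContext.keyStorePassword=K3ystore-Example-Only
jetty.sslContext.keyManagerPassword=K3ystore-Example-Only
jetty.sslContext.keyStoreType=PKCS12
jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
jetty.sslContext.trustStorePassword=Trust5tore-Example-Only
jetty.sslContext.trustStoreType=PKCS12
jetty.ssl.port=48446
"""


def parse_ini(text):
    """Parse Jetty's start.d/*.ini format: one key=value per line, '#' comments,
    no sections. Lines such as --module=ssl are start options, not settings, and are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("--") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_ssl_ini(text, jetty_base=None):
    """Return a list of findings as strings; an empty list means all checks passed.
    If jetty_base is given, the relative store paths are resolved against it."""
    s = parse_ini(text)
    findings = []
    for key in REQUIRED_KEYS:
        if key not in s:
            findings.append(f"missing: {key}")
    for key in PASSWORD_KEYS:
        if s.get(key) == DEFAULT_PASSWORD:
            findings.append(f"default password in use: {key}")
    # For a PKCS12 keystore the page requires the key and store passwords to be identical.
    if (s.get("jetty.sslContext.keyStoreType", "").upper() == "PKCS12"
            and "jetty.sslContext.keyManagerPassword" in s
            and s["jetty.sslContext.keyManagerPassword"] != s.get("jetty.sslContext.keyStorePassword")):
        findings.append("jetty.sslContext.keyManagerPassword differs from keyStorePassword for PKCS12 keystore")
    for key in TYPE_KEYS:
        store_type = s.get(key)
        if store_type is not None and store_type.upper() not in ("PKCS12", "JKS"):
            findings.append(f"unsupported store type {store_type!r} in {key}")
    port = s.get("jetty.ssl.port")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"invalid jetty.ssl.port: {port!r}")
    if jetty_base is not None:
        for key in PATH_KEYS:
            path = s.get(key)
            if path and not os.path.isfile(os.path.join(jetty_base, path)):
                findings.append(f"file not found for {key}: {path}")
    return findings


if __name__ == "__main__":
    for name, ini in (("WEAK_INI", WEAK_INI), ("HARDENED_INI", HARDENED_INI)):
        print(name, audit_ssl_ini(ini) or "ok")
```

    Run it against the real file with audit_ssl_ini(open(path).read(), jetty_base="/path/to/jetty_base") so that the store paths are checked too. The script only inspects the ini file; it does not open the PKCS12 files, so a wrong password is still reported by Jetty at start-up, not here.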

Step 5: Deactivating HTTP Access

...

The above explanations indicate use of a Root CA Certificate for verification of Client Authentication Certificates when it comes to mutual authentication.

  • In fact, use of a Root CA Certificate allows any client that holds a Client Authentication Certificate signed by the same Root CA Certificate or by one of its Intermediate CA Certificate(s) to pass the TLS handshake. This implication might allow an unwanted number of clients to access JOC Cockpit.
  • Coping strategies include
    • using a separate Certificate Authority to sign Client Authentication Certificates for access to JOC Cockpit.
    • importing individual Client Authentication Certificates into the JOC Cockpit truststore instead of a Root CA Certificate.

...