...
Flowchart (Graphviz source of the diagram, re-fenced from the flattened table cell):

```dot
digraph Flowchart {
    // defaults assumed from the original rendering: every node sets fillcolor, ellipses set shape explicitly
    node [style=filled, shape=box];

    browser [label=" User Browser ", fillcolor="lightskyblue"];
    Master  [label=" JobScheduler Master ", fillcolor="lightskyblue"];
    JOC     [label=" JOC Cockpit ", fillcolor="lightskyblue"];

    browser_Truststore [label="User Browser Truststore\ntruststore location is product dependent\nCA Certificates", fillcolor="orange"];
    Master_Keystore    [label="Master Keystore\n./config/private/private-https.jks\nMaster Private Key", fillcolor="orange"];
    JOC_Truststore     [label="JOC Cockpit Truststore\n./jetty_base/etc/joc-https.jks\nCA certificates\nMaster certificates", fillcolor="orange"];
    JOC_Keystore       [label="JOC Cockpit Keystore\n./jetty_base/etc/joc-https.jks\nCA Certificates\nJOC Cockpit Private Key\nJOC Cockpit Certificates", fillcolor="orange"];

    browser_Truststore_CA_RootCertificate     [shape="ellipse", label="CA Root Certificate", fillcolor="white"];
    JOC_Truststore_CA_RootCertificate         [shape="ellipse", label="CA Root Certificate", fillcolor="white"];
    JOC_Truststore_CA_IntermediateCertificate [shape="ellipse", label="CA Intermediate Certificate", fillcolor="white"];
    JOC_Keystore_CA_RootCertificate           [shape="ellipse", label="CA Root Certificate", fillcolor="white"];
    JOC_Keystore_CA_IntermediateCertificate   [shape="ellipse", label="CA Intermediate Certificate", fillcolor="white"];
    Master_PrivateKey           [shape="ellipse", label="Master Private Key", fillcolor="white"];
    Master_Keystore_Certificate [shape="ellipse", label="Master Certificate", fillcolor="white"];
    // highlighted node: the certificate copied from the Master into the JOC Cockpit truststore
    // (the original source read fillcolor="whitechartreuse", which is not a Graphviz color name)
    Master_Truststore_Certificate [shape="ellipse", label="Master Certificate", fillcolor="chartreuse"];
    JOC_PrivateKey  [shape="ellipse", label="JOC Cockpit Private Key", fillcolor="white"];
    JOC_Certificate [shape="ellipse", label="JOC Cockpit Certificate", fillcolor="white"];

    Master -> Master_Keystore;
    Master -> Master_Truststore_Certificate [label=" transfer to JOC Cockpit "];
    Master_Keystore -> Master_PrivateKey -> Master_Keystore_Certificate [label=" add to keystore "];

    browser -> JOC [label=" establish JOC Cockpit connection "];
    browser -> browser_Truststore [label=" use certificate repository "];
    browser_Truststore -> browser_Truststore_CA_RootCertificate [label=" added to truststore by Group Policies "];

    JOC -> JOC_Keystore;
    JOC_Keystore -> JOC_Keystore_CA_RootCertificate -> JOC_Keystore_CA_IntermediateCertificate -> JOC_PrivateKey -> JOC_Certificate [label=" add to keystore "];
    JOC -> JOC_Truststore;
    JOC_Truststore -> JOC_Truststore_CA_RootCertificate -> JOC_Truststore_CA_IntermediateCertificate [label=" add to truststore "];
    JOC_Truststore_CA_IntermediateCertificate -> Master_Truststore_Certificate [label=" add to truststore "];
}
```
The Master's private key and certificate are added to the Master's keystore. In case of a self-signed certificate, the certificate is added to the JOC Cockpit truststore as well. This step can be skipped if a CA-signed certificate is used, as the Root Certificate and Intermediate Certificate in the JOC Cockpit truststore are then sufficient to verify any Master certificate.
...
- The JOC Cockpit Keystore can also be used as a Truststore where the certificates of a number of JobScheduler Masters are imported.
Example for JKS Keystore: how to import the Master public certificate into the JOC Cockpit JKS Keystore

```bash
# import the Master public certificate from a file in PEM format (master-https.crt),
# identified by its alias name (master-https), into the JOC Cockpit JKS keystore (joc-https.jks)
keytool -importcert -noprompt -file "master-https.crt" -alias "master-https" -keystore "JETTY_BASE/etc/joc-https.jks" -storepass jobscheduler -trustcacerts
```
Example for PKCS12 Keystore: how to import the Master public certificate into the JOC Cockpit PKCS12 Keystore

```bash
# import the Master public certificate from a file in PEM format (master-https.crt),
# identified by its alias name (master-https), into the JOC Cockpit PKCS12 keystore (joc-https.p12)
keytool -importcert -noprompt -file "master-https.crt" -alias "master-https" -keystore "JETTY_BASE/etc/joc-https.p12" -storepass jobscheduler -storetype PKCS12 -trustcacerts
```
Explanations
- The alias of each certificate has to be unique for the target Keystore.
- Alternatively, you can import the JobScheduler Master certificates into the default Java Truststore (JAVA_HOME/lib/security/cacerts) of the Java installation that is used by Jetty; however, this setting will be lost if you switch the Java version.
If you use the Keystore of your JOC Cockpit Web Service in Jetty as the Truststore for the JobScheduler Master certificates, then add the location of the Truststore to the JETTY_BASE/resources/joc/joc.properties configuration file like this:

Example for JKS keystore format

```text
### Location of the Java truststore that contains the certificates of each
### JobScheduler Master for HTTPS connections. The path can be absolute or relative
### to joc.properties
truststore_path = ../../etc/joc-https.jks
truststore_password = jobscheduler
```

Example for PKCS12 keystore format

```text
### Location of the Java truststore that contains the certificates of each
### JobScheduler Master for HTTPS connections. The path can be absolute or relative
### to joc.properties
truststore_path = ../../etc/joc-https.p12
truststore_type = PKCS12
truststore_password = jobscheduler
```
Explanations
- The relative path from the above example looks up the Keystore in the JETTY_BASE/etc directory.
Hostname verification can optionally be enabled in the JETTY_BASE/resources/joc/joc.properties configuration file:

```text
################################################################################
### Should hostname verification be carried out for https certificate.
### Default false
https_with_hostname_verification = true
```
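The settings above are easy to get subtly wrong: the relative truststore_path is resolved against the directory holding joc.properties (so ../../etc lands in JETTY_BASE/etc), a PKCS12 file needs truststore_type = PKCS12, and hostname verification stays off unless explicitly enabled. The following script is an added example, not part of the JobScheduler documentation or product code, that resolves the truststore path the way the page describes and reports these inconsistencies. It assumes the property keys shown on this page and treats JKS as the default type because the JKS example omits truststore_type; the sample joc.properties content and the JETTY_BASE tree it builds are constructed for the demonstration.

```python
"""Resolve and sanity-check the truststore settings of a JOC Cockpit joc.properties file.

Added example; not part of the JobScheduler documentation or product code. Assumes the keys
shown on this page (truststore_path, truststore_type, truststore_password,
https_with_hostname_verification) and that a relative truststore_path is taken relative
to the directory containing joc.properties.
"""
import os
import tempfile
from pathlib import Path

# Constructed sample in the layout shown on the page (PKCS12 variant, hostname verification on).
SAMPLE_JOC_PROPERTIES = """\
### Location of the Java truststore that contains the certificates of each
### JobScheduler Master for HTTPS connections. The path can be absolute or relative
### to joc.properties
truststore_path = ../../etc/joc-https.p12
truststore_type = PKCS12
truststore_password = jobscheduler
https_with_hostname_verification = true
"""


def parse_properties(text):
    """Parse 'key = value' lines; '#'/'!' lines are comments, blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve_truststore(props, properties_file):
    """Absolute truststore path: a relative truststore_path is resolved against the
    directory that holds joc.properties (JETTY_BASE/resources/joc on this page)."""
    path = Path(props["truststore_path"])
    if not path.is_absolute():
        path = Path(properties_file).resolve().parent / path
    return Path(os.path.normpath(path))


def check_truststore_config(props, properties_file):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    if "truststore_path" not in props:
        return ["truststore_path is not set"]
    store = resolve_truststore(props, properties_file)
    if not store.is_file():
        findings.append(f"truststore file not found: {store}")
    # The JKS example on the page omits truststore_type, so JKS is assumed to be the default.
    store_type = props.get("truststore_type", "JKS").upper()
    suffix = store.suffix.lower()
    if store_type == "PKCS12" and suffix not in (".p12", ".pfx"):
        findings.append(f"truststore_type is PKCS12 but the file extension is '{suffix}'")
    if store_type == "JKS" and suffix in (".p12", ".pfx"):
        findings.append("truststore_type is not set (JKS assumed) but the file looks like PKCS12")
    if not props.get("truststore_password"):
        findings.append("truststore_password is not set")
    if props.get("https_with_hostname_verification", "false").lower() != "true":
        findings.append("https_with_hostname_verification is off (default false): "
                        "the Master certificate's hostname is not checked")
    return findings


def demo():
    """Build a throw-away JETTY_BASE tree, write the sample file and check it.
    Returns (truststore path relative to JETTY_BASE, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        jetty_base = Path(tmp, "jetty_base").resolve()
        (jetty_base / "etc").mkdir(parents=True)
        (jetty_base / "etc" / "joc-https.p12").write_bytes(b"")  # placeholder file, not a real store
        props_file = jetty_base / "resources" / "joc" / "joc.properties"
        props_file.parent.mkdir(parents=True)
        props_file.write_text(SAMPLE_JOC_PROPERTIES)
        props = parse_properties(props_file.read_text())
        store = resolve_truststore(props, props_file)
        return store.relative_to(jetty_base).as_posix(), check_truststore_config(props, props_file)


if __name__ == "__main__":
    print(demo())
```

Run it against a real installation by pointing parse_properties and check_truststore_config at JETTY_BASE/resources/joc/joc.properties; a non-empty findings list is worth resolving before restarting JOC Cockpit, since a wrong path or type only surfaces as a failed HTTPS connection to the Master.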
Caveat
- In order to apply modifications to the ./config/private/private.conf file of the Master or to any configuration file of JOC Cockpit, a restart of the respective component is required.