JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 7

changes.mady.by.user Alan Amos

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Minor changes

...

Configuring the JOC Cockpit

Consider Note that it is not required necessary to configure the JOC Cockpit - it runs out-of-the-box. The default configuration includes that:

  • specifies HTTP connections which are used that to expose unencrypted communication between clients and JOC Cockpit. Authentication is performed by hashed passwords.

Users who intend to operate a compliant and secure job scheduling environment should consider the descriptions below explanations forcovering:

  • HTTPS connections that encrypt communication between clients, e.g. user browsers, and JOC Cockpit. In addition, consider JOC Cockpit - Two-factor Authentication.
  • HTTPS connections between JOC Cockpit and Controller instances for mutual authentication.

Security: Use with HTTPS Connections

The By default, the JOC Cockpit by default is prepared configured for connections using the HTTP and the HTTPS protocols. There are two purposes for use of HTTPS connections:

  • The JOC Cockpit is accessed by clients using the HTTPS protocol.
  • The JOC Cockpit connects to the Controller using the HTTPS protocol with mutual authentication.

In order to activate HTTPS consider Note that the following prerequisites .have to be fulfilled before order activating HTTPS:


Info
titleKeystore, Truststore and Configuration out-of-the-box

If you are new to certificate management or are looking for a solution that works out-of-the-box then you can use the configuration from the attached archives:

  • Download
  • The archives include the folders:
    • config.http
      • This folder includes the hibernate.cfg.xml configuration file and default keystore & truststore that are not used with the HTTP protocol.
      • The contents of this folder corresponds to what you get from the default installation of a JOC Cockpit image.
    • config.https
      • This folder includes the hibernate.cfg.xml configuration file and default keystore & truststore..
      • The private key and certificate is created by SOS and works for use with Docker containers that are started for the following hostnames:
        • js7-joc-primary
        • js7-joc-secondary
        • js7-controller-primary
        • js7-controller-secondary
      • As the private key is publicly available you should not consider this a solution to secure your HTTPS connections. However, for evaluation purposes it saves the effort of creating and signing key pairs.
    • To apply the configuration replace the contents of the config folder that is mounted to a JOC Cockpit container with the contents of the config.http or config.https folders respectively.

...

  • The JOC Cockpit instance's private key has to be created for Server Authentication key usage. If the Controller instance is configured for mutual authentication then the Client Authentication extended key usage has to be available from the JOC Cockpit instance's private key.
  • The JOC Cockpit instance is provided with:
    • a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
    • a truststore that holds the certificate chain - consisting of Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller's certificate.
  • Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
    • Keystore
      • Windows: C:\ProgramData\sos-berlin.com\js7\joc\resources\joc\https-keystore.p12
      • Unix: /var/sos-berlin.com/js7/joc/resources/joc/https-keystore.p12
    • Truststore
      • Windows: C:\ProgramData\sos-berlin.com\js7\joc\resources\joc\https-truststore.p12
      • Unix: /var/sos-berlin.com/js7/joc/resources/joc/https-truststore.p12

...

  • The JOC Cockpit instance's start.ini configuration file by default holds the following configuration items. For details see JS7 - JOC Cockpit Configuration Items

    Code Block
    languagebash
    titleJOC Cockpit Configuration for Keystore and Truststore Locations with HTTPS Client Connections
    linenumberstrue
    ## Keystore file path (relative to $jetty.base)
jetty.sslContext.keyStorePath=resources/joc/https-keystore.p12

## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12

## Keystore password
jetty.sslContext.keyStorePassword=jobscheduler

## KeyManager password (same as keystore password for pkcs12 keystore type)
jetty.sslContext.keyManagerPassword=jobscheduler

## Truststore password
jetty.sslContext.trustStorePassword=jobscheduler

## Connector port to listen on
jetty.ssl.port=4443
  • Keystore and truststore locations:
    • The above configuration items listed above specify the locations of keystore and truststore.
    • Consider optional use of a key password and store password for keystores and of a store password for truststores.

...

Code Block
languagebash
titleRun JOC Cockpit Container for HTTPS Connections
linenumberstrue
#!/bin/sh

docker run -dit --rm \
      ...
      --publish=17443:4443 \
      --env="RUN_JS_HTTPS_PORT=4443" \
      ...

ExplanationsExplanation:

  • --publish The JOC Cockpit image is prepared configured to accept HTTPS requests on port 4443. If the JOC Cockpit instance is not operated in a Docker network then an outside port of the Docker host has to be mapped to the inside HTTPS port 4443. The same port has to be assigned the RUN_JS_HTTPS_PORT environment variable.
  • --env=RUN_JS_HTTPS_PORT The port assigned this environment variable is the same as the inside HTTPS port specified with the --publish option.

...

  • When using HTTPS connections then , consider to drop dropping the HTTP port of the JOC Cockpit instance by omitting the following from the settings listed above settings:
    • --publish=17446:4446 This mapping should be dropped in order to prevent incoming traffic to the JOC Cockpit instance's HTTP port.

High Availability:

...

Operating a Cluster

JOC Cockpit can be operated as a passive cluster for high availability. 

  • Consider Note that the clustering operational feature of clustering is subject to JS7 - LicensingLicense. Without a license
    • no fail-over/switch-over will not take place between JOC Cockpit cluster members.
    • you have to (re)start a Secondary JOC Cockpit instance if you want this instance to become active after the Primary JOC Cockpit instance is shutdown or becomes unavailable.
  • The installation of JOC Cockpit cluster members is the same as explained with the JS7 - JOC Cockpit Installation for Docker Containers
    • Both Primary and Secondary JOC Cockpit containers can be started from the same image.
    • Both JOC Cockpit instances will become visible with each instance's Dashboard View.

...