
  • Certificate stores can be managed from the command line and with tools that provide a GUI for this purpose:
    • the Java keytool is available from the Java JRE or JDK,
    • the Keystore Explorer is an open source utility to graphically manage certificate stores.

Certificate Management

Certificate Management for secure connections of clients to JOC Cockpit

If JOC Cockpit and JobScheduler Master are operated on the same server, then no HTTPS connection between both components is required. To secure the JOC Cockpit user interface for HTTPS access by clients (user browsers or REST API clients), the following private key and certificates should be in place:


Flowchart (Graphviz DOT)

digraph JocClientCertificates {
    // node defaults added so that the block renders stand-alone with dot;
    // the original relied on the Confluence Flowchart macro's defaults
    node [shape="box", style="filled"]

    browserClient [label="   Client   \nUser Browser / REST API Client   ", fillcolor="lightskyblue"]
    JOC [label="   JOC Cockpit   ", fillcolor="lightskyblue"]

    browserClient_Truststore [label="Client Truststore\ntruststore location is product dependent\n\nCA Certificates", fillcolor="orange"]
    JOC_Keystore [label="JOC Cockpit Keystore\n./jetty_base/resources/joc/https-keystore.p12\n\nCA Certificates\nJOC Cockpit Private Key\nJOC Cockpit Certificate", fillcolor="orange"]

    browserClient_Truststore_CA_RootCertificate [shape="ellipse", label="CA Root Certificate", fillcolor="white"]
    JOC_Keystore_CA_RootCertificate [shape="ellipse", label="CA Root Certificate", fillcolor="white"]
    JOC_Keystore_CA_IntermediateCertificate [shape="ellipse", label="CA Intermediate Certificate", fillcolor="white"]

    JOC_PrivateKey [shape="ellipse", label="JOC Cockpit Private Key", fillcolor="white"]
    JOC_Certificate [shape="ellipse", label="JOC Cockpit Certificate", fillcolor="white"]

    browserClient -> JOC [label=" establish JOC Cockpit connection "]
    browserClient -> browserClient_Truststore [label=" use certificate store "]
    browserClient_Truststore -> browserClient_Truststore_CA_RootCertificate [label=" add to truststore, e.g. by Group Policies "]

    JOC -> JOC_Keystore
    JOC_Keystore -> JOC_Keystore_CA_RootCertificate -> JOC_Keystore_CA_IntermediateCertificate [label=" add to keystore "]
    JOC_Keystore -> JOC_PrivateKey -> JOC_Certificate [label=" add to keystore "]
}

Then proceed with the chapter Set up a secure connection for clients to JOC Cockpit.

Certificate Management for secure connections from JOC Cockpit to Controller

If JOC Cockpit and Controller are operated on the same server and network interface, then no HTTPS connection between both components is required.

If JOC Cockpit and JobScheduler Controller are operated on different servers, then this connection should be secured by HTTPS.

Private keys and public certificates should be distributed as follows:


Flowchart (Graphviz DOT)

digraph JocControllerCertificates {
    // node defaults added so that the block renders stand-alone with dot;
    // the original relied on the Confluence Flowchart macro's defaults
    node [shape="box", style="filled"]

    browserClient [label="   Client   \nUser Browser / REST Client", fillcolor="lightskyblue"]
    Controller [label="   Controller   ", fillcolor="lightskyblue"]
    JOC [label="   JOC Cockpit   ", fillcolor="lightskyblue"]

    browserClient_Truststore [label="Client Truststore\ntruststore location is product dependent\n\nCA Certificates", fillcolor="orange"]
    Controller_Keystore [label="Controller Keystore\n./config/private/https-keystore.p12\n\nCA Certificates\nController Private Key / Certificate", fillcolor="orange"]
    JOC_Truststore [label="JOC Cockpit Truststore\n./jetty_base/resources/joc/https-truststore.p12\n\nCA Certificates\nController Certificate (self-signed only)", fillcolor="orange"]
    JOC_Keystore [label="JOC Cockpit Keystore\n./jetty_base/resources/joc/https-keystore.p12\n\nCA Certificates\nJOC Cockpit Private Key\nJOC Cockpit Certificate", fillcolor="orange"]

    browserClient_Truststore_CA_RootCertificate [shape="ellipse", label="CA Root Certificate", fillcolor="white"]
    JOC_Truststore_CA_RootCertificate [shape="ellipse", label="CA Root Certificate", fillcolor="white"]
    JOC_Truststore_CA_IntermediateCertificate [shape="ellipse", label="CA Intermediate Certificate", fillcolor="white"]
    JOC_Keystore_CA_RootCertificate [shape="ellipse", label="CA Root Certificate", fillcolor="white"]
    JOC_Keystore_CA_IntermediateCertificate [shape="ellipse", label="CA Intermediate Certificate", fillcolor="white"]

    Controller_Keystore_CA_RootCertificate [shape="ellipse", label="CA Root Certificate", fillcolor="white"]
    Controller_Keystore_CA_IntermediateCertificate [shape="ellipse", label="CA Intermediate Certificate", fillcolor="white"]
    Controller_PrivateKey [shape="ellipse", label="Controller Private Key", fillcolor="white"]
    Controller_Keystore_Certificate [shape="ellipse", label="Controller Certificate", fillcolor="white"]

    JOC_PrivateKey [shape="ellipse", label="JOC Cockpit Private Key", fillcolor="white"]
    JOC_Certificate [shape="ellipse", label="JOC Cockpit Certificate", fillcolor="white"]

    Controller -> Controller_Keystore
    Controller_Keystore -> Controller_Keystore_CA_RootCertificate -> Controller_Keystore_CA_IntermediateCertificate [label=" add to keystore "]
    Controller_Keystore -> Controller_PrivateKey -> Controller_Keystore_Certificate [label=" add to keystore "]

    browserClient -> JOC [label=" establish JOC Cockpit connection "]
    browserClient -> browserClient_Truststore [label=" use certificate store "]
    browserClient_Truststore -> browserClient_Truststore_CA_RootCertificate [label=" add to truststore, e.g. by Group Policies "]

    JOC -> JOC_Keystore
    JOC_Keystore -> JOC_Keystore_CA_RootCertificate -> JOC_Keystore_CA_IntermediateCertificate [label=" add to keystore "]
    JOC_Keystore -> JOC_PrivateKey -> JOC_Certificate [label=" add to keystore "]

    JOC -> JOC_Truststore
    JOC_Truststore -> JOC_Truststore_CA_RootCertificate -> JOC_Truststore_CA_IntermediateCertificate [label=" add to truststore "]
    JOC_Truststore -> Controller_Keystore_Certificate [label=" add to truststore (self-signed certificate only) "]
}


The Controller's private key and certificate are added to the Controller's keystore. In case of a self-signed certificate, the certificate is added to the JOC Cockpit truststore as well. This step can be skipped if a CA-signed certificate is used, as the Root Certificate and Intermediate Certificate in the JOC Cockpit truststore are then sufficient to verify any Controller certificate.
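Before Jetty is restarted it is worth checking that the two stores actually satisfy the rules in the two diagrams above: the JOC Cockpit keystore must hold the private key together with its certificate chain, and the JOC Cockpit truststore must be able to verify the Controller certificate, which means the certificate itself for a self-signed Controller certificate or the CA Root / Intermediate certificates for a CA-signed one. The following program is an added example written for this page; it is not part of JS7 or JOC Cockpit. It uses only the JDK, and it assumes that JETTY_BASE is given as its first argument, that the store file names are those shown in the diagrams, that the Controller certificate (with any intermediates) has been exported to a PEM file given as its second argument, and that the store passwords are entered on the console.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/*
 * Added example, not part of JS7 / JOC Cockpit. Checks the two PKCS12 stores from the diagrams
 * above: https-keystore.p12 must hold one private key with its certificate chain, and
 * https-truststore.p12 must be able to validate the Controller certificate (a self-signed
 * certificate must be present in it, a CA-signed one must chain to the CA certificates in it).
 * Assumptions: JETTY_BASE is the first argument, the Controller certificate chain has been
 * exported to the PEM file given as second argument, store passwords are read from the console.
 */
public class CheckJocStores {

    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    /* Returns the alias of the single private key entry after checking its chain. */
    static String checkKeystore(KeyStore ks) throws Exception {
        List<String> keyAliases = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) keyAliases.add(alias);
        }
        if (keyAliases.size() != 1) {
            throw new IllegalStateException("expected exactly one private key entry, found " + keyAliases);
        }
        String alias = keyAliases.get(0);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate chain stored with private key '" + alias + "'");
        }
        for (Certificate c : chain) ((X509Certificate) c).checkValidity(); // expired / not yet valid -> exception
        X509Certificate last = (X509Certificate) chain[chain.length - 1];
        if (chain.length > 1 && last.getBasicConstraints() < 0) {
            throw new IllegalStateException("chain for '" + alias + "' does not end in a CA certificate");
        }
        return alias;
    }

    /* Validates the Controller certificate chain against the certificates held in the truststore. */
    static void checkTruststore(KeyStore ts, List<X509Certificate> controllerChain) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ts.aliases())) {
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate) anchors.add(new TrustAnchor((X509Certificate) c, null));
        }
        if (anchors.isEmpty()) throw new IllegalStateException("truststore contains no certificates");

        X509Certificate leaf = controllerChain.get(0);
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            leaf.verify(leaf.getPublicKey()); // really self-signed, not merely self-issued
            if (anchors.stream().noneMatch(a -> a.getTrustedCert().equals(leaf))) {
                throw new IllegalStateException("self-signed Controller certificate is missing from the truststore");
            }
            return;
        }
        // CA-signed: the path runs from the leaf up to, but excluding, whatever the truststore already
        // anchors (root or intermediate); PKIX then checks signatures, validity and basic constraints.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : controllerChain) {
            if (anchors.stream().noneMatch(a -> a.getTrustedCert().equals(c))) path.add(c);
        }
        if (path.isEmpty()) return; // the Controller certificate itself is pinned in the truststore
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline check: no CRL or OCSP lookups
        CertPathValidator.getInstance("PKIX").validate(certPath, params); // throws on any failure
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: CheckJocStores <JETTY_BASE> <controller-chain.pem>");
            System.exit(2);
        }
        String storeDir = args[0] + "/resources/joc/";
        char[] keystorePw = System.console().readPassword("keystore password: ");
        char[] truststorePw = System.console().readPassword("truststore password: ");

        KeyStore keystore = loadPkcs12(storeDir + "https-keystore.p12", keystorePw);
        System.out.println("keystore OK, private key alias: " + checkKeystore(keystore));

        List<X509Certificate> controllerChain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[1])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                controllerChain.add((X509Certificate) c);
            }
        }
        KeyStore truststore = loadPkcs12(storeDir + "https-truststore.p12", truststorePw);
        checkTruststore(truststore, controllerChain);
        System.out.println("truststore OK, Controller certificate chain validates");
    }
}
```

Run it from a terminal with a JDK 11 or later, for example `java CheckJocStores.java /home/<setup-user>/sos-berlin.com/js7/joc controller-chain.pem`; it needs an interactive console for the password prompts. Any failure surfaces as an exception naming the offending store, which is easier to act on than a TLS handshake error in the Jetty log after the restart. Revocation checking is switched off because the check is meant to run on a host that may have no access to the CA's CRL or OCSP endpoints; it does not replace the revocation checking done by the running components.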

Secure Connection Setup

Set up a secure connection for clients to JOC Cockpit

This configuration is applied in order to enable clients (user browsers, REST API clients) to access JOC Cockpit by use of HTTPS.

In the following, the placeholders JOC_HOME, JETTY_HOME and JETTY_BASE denote three directories. If Jetty is installed with the JOC Cockpit installer, then

  • JOC_HOME is the installation path which is specified during the JOC Cockpit installation:
    • /opt/sos-berlin.com/js7/joc (default on Linux)
    • C:\Program Files\sos-berlin.com\js7\joc (default on Windows)
  • JETTY_HOME = JOC_HOME/jetty
  • JETTY_BASE is Jetty's base directory which is specified during the JOC Cockpit installation:
    • /home/<setup-user>/sos-berlin.com/js7/joc (default on Linux)
    • C:\ProgramData\sos-berlin.com\js7\joc (default on Windows)

Step 1: Add the HTTPS module to Jetty
