JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 50

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 51

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • On the Controller instance's server create the keystore using openssl and the keytool from your Java JRE or JDK or a third party utility.
    • For use with a third party utility create a keystore, e.g. https-keystore.p12, in PKCS12 format and import:
      • Controller private key and certificate for Server Authentication
    • For use with openssl and keytool create the keystore with the private key and certificate for Server Authentication from the command line. The examples below show a possible approach for certificate management - however, there are other ways of achieving similar results.

      • Example for importing a private key and CA-signed certificate to a PKCS12 keystore:

        Code Block
        languagebash
        titleExample how to import a private key and CA-signed certificate to a PKCS12 keystore
        # Assume the fully qualified domain name (FQDN) of the Controller server to be "controller.example.com"

# If the Controller's CA-signed certificate is provided from a pkcs12 keystore (certificate.p12), extract the certificate to a .crt file in PEM format (controller.example.com.crt)
# openssl pkcs12 -in certificate.p12 -nokeys -out controller.example.com.crt

# Import the Controller's private key (controller.example.com.key) and certificate (controller.example.com.crt) from PEM format to a new keystore (controller.example.com.p12)
openssl pkcs12 -export -in controller.example.com.crt -inkey controller.example.com.key --name controller.example.com -out "JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12"

      • Example for creating a private key and self-signed certificate and import to a keystore

        • Refer to examples available from JS7 - How to create self-signed Certificates, chapter Creating a Server Certificate.

          Code Block
          languagebash
          titleExample how to create a private key and self-signed certificate
          # Creating the private key and self-signed certificate for the given validity period
./create_certificate.sh --dns=controller.example.com --days=365

        • Refer to examples available from JS7 - How to add SSL TLS Certificates to Keystore and Truststore.

          Code Block
          titleExample how to add a private key and self-signed certificate to a PKCS12 keystore
          # Adding the private key and certificate to a keystore
./js7_create_certificate_store.sh \
    --keystore=JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12 \
    --key=controller.example.com.key \
    --cert=controller.example.com.crt \
    --alias=controller.example.com \
    --password="jobscheduler"


          When using additional arguments for creation of a truststore then users have the truststore available for the later step 4:

          Code Block
          titleExample how to add a private key and self-signed certificate to a PKCS12 keystore and the Root CA Certificate to a truststore
          # Adding the private key and certificate to a keystore and Root CA Certificate to a truststore
./js7_create_certificate_store.sh \
    --keystore=JS7_CONTROLLER_CONFIG_DIR/private/https-keystore.p12 \
    --truststore=JS7_CONTROLLER_CONFIG_DIR/private/https-truststore.p12 \ 
    --key=controller.example.com.key \
    --cert=controller.example.com.crt \
    --alias=controller.example.com \
    --password="jobscheduler" \
    --ca-root=root-ca.crt
    • With the keystore being set up, specify the relevant properties with the JS7_CONTROLLER_CONFIG_DIR/private/private.conf configuration file:

      • Example

        Code Block
        languagetext
        titleExample for private.conf file specifying the Controller keystore
        js7 {
    web {
        # keystore location for https connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password="jobscheduler"
                store-password="jobscheduler"
            }
        }
    }
}


        Explanation:
        • js7.web.https.keystore.file is used for the path to the keystore.
        • js7.web.https.keystore.key-password is used for access to the private key.
        • js7.web.https.keystore.store-password is used for access to the keystore. Passwords for private key and keystore have to match when using PKCS12 keystores.

  • On the Controller instance's server create the keystore using the keytool from your Java JRE or JDK or a third party utility.
    • For use with a third party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
      • Root CA Certificate
    • The examples below show a possible approach for certificate management - however, there are other ways of achieving similar results.

      • Example for importing a Root CA Certificate to a PKCS12 keystore:

        Code Block
        languagebash
        titleExample how to import a Root CA Certificate to a PKCS12 keystore
        # Import Root CA Certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
keytool -importcert -alias "root-ca" -file "root-ca.crt" -keystore "JS7_CONTROLLER_CONFIG_DIR/private/https-truststore.p12" -storetype PKCS12

...

Show If
matchall
userap

Risk Mitigation

The descriptions above indicate use of a Root CA certificate Certificate for verification of Client Authentication certificates when it comes to mutual authentication.

  • In fact use of a Root CA certificate Certificate allows any clients with a Client Authentication certificate signed by the same Root CA certificate or Intermediate CA to be authenticated. This implication might allow an unwanted number of clients to access a Controller. By design the only clients to access a Controller should be JOC Cockpit instances.
  • Coping strategies include:
    • using a separate certificate authority to sign Client Authentication certificates for access to Controllers.
    • importing individual Client Authentication certificates to the Controller's truststore instead of using a Root CA certificateCertificate.

Notes

  • A restart of the relevant product is required to apply modifications to either the the Controller JS7_CONFIG_DIR/private/private.conf file or to JOC Cockpit configuration files.

...