
Scope

Prerequisites

  • The only prerequisite is the keytool utility that ships with your Java JRE.

Set up a secure connection to JOC Cockpit as a web application in Jetty

In the following, JOC_HOME, JETTY_HOME and JETTY_BASE denote three directories. If you installed Jetty with the JOC installer then:

  • JOC_HOME is the installation path which is specified during the JOC installation
    • C:\Program Files\sos-berlin.com\joc (default on Windows)
    • /opt/sos-berlin.com/joc (default on Linux)
  • JETTY_HOME = JOC_HOME/jetty
  • JETTY_BASE is Jetty's base directory which is specified during the JOC installation
    • C:\ProgramData\sos-berlin.com\joc (default on Windows)
    • /home/<setup-user>/sos-berlin.com/joc (default on Linux)

Step 1: Add the HTTPS module to Jetty

  • Run the following command and replace the JETTY_HOME and JETTY_BASE placeholders as specified above:

    add https module
    java -jar "JETTY_HOME/start.jar" -Djetty.home="JETTY_HOME" -Djetty.base="JETTY_BASE" --add-to-start=https
  • Having executed the above command you should find a new folder JETTY_BASE/etc
    • Jetty expects a keystore in this folder with the name "keystore" as default.
    • You can copy JETTY_HOME/etc/keystore to JETTY_BASE/etc/keystore as a workaround, but you should use your own keystore later on (see step 2). The workaround is not recommended, in particular because the keystore from JETTY_HOME/etc/keystore expires after a short lifetime.

      Jetty doesn't start if it doesn't find a keystore corresponding to its settings.

  • In addition, some entries for SSL settings such as the HTTPS port are added to the JETTY_BASE/start.ini configuration file.

Step 2: Create the Java Keystore for Jetty

  • Create the Java Keystore using the keytool utility from your Java JRE.
    • Generate the Java Keystore with the private key and certificate for Jetty and export the certificate to the keystore that is later on used by the browsers.
      • Example

        Sample: generate a Keystore with private key and certificate
        keytool -genkey -alias "joc" -dname "CN=jocHost,O=myCompany" -validity 1461 -keyalg RSA -keysize 1024 -keypass secret_key -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store

        Explanations

        • Replace the JETTY_BASE placeholder as specified above.
        • The -dname option specifies the distinguished name of the certificate's owner (for this self-signed certificate it is also the issuer), therefore use your own set of CN, OU, DC. The O setting is required. The CN should be the host name under which browsers reach JOC Cockpit, otherwise browsers report a host name mismatch.
        • The -keypass option accepts the password that you will need later on to manage your private key.
        • The -keystore option specifies the location of your Keystore file.
        • The -storepass option specifies the password for access to your Keystore file.
        • The -keysize 1024 used in the sample is no longer considered secure for RSA; use -keysize 2048 or larger.
    • This Keystore can also be used as a Truststore into which the certificates of a number of JobScheduler Masters are imported. The alias of each imported certificate has to be unique.
      • Example

        Sample: import a Master certificate
        keytool -importcert -noprompt -file "master-https.pem" -alias "master-host-port" -keystore "JETTY_BASE/etc/joc.jks" -storepass secret_store -trustcacerts
    • Alternatively, you can import the JobScheduler Master certificates into the default Java Truststore (JAVA_HOME/lib/security/cacerts) of the Java installation that is used by Jetty; however, this setting will get lost if you change the Java version.

Step 3: Configure Jetty

  • Edit the following entries in the JETTY_BASE/start.ini configuration file so that they correspond to your Java Keystore:


    ## Keystore file path (relative to $jetty.base)
    jetty.sslContext.keyStorePath=etc/joc.jks
    
    ## Truststore file path (relative to $jetty.base)
    jetty.sslContext.trustStorePath=etc/joc.jks
    
    ## Keystore password
    jetty.sslContext.keyStorePassword=secret_store
    
    ## KeyManager password
    jetty.sslContext.keyManagerPassword=secret_key
    
    ## Truststore password
    jetty.sslContext.trustStorePassword=secret_store


    Explanations

    • Specify the location of the Keystore with the keyStorePath setting and optionally of the Truststore with the trustStorePath setting. A location relative to the JETTY_BASE directory can be specified.
    • Specify the password for your Keystore with the keyStorePassword setting. If a Truststore is used then specify its password accordingly with the trustStorePassword setting.
    • The password specified with the keyManagerPassword setting is used for access to your private key.

  • Specify the HTTPS port with the following entry of the JETTY_BASE/start.ini configuration file (default HTTPS port is 48446):

    ## Connector port to listen on
    jetty.ssl.port=48446

Step 4: Configure JOC web services

  • If you use the Keystore in Jetty as Truststore for the JobScheduler Master certificates then add the location of the Truststore to the JETTY_BASE/resources/joc/joc.properties configuration file:

    ### Location of the Java truststore which contains the certificates of each
    ### JobScheduler Master for HTTPS connections. Path can be absolute or relative
    ### to joc.properties
    truststore_path = ../../etc/joc.jks
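Because Jetty resolves trustStorePath relative to $jetty.base while JOC resolves truststore_path relative to joc.properties, the two settings can silently point at different files. The following added example (not code from the JOC Cockpit project) checks that both resolve to the same keystore and that the short-lived keystore copied from JETTY_HOME/etc is not still in use; the JETTY_BASE path and file contents are constructed samples and POSIX path semantics are assumed.

```python
import posixpath

# Constructed samples of the two files from steps 3 and 4 (not copied from a real installation).
SAMPLE_START_INI = """\
## Keystore file path (relative to $jetty.base)
jetty.sslContext.keyStorePath=etc/joc.jks
## Truststore file path (relative to $jetty.base)
jetty.sslContext.trustStorePath=etc/joc.jks
"""
SAMPLE_JOC_PROPERTIES = """\
### Location of the Java truststore, absolute or relative to joc.properties
truststore_path = ../../etc/joc.jks
"""

def parse_kv(text):
    """Parse 'key=value' lines; comment lines (#) and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def resolve(base_dir, path):
    """Resolve path against base_dir unless it is already absolute (POSIX semantics assumed)."""
    return posixpath.normpath(path if posixpath.isabs(path) else posixpath.join(base_dir, path))

def check_truststore_config(jetty_base, start_ini, joc_properties):
    """Return a list of findings; an empty list means Jetty and JOC use the same truststore."""
    findings = []
    jetty = parse_kv(start_ini)
    joc = parse_kv(joc_properties)
    jetty_ts = jetty.get("jetty.sslContext.trustStorePath")
    joc_ts = joc.get("truststore_path")
    if jetty_ts is None:
        findings.append("start.ini: jetty.sslContext.trustStorePath is not set")
    if joc_ts is None:
        findings.append("joc.properties: truststore_path is not set")
    if jetty_ts and joc_ts:
        # Jetty resolves relative to $jetty.base, JOC relative to JETTY_BASE/resources/joc/joc.properties
        jetty_file = resolve(jetty_base, jetty_ts)
        joc_file = resolve(posixpath.join(jetty_base, "resources", "joc"), joc_ts)
        if jetty_file != joc_file:
            findings.append(f"truststore mismatch: Jetty uses {jetty_file}, JOC uses {joc_file}")
    if jetty.get("jetty.sslContext.keyStorePath") == "etc/keystore":
        findings.append("start.ini: Jetty still uses the short-lived keystore copied from JETTY_HOME/etc")
    return findings
```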

Set up a secure connection from the JOC Cockpit Web Service to the JobScheduler Master

Step 1: Create the Java Keystore

  • Create the Java Keystore using the keytool utility from your Java JRE.
    • Generate the Java Keystore with the private key and the certificate for the JobScheduler Master and export the certificate to a second Keystore that is later on used by the JOC Cockpit.
      • Example

        Sample: generate a Keystore with private key and certificate
        keytool -genkey -alias "master-https" -dname "CN=jobSchedulerHost,O=myCompany" -validity 1461 -keyalg RSA -keysize 1024 -keypass jobscheduler -keystore "private-https.jks" -storepass jobscheduler

        Explanations

        • The -keystore path is relative to the current directory unless you specify an absolute path; the JobScheduler Master reads the Keystore from the location configured in private.conf (see below).
        • The -dname option specifies the distinguished name of the certificate's owner (for this self-signed certificate it is also the issuer), therefore use your own set of CN, OU, DC. The O setting is required. The CN should be the host name under which JOC Cockpit reaches the Master.
        • The -keypass option accepts the password that you will need later on to manage your private key.
        • The -storepass option specifies the password for access to your Keystore file.
        • As in step 2 of the previous section, prefer -keysize 2048 or larger over the 1024 shown in the sample.

        Sample: export the certificate
        keytool -exportcert -rfc -noprompt -file "master-https.pem" -alias "master-https" -keystore "private-https.jks" -storepass jobscheduler
    • If not otherwise configured then the JobScheduler Master by default uses the password jobscheduler for the respective Keystore.
    • If you choose an individual password for the Master Keystore then adjust the following properties in the SCHEDULER_DATA/config/private/private.conf configuration file:
      • Explanations
        • jobscheduler.master.webserver.https.keystore.file is used for the path to the Keystore
        • jobscheduler.master.webserver.https.keystore.password is used for the Keystore password
        • jobscheduler.master.webserver.https.keystore.key-password is used for the password of your private HTTPS certificate
        • Example

          Sample private.conf file
          jobscheduler.master.webserver.https.keystore {
            file = "C:/ProgramData/sos-berlin.com/jobscheduler/master110/config/private/private-https.jks"
            # Backslashes are written twice (as in JSON notation):
            # file = "\\\\other-computer\\share\\my-keystore.jks"
            password = "secret"
            key-password = "secret"
          }
    • The exported certificate of each JobScheduler Master has to be imported into the Java Keystore (used as Truststore) of the JOC Cockpit, see step 2 of the previous section.

Step 2: Set up authentication to JobScheduler Master

  • The JobScheduler Master HTTPS web service is only accessible to authenticated users.
  • The JobScheduler Master expects HTTP Basic Authentication.
  • The credentials are taken from the SCHEDULER_DATA/config/private/private.conf configuration file, where each user has an entry of the form:

    jobscheduler.master.auth.users {
      USERNAME = "HASHSCHEME:HASHEDPASSWORD"
      ...
    }
  • The HASHSCHEME can be "plain" or "sha512", e.g.:

    jobscheduler.master.auth.users {
      eve = "plain:PASSWORD"
      joe = "sha512:911b0a07a8cacfebc5f1f45596d67017136c950499fa5b4ff6faffa031f3cec7f197853d1660712c154e1f59c60f682e34ea9b5cbd2d8d5adb0c834f963f30de"  # "PASSWORD"
    }
  • The user that JOC Cockpit uses for this connection has to be specified with the JobScheduler ID as username, and its password has to be given in plain text (the "plain" scheme).

Step 3: Set up the JobScheduler Master for HTTPS

  • Specify the HTTPS port with the https_port attribute of the <config> element in the SCHEDULER_DATA/config/scheduler.xml configuration file like this:

    <spooler>
      <config http_port="40444" https_port="48444" mail_xslt_stylesheet="config/scheduler_mail.xsl" port="4444">
        <!-- other elements -->
      </config>
    </spooler>