Configuring the JOC Cockpit

Consider that it is not required to configure the JOC Cockpit - it runs out-of-the-box. The default configuration includes that

• HTTP connections are used that expose unencrypted communication between clients and JOC Cockpit. Authentication is performed by hashed passwords.

Users who intend to operate a compliant and secure job scheduling environment should consider the below explanations for

• HTTPS connections that encrypt communication between clients, e.g. user browsers, and JOC Cockpit. In addition, consider JOC Cockpit - Two-factor Authentication.
• HTTPS connections between JOC Cockpit and Controller instances for mutual authentication.

Security: Use with HTTPS Connections

The JOC Cockpit by default is prepared for connections using the HTTP and the HTTPS protocols. There are two purposes for use of HTTPS connections:

• The JOC Cockpit is accessed by clients using the HTTPS protocol.
• The JOC Cockpit connects to the Controller using the HTTPS protocol with mutual authentication.

In order to activate HTTPS consider the following prerequisites.

Provide Keystore, Truststore and Configuration

Connections to JOC Cockpit instances are established from a client, e.g. a user browser. If the HTTPS protocol is used then consider that clients have to hold the server certificate in their truststore. For CA signed server certificates clients can use the root CA certificate or intermediate CA certificate that signed the server certificate.

• The JOC Cockpit instance's private key has to be created for Server Authentication key usage. If the Controller instance is configured for mutual authentication then the Client Authentication extended key usage has to be available from the JOC Cockpit instance's private key.
• The JOC Cockpit instance is provided
  • a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
  • a truststore that holds the certificate chain - consisting of Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller's certificate.
• Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
  • Keystore
    • Windows: C:\ProgramData\sos-berlin.com\js7\joc\resources\joc\https-keystore.p12
    • Unix: /var/sos-berlin.com/js7/joc/resources/joc/https-keystore.p12
  • Truststore
    • Windows: C:\ProgramData\sos-berlin.com\js7\joc\resources\joc\https-truststore.p12
    • Unix: /var/sos-berlin.com/js7/joc/resources/joc/https-truststore.p12

The default configuration of JOC Cockpit ships with the above keystore and truststore files. Users can add their private keys and certificates to the respective keystore/truststore. The corresponding configuration items are in place by default. 

JOC Cockpit Keystore and Truststore for Client Connections

• The JOC Cockpit instance's start.ini configuration file by default holds the following configuration items. For details see JS7 - JOC Cockpit Configuration Items
  JOC Cockpit Configuration for Keystore and Truststore Locations with HTTPS Client Connections

  ## Keystore file path (relative to $jetty.base)
  jetty.sslContext.keyStorePath=resources/joc/https-keystore.p12
  
  ## Truststore file path (relative to $jetty.base)
  jetty.sslContext.trustStorePath=resources/joc/https-truststore.p12
  
  ## Keystore password
  jetty.sslContext.keyStorePassword=jobscheduler
  
  ## KeyManager password (same as keystore password for pkcs12 keystore type)
  jetty.sslContext.keyManagerPassword=jobscheduler
  
  ## Truststore password
  jetty.sslContext.trustStorePassword=jobscheduler
  
  ## Connector port to listen on
  jetty.ssl.port=4443

• Keystore and truststore locations:
  • The above configuration items specify the locations of keystore and truststore.
  • Consider optional use of a key password and store password for keystores and of a store password for truststores.

JOC Cockpit Keystore and Truststore for Controller Connections

• The JOC Cockpit instance's joc.properties configuration file by default holds the following configuration items. For details see JS7 - JOC Cockpit Configuration Items
  JOC Cockpit Configuration for Controller HTTPS Connections

  ################################################################################
  ### Location, type and password of the Java truststore which contains the
  ### certificates of each JS7 Controller for HTTPS connections. Path can be
  ### absolute or relative to this file.
  
  keystore_path = ../../resources/joc/https-keystore.p12
  keystore_type = PKCS12
  keystore_password = jobscheduler
  key_password = jobscheduler
  
  truststore_path = ../../resources/joc/https-truststore.p12
  truststore_type = PKCS12
  truststore_password = jobscheduler

• This setting specifies the location of the keystore and truststore.

Run JOC Cockpit Container for HTTPS Connections

The following additional arguments are required for HTTPS connections:

#!/bin/sh

docker run -dit --rm \
      ...
      --publish=17443:4443 \
      --env="RUN_JS_HTTPS_PORT=4443" \
      ...

Explanations:

• --publish The JOC Cockpit image is prepared to accept HTTPS requests on port 4443. If the JOC Cockpit instance is not operated in a Docker network then an outside port of the Docker host has to be mapped to the inside HTTPS port 4443. The same port has to be assigned the RUN_JS_HTTPS_PORT environment variable.
• --env=RUN_JS_HTTPS_PORT The port assigned this environment variable is the same as the inside HTTPS port specified with the --publish option.

Note:

• When using HTTPS connections then consider to drop the HTTP port of the JOC Cockpit instance by omitting the following above settings:
  • --publish=17446:4446 This mapping should be dropped in order to prevent incoming traffic to the JOC Cockpit instance's HTTP port.