Accept expired X.509 signing certificates

Current Situation

• Controller and Agent check the validity period of the X.509 Signing Certificate used from JOC Cockpit when deploying Workflows and Job Resources.
• If the validity period is expired, then the related Workflow or Job Resource cannot be accessed. Orders will stop running and will be set to the blocked state.

Desired Behavior

• Digital signing of Workflows and Job Resources is performed with a Private Key. If the Signing Certificate expires after creating the signature, then this does not affect security. The Signing Certificate is verified from the CA Certificate stored with the Controller and Agent. If the CA Certificate expires, then it will not be used.
• Users want to deploy Workflows and Job Resources just once and keep them in place for a number of years. Short expiration periods of 1-2 years as frequently used by Public CAs do not match this situation as they force users to redeploy scheduling objects on an annual or bi-annual basis.
• Controller and Agent will accept X.509 Signing Certificates after reaching their expiration date from the certificate's notAfter property.

Maintainer Notes
Documentation is available from JS7 - Signing Certificate Renewal

Patch Availability

• A patch is available for releases in branches 2.8, 2.7, 2.6, 2.5 and is applicable to Controller and Agent instances.
• See JS7 - How to apply the change for continued use of default Signing Certificate
  • Controller
    • 2.8.x 
      • https://download.sos-berlin.com/patches/2.8.0-patch/js7_controller.2.8-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.7.0 - 2.7.2
      • https://download.sos-berlin.com/patches/2.7.0-patch/js7_controller.2.7.0-2.7.2-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.7.3 - 2.7.6
      • https://download.sos-berlin.com/patches/2.7.0-patch/js7_controller.2.7.3-2.7.6-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.6.0 - 2.6.5
      • https://download.sos-berlin.com/patches/2.6.0-patch/js7_controller.2.6.0-2.6.5-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.6.6 - 2.6.7
      • https://download.sos-berlin.com/patches/2.6.0-patch/js7_controller.2.6.6-2.6.7-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.5.0 - 2.5.8
      • https://download.sos-berlin.com/patches/2.5.0-patch/js7_controller.2.5.0-2.5.8-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.5.9 - 2.5.12
      • https://download.sos-berlin.com/patches/2.5.0-patch/js7_controller.2.5.9-2.5.12-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.4.0 - 2.4.1
      • https://download.sos-berlin.com/patches/2.4.1-patch/js7_controller.2.4.1-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • For instructions see JS7 - Patches for Controller
  • Agent
    • 2.8.x
      • https://download.sos-berlin.com/patches/2.8.0-patch/js7_agent.2.8-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.7.0 - 2.7.2
      • https://download.sos-berlin.com/patches/2.7.0-patch/js7_agent.2.7.0-2.7.2-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.7.3 - 2.7.6
      • https://download.sos-berlin.com/patches/2.7.0-patch/js7_agent.2.7.3-2.7.6-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.6.0 - 2.6.5
      • https://download.sos-berlin.com/patches/2.6.0-patch/js7_agent.2.6.0-2.6.5-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.6.6 - 2.6.7
      • https://download.sos-berlin.com/patches/2.6.0-patch/js7_agent.2.6.6-2.6.7-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.5.0 - 2.5.8
      • https://download.sos-berlin.com/patches/2.5.0-patch/js7_agent.2.5.0-2.5.8-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.5.9 - 2.5.12
      • https://download.sos-berlin.com/patches/2.5.0-patch/js7_agent.2.5.9-2.5.12-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • 2.4.0 - 2.4.1
      • https://download.sos-berlin.com/patches/2.4.1-patch/js7_agent.2.4.1-PATCH.JS-2219.jar  [ sha256 ] [ sig ] [ tsr ]
    • For instructions see JS7 - Patches for Agent