JS7 JobScheduler

Space shortcuts

Page tree

Introduction

  • The JS7 - Identity Services provide local management of user accounts for authentication and authorization.
  • The JS7 - Shiro Identity Service was a built-in service available from the JOC Cockpit.
    • The Shiro Identity Service was available for early releases of JS7.
    • The Shiro Identity Service has been discontinued: 
      FEATURE AVAILABILITY ENDING WITH RELEASE 2.4.0
  • The JS7 - Shiro Identity Service Migration Tool is available for users who upgrade from early JS7 2.0, 2.1 releases and from JS1 1.12, 1.13 releases.
    • A Shiro Identity Service configuration will be migrated to a JS7 - JOC Identity Service.
    • Migration tools will remain in place and can be applied throughout future JS7 2.x releases independently of the fact that the Shiro Identity Service has been discontinued.

When to migrate

  • Users of JS7:
    • JS7 releases up to 2.3 can be operated with an existing Shiro Identity Service configuration.
    • Later JS7 releases require migration of the Shiro Identity Service configuration.
  • Users of JS1:
    • Users of JS1 releases 1.12 and 1.13 who migrate to JS7 should apply the migration procedure.

What to migrate

The following applies for use of Shiro with releases 1.12, 1.13, 2.0, 2.1, 2.2:

  • The JOC Cockpit stores user accounts, hashed passwords and role assignments
    • in its database and
    • in the JETTY_BASE/resources/joc/shiro.ini.active file (for information purposes).
      • Users can create a copy of the shiro.ini.active file, add their modifications and submit changes by renaming the file to shiro.ini.
      • With the next login of a user the shiro.ini file will be applied and its contents are added to the JS7 database.
      • As a result of this operation the shiro.ini file is renamed to shiro.ini.active. A previously available shiro.ini.active file is renamed to shiro.ini.backup.
  • The migration procedure includes specifying the location of the shiro.ini.active file or a file with an arbitrary name holding the latest Shiro configuration.

How to migrate

For migration purposes the JS7 Identity Service management script is used: joc_manage_identity_service.sh|.cmd

The script is executed in the JS7 environment to which the Shiro configuration should be migrated. The script is available from:

  • JETTY_HOME/install/joc_manage_identity_service.sh |.cmd
  • If not otherwise specified during installation then the JETTY HOME directory defaults to:
    • /opt/sos-berlin.com/js7/joc (for Unix environments)
    • Program Files\sos-berlin.com\js7\joc (for Windows environments)

The management script is invoked like this:

Run the management script for Shiro migration with Unix
/opt/sos-berlin.com/js7/joc/install/joc_manage_identity_service.sh import <shiro-configuration-file>
Run the management script for Shiro migration with Windows
C:\Program Files\sos-berlin.com\js7\joc\install\joc_manage_identity_service.cmd import <shiro-configuration-file>


The <shiro-configuration-file> specifies the file holding the latest Shiro configuration which is to be migrated: see What to migrate. Users can copy the file to their JS7 environment. A connection to the JobScheduler installation which the Shiro configuration is being migrated from is not required.

Execution of the management script performs the following operations in JS7:

  • Add an Identity Service with Service Type JOC and the name JOC-FROM-SHIRO:
    • For each LDAP realm included with the <shiro-configuration-file> a corresponding Identity Service is created form the name of the LDAP realm.
  • Populate roles of the JOC-FROM-SHIRO Identity Service:
    • Any roles and permissions from the  <shiro-configuration-file> are added to the JOC-FROM-SHIRO Identity Service.
  • Populate accounts of the JOC-FROM-SHIRO Identity Service:
    • Any user accounts from the  <shiro-configuration-file> are added to the JOC-FROM-SHIRO Identity Service.
    • This includes adding assignments of roles to user accounts provided that assignments and roles are specified.
    • This includes adding hashed passwords stored in the <shiro-configuration-file>.
      • JS7 implements its own password hashing algorithm. However, password hashes migrated from Shiro can be used with JS7.
      • When a user changes the password then the JS7 password hashing algorithm is applied.
      • This procedure is intended for smooth migration which does not force users to change passwords.
  • Should the management script find existing configuration items with the same name in the JOC-FROM-SHIRO Identity Service, for example, matching names of roles or user accounts, then they will not be overwritten from the <shiro-configuration-file>.

If things go terribly wrong then refer to the JS7 - Rescue in case of lost access to JOC Cockpit article.



  • No labels