...

Director Agent Cluster Configuration

If a JS7 - Agent Cluster is used then the following configuration has to be applied to Director Agent instances:

...

  • A Secondary Director Agent instance specifies this setting to indicate that this instance starts as a standby node (Backup). When this setting is not in place, both instances of a Director Agent Cluster will start as standalone instances.
  • This setting is relevant for initial operation only. It is independent of which Director Agent instance later on will be the active one and which instance will be the standby one.
  • This setting has to be added by the user before starting a Secondary Director Agent instance.

...

  • HTTPS keystore and truststore are used to hold private keys and certificates.
    • Keystore and truststore settings accept the path to a file in PKCS12 format or in PEM format.
    • The keystore holds the Agent's private key and certificate. This information is used:
      • for Server Authentication with JOC Cockpit and
      • for Client Authentication with Agents.
    • The truststore holds the certificate(s) used to verify:
      • Client Authentication certificates presented by a Controller and
      • Server Authentication certificates challenged by pairing Controllers.
  • Optionally a separate HTTPS client keystore can be used:
    • The client keystore is used for HTTPS mutual authentication and holds a private key and certificate created for Client Auth extended key usage. 
    • When using HTTPS mutual authentication then:
      • a single certificate can be used that is generated for both Server Auth and Client Auth extended key use. In this case do not use the HTTPS client keystore but use the HTTPS keystore to hold the certificate.
      • separate certificates can be used with the certificate for Server Auth key usage being stored with the HTTPS keystore and the certificate for Client Auth key use being stored with the HTTPS client keystore.
    • For details see JS-1959.
  • Keystore and Truststore locations are specified. In addition:
    • a password for the private keys included in the keystore and a password for access to the keystore can be specified,
    • for the truststore a password for access to the truststore can be specified.
  • Passwords for keystores and truststores do not tend to improve security of the configuration: the passwords have to be specified as plain text and have to be in reach of the Agent. This mechanism is not too different from hiding the key under your doormat. In fact, limiting ownership and access permissions for keystore and truststore files to the JS7 Agent's run-time account is more important than using a password.
    • The key-password is used for access to a private key in keystore.
    • The store-password setting is used for access to a keystore or to a truststore.
    • For PKCS12 (*.p12) keystores both settings have to use the same value. The settings can be omitted if no passwords are used.
  • The alias setting can be used for example with a keystore that holds a number of private keys from which the relevant private key is selected by its alias name.

...

  • This setting is used to specify the location of a keystore and any truststores used for HTTPS connections.
  • Keystore and truststore files are expected in PKCS#12 format or in PEM format.
  • keystore
    • The keystore includes the private key for the Agent's incoming HTTPS connections.
    • Private key types RSA and ECDSA are supported. 
    • file:  the full path to the location of the keystore file is expected.
      • Default: ${js7.config-directory}"/private/https-keystore.p12"
    • key-password: Any keys included with the keystore are protected with a password. The same password has to be used for all private keys in the given keystore.
    • store-password: The keystore file is protected by a password.
    • alias: can be used for example with a keystore that holds a number of private keys from which the relevant private key is selected by its alias name.
  • client-keystore
    • Use of this setting is optional. It can be used if separate certificates for Server Authentication and Client Authentication are used.
    • The Client Authentication private key and certificate can be added to this keystore.
    • Included configuration items correspond to the keystore setting.
  • truststores
    • A truststore contains the certificates or public keys for the Agent's incoming HTTPS connections.
      • Certificates are signed by a Certificate Authority (CA) - alternatively a self-signed certificate can be used.
      • It is recommended that certificates are used instead of public keys.
      • Certificates of type X.509 are supported.
    • file:  the full path to the location of the truststore file is expected.
      • Default: ${js7.config-directory}"/private/https-truststore.p12"
    • store-password: A truststore file is protected by a password.
    • alias: can be used for example with a truststore that holds a number of certificates from which the relevant certificate is selected by its alias name.
    • A number of truststores can be specified by repeating the file and store-password settings.
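The keystore, client-keystore and truststores settings described in the two sections above, put together as an added example of an agent.conf fragment (not taken from the page or from the JS7 project): the enclosing js7.web.https path, the file names, aliases and passwords are assumptions.

```hocon
# agent.conf excerpt (added example, not JS7 project code).
# The js7.web.https path and all file names, aliases and passwords are assumptions.
js7 {
    web {
        https {
            # Server Authentication: the Agent's own private key and certificate.
            # The value concatenates the config-directory substitution with a literal path.
            keystore {
                file = ${js7.config-directory}"/private/https-keystore.p12"
                # For PKCS#12 stores key-password and store-password must be identical.
                key-password = "changeit"
                store-password = "changeit"
                # Selects one private key when the store holds several.
                alias = "agent-server-auth"
            }

            # Optional: a separate key pair with Client Auth extended key usage for
            # mutual authentication. Omit this block when a single certificate
            # carries both Server Auth and Client Auth and lives in the keystore.
            client-keystore {
                file = ${js7.config-directory}"/private/https-client-keystore.p12"
                key-password = "changeit"
                store-password = "changeit"
                alias = "agent-client-auth"
            }

            # CA or self-signed certificates used to verify Controller client
            # certificates and pairing Controllers. Repeat the object per store.
            truststores = [
                {
                    file = ${js7.config-directory}"/private/https-truststore.p12"
                    store-password = "changeit"
                },
                {
                    # A second store in PEM format; store-password is omitted
                    # because PEM files carry no password.
                    file = ${js7.config-directory}"/private/controller-ca.pem"
                }
            ]
        }
    }
}
```

Because the passwords sit in plain text in this file, restrict agent.conf and the referenced store files to the Agent's run-time account (owner read/write only) rather than relying on the password values.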

...