...
If a JS7 - Agent Cluster is used then the following configuration has to be applied for Director Agent instances:
Primary Director Agent Instance Configuration
Code Block |
---|
language | text |
---|
title | Primary Director Agent instance general configuration file example: agent.conf |
---|
linenumbers | true |
---|
collapse | true |
---|
|
# Cluster configuration: not required
|
- A Primary Director Agent instance does not require any configuration items for cluster operation.
Secondary Director Agent Instance Configuration
Code Block |
---|
language | text |
---|
title | Secondary Director Agent Instance general configuration file example: agent.conf |
---|
linenumbers | true |
---|
collapse | true |
---|
|
# Cluster configuration
js7.journal.cluster {
node {
is-backup = yes
}
}
|
- A Secondary Director Agent instance specifies this setting to indicate that this the instance starts as a standby node (Backup). When this setting is not in place, both instances of a Director Agent Cluster will start as standalone instances.
- This setting is relevant for initial operation only. It is independent of which Director Agent instance later on will be the active one and which instance will be the standby one.
- This setting has to be added by users before starting a Secondary Director Agent instance.
...
- This setting is used for Director Agent instances in cluster mode only, it is not used for standalone Director Agent instances.
- The registration of Primary and Secondary Director Agent instances is performed by the JOC Cockpit during initial operation.
- Therefore the only setting required for cluster operation is:
js7.journal.cluster.node.is-backup=yes
: For a Secondary Director Agent instance this setting specifies that during initial operation the given instance will be the inactive standby node.
- Additional settings can be applied. However, we recommend that the JOC Cockpit is used instead.
nodes
Primary, Backup
: For a Primary Director Agent instance this setting specifies the URLs of the Primary
and Backup
(Secondary) instance. The URL includes specification of the http/https protocol, the hostname and port.
...
- The Agent verifies the signature of deployable scheduling objects such as workflows. This can be performed for PGP and X.509 signatures.
- The
trusted-signature-keys
setting specifies the location of PGP public keys and X.509 certificates. - If no PGP public keys are used or if no X.509 certificates are used then this setting should not be used as it expects the indicated directory to be populated with public keys or certificates respectively.
...
It is essential that the connections between Controller and Agents and between Agents are secured. This includes:
- using HTTPS connections which are secured by private keys and certificates,
- using authentication between JS7 products:
- Option 1 (recommended):
- applying mutual authentication between Controller and Agent,
- applying mutual authentication between Director Agent instances and
Subagent - Subagents in an Agent Cluster.
- Option 2:
- applying password authentication between components should mutual authentication not be in place.
Code Block |
---|
language | text |
---|
title | Secure configuration example: private.conf |
---|
linenumbers | true |
---|
collapse | true |
---|
|
# Security configuration
js7 {
auth {
# User accounts for https connections
users {
# Controller ID for connections by primary/secondary Controller instance
Controller {
distinguished-names=[
"DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
}
}
}
configuration {
# Locations of certificates and public keys used for signature verification
trusted-signature-keys {
PGP=${js7.config-directory}"/private/trusted-pgp-keys"
X509=${js7.config-directory}"/private/trusted-x509-keys"
}
}
job {
# Enable script execution from signed workflows
execution {
signed-script-injection-allowed = yes
}
}
web {
# Locations of keystore and truststore files for HTTPS connections
https {
keystore {
# Default: ${js7.config-directory}"/private/https-keystore.p12"
file=${js7.config-directory}"/private/https-keystore.p12"
key-password="jobscheduler"
store-password="jobscheduler"
# alias=
}
truststores=[
{
# Default: ${js7.config-directory}"/private/https-truststore.p12"
file=${js7.config-directory}"/private/https-truststore.p12"
store-password="jobscheduler"
# alias=
}
]
}
}
}
|
Client Authentication with Controller
Consider that client authentication is an alternative to Password Authentication with Controller.
Anchor |
---|
| js7-auth-users-Controller |
---|
| js7-auth-users-Controller |
---|
|
Controller Connections
...
- This setting applies to the use of an Agent with a Standalone Controller or with a Controller Cluster.
- Note that the
Controller
element element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of both cluster Controller instances. - This setting specifies the distinguished name indicated with The
distinguished-names
element identifies the Controller instance's Client Authentication certificate. The certificate acts as a replacement for a password.- The Agent configuration specifies the distinguished names of the Controller instances that access the Agent by use of a Client Authentication certificate. For a Standalone Controller there is a single distinguished name, for a Controller Cluster each instance's distinguished name is specified.
- Note that the common name (CN) setting element in the distinguished name has to match the fully qualified domain name (FQDN) of a Controller instance's host.
Client Authentication with Director Agent
...
Client Authentication with Director Agent
Consider that client authentication an alternative to Password Authentication with Director Agent.
Anchor |
---|
| js7-auth-users-Director |
---|
| js7-auth-users-Director |
---|
|
Director Agent Connections Code Block |
---|
language | yml |
---|
linenumbers | true |
---|
|
js7 {
auth {
# User accounts for https connections
users {
# Subagent ID of pairing Director Agent instance
subagent-id {
permissions = [ AgentDirector ]
distinguished-names=[
"DNQ=SOS CA, CN=director-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
}
}
}
} |
Explanation:
- This setting applies to use of the Subagent component within a Director Agent instance in a JS7 - Agent Cluster.
- Note that the
subagent-id
element name is an example that has to be replaced by the Subagent ID of the pairing Director Agent instance which is specified during configuration of the Agent Cluster. This is not the Agent Cluster ID. For the private.conf
file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa. - The
permissions
element should be used as indicated. - The
distinguished-names
element identifies the pairing Director Agent instance's Client Authentication certificate. The certificate acts as a replacement for a password.
Password Authentication with Controller
Consider that password authentication is an alternative to Client Authentication with Controller.
Anchor |
---|
| js7-auth-users-password-Controller |
---|
| js7-auth-users-password-Controller |
---|
|
Controller Connections Code Block |
---|
language | yml |
---|
linenumbers | true |
---|
|
js7 {
auth |
Code Block |
---|
language | yml |
---|
linenumbers | true |
---|
|
js7 {
auth {
# User accounts for https connections
users {
# Agent Cluster ID for connections by primary/secondary Director Agent instance
agent-cluster {
# User accounts for distinguished-names=[https connections
users {
"DNQ=SOS CA, CN=director-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
# Controller ID for connections by primary/secondary Controller instance
"DNQ=SOS CA, CN=director-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" Controller {
]password="plain:secret"
}
}
}
} |
Explanation:
- This setting applies to the use of a Subagent with a Director Agent in an JS7 - Agent Cluster.
- Similar to a Controller that orchestrates Standalone Agents the Director Agent orchestrates Subagents.
Subagents do not know of a Controller, they know of a Director AgentAgent with a Standalone Controller or with a Controller Cluster.- Note that the
agent-cluster
element Controller
element name is an example that has to be replaced by the Agent Cluster Controller ID which is specified with the same value during installation of the Agent Cluster. This is not the Primary/Secondary Directory Agent IDboth cluster Controller instances. - This setting specifies the distinguished names password indicated with the Director Agent Controller instance's Client Authentication certificates. The certificate acts as a replacement for a password.
- The Agent configuration specifies the distinguished names of any Director Agent instances that access the current Director Agent instance or Subagent instance by use of a Client Authentication certificate.
- Note that the common name (CN) setting in the distinguished name has to match the fully qualified domain name (FQDN) of a Director Agent instance's host.
Password Authentication with Controller
-
js7.auth.agents
configuration item. Passwords should be quoted.- The password can be specified as plain text preceded by
plain:
. - The password can be specified as a hashed value preceded by
sha512:
.
Password Authentication with Director Agent
Consider that password authentication is an alternative to Client Authentication with Director Agent.
...
Director | | js7-auth-users-password- |
---|
|
...
...
Director Agent Connections
Code Block |
---|
language | yml |
---|
linenumbers | true |
---|
|
js7 {
auth {
# User accounts for https connections
users {
# Subagent ID # Controller ID for connections by primary/secondary Controller instance
of pairing Director Agent instance
subagent-id {
permissions = [ ControllerAgentDirector {]
password="plain:secret"
}
}
}
} |
Explanation:
- This setting applies to the use of a Subagent within a Director Agent instance in an Agent with a Standalone Controller or with a Controller JS7 - Agent Cluster.
- Note that the
Controller
element subagent-id
element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of both cluster Controller instances.Subagent ID of the pairing Director Agent instance which is specified during configuration of the Agent Cluster. This is not the Agent Cluster ID. For the private.conf
file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa. - The
permissions
element should be used as indicated. - The
password
element This setting specifies the password indicated with the Controller pairing Director Agent instance's js7.auth.agentssubagents
configuration item. - The password can be specified as plain text preceded by
plain:
. - The password can be specified as a hashed value preceded by
sha512:
.
Password Authentication with Director Agent
Anchor |
---|
| js7-auth-users-password-Director |
---|
| js7-auth-users-password-Director |
---|
|
...
Subagent Connections
Code Block |
---|
language | yml |
---|
linenumbers | true |
---|
|
js7 {
auth {
# User accounts for httpseach connections
Subagent specify the Subagent ID and users {password
# Agent Cluster ID for connections by primary/secondary Director Agent instancesubagents {
agent-cluster {
password=director-001 = "plain:secret-0"
subagent-001 = "plain:secret-1"
subagent-002 }
= "plain:secret-2"
}
}
} |
Explanation:
- This setting applies to the use of connections to a Subagent with of a pairing Director Agent instance in an a JS7 - Agent Cluster and to connections to any Subagents.
- Note that the
Director
director-001
element name is an example that has to be replaced by the Subagent ID of the pairing Director Agent ID instance which is specified with the same value during installation of the Primary and Secondary Director Agent instances. - This setting specifies the distinguished name indicated with the Director Agent's Client Authentication certificate. The certificate acts as a replacement for a password.
- during configuration of the Agent Cluster. This is not the Agent Cluster ID. For the
private.conf
file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa. - Note that the
subagent-001
and subagent-002
element names are examples for Subagent IDs of connected Subagents. - The
password
element This setting specifies the password indicated with the pairing Director Agent instance's and any Subagent's js7.auth.subagentsusers.<subagent-id>.password
configuration item.
- The password can must be specified as plain text preceded by
plain:
. The password can be specified as a hashed value preceded by sha512:
Passwords should be quoted.
Server Authentication
Anchor |
---|
| js7-web-https-keystore |
---|
| js7-web-https-keystore |
---|
|
HTTPS Keystore and Truststore Locations
...
- HTTPS keystore and truststore are used to hold private keys and certificates.
- Keystore and truststore settings accept the path to a file in PKCS12 format or in PEM format.
- The keystore holds the Agent's private key and certificate. This information is used:
- for Server Authentication with JOC Cockpit and
- for Client Authentication with Agents.
- The truststore holds the certificate(s) used to verify:
- Client Authentication certificates presented by a Controller and
- Server Authentication certificates challenged by pairing Controllers.
- Optionally a separate HTTPS client keystore can be used:
- The client keystore is used for HTTPS mutual authentication and holds a private key and certificate created for
Client Auth
extended key usage. - When using HTTPS mutual authentication then:
- a single certificate can be used that is generated for both
Server Auth
and Client Auth
extended key use. In this case do not use the HTTPS client keystore but use the HTTPS keystore to hold the certificate. - separate certificates can be used with the certificate for
Server Auth
key usage being stored with the HTTPS keystore and the certificate for Client Auth
key use being stored with the HTTPS client keystore.
- For details see
Jira |
---|
server | SOS JIRA |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 6dc67751-9d67-34cd-985b-194a8cdc9602 |
---|
key | JS-1959 |
---|
|
- Keystore and Truststore locations are specified. In addition:
- a password for the private keys included in the keystore and a password for access to the keystore can be specified,
- for the truststore a password for access to the truststore can be specified.
- Passwords for keystores and truststores do not tend to improve keystore and truststore are not intended for security of the configuration: the passwords have to be specified as plain text and have to be in reach of the Agent. This mechanism is not too different from hiding the key under your doormat. In fact, limiting ownership and access permissions for keystore and truststore files to the JS7 Agent's run-time account are more important than using a password, they are used to verify the integrity of certificate stores as the password used for creating and reading the certificate store must be the same.
- The
key-password
is is used for access to a private key in a keystore. - The
store-password
setting is used for access to a keystore or to a truststore. - For PKCS12 (*.p12) keystores both settings have to use the same value. The settings can be omitted if no passwords are used.
- The
alias
setting can be used for example with a keystore that holds a number of private keys from which the relevant private key is selected by its alias name.
...
- The Agent expects a signature for any deployed objects such as workflows. Such signatures are created with a private key and are verified by the Agent according to the available certificates.
- When deploying objects with JOC Cockpit:
- for a Low low Security Level JOC Cockpit creates the signature from a single private key that is used for any JOC Cockpit user accounts allowed to deploy objects.
- for a Medium medium Security Level JOC Cockpit creates the signature from the private key of the JOC Cockpit user account that deploys objects.
- for a High high Security Level the user creates the signature outside of JOC Cockpit and uploads the signed files holding scheduling objects and signatures.
- The Agent supports PGP public keys and X.509 certificates. This setting expects a directory that holds a number of public key files or certificate files.
trusted-signature-keys
PGP
: specifies the directory from which PGP public keys are used to verify the signature of deployed objects.X509
: specifies the directory from which X.509 certificates are used to verify the signature of deployed objects.
...