JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 42

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 43

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

If a JS7 - Agent Cluster is used then the following configuration has to be applied for Director Agent instances:

Primary Director Agent Instance Configuration

Code Block
languagetext
titlePrimary Director Agent instance general configuration file example: agent.conf
linenumberstrue
collapsetrue
# Cluster configuration: not required
  • A Primary Director Agent instance does not require any configuration items for cluster operation.

Secondary Director Agent Instance Configuration

Code Block
languagetext
titleSecondary Director Agent Instance general configuration file example: agent.conf
linenumberstrue
collapsetrue
# Cluster configuration
js7.journal.cluster {
    node {
        is-backup = yes
    }
}
  • A Secondary Director Agent instance specifies this setting to indicate that this the instance starts as a standby node (Backup). When this setting is not in place, both instances of a Director Agent Cluster will start as standalone instances.
  • This setting is relevant for initial operation only. It is independent of which Director Agent instance later on will be the active one and which instance will be the standby one.
  • This setting has to be added by users before starting a Secondary Director Agent instance.

...

  • This setting is used for Director Agent instances in cluster mode only, it is not used for standalone Director Agent instances.
  • The registration of Primary and Secondary Director Agent instances is performed by the JOC Cockpit during initial operation.
    • Therefore the only setting required for cluster operation is:
      • js7.journal.cluster.node.is-backup=yes: For a Secondary Director Agent instance this setting specifies that during initial operation the given instance will be the inactive standby node.
    • Additional settings can be applied. However, we recommend that the JOC Cockpit is used instead.
      • nodes
        • Primary, Backup: For a Primary Director Agent instance this setting specifies the URLs of the Primary and Backup (Secondary) instance. The URL includes specification of the http/https protocol, the hostname and port.

...

  • The Agent verifies the signature of deployable scheduling objects such as workflows. This can be performed for PGP and X.509 signatures. 
  • The trusted-signature-keys setting specifies the location of PGP public keys and X.509 certificates.
  • If no PGP public keys are used or if no X.509 certificates are used then this setting should not be used as it expects the indicated directory to be populated with public keys or certificates respectively.

...

It is essential that the connections between Controller and Agents and between Agents are secured. This includes:

  • using HTTPS connections which are secured by private keys and certificates,
  • using authentication between JS7 products:
    • Option 1 (recommended):
      • applying mutual authentication between Controller and Agent,
      • applying mutual authentication between Director Agent instances and
    Subagent
      • Subagents in an Agent Cluster.
    • Option 2:
      • applying password authentication between components should mutual authentication not be in place.


Code Block
languagetext
titleSecure configuration example: private.conf
linenumberstrue
collapsetrue
# Security configuration
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }

    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }

    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }

    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password="jobscheduler"
                store-password="jobscheduler"
                # alias=
            }

            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password="jobscheduler"
                    # alias=
                 }
            ]
        }
    }
}

Client Authentication with Controller

Consider that client authentication is an alternative to Password Authentication with Controller.

Anchor
js7-auth-users-Controller
js7-auth-users-Controller
Controller Connections

...

  • This setting applies to the use of an Agent with a Standalone Controller or with a Controller Cluster.
  • Note that the Controller element element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of both cluster Controller instances.
  • This setting specifies the distinguished name indicated with The distinguished-names element identifies the Controller instance's Client Authentication certificate. The certificate acts as a replacement for a password.
    • The Agent configuration specifies the distinguished names of the Controller instances that access the Agent by use of a Client Authentication certificate. For a Standalone Controller there is a single distinguished name, for a Controller Cluster each instance's distinguished name is specified.
    • Note that the common name (CN) setting element in the distinguished name has to match the fully qualified domain name (FQDN) of a Controller instance's host.

Client Authentication with Director Agent

...

    • The following command can be used to read the distinguished name from a certificate file:

      Code Block
      titleExample for OpenSSL command to read a certificate's distinguished name
      # read distinguished name from the pairing Controller instance's certificate
openssl x509 -in centostest-secondary.crt -noout -nameopt RFC2253 -subject

# output is returned with a prefix "subject= " or similar that is not part of the distinguished name
# subject= DNQ=SOS CA,CN=director-2-0-secondary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE

Client Authentication with Director Agent

Consider that client authentication an alternative to Password Authentication with Director Agent.

Anchor
js7-auth-users-Director
js7-auth-users-Director
Director Agent Connections

Code Block
languageyml
linenumberstrue
js7 {
    auth {
        # User accounts for https connections
        users {
            # Subagent ID of pairing Director Agent instance
            subagent-id {
                 permissions = [ AgentDirector ]
                 distinguished-names=[
                    "DNQ=SOS CA, CN=director-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
         }
    }
}

Explanation:

  • This setting applies to use of the Subagent component within a Director Agent instance in a JS7 - Agent Cluster.
  • Note that the subagent-id element name is an example that has to be replaced by the Subagent ID of the pairing Director Agent instance which is specified during configuration of the Agent Cluster. This is not the Agent Cluster ID. For the private.conf file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa.
  • The permissions element should be used as indicated.
  • The distinguished-names element identifies the pairing Director Agent instance's Client Authentication certificate. The certificate acts as a replacement for a password.
    • Note that the common name (CN) element in the distinguished name has to match the fully qualified domain name (FQDN) of a Director Agent instance's host.

    • The following command can be used to read the distinguished name from a certificate file:

      Code Block
      titleExample for OpenSSL command to read a certificate's distinguished name
      # read distinguished name from the pairing Director Agent instance's certificate
openssl x509 -in centostest-secondary.crt -noout -nameopt RFC2253 -subject

# output is returned with a prefix "subject= " or similar that is not part of the distinguished name
# subject= DNQ=SOS CA,CN=director-2-0-secondary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE

Password Authentication with Controller

Consider that password authentication is an alternative to Client Authentication with Controller.

Anchor
js7-auth-users-password-Controller
js7-auth-users-password-Controller
Controller Connections

Code Block
languageyml
linenumberstrue
js7 {
    auth
Code Block
languageyml
linenumberstrue
js7 {
    auth {
        # User accounts for https connections
        users {
            # Agent Cluster ID for connections by primary/secondary Director Agent instance
            agent-cluster {
        # User accounts for     distinguished-names=[https connections
        users {
           "DNQ=SOS CA, CN=director-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
        # Controller ID for connections by primary/secondary Controller instance
      "DNQ=SOS CA, CN=director-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" Controller {
                ]password="plain:secret"
            }
        }
    }
}

Explanation:

  • This setting applies to the use of a Subagent with a Director Agent in an JS7 - Agent Cluster.
  • Similar to a Controller that orchestrates Standalone Agents the Director Agent orchestrates Subagents.
    • Subagents do not know of a Controller, they know of a Director AgentAgent with a Standalone Controller or with a Controller Cluster.
  • Note that the agent-cluster element Controller element name is an example that has to be replaced by the Agent Cluster Controller ID which is specified with the same value during installation of the Agent Cluster. This is not the Primary/Secondary Directory Agent IDboth cluster Controller instances.
  • This setting specifies the distinguished names password indicated with the Director Agent Controller instance's Client Authentication certificates. The certificate acts as a replacement for a password.
    • The Agent configuration specifies the distinguished names of any Director Agent instances that access the current Director Agent instance or Subagent instance by use of a Client Authentication certificate.
    • Note that the common name (CN) setting in the distinguished name has to match the fully qualified domain name (FQDN) of a Director Agent instance's host.

Password Authentication with Controller

  • js7.auth.agents configuration item. Passwords should be quoted.
    • The password can be specified as plain text preceded by plain:.
    • The password can be specified as a hashed value preceded by sha512:.

Password Authentication with Director Agent

Consider that password authentication is an alternative to Client Authentication with Director Agent.

Anchor
js7-auth-users-password-

...

Director
js7-auth-users-password-

...

Director

...

Director Agent Connections

Code Block
languageyml
linenumberstrue
js7 {
    auth {
        # User accounts for https connections
        users {
            # Subagent ID  # Controller ID for connections by primary/secondary Controller instance
of pairing Director Agent instance
            subagent-id {
                 permissions = [ ControllerAgentDirector {]
                 password="plain:secret"
             }
        }
    }
}

Explanation:

  • This setting applies to the use of a Subagent within a Director Agent instance in an Agent with a Standalone Controller or with a Controller JS7 - Agent Cluster.
  • Note that the Controller element subagent-id element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of both cluster Controller instances.Subagent ID of the pairing Director Agent instance which is specified during configuration of the Agent Cluster. This is not the Agent Cluster ID. For the private.conf file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa.
  • The permissions element should be used as indicated.
  • The password element This setting specifies the password indicated with the Controller pairing Director Agent instance's js7.auth.agentssubagents configuration item. 
    • The password can be specified as plain text preceded by plain:.
    • The password can be specified as a hashed value preceded by sha512:.

Password Authentication with Director Agent

Anchor
js7-auth-users-password-Director
js7-auth-users-password-Director

...

Subagent Connections

Code Block
languageyml
linenumberstrue
js7 {
    auth {
        # User accounts for httpseach connections
Subagent specify the Subagent ID and   users {password
            # Agent Cluster ID for connections by primary/secondary Director Agent instancesubagents {
            agent-cluster {
                 password=director-001 = "plain:secret-0"
            subagent-001 = "plain:secret-1"
            subagent-002  }
= "plain:secret-2"
         }
    }
}

Explanation:

  • This setting applies to the use of connections to a Subagent with of a pairing Director Agent instance in an a JS7 - Agent Cluster and to connections to any Subagents.
  • Note that the Director director-001 element name is an example that has to be replaced by the Subagent ID of the pairing Director Agent ID instance which is specified with the same value during installation of the Primary and Secondary Director Agent instances.
  • This setting specifies the distinguished name indicated with the Director Agent's Client Authentication certificate. The certificate acts as a replacement for a password.
  • during configuration of the Agent Cluster. This is not the Agent Cluster ID. For the private.conf file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa.
  • Note that the subagent-001 and subagent-002 element names are examples for Subagent IDs of connected Subagents.
  • The password element This setting specifies the password indicated with the pairing Director Agent instance's and any Subagent's js7.auth.subagentsusers.<subagent-id>.password configuration item. 
    • The password can must be specified as plain text preceded by plain:. The password can be specified as a hashed value preceded by sha512:Passwords should be quoted.

Server Authentication

Anchor
js7-web-https-keystore
js7-web-https-keystore
HTTPS Keystore and Truststore Locations

...

  • HTTPS keystore and truststore are used to hold private keys and certificates.
    • Keystore and truststore settings accept the path to a file in PKCS12 format or in PEM format.
    • The keystore holds the Agent's private key and certificate. This information is used:
      • for Server Authentication with JOC Cockpit and
      • for Client Authentication with Agents.
    • The truststore holds the certificate(s) used to verify:
      • Client Authentication certificates presented by a Controller and
      • Server Authentication certificates challenged by pairing Controllers.
  • Optionally a separate HTTPS client keystore can be used:
    • The client keystore is used for HTTPS mutual authentication and holds a private key and certificate created for Client Auth extended key usage. 
    • When using HTTPS mutual authentication then:
      • a single certificate can be used that is generated for both Server Auth and Client Auth extended key use. In this case do not use the HTTPS client keystore but use the HTTPS keystore to hold the certificate.
      • separate certificates can be used with the certificate for Server Auth key usage being stored with the HTTPS keystore and the certificate for Client Auth key use being stored with the HTTPS client keystore.
    • For details see 
      Jira
      serverSOS JIRA
      columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
      serverId6dc67751-9d67-34cd-985b-194a8cdc9602
      keyJS-1959
  • Keystore and Truststore locations are specified. In addition:
    • a password for the private keys included in the keystore and a password for access to the keystore can be specified,
    • for the truststore a password for access to the truststore can be specified.
  • Passwords for keystores and truststores do not tend to improve keystore and truststore are not intended for security of the configuration: the passwords have to be specified as plain text and have to be in reach of the Agent. This mechanism is not too different from hiding the key under your doormat. In fact, limiting ownership and access permissions for keystore and truststore files to the JS7 Agent's run-time account are more important than using a password, they are used to verify the integrity of certificate stores as the password used for creating and reading the certificate store must be the same.
    • The key-password is is used for access to a private key in a keystore.
    • The store-password setting is used for access to a keystore or to a truststore.
    • For PKCS12 (*.p12) keystores both settings have to use the same value. The settings can be omitted if no passwords are used.
  • The alias setting can be used for example with a keystore that holds a number of private keys from which the relevant private key is selected by its alias name.

...

  • The Agent expects a signature for any deployed objects such as workflows. Such signatures are created with a private key and are verified by the Agent according to the available certificates. 
  • When deploying objects with JOC Cockpit:
    • for a Low low Security Level JOC Cockpit creates the signature from a single private key that is used for any JOC Cockpit user accounts allowed to deploy objects.
    • for a Medium medium Security Level JOC Cockpit creates the signature from the private key of the JOC Cockpit user account that deploys objects.
    • for a High high Security Level the user creates the signature outside of JOC Cockpit and uploads the signed files holding scheduling objects and signatures.
  • The Agent supports PGP public keys and X.509 certificates. This setting expects a directory that holds a number of public key files or certificate files.
  • trusted-signature-keys
    • PGP: specifies the directory from which PGP public keys are used to verify the signature of deployed objects.
    • X509: specifies the directory from which X.509 certificates are used to verify the signature of deployed objects.

...