...
| Code Block |
|---|
| language | text |
|---|
| title | Secure configuration example: private.conf |
|---|
| linenumbers | true |
|---|
| collapse | true |
|---|
|
# Security configuration
js7 {
auth {
# User accounts for https connections
users {
# Controller ID for connections by primary/secondary Controller instance
Controller {
distinguished-names=[
"DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
}
}
}
configuration {
# Locations of certificates and public keys used for signature verification
trusted-signature-keys {
PGP=${js7.config-directory}"/private/trusted-pgp-keys"
X509=${js7.config-directory}"/private/trusted-x509-keys"
}
}
job {
# Enable script execution from signed workflows
execution {
signed-script-injection-allowed = yes
}
}
web {
# Locations of keystore and truststore files for HTTPS connections
https {
keystore {
# Default: ${js7.config-directory}"/private/https-keystore.p12"
file=${js7.config-directory}"/private/https-keystore.p12"
key-password="jobscheduler"
store-password="jobscheduler"
# alias=
}
truststores=[
{
# Default: ${js7.config-directory}"/private/https-truststore.p12"
file=${js7.config-directory}"/private/https-truststore.p12"
store-password="jobscheduler"
# alias=
}
]
}
}
}
|
Director Agent Configuration
Client Authentication with Controller
Consider that client authentication is an alternative to Password Authentication with Controller.
| Anchor |
|---|
| js7-auth-users-Controller |
|---|
| js7-auth-users-Controller |
|---|
|
Controller Connections| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 {
auth {
# User accounts for https connections
users {
# Controller ID for connections by primary/secondary Controller instance
Controller {
distinguished-names=[
"DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
}
}
}
} |
...
- This setting applies to the use of an Agent with a Standalone Controller or with a Controller Cluster.
- Note that the
Controller element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of Controller instances. - The
distinguished-names element identifies the Controller instance's Client Authentication certificate. The certificate acts as a replacement for a password.
Client Authentication with pairing Director Agent Instance
Consider that client authentication an alternative to Password Authentication with pairing Director Agent Instance.
| Anchor |
|---|
| js7-auth-users-Director |
|---|
| js7-auth-users-Director |
|---|
|
Director Agent Connections| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 {
auth {
# User accounts for https connections
users {
# Subagent ID of pairing Director Agent instance
subagent-id {
permissions = [ AgentDirector ]
distinguished-names=[
"DNQ=SOS CA, CN=director-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
}
}
}
} |
...
- This setting applies to use of the Subagent component within a Director Agent instance in a JS7 - Agent Cluster.
- Note that the
subagent-id element name is an example that has to be replaced by the Subagent ID of the pairing Director Agent instance which is specified during configuration of the Agent Cluster. This is not the Agent Cluster ID. For the private.conf file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa. - The
permissions element should be used as indicated. - The
distinguished-names element identifies the pairing Director Agent instance's Client Authentication certificate. The certificate acts as a replacement for a password.
Password Authentication with Controller
Consider that password authentication is an alternative to Client Authentication with Controller.
| Anchor |
|---|
| js7-auth-users-password-Controller |
|---|
| js7-auth-users-password-Controller |
|---|
|
Controller Connections| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 {
auth {
# User accounts for https connections
users {
# Controller ID for connections by primary/secondary Controller instance
Controller {
password="plain:secret"
}
}
}
} |
...
- This setting applies to use of an Agent with a Standalone Controller or with a Controller Cluster.
- Note that the
Controller element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of both cluster Controller instances. - This setting specifies the password indicated with the Controller instance's
js7.auth.agents configuration item. Passwords should be quoted.- The password can be specified as plain text preceded by
plain:. - The password can be specified as a hashed value preceded by
sha512:.
Password Authentication with pairing Director Agent Instance
Consider that password authentication is an alternative to Client Authentication with pairing Director Agent Instance.
| Anchor |
|---|
| js7-auth-users-password-Director |
|---|
| js7-auth-users-password-Director |
|---|
|
Director Agent Connections| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 {
auth {
# User accounts for https connections
users {
# Subagent ID of pairing Director Agent instance
subagent-id {
permissions = [ AgentDirector ]
password="plain:secret"
}
}
}
} |
...
- This setting applies to use of a Subagent within a Director Agent instance in an JS7 - Agent Cluster.
- Note that the
subagent-id element name is an example that has to be replaced by the Subagent ID of the pairing Director Agent instance which is specified during configuration of the Agent Cluster. This is not the Agent Cluster ID. For the private.conf file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa. - The
permissions element should be used as indicated. - The
password element specifies the password indicated with the pairing Director Agent instance's js7.auth.subagents configuration item. - The password can be specified as plain text preceded by
plain:. - The password can be specified as a hashed value preceded by
sha512:.
| Anchor |
|---|
| js7-auth-users-password-Director |
|---|
| js7-auth-users-password-Director |
|---|
|
Subagent Connections| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 {
auth {
# for each Subagent specify the Subagent ID and password
subagents {
director-001primary = "plain:secret-director-primary"
director-secondary = "plain:secret-0director-secondary"
subagent-001 = "plain:secret-subagent-1001"
subagent-002 = "plain:secret-subagent-002"
subagent-003 = "plain:secret-subagent-2003"
}
}
} |
Explanation:
- This setting applies to connections to a Subagent of a pairing Director Agent instance in a JS7 - Agent Cluster and to connections to any Subagents.
- Note that the
director-001 element name is an example that has to be replaced by the Subagent ID of the pairing Director Agent instance which is specified during configuration of the Agent Cluster. This is not the Agent Cluster ID. For the private.conf file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa. - Note that the
subagent-001 and subagent-002 element names are examples for Subagent IDs of connected Subagents. - The
password element specifies the password indicated with the pairing Director Agent instance's and any Subagent's js7.auth.users.<subagent-id>.password configuration item.
- The password must be specified as plain text preceded by
plain:. Passwords should be quoted.
Subagent Configuration
xxx
xxx
Server Authentication
| Anchor |
|---|
| js7-web-https-keystore |
|---|
| js7-web-https-keystore |
|---|
|
HTTPS Keystore and Truststore Locations
...