JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 46

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 47

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • using HTTPS connections which are secured by private keys and certificates,
  • using authentication between JS7 products:
    • Option 1 (recommended):
      • applying mutual authentication between Controller and Agent,
      • applying mutual authentication between Director Agent instances and Subagents in an Agent Cluster.
    • Option 2:
      • applying password authentication between components should mutual authentication not be in place.

Find examples of private.conf files for Agent configuration:

Standalone Agent Configuration

Find an example for download: private.conf-example-standalone-agent

Client Authentication with Controller

Consider that client authentication is an alternative to Password Authentication with Controller.

Anchor
js7-auth-users-Controller
js7-auth-users-Controller
Controller Connections

Code Block
languageyml
linenumberstrue
Code Block
languagetext
titleSecure configuration example: private.conf
linenumberstrue
collapsetrue
# Security configuration
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }

    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }

    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }

    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password="jobscheduler"
                store-password="jobscheduler"
                # alias=
            }

            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password="jobscheduler"
                    # alias=
                 }
            ]
        }
    }
}

Director Agent Configuration

The following configuration applies to use of a Director Agent in a JS7 - Agent Cluster

A single Director Agent and a Director Agent Cluster of two instances can be used.

Client Authentication with Controller

}

Explanation:

  • This setting applies to the use of an Agent with a Standalone Controller or with a Controller Cluster.
  • Note that the Controller element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of Controller instances.
  • The distinguished-names element identifies the Controller instance's Client Authentication certificate. The certificate acts as a replacement for a password.
    • The Agent configuration specifies the distinguished names of the Controller instances that access the Agent by use of a Client Authentication certificate. For a Standalone Controller there is a single distinguished name, for a Controller Cluster each instance's distinguished name is specified.
    • Note that the common name (CN) element in the distinguished name has to match the fully qualified domain name (FQDN) of a Controller instance's host.

    • The following command can be used to read the distinguished name from a certificate file:

      Code Block
      titleExample for OpenSSL command to read a certificate's distinguished name
      # read distinguished name from the pairing Controller instance's certificate
openssl x509 -in centostest-secondary.crt -noout -nameopt RFC2253 -subject

# output is returned with a prefix "subject= " or similar that is not part of the distinguished name
# subject= DNQ=SOS CA,CN=director-2-0-secondary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE

Password Authentication with Controller

Consider that password authentication is an alternative to Client Consider that client authentication is an alternative to Password Authentication with Controller.

Anchor
js7-auth-users-password-Controller
js7-auth-users-

...

password-Controller
Controller Connections

Code Block
languageyml
linenumberstrue
js7 {
Code Block
languageyml
linenumberstrue
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller auth {
        # User accounts for     distinguished-names=[https connections
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
users {
            # Controller ID for connections by primary/secondary Controller instance
      "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" Controller {
                ]password="plain:secret"
            }
        }
    }
}

Explanation:

  • This setting applies to the use of an Agent with a Standalone Controller or with a Controller Cluster.
  • Note that the Controller element  element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of both cluster Controller instances.The distinguished-names element identifies the Controller instance's Client Authentication certificate. The certificate acts as a replacement for a password.
  • The Agent configuration specifies the distinguished names of the Controller instances that access the Agent by use of a Client Authentication certificate. For a Standalone Controller there is a single distinguished name, for a Controller Cluster each instance's distinguished name is specified.
  • Note that the common name (CN) element in the distinguished name has to match the fully qualified domain name (FQDN) of a Controller instance's host.
    • The following command can be used to read the distinguished name from a certificate file:
    Code Block
    titleExample for OpenSSL command to read a certificate's distinguished name
    # read distinguished name from the pairing Controller instance's certificate
openssl x509 -in centostest-secondary.crt -noout -nameopt RFC2253 -subject

# output is returned with a prefix "subject= " or similar that is not part of the distinguished name
# subject= DNQ=SOS CA,CN=director-2-0-secondary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE

Client Authentication with pairing Director Agent Instance

Consider that client authentication an alternative to Password Authentication with pairing Director Agent Instance.

...

  • This setting specifies the password indicated with the Controller instance's js7.auth.agents configuration item. Passwords should be quoted.
    • The password can be specified as plain text preceded by plain:.
    • The password can be specified as a hashed value preceded by sha512:.

Director Agent Configuration

The following configuration applies to use of a Director Agent in a JS7 - Agent Cluster

A single Director Agent instance and a Director Agent Cluster of two instances can be used. For a single Director Agent instance the explanations provided for the Primary Director Agent apply, settings related to a Secondary Director Agent should be omitted.

Find examples for download:

Client Authentication with Controller

Consider that client authentication is an alternative to Password Authentication with Controller.

The same settings apply as explained for Standalone Agents, see Client Authentication with Controller.

Client Authentication with pairing Director Agent Instance

Consider that client authentication an alternative to Password Authentication with pairing Director Agent Instance.

Anchor
js7-auth-users-Director
js7-auth-users-Director
Director Agent Connections

Code Block
languageyml
linenumberstrue
js7 {
    auth {
        # User accounts for https connections
Code Block
languageyml
linenumberstrue
js7 {
    auth {
        # User accounts for https connections
        users {
            # Subagent ID of pairing Director Agent instance
            subagent-id {
                permissions = [ AgentDirector ]
                distinguished-names=[
                    "DNQ=SOS CA, CN=director-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}

Explanation:

...

users {
            # Subagent ID of pairing Director Agent instance
            subagent-id {
                permissions = [ AgentDirector ]
                distinguished-names=[
                    "DNQ=SOS CA, CN=director-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}

Explanation:

  • This setting applies to use of the Subagent component within a Director Agent instance in a JS7 - Agent Cluster.
  • Note that the subagent-id element name is an example that has to be replaced by the Subagent ID of the pairing Director Agent instance which is specified during configuration of the Agent Cluster. This is not the Agent Cluster ID. For the private.conf file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa.
  • The permissions element should be used as indicated.
  • The distinguished-names element identifies the pairing Director Agent instance's Client Authentication certificate. The certificate acts as a replacement for a password.
    • Note that the common name (CN) element in the distinguished name has to match the fully qualified domain name (FQDN) of a Director Agent instance's host.

    • The following command can be used to read the distinguished name from a certificate file:

      Code Block
      titleExample for OpenSSL command to read a certificate's distinguished name
      # read distinguished name from the pairing Director Agent instance's certificate
openssl x509 -in centostest-secondary.crt -noout -nameopt RFC2253 -subject

# output is returned with a prefix "subject= " or similar that is not part of the distinguished name
# subject= DNQ=SOS CA,CN=director-2-0-secondary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE

Password Authentication with Controller

Consider that password authentication is an alternative to Client Authentication with Controller.

The same settings apply as explained for Standalone Agents, see Password Authentication with Controller

...

Code Block
titleExample for OpenSSL command to read a certificate's distinguished name
# read distinguished name from the pairing Director Agent instance's certificate
openssl x509 -in centostest-secondary.crt -noout -nameopt RFC2253 -subject

# output is returned with a prefix "subject= " or similar that is not part of the distinguished name
# subject= DNQ=SOS CA,CN=director-2-0-secondary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE

Password Authentication with Controller

Consider that password authentication is an alternative to Client Authentication with Controller.

...

Code Block
languageyml
linenumberstrue
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                password="plain:secret"
            }
        }
    }
}

Explanation:

...

.

Password Authentication with pairing Director Agent Instance

...

The following configuration applies to use of Subagents in a JS7 - Agent Cluster. 

Find an example for download: private.conf-example-subagent

Client Authentication with Director Agent Instances

...