Page History
Table of Contents |
---|
Introduction
The article is focused on configuration items used for HTTPS Server Authentication with passwords. For a complete overview of settings see JS7 - Controller Configuration Items and JS7 - Agent Configuration Items,
- HTTPS Server Authentication is preferably used in combination with Client Authentication (mutual authentication) as this allows a secure configuration without the use of passwords.
- The purpose of Server Authentication is to secure the identity of an HTTP server and to encrypt the communication between client and server.
- The purpose of Client Authentication is to prove the identity of a client. Without proof of identity any HTTP client could perform a man-in-the-middle attack by, for example, pretending to be a Controller that connects to an Agent.
- Please refer to the communication scheme between JS7 products as described in the JS7 - System Architecture article:
- User browsers acting as HTTPS clients establish connections to JOC Cockpit as an HTTPS server.
- JOC Cockpit acting as an HTTPS client establishes connections to Controller instances acting as HTTPS servers.
- Controller instances acting as HTTPS clients establish connections to Agents acting as HTTPS servers.
- We recommend applying It is recommended to apply TLS mutual authentication. However, there might be reasons why use of Client Authentication is not an immediate option, for example:
- Use of a wildcard certificate for Server Authentication leverages the effort for certificate management. At the same time such certificates cannot be used for Client Authentication.
- If mutual authentication is not an immediate option then passwords can be used by following the recommendations made in this article.
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
js7 { auth { # User accounts for HTTPS connections users { # Controller ID for connections by primary/secondary Controller instance js7_devController { } password="plain:secret" # History account } # History account of JOC Cockpit (used to release events) History { password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08" } # JOC account of JOC Cockpit (requires UpdateRepoUpdateItem permission for deployment) JOC { password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE" permissions=[ UpdateItem ] } } # for each Agent specify Agent ID and plain text password for authentication agents { agent-dev-001="plain:secret-agent-001" agent-dev-002="secret-002="plain:secret-agent-002" agent-003="plain:secret-agent-003" } } configuration { # directory for trusted public keys and certificates used with signatures trusted-signature-keys { PGP=${js7.config-directory}"/private/trusted-pgp-keys" X509=${js7.config-directory}"/private/trusted-x509-keys" } } journal { # allow History account to release unused journals users-allowed-to-release-events=[ History ] } web { # keystore and truststore location for https connections https { keystore { # Default: ${js7.config-directory}"/private/https-keystore.p12" file=${js7.config-directory}"/private/https-keystore.p12" key-password=jobscheduler store-password=jobscheduler } truststores=[ { # Default: ${js7.config-directory}"/private/https-truststore.p12" file=${js7.config-directory}"/private/https-truststore.p12" store-password=jobscheduler } ] } # disable use of client authentication certificates server { auth { https-client-authentication=off } } } } |
...
Code Block | ||||
---|---|---|---|---|
| ||||
js7 { auth { # for each Agent specify Agent ID and plain text password for authentication agents { agent-dev-001="plain:secret-agent-001" agent-dev-002="secret-002="plain:secret-agent-002" agent-003="plain:secret-agent-003" } } } |
Explanation:
- The Agent ID for each Agent is specified according to from the pattern examples
agent-dev-001001
,agent-002
etc. An Agent is assigned a unique Agent ID during initial operation with JOC Cockpit that . The Agent ID cannot be changed unless an Agent's journal is dropped. - The A plain text password
secret
is specified that is preceded withplain:
. Passwords should be quoted.
Disable Client Authentication
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
js7 { auth { # User accounts for https connections users { # Controller ID for connections by primary/secondary Controller instance js7_devController { password="plain:secret" # password="sha512:$JhbM9ClpBpH2oB2O$qmWRbhOAfNHbmz3bp1AV.ATV0WIKVdZp3ceVXJZc.GHX4L7/iWJB7RGpzjZ2JzvbdPBtlpCFy8CLvYpKoBBKP/" } } } configuration { # Locations of certificates and public keys used for signature verification trusted-signature-keys { PGP=${js7.config-directory}"/private/trusted-pgp-keys" X509=${js7.config-directory}"/private/trusted-x509-keys" } } job { # Enable script execution from signed workflows execution { signed-script-injection-allowed = yes } } web { # Locations of keystore and truststore files for HTTPS connections https { keystore { # Default: ${js7.config-directory}"/private/https-keystore.p12" file=${js7.config-directory}"/private/https-keystore.p12/https-keystore.p12" key-password="jobscheduler" keystore-password="jobscheduler" # store-passwordalias=jobscheduler } truststores=[ { # Default: ${js7.config-directory}"/private/https-truststore.p12" file=${js7.config-directory}"/private/https-truststore.p12" store-password="jobscheduler" # alias= } ] } # Disable use of client authentication certificates server { auth { https-client-authentication=off } } } } |
...
Code Block | ||||
---|---|---|---|---|
| ||||
js7 { auth { # User accounts for https connections users { # Controller ID for connections by primary/secondary Controller instance js7_devController { password="plain:secret" # password="sha512:$JhbM9ClpBpH2oB2O$qmWRbhOAfNHbmz3bp1AV.ATV0WIKVdZp3ceVXJZc.GHX4L7/iWJB7RGpzjZ2JzvbdPBtlpCFy8CLvYpKoBBKP/" } } } |
Explanation:
- In this example
js7_dev
isController
is the Controller ID used by a Standalone Controller or by a Controller Cluster. A Controller is assigned a unique Controller ID during installation. The Controller ID cannot be changed unless the Controller's journal is reset. - The
password
for the Controller ID in the Agent configuration is the same as stated in the Controller configuration.- The password has to be preceded with
plain:
if a plain text password is used. - The password has to be preceded with
sha512:
if a password hashed with this algorithm is used- There are a number of ways to create sha512 hash values from passwords.
- One possible solution includes using:
openssl passwd -6
- The password has to be preceded with
...
Overview
Content Tools