...
Identity Service Deployment Script
Command | Category | Documentation |
---|---|---|
get-account / store-account | Accounts | |
rename-account / remove-account | Accounts | |
get-account-permission | Accounts | |
set-account-password / reset-account-password | Accounts | |
enable-account / disable-account | Accounts | |
get-role / store-role | Roles | |
rename-role / remove-role | Roles | |
get-permission / set-permission | Permissions | |
rename-permission / remove-permission | Permissions | |
get-folder / set-folder | Folders | |
rename-folder / remove-folder | Folders | |
get-service / store-service | Identity Services | |
rename-service / remove-service | Identity Services | |
The script is offered for download and can be applied for frequently used operations:
...
get-permission
- Returns the permissions of the indicated role.
set-permission
- Assigns the role one or more permissions that are specified by their permission identifiers.
- If the --excluded switch is used, then the permission is denied. This applies to JOC Cockpit permissions and to all Controller permissions.
- The Controller ID can be specified using the --controller-id option for permissions that should be limited to the given Controller.
rename-permission
- Renames an existing permission by switching the permission identifier.
remove-permission
- Removes the indicated permission from the role.
...
Folder Permissions
get-folder
- If the --folder option is used, returns the indicated folder and otherwise returns all folders assigned the given role.
set-folder
- Assigns the indicated role one or more folders. If more than one folder is specified, then they are separated by comma, for example --folder=/accounting,/reporting.
- The --recursive switch can be used to specify that sub-folders similarly should be accessible to the given role.
rename-folder
- Switches folder assignment to a different folder.
remove-folder
- Removes the indicated folder from the role.
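To review which paths a set of folder assignments reaches before applying them, the following added example (not part of the JS7 script or of this page's original code) models the rule stated above: a folder grants access to itself, and to its sub-folders only when it was assigned with --recursive. The function names, the FOLDER:r notation and the folders /hr and /accounting-archive are assumptions made for illustration, as is matching on whole path segments.

```sh
#!/bin/sh
# Added example: model of the folder rule described above, for reviewing
# assignments offline. It does not call JOC Cockpit. Assumptions: folder paths
# contain no whitespace or glob characters, and matching is per path segment.

# set_folder_entries FOLDERS [recursive]
# Turns the value of --folder (comma-separated) into one entry per folder;
# entries get the suffix ":r" when --recursive would be given.
set_folder_entries() {
  sfe_suffix=
  if [ "${2:-}" = recursive ]; then sfe_suffix=:r; fi
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r sfe_folder; do
    if [ -n "$sfe_folder" ]; then printf '%s%s ' "$sfe_folder" "$sfe_suffix"; fi
  done
}

# folder_access ENTRIES PATH
# Returns 0 if PATH is covered by one of the entries, 1 otherwise.
folder_access() {
  fa_path=${2%/}
  if [ -z "$fa_path" ]; then fa_path=/; fi
  for fa_entry in $1; do
    fa_folder=${fa_entry%:r}
    fa_recursive=no
    if [ "$fa_entry" != "$fa_folder" ]; then fa_recursive=yes; fi
    if [ "$fa_folder" != / ]; then fa_folder=${fa_folder%/}; fi
    # exact match: the assigned folder itself
    if [ "$fa_path" = "$fa_folder" ]; then return 0; fi
    # sub-folders only count for recursive assignments, and only below a
    # full path segment: /accounting must not match /accounting-archive
    if [ "$fa_recursive" = yes ]; then
      case $fa_folder in
        /) fa_prefix=/ ;;
        *) fa_prefix=$fa_folder/ ;;
      esac
      case $fa_path in
        "$fa_prefix"*) return 0 ;;
      esac
    fi
  done
  return 1
}

# Constructed sample: --folder=/accounting,/reporting --recursive plus a
# second, non-recursive assignment of /hr (hypothetical folder).
role_folders="$(set_folder_entries /accounting,/reporting recursive)$(set_folder_entries /hr)"

for p in /accounting /accounting/invoices/2024 /accounting-archive /hr /hr/payroll; do
  if folder_access "$role_folders" "$p"; then echo "$p: accessible"; else echo "$p: not accessible"; fi
done
```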
...
-h | --help
- Displays usage.
-v | --verbose
- Displays verbose log output that includes requests and responses with the JS7 REST Web Service.
- When used twice as with -v -v then curl verbose output will be displayed.
-p | --password
- Asks the user for interactive keyboard input of the password used for the account specified with the --user option.
- The switch is used for secure interactive input as an alternative to use of the option --password=<password>.
-a | --account-password
- When used with the store-account and set-account-password commands, asks the user for interactive keyboard input of the existing password used for the account.
- The switch is used for secure interactive input as an alternative to use of the --account-password=<password> option.
-n | --new-password
- When used with the set-account-password command, asks the user for interactive keyboard input of the new password used for the account.
- The switch is used for secure interactive input as an alternative to use of the --new-account-password=<password> option.
-f | --force-password-change
- When used with the store-account command, specifies that the user will be challenged to type a new password on next login.
- The switch is used for existing accounts. Use of the switch is not required in the following situations that will automatically challenge the user to specify a new password on next login:
  - For new accounts using the initial passwords and for accounts assigned a password using the --account-password option or switch.
  - If the account is assigned a password using the set-account-password command.
  - If the account's password is reset to the initial password using the reset-account-password command.
-e | enabled
- When used with the get-account command, filters results to enabled accounts.
- When used with the remove-account command, specifies that only enabled accounts will be removed.
-d | disabled
- When used with the get-account command, filters results to disabled accounts.
- When used with the store-account command, specifies that the indicated account will be deactivated.
- When used with the remove-account command, specifies that only disabled accounts will be removed.
- When used with the store-service command, specifies that the Identity Service will be deactivated.
-x | --excluded
- When used with the set-permission command, specifies that the permission will be denied. This applies to JOC Cockpit permissions and to all Controller permissions.
-q | --required
- When used with the store-service command, specifies that successful authentication using the Identity Service is required. If the switch is not used, then JOC Cockpit will switch to using the next Identity Service in case of unsuccessful authentication.
-r | --recursive
- When used with the set-folder and rename-folder commands, specifies that folder permissions are applied to sub-folders.
--single-factor-certificate
- When used with the store-service command, specifies that a certificate acts as a single factor for authentication.
--single-factor-password
- When used with the store-service command, specifies that a password acts as a single factor for authentication.
--show-logs
- Displays the log output created by the script if the --log-dir option is used.
--make-dirs
- If directories are missing that are indicated with the --log-dir option then they will be created.
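The -p, -a and -n switches exist so that passwords need not be given as --password=<password>, --account-password=<password> or --new-account-password=<password>. The following check is an added example, not part of the JS7 script or of this page's original code: it scans shell text for those value-carrying forms so that they can be found in deployment scripts before they are committed. The function names, the variable JS7_PASSWORD and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: report password options that carry their value on the
# command line instead of using the interactive switches -p, -a and -n.
# Reads shell text on stdin and prints LINE:OPTION:KIND per finding, where
# KIND is "literal" (secret stored in the file) or "variable" (secret not in
# the file, but still passed as a command line argument).
find_password_arguments() {
  awk '
    {
      n = split($0, tok, /[ \t()]+/)
      for (i = 1; i <= n; i++) {
        # option names as documented above; a bare switch has no "=value"
        if (tok[i] !~ /^--(password|account-password|new-account-password)=./)
          continue
        opt = tok[i]; sub(/=.*/, "", opt)
        val = tok[i]; sub(/^[^=]*=/, "", val)
        kind = (val ~ /^"?\$/) ? "variable" : "literal"
        print NR ":" opt ":" kind
      }
    }'
}

# Constructed sample input (not taken from a real deployment); options that
# do not matter for the check are omitted.
sample_script() {
  cat <<'EOF'
request_options=(--url=http://localhost:4446 --user=root --password=root)
./deploy-identity-service.sh get-role "${request_options[@]}" --service=JOC-INITIAL
./deploy-identity-service.sh get-service --url=http://localhost:4446 --user=root -p
./deploy-identity-service.sh set-account-password --url=http://localhost:4446 --user=root \
    --password="$JS7_PASSWORD" --service=JOC-INITIAL --new-account-password=Secret123
EOF
}

sample_script | find_password_arguments
```

A "variable" finding keeps the secret out of the file, but the expanded value is still visible in the process argument list while the script runs.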
...
The following examples illustrate typical use cases.
Getting
...
Identity Services
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller)
# get list of Identity Services
./deploy-identity-service.sh get-service "${request_options[@]}"
# get Identity Service
./deploy-identity-service.sh get-service "${request_options[@]}" --service=JOC-INITIAL |
Creating and Updating Identity Services
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)
# store Identity Service
./deploy-identity-service.sh store-service "${request_options[@]}" --service=New-Service --service-type=OIDC
# store required Identity Service using password for single-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=New-Service --service-type=LDAP --required \
--authentication-scheme=SINGLE-FACTOR --
# store required Identity Service using two-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=FIDO-Service --service-type=FIDO
./deploy-identity-service.sh store-service "${request_options[@]}" --service=LDAP-Service --service-type=LDAP --required --authentication-scheme=TWO-FACTOR |
Renaming and Removing Identity Services
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)
# rename Identity Service
./deploy-identity-service.sh rename-service "${request_options[@]}" --service=Old-Service --new-service=New-Service
# remove Identity Service
./deploy-identity-service.sh remove-service "${request_options[@]}" --service=New-Service
|
Creating and Updating Roles
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)
# get list of roles
./deploy-identity-service.sh get-role "${request_options[@]}" --service=JOC-INITIAL
# get role
./deploy-identity-service.sh get-role "${request_options[@]}" --service=JOC-INITIAL --role=administrator
# store role
./deploy-identity-service.sh store-role "${request_options[@]}" --service=JOC-INITIAL --role=backoffice-user |
Renaming and Removing Roles
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)
# rename role
./deploy-identity-service.sh rename-role "${request_options[@]}" --service=JOC-INITIAL --role=backoffice-user --new-role=business-user
# remove role
./deploy-identity-service.sh remove-role "${request_options[@]}" --service=JOC-INITIAL --role=business-user
# remove roles
./deploy-identity-service.sh remove-role "${request_options[@]}" --service=JOC-INITIAL --role=business-user,incident-manager |
Creating and Updating Permissions
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)
# get permissions for role
./deploy-identity-service.sh get-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user
# assign permissions to role
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
--permission='sos:products:controller:view','sos:products:controller:agents:view' |
Renaming and Removing Permissions
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)
# rename permission
./deploy-identity-service.sh rename-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
--permission='sos:products:controller:deployment:manage' \
--new-permission='sos:products:controller:deployment:view' --excluded
# remove permission
./deploy-identity-service.sh remove-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
--permission='sos:products:controller:deployment:view'
# remove permissions
./deploy-identity-service.sh remove-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
--permission='sos:products:controller:deployment','sos:products:controller:agents:view' |
Creating and Updating Folder Permissions
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)
# get folder permissions for all folders assigned the indicated role
./deploy-identity-service.sh get-folder "${request_options[@]}" --service=JOC-INITIAL --role=business-user
# get folder permissions for the indicated role and folder
./deploy-identity-service.sh get-folder "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
--folder=/accounting
# set folder permissions recursively for a number of folders
./deploy-identity-service.sh set-folder "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
--folder=/accounting,/reporting --recursive |
Renaming and Removing Folder Permissions
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)
# rename folder permissions
./deploy-identity-service.sh rename-folder "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
--folder=/accounting --new-folder=/reporting --recursive
# remove folder permissions
./deploy-identity-service.sh remove-folder "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
--folder=/reporting |
Resources
- API
- Workflow Deployment Operations
- Workflow Status Operations
- Controller Deployment Operations
- Controller Status Operations
- JOC Cockpit Status Operations