Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The Identity Service Deployment Script offered for Unix Shell can be applied to perform frequently used operations to mange manage accounts, roles and and JS7 - Identity Services.

Identity Service Deployment Script

...

Operations on accounts are available to Identity Services that hold account information using the service types JOC, KEYCLOAK-JOC, LDAP-JOC, OIDC-JOC, CERTIFICATE and FIDO service types. For Identity Services that manage accounts on their own such as KEYCLOAK, LDAP, OIDC, the JOC Cockpit does not provide account information. For details see JS7 - Identity Services.

  • get-account
    • Returns information about the indicated account or all accounts if the --account option is not specified. 

    • Accounts can be filtered:
      • The --enabled switch will filter results to active accounts
      • The --disabled switch will filter results to inactive accounts.
  • store-account
    • Stores an account to the Identity Service. 
      • An existing role can be assigned using the --role option.
      • The password can be specified using the --account-password option. Consider to use secure input from the commandline using the -a switch. If no password is specified then the initial password is assigned. If a password is specified or the initial password is used, then JOC Cockpit will challenge the user to specify a new password on next login.
      • The --force-password-change switch can be used to make JOC Cockpit challenge the user to specify a new password on next login. The operation is available for existing accounts that hold a password. For new accounts and for accounts assigned a new password users are automatically challenged to specify a new password on next login.
      • The --disabled switch can be used to deactivate an account when it is created. For later enabling/disabling of existing accounts see enable-account and disable-account commands.
    • Handling of passwords allows the API user to specify passwords for other accounts. However, for the affected account accounts users will have to change the password on next login.
  • rename-account
    • Renames the indicated account.
  • remove-account
    • Removes the indicated account from the Identity Service.
  • get-account-permission
    • Returns the list of permissions per role assigned the given account.
  • set-account-password
    • Sets the password for the indicated account. Consider to use secure input from the commandline using the -a switch.
    • The user will be challenged to specify a new password on next login.
  • reset-account-password
    • Resets the account's password to the initial password.
    • The user will be challenged to specify a new password on next login.
  • enable-account
    • Activates the account which allows login to JOC Cockpit.
  • disable-account
    • Deactivates the account which denies login to JOC Cockpit.

...

  • get-permission
    • Returns permissions of the indicated role.
  • set-permission
    • Assigns the a role one or more permission permissions that are specified from permission identifiers using the --permission option. If more than one permission identifier is used, then they are separated by comma, for example example --permission='sos:products:controller:view','sos:products:controller:agents:view'. Use of single quotes or double quotes is recommended.
    • If the --excluded switch is used, then permissions are denied. This applies to JOC Cockpit and to all Controllers for which the indicated permissions will be denied.
    • The Controller ID can be specified using the --controller-id option to limit permissions to the given Controller.
  • rename-permission
    • Switches an existing permission to a different permission.
  • remove-permission
    • Removes the indicated permission permissions from the role. One or more permissions can be specified separated by comma.

Folder Permissions

Folder permissions are used to apply permissions to certain folders in the JOC Cockpit inventory and to limit user access to folders.

...

  • get-service
    • If the --service option is used, returns the indicated Identity Service and otherwise returns the list of Identity Services.
  • store-service
    • Stores the indicated Identity Service.
    • The following options and switches can be used: 
      • The --service-type option specifies the capabilities of the Identity Service such as LDAP, OIDC, FIDO. For the full list of service types see JS7 - Identity Services, Matrix.
      • The --required switch specifies that successful authentication using the Identity Service is required. If the switch is not used, then JOC Cockpit will switch to using the next Identity Service in case of unsuccessful authentication.
      • The --disabled switch can be used to deactivate an Identity Serivce which denies login by any accounts using the Identity Service.
      • The --ordering option can be used to specifiy the position of the Identity Service in the list of Identity Services.
      • The --authentication-scheme option allows to specify the following values: SINGLE-FACTOR, TWO-FACTOR.
        • Single-factor authentication specifies that the Identity Service is used as a single factor for authentication.
          • The --single-factor-certificate switch is used for the JS7 - Certificate Identity Service to specify that a certificate acts as the single factor for authentication.
          • The --single-factor-password switch is used to specify that a password is used as the single factor for authentication.
        • Two-factor authentication specifies that a second Identity Service is used and that successful authentication with both Identity Services is required. For example an Identity Serivce using the LDAP service type can use FIDO as a second factor. This implies that secrets are stored on different media: the LDAP password is stored with the user's brain while the FIDO secret is stored on the user's device, for example on a USB key or in an authenticator application on a smartphone. 
  • rename-service
    • Renames the indicated Identity Service.
  • remove-service
  • get-service-settings
    • Returns settings from an Identity Service. For example, the LDAP, OIDC and FIDO Identity Services hold confiugration items with their service settings.
    • Settings are returned in JSON format and can be stored to environment variables or to files, for example
      • settings=$(./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP)
      • ./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP > /tmp/ldap.settings.json
  • store-service-settings
    • Stores Identity Service settings that have previously been retrieved using the get-service-settings command.
    • Settings are expected in JSON format from the value of the --settings option. If settings have previousyl previously been stored to a file, then they can be assigned like this:
      • settings=$(cat ./examples/ldap-settings.json)
      • ./deploy-identity-service.sh get-service-settings ... --settings="$settings"

...

  • --url
  • --user
    • Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the --client-cert and --client-key options then their common name (CN) attribute has to match the user account.
    • If a user account is specified then a password can be specified using the --password option or interactive keyboard input can be prompted using the -p switch.
  • --password
    • Specifies the password used for the account specified with the --user option for login to JOC Cockpit.
    • Password input from the command line is considered insecure. Consider use of the -p switch offering a secure option for interactive keyboard input.
  • --ca-cert
    • Specifies the path to a file in PEM format that holds the Root CA Certificate and optionally Intermediate CA Certificates to verify HTTPS connections to JOC Cockpit.
  • --client-cert
    • Specifies the path to a file in PEM format that holds the Client Certificate if HTTPS mutual authentication is used..
  • --client-key
    • Specifies the path to a file in PEM format that holds the Client Private Key if HTTPS mutual authentication is used..
  • --timeout
    • Specifies the maximum duration for requests to the JS7 REST Web Service. Default: 60 seconds.
  • --controller-id
    • Specifies the identification of the Controller.
  • --account
    • When used with commands on accounts, specifies the related account.
    • When used with the remove-account, reset-account-password, enable-account and disable-account commands, one or more accounts can be specified separated by commeacomma, for example:: --account=user1,user2.
  • --new-account
    • When used with the rename-account command, specifies the new name of the account.
  • --account-password
    • When used with the store-account and set-account-password commands, specifies the account's password.
    • Command line input for passwords is considered insecure. Consider use of the -a switch for secure interactive keyboard input for passwords.
  • --new-password
    • When used with the set-account-password commands command, specifies the account's new password.
    • Command line input for passwords is considered insecure. Consider use of the -n switch for secure interactive keyboard input for passwords.
  • --service
    • Specifies the name of the Identity Service.
  • --service-type
    • The option specifies the capabilities of the Identity Service such as LDAP, OIDC, FIDO. For the full list of service types see JS7 - Identity Services, Matrix.
  • --ordering
    • When used with the store-role command, specifies the role's position in the list of roles. If the option is not used, then a newly added role will be appended.
    • When used with the store-service command, specifies the Identity Service's position in the list of Identity Services. The ordering of Identity Services specifies the sequence by which Identity Services will be triggered if more than one Identity Service is used for authentication.
  • --new-service
    • When used with the rename-service command, specifies the new name of the Identity Service.
  • --authentication-scheme
    • When used with the store-service command, specifies single-factor or two-factor authentication using one of the values: SINGLE-FACTOR, TWO-FACTOR.
  • --role
    • For Specifies the name of a role. for role-based or permission-based command specifies the name of a rolecommands.
    • If more than one role is specified, then they are separated by comma, for example: --role=administrator,business-user.
  • --new-role
    • When used with the rename-role command, specifies the new name of the role.
  • --permission
    • When used with the set-permission, rename-permission and remove-permission commands, specifies the permission identifiers to be used. For available permission identifiers see JS7 - Default Roles and Permissions.
    • If more than one permission is used, then permission identifiers are separated by comma, for example: --permission='sos:products:controller:view','sos:products:controller:agents:view'
  • --new-permission
    • When used with the rename-permission command, specifies the new permission identifier.
  • --folder
    • Specifies the folder to which permissions are applied and that limit user access to JOC Cockpit inventory folders.
    • If more than one folder is used, then they are separated by comma, for example --folder=/accounting,/reporting.
  • --new-folder
    • When used with the rename-folder command, specifies the new permission identifier.
  • --audit-message
    • Specifies a message that is made available to the Audit Log.
    • Specification of Audit Log messages can be enforced on a per user basis and for a JS7 environment.
  • --audit-time-spent
    • Specifies the time spent to perform an operation which is added to the Audit Log.
    • The option can be specified if the --audit-message option is used.
  • --audit-link
    • Specifies a link (URL) which is added to the Audit Log.
    • The option can be specified if the --audit-message option is used.
  • --log-dir
    • If a log directory is specified then the script will log information about processing steps to a log file in this directory.
    • File names are created according to the pattern: operatedeploy-identity-jocservice.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
    • For example: operatedeploy-identity-jocservice.20222024-0310-19T20-50-45.log

Switches

  • -h | --help
    • Displays usage.
  • -v | --verbose
    • Displays verbose log output that includes requests and responses with the JS7 REST Web Service.
    • When used twice as with -v -v then curl verbose output will be displayed.
  • -p | --password
    • Asks the user for interactive keyboard input of the password used for the account specified with the --user option..
    • The switch is used for secure interactive input as an alternative to use of the option --password=<password>.
  • -a | --account-password
    • When used with the store-account and set-account-password commands, asks the user for interactive keyboard input of the existing password used for the account.
    • The switch is used for secure interactive input as an alternative to use of the --account-password=<password> option.
  • -n | --new-password
    • When used with the set-account-password command, asks the user for interactive keyboard input of the new password used for the account.
    • The switch is used for secure interactive input as an alternative to use of the --new-account-password=<password> option.
  • -f | --force-password-change
    • When used with the store-account command, specifies that the user will be challenged to type a new password on next login.
    • The switch is used for existing accounts. Use of the switch is not required in the following situations that will automatically challenge the user to specify a new password on next login:
      • For new accounts using the initial passwords password and for accounts assigned a password using the --account-password option or switch.
      • If the account is assigned a password using the set-account-password command.
      • If the account's password is reset to the initial password using the reset-account-password command
  • -e | enabled
    • When  used with the get-account command, filters results to enabled accounts.
    • When used with the remove-account command, filters that limits the operation to enabled accounts only will be removed.
  • -d | disabled
    • When  used with the get-account command, filters results to disabled accounts.
    • When  used with the store-account command, specifies that the indicated account will be deactivated.
    • When used with the remove-account command, filters that limits the operation to disabled accounts only will be removed.
    • When  used with the store-service command, specifies that the Identity Service will be deactivated.
  • -x | --excluded
    • When used with the set-permission command, specifies that the permission will be denied. This applies to JOC Cockpit permissions and to permissions for all Controller permissionsControllers.
  • -q | --required
    • When used with the store-service command, specifies that successful authentication using the Identity Service is required. If the switch is not used, then JOC Cockpit will switch to using the next Identity Service in case of unsuccessful authentication.
  • -r | --recursive
    • When used with the set-folder and rename-folder commands, specifies that folder permissions are applied to sub-folders.
  • --single-factor-certificate
    • When used with the store-service command, specifies that a certificate acts as a single factor for authentication.
  • --single-factor-password
    • When used with the store-service command, specifies that a password acts as a single factor for authentication.
  • --show-logs
    • Displays the log output created by the script if the --log-dir option is used.
  • --make-dirs
    • If directories are missing that are indicated with the --log-dir option then they will be created.

...

Code Block
languagebash
titleExamples for Setting Account Password
linenumberstrue
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root) 

# store account with specific password
./deploy-identity-service.sh store-account          "${request_options[@]}" --service=JOC-INITIAL --account=test-account \
                                                    --account-password=secret

# trigger password change for account on next login
./deploy-identity-service.sh store-account          "${request_options[@]}" --service=JOC-INITIAL --account=test-account \
                                                    --force-password-change

# set account password
./deploy-identity-service.sh set-account-password   "${request_options[@]}" --service=JOC-INITIAL --account=test-account \
                                                    --account-password=secret --new-password=very-secret

# reset account to use initial password
./deploy-identity-service.sh reset-account-password "${request_options[@]}" --service=JOC-INITIAL --account=test-account

...

Code Block
languagebash
titleExamples for Renaming and Removing Accounts
linenumberstrue
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root) 

# rename permissionaccount
./deploy-identity-service.sh rename-permissionaccount "${request_options[@]}" --service=JOC-INITIAL --roleaccount=businesstest-user \
                                               --permission='sos:products:controller:deployment:manage' \
                 account --new-account=test-account2                   

# remove account
./deploy-identity-service.sh remove-account "${request_options[@]}" --service=JOC-INITIAL --account=test-account                                                -

# remove accounts
./deploy-identity-service.sh remove-account "${request_options[@]}"  --service=JOC-INITIAL --account=test-account1,test-account2

Setting up Identity Management

Setting up JOC Identity Service, Roles, Permissions and Accounts

The example is used to set up a JOC Identity Service from scratch:

  • The Identity Service is created
  • Roles for developers and operators are created.
  • Frequently used permissions are assigned the roles. For permission identifiers see JS7 - Default Roles and Permissions.
  • Accounts are created that are assigned the initial password. On next login users are challenged to change password.

Code Block
languagebash
titleExamples for Renaming and Removing Accounts
linenumberstrue
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)   # store Identity Service

# create Identity Service using password for single-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=My-Service --service-type=JOC \
                                           --authentication-scheme=SINGLE-FACTOR

# create roles
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=developer
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=operator

# assign permissions to roles
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=developer \
                                            --permission='sos:products:joc:administration:view','sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster','sos:products:joc:inventory','sos:products:controller:view','sos:products:controller:agents:view'

./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=operator\
                                            --permission='sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster:view','sos:products:controller:view','sos:products:controller:agents:view'

# create accounts and assign roles 
./deploy-identity-service.sh store-account  "${request_options[@]}" --service=My-Service --account=dev --role=developer
./deploy-identity-service.sh store-account  "${request_options[@]}" --service=My-Service --account=ops --role=operator

Setting up LDAP Identity Service, Roles, Permissions and Accounts

The example is used to set up an Identity Service from scratch:

  • The Identity Service is created. For use with Identity Services such as LDAP, OIDC, FIDO the related service settings have to be provided from .json files. Such files can be created by reading Identity Service settings.

    Code Block
    languageyml
    titleExample for LDAP settings in JSON Format
    linenumberstrue
    collapsetrue
    {
      "simple": {
        "iamLdapHost": "openldap-2-4",
        "iamLdapHostNameVerification": null,
        "iamLdapPort": 636,
        "iamLdapProtocol": "SSL"
      },
      "expert": {
        "iamLdapGroupNameAttribute": "cn",
        "iamLdapGroupRolesMap": {
          "items": [
            {
              "ldapGroupDn": "js7adm",
              

...

  • "roles": [
                "all"
              ]
            },
            {
              "ldapGroupDn": "js7usr",
              

...

  • "roles": [
                "business_user"
              ]
            }
          ]
        },
        "iamLdapGroupSearchBase": "dc=sos-berlin,dc=com",
        "iamLdapGroupSearchFilter": "(memberUid=%s)",
        "iamLdapSearchBase": "",
        "iamLdapServerUrl": "ldaps://openldap-2-4:636",
        "iamLdapUseStartTls": false,
        "iamLdapUserDnTemplate": "uid={0},ou=users,ou=sales,o=sos,dc=sos-berlin,dc=com",
        "iamLdapUserNameAttribute": "",
        "iamLdapUserSearchFilter": 

...

Setting up Identity Management

Setting up Identity Service, Roles, Permissions and Accounts

The example is used to set up an Identity Service from scratch:

  • For use with Identity Services such as LDAP, OIDC, FIDO the related service settings have to be provided from .json files. Such files can be created by reading Identity Service settings.
    ""
      }
    }
  • Roles for developers and operators are created.
  • Frequently used permissions are assigned the roles. For permission identifiers see JS7 - Default Roles and Permissions.
  • Accounts are created that are assigned the initial password. On next login users are challenged to change password.

Code Block
languagebash
titleExamples for Renaming and Removing Accounts
linenumberstrue
# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)   # store Identity Service

# create Identity Service using password for single-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=My-Service --service-type=LDAP \
                                           --authentication-scheme=SINGLE-FACTOR

# get settings from an existing Identity Service
#     store settings to an environment variable
# settings=$(./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP)
#     store settings to a file
# ./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP > ./examples/ldap-settings.json
#     read settings from a file
# settings=$(cat ./examples/ldap-settings.json)
 
# store Identity Service settings
# ./deploy-identity-service.sh store-service-settings "${request_options[@]}" --service=My-Service --settings="$settings" --service-type=LDAP

# create roles
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=developer
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=operator

# assign permissions to roles
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=developer \
                                            --permission='sos:products:joc:administration:view','sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster','sos:products:joc:inventory','sos:products:controller:view','sos:products:controller:agents:view'

./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=operator\
                                            --permission='sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster:view','sos:products:controller:view','sos:products:controller:agents:view'

# create accounts and assign to roles 
./deploy-identity-service.sh store-account  "${request_options[@]}" --service=My-Service --account=dev --role=developer
./deploy-identity-service.sh store-account  "${request_options[@]}" --service=My-Service --account=ops --role=operator

...