...

  • Network connections between components use the HTTPS protocol.
  • Such connections are secured by
  • Connections are established in one direction only.


Certificate Management

Certificate Preparation


Certificate Deployment


Certificate Management Life Cycle

...

  • Any configuration objects are automatically signed by JOC Cockpit. This task is performed implicitly when deploying objects.
  • This mechanism is easy to use as signing operations are performed without user interaction.
  • At the same time there is no certainty about who deployed objects, as any user who is authorized to deploy objects can use the respective deploy functionality with a single mouse click.



Security Level Medium:

...

User based Signing

  • Configuration objects are signed individually with the private key of the user. This applies within the scope of permissions used in JOC Cockpit to authorize individual accounts for deploying configuration objects.
  • This mechanism is similar to implicit signing except for the fact that the private key stored with the current user's profile is used.
  • Consider that, similar to implicit signing, all private and public keys of users are stored in a database and are therefore accessible to a DBA or system administrator.



Security Level High: External Signing

  • This security level requires any configuration objects to be exported and to be signed individually outside of JOC Cockpit.
  • This guarantees that at no point in time does JOC Cockpit have any knowledge of the private key used for signing.
  • Security has a price: some effort is required to export a configuration, to sign it and to import the signed configuration.



Secure Roll-out

  • A roll-out includes transferring configuration objects between environments, e.g. from development to test and to production.
  • Steps for a roll-out include
    • to consider that a roll-out might include shared responsibilities, e.g. being performed by an individual who is different from the person who managed the configuration, e.g.
      • a developer would create workflows and jobs in a development environment and deploy them to Masters and Agents in that environment.
      • an application manager would perform some quality assurance and pick up configurations from a development environment for roll-out to a test environment.
      • a release manager would authorize roll-out from a test environment to a production environment.
    • to export a configuration: the affected configuration objects are downloaded to a single archive file (.zip, .tar.gz).
    • to sign the downloaded configuration objects if Security Level High is in place, including the tasks
      • to transfer the downloaded archive to a secure environment, e.g. a computer that is separated from the network.
      • to extract the archive to disk and to use a program that complies with company standards to sign the files included with the archive. In this step the user's private key is used to sign the files. As a result, a signature file is created for each file extracted from the archive.
      • to add the extracted files and the signature files to an archive file.
    • to transfer the archive with signed files to the target environment. Any means of file transfer can be used, such as copying between servers, SCP, SFTP etc.
    • to import the archive with signed files to JOC Cockpit in the target environment.
  • The final step is to deploy the imported signed configuration objects to the target environment.
    • This task can be performed by the same individual who signed and transferred the archive file, or it can require a separate role in JOC Cockpit that is authorized to deploy in the target environment.
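
The external signing steps above can be scripted as follows. This is an added example, not code from the original page or from the product. It assumes OpenSSL as the signing program, ECDSA P-256 with SHA-256, detached `<file>.sig` signature files and PEM key files; the function names and the sample workflow file are constructed for illustration, and the signature format expected by JOC Cockpit is not stated on this page.

```shell
# Added example. Assumptions, not taken from the page: OpenSSL is the signing
# tool, signatures are detached "<file>.sig" files, keys are PEM files.

# sign_archive EXPORT.tar.gz PRIVATE_KEY.pem SIGNED.tar.gz
sign_archive() {
    work=$(mktemp -d) || return 1
    tar -xzf "$1" -C "$work" || return 1
    # One signature file per extracted file, as the roll-out steps describe.
    find "$work" -type f ! -name '*.sig' | while IFS= read -r f; do
        openssl dgst -sha256 -sign "$2" -out "$f.sig" "$f" || exit 1
    done || return 1
    tar -czf "$3" -C "$work" . || return 1
    rm -rf "$work"
}

# verify_archive SIGNED.tar.gz PUBLIC_KEY.pem
# Returns 0 only if every file carries a valid signature (a missing .sig fails).
verify_archive() {
    work=$(mktemp -d) || return 1
    tar -xzf "$1" -C "$work" || return 1
    find "$work" -type f ! -name '*.sig' | (
        bad=0
        while IFS= read -r f; do
            openssl dgst -sha256 -verify "$2" -signature "$f.sig" "$f" >/dev/null 2>&1 || bad=1
        done
        exit "$bad"
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# demo: constructed export and throwaway key pair; returns 0 if the signed
# archive verifies and a copy with one modified file is rejected.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/export/workflows"
    echo '{"instructions":[]}' > "$d/export/workflows/sample.workflow.json"
    tar -czf "$d/export.tar.gz" -C "$d/export" .
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/key.pem" 2>/dev/null
    openssl pkey -in "$d/key.pem" -pubout -out "$d/pub.pem"
    sign_archive "$d/export.tar.gz" "$d/key.pem" "$d/signed.tar.gz" || return 1
    verify_archive "$d/signed.tar.gz" "$d/pub.pem" || return 1
    # Tamper: change a file's content but keep the old signature file.
    mkdir "$d/t" && tar -xzf "$d/signed.tar.gz" -C "$d/t"
    echo '{"instructions":["x"]}' > "$d/t/workflows/sample.workflow.json"
    tar -czf "$d/tampered.tar.gz" -C "$d/t" .
    ! verify_archive "$d/tampered.tar.gz" "$d/pub.pem"
}
```

Only `sign_archive` needs the private key, so it is the part that runs on the isolated computer; `verify_archive` needs only the public key and can be run as a check before the archive is imported in the target environment.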

...