Summary
- The Controller makes use of two configuration files:
  - the general configuration from controller.conf
  - the security configuration from private.conf
- Controller instances have to be restarted to apply changes to any of the configuration files.
General Configuration
File: controller.conf
...
- When HTTPS is used with certificates or public keys for incoming connections (see below), an additional authentication mechanism applies: the client of the incoming connection, e.g. JOC Cockpit, is required to present a Client Authentication certificate or a password. This means that two certificates are in place for a secure HTTPS connection: the given Controller's Server Authentication certificate and the JOC Cockpit's Client Authentication certificate.
- Whether a given certificate can be used for Server Authentication and/or Client Authentication is specified with the (extended) key usage when creating and signing the certificate.
- The distinguished name that is specified with the Controller's configuration has to match the "subject" attribute of the Client Authentication certificate or client public key. This attribute holds the hostname and additional information that is specified when the certificate or public key is generated.
Controller
- Settings in this section are used for connections from a pairing Controller instance, e.g. for a Secondary Controller if the given configuration is used for the Primary Controller, and vice versa.
distinguished-names
: specifies the distinguished name as given with the subject of the Client Authentication certificate for incoming HTTPS connections of a pairing Controller.
- Any number of distinguished names can be specified, thus allowing incoming HTTPS connections from a number of different Controllers. At a given point in time only one pairing Controller can connect to the given Controller.
History
- Settings in this section are used for the History Service of JOC Cockpit instances that access the given Controller.
distinguished-names
: same as for the Controller setting.
password
: a password can be used in addition to a certificate or public key. The password is also applied if insecure incoming HTTP connections are allowed.
JOC
- Settings in this section are used for JOC Cockpit instances that access the given Controller.
distinguished-names
: same as for the Controller setting.
password
: a password can be used in addition to a certificate or public key. The password is also applied if insecure incoming HTTP connections are allowed.
permissions
: JOC Cockpit requires the UpdateRepo permission to enable users to deploy objects such as workflows.
...
- For any deployed objects such as workflows the Controller expects a signature. Such signatures are created with a private key and are verified by the Controller against the available certificates or public keys. Agents perform similar signature verification and are configured accordingly.
- When deploying objects with JOC Cockpit:
  - for a Low Security Level, JOC Cockpit creates the signature from a single private key that is used for all JOC Cockpit user accounts allowed to deploy objects.
  - for a Medium Security Level, JOC Cockpit creates the signature from the private key of the JOC Cockpit user account that deploys the objects.
  - for a High Security Level, the user creates the signature outside of JOC Cockpit and uploads the signed objects.
- The Controller supports PGP public keys and X.509 certificates. Each of the following settings expects a directory that holds a number of public key files or certificate files respectively.
trusted-signature-keys
PGP
: specifies the directory from which PGP public keys are used to verify the signature of deployed objects.
X509
: specifies the directory from which X.509 certificates are used to verify the signature of deployed objects.
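As an added example (not JS7 code, and not the signature encoding that JS7 applies to deployed objects), the following script shows the trust decision that the X509 directory of the trusted-signature-keys setting implies: an object is accepted only if its detached signature verifies with the public key of a certificate found in that directory. It also covers the High Security Level case, in which the signature is created outside of JOC Cockpit with the user's private key, and the two failure modes of an unknown signer and of an object modified after signing. The signer names, the directory name and the workflow content are constructed for the example; openssl is required.

```sh
#!/bin/sh
# Added example, not JS7 code: detached X.509 signatures over a deployable object,
# verified against a directory of trusted certificates (the role of the
# trusted-signature-keys/X509 setting). The JS7 signature encoding is not reproduced;
# only the trust decision is shown. Requires openssl; names below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
TRUSTED="$WORK/trusted-x509-keys"   # assumed directory, stands in for the X509 setting
mkdir -p "$TRUSTED"

# make_signer NAME: private key and self-signed certificate for one signer.
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# sign_object FILE KEY: detached SHA-256 RSA signature stored as FILE.sig.
# At the High Security Level this is the step the user performs outside JOC Cockpit.
sign_object() {
  openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

# verify_object FILE: returns 0 if FILE.sig verifies with the public key of any
# certificate in $TRUSTED, 1 otherwise (unknown signer or modified object).
verify_object() {
  for crt in "$TRUSTED"/*.crt; do
    [ -f "$crt" ] || continue
    openssl x509 -in "$crt" -pubkey -noout > "$WORK/check.pub"
    if openssl dgst -sha256 -verify "$WORK/check.pub" -signature "$1.sig" "$1" >/dev/null 2>&1; then
      return 0
    fi
  done
  return 1
}

# demo: one trusted and one untrusted signer and a constructed workflow file.
demo() {
  make_signer alice
  make_signer mallory
  cp "$WORK/alice.crt" "$TRUSTED/"                       # only alice is trusted
  wf="$WORK/workflow.json"
  printf '{"path":"/demo","versionId":"1","instructions":[]}\n' > "$wf"
  sign_object "$wf" "$WORK/alice.key"
  verify_object "$wf" && echo "alice's signature: accepted"
  sign_object "$wf" "$WORK/mallory.key"
  verify_object "$wf" || echo "mallory's signature: rejected"
  sign_object "$wf" "$WORK/alice.key"
  printf '{"path":"/demo","versionId":"2","instructions":[]}\n' > "$wf"  # modified after signing
  verify_object "$wf" || echo "modified object: rejected"
}

demo
```

The point to take from the script is that the directory is the trust anchor: whoever can write a certificate into it can get arbitrary objects accepted, so it deserves the same file permissions as the keystore, and certificates of users who have left should be removed from it rather than left in place.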
...
- This setting is used to specify the location of a keystore and of any truststores used for HTTPS connections.
- Keystore and truststore files are expected in PKCS#12 format.
keystore
- The keystore includes the private key for the Controller's incoming HTTPS connections.
- Private key types RSA and ECDSA are supported.
file
: the full path to the location of the keystore file is expected.
key-password
: any private keys included with the keystore are protected with a password. The same password has to be used for all private keys in the given keystore.
store-password
: the keystore file is protected by a password.
truststores
- A truststore contains the certificates or public keys for the Controller's incoming HTTPS connections. Every client certificate that chains to a certificate in the truststore passes the TLS handshake; the distinguished-names settings then restrict which of these clients are accepted.
- Certificates are signed by a Certificate Authority (CA); alternatively a self-signed certificate can be used.
- It is recommended to use certificates instead of public keys.
- Certificates of type X.509 are supported.
file
: the full path to the location of the truststore file is expected.
store-password
: a truststore file is protected by a password.
- A number of truststores can be specified by repeating the file and store-password settings.
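The following script is an added example and not part of the JS7 documentation or of the product. It creates the PKCS#12 keystore and truststore described above with openssl, checks that the extended key usage of each certificate matches its role (serverAuth for the Controller, clientAuth for JOC Cockpit), derives the certificate subject in RFC 2253 form for the distinguished-names setting, and prints a private.conf fragment using the settings documented on this page. The hostnames, organisation, password and working directory are assumptions, and the enclosing js7.auth.users and js7.web.https paths of the printed fragment should be checked against the private.conf template shipped with the Controller.

```sh
#!/bin/sh
# Added example, not JS7 code: PKCS#12 keystore/truststore for the Controller's HTTPS
# settings, the RFC 2253 subject for distinguished-names, and a private.conf fragment.
# Requires openssl. Hostnames, organisation, password and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"     # assumed store/key password; use a real secret in production

# make_ca: self-signed CA that signs both the server and the client certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=DE/O=Example/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# make_cert NAME CN EKU: key, CSR and CA-signed certificate with the given extended
# key usage (serverAuth for the Controller, clientAuth for JOC Cockpit).
make_cert() {
  name=$1; cn=$2; eku=$3
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/C=DE/O=Example/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$eku" "$cn" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# make_keystore: the Controller's private key plus its chain (keystore setting).
make_keystore() {
  openssl pkcs12 -export -name controller -inkey "$WORK/controller.key" \
    -in "$WORK/controller.crt" -certfile "$WORK/ca.crt" \
    -passout "pass:$PASS" -out "$WORK/https-keystore.p12"
}

# make_truststore: only the CA certificate, no private key (truststores setting).
make_truststore() {
  openssl pkcs12 -export -nokeys -name ca -in "$WORK/ca.crt" \
    -passout "pass:$PASS" -out "$WORK/https-truststore.p12"
}

# client_dn NAME: the subject in RFC 2253 form, the value distinguished-names must match.
client_dn() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# has_eku NAME USAGE: 0 if the certificate text lists that extended key usage.
has_eku() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "$2"
}

# store_has_key STORE: 0 if the PKCS#12 file contains a private key.
store_has_key() {
  openssl pkcs12 -in "$WORK/$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# print_private_conf: fragment with the settings this page documents. The enclosing
# js7.auth.users / js7.web.https paths follow the JS7 template (assumption, verify).
print_private_conf() {
  cat <<EOF
js7 {
  auth {
    users {
      JOC {
        distinguished-names = [ "$(client_dn joc)" ]
        password = "..."      # assumed placeholder, set a real secret
        permissions = [ UpdateRepo ]
      }
    }
  }
  web {
    https {
      keystore {
        file = "$WORK/https-keystore.p12"
        key-password = "$PASS"
        store-password = "$PASS"
      }
      truststores = [
        { file = "$WORK/https-truststore.p12"
          store-password = "$PASS" }
      ]
    }
  }
}
EOF
}

build_all() {
  make_ca
  make_cert controller controller.example.org serverAuth
  make_cert joc        joc.example.org        clientAuth
  make_keystore
  make_truststore
}

build_all
print_private_conf
```

Keep the truststore limited to the CA that issued the client certificates (or to the self-signed client certificates themselves): any certificate chaining to its contents passes the TLS handshake, and only the distinguished-names entries decide which client identity is then accepted. With OpenSSL 3 the pkcs12 -legacy option produces files that older Java runtimes can still read.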
...