Page History

...

Introduction

• The JS7 components are easy to install out-of-the-box. However, a number of configuration items have to be considered when operating the JS7 for a secure environment.
• Secure operation is applied at the following areas:
  • Connection Management
    
    • Network Connections
    • Database Connections
  • Access Management
    • Authentication
    • Authorization
  • Credentials Management
    • Database Credentials
    • Job Credentials
• Secure operation includes users configuring JS7 components in a compliance conformant way.

...

• All network connections make use of HTTP
  • Connections from a user browser to the JOC Cockpit
  • Connections from the PowerShell CLI to the JOC Cockpit JS7 - REST Web Service API
  • Connections from the JOC Cockpit REST Web Service to the JS7 Controller
  • Connections from the JS7 Controller to Agents
• Port Usage
  • The JOC Cockpit can be accessed at port 4446
  • The JOC Cockpit REST Web Service can be accessed at port 4446
  • The JS7 Controller uses the following ports:
    • Access to the JS7 Controller Web Service at port 40444
    • Access to the JS7 Controller via TCP at port 4444 

      Display feature availability
      EndingWithRelease 1.12

    • Access to the JS7 Controller via UDP at port 4444 

      Display feature availability
      EndingWithRelease 1.12

    • The TCP port 4444 and HTTP port 40444 enable access to the "classic" JOC GUI. 

      Jira
      server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key JOC-304

  • The JobScheduler Agent listens to port 4445
• Network Interface Usage
  • By default JobScheduler components will listen to the above mentioned ports on all available network interfaces.
• Firewall Settings
  • Open ports in your firewall exclusively for the hosts, protocols and ports as specified above. Consider allowing connections only for the directions indicated in the diagram above.

Secure Configuration

The following recommendations should be applied to ensure secure network connections.

• Configure network connections to use HTTPS
  • The use of HTTPS includes users providing valid certificates for the hosts that JS7 components are operated for. The use of self-signed certificates is a no-go.
  • As HTTPS is restricted to secure the connection, in addition authentication is added to the configuration, e.g. when using HTTPS then a JS7 Controller is configured to authenticate with an Agent in order to guarantee that the Controller is what it claims to be and is entitled to access an Agent.
  • For detailed instructions on the configuration see:
    • JOC Cockpit - HTTPS Authentication explains HTTPS configuration for the JOC Cockpit and connection to the JS7 Controller.
    • JobScheduler Universal Agent - HTTPS Agent and Master Authentication
• Drop the JS7 Controller TCP / UDP port:
  • This port is not required for standard operation with releases starting from 1.11. 
  • This port is required for previous releases that include the "classic" JOC GUI running in the JS7 Controller.
    • Access to this port can be restricted with the <allowed_host> setting in ./config/scheduler.xml

  • This port is required for all releases if a JobScheduler Supervisor is used.
• Restrict use of network interfaces
  • Consider restricting JS7 components to only listen to specific network interfaces.
  • The JS7 Controller can be configured by use of the http_port and https_port attributes in the ./config/scheduler.xml configuration file.
    • For details see How to restrict the JobScheduler Master to listen to specific network interfaces when using HTTP or HTTPS.
  • Configure the JS7 Universal Agent to use the SCHEDULER_HTTP_PORT and SCHEDULER_HTTPS_PORT environment variables in the JS7 Agent instance script.
    • For details see How to restrict the JobScheduler Agent to listen to specific network interfaces when using HTTP and HTTPS.
• Drop the "classic" JOC GUI
  • The "classic" JOC GUI ships without authentication and authorization. It is included with release 1.11 for users who stick to this interface. It is available from the above TCP port and HTTP port. 

    Display feature availability
    EndingWithRelease 1.12

  • To drop the "classic" JOC GUI remove the SCHEDULER_HOME/operations_gui folder.

Database Connections

All database connections are based on JDBC. If JDBC type 4 drivers are used then a DBMS client is not required for operation of JobScheduler components. JobScheduler components use Hibernate as their database access layer.

Default Configuration

• JobScheduler ships with JDBC Drivers that are open source or that are free for bundling with our software.
• The installer allows
  
  • to specify alternative JDBC Drivers that can be downloaded from the relevant vendor's web site.
  • to specify individual Hibernate configuration files with security related settings.
• For details see Which Database Management Systems are supported by JobScheduler?

Secure Configuration

• Depending on the DBMS in use it may be preferable to download and to apply the DBMS vendor's current JDBC Driver version:
  • For use with MySQL the JDBC Driver is not included with JobScheduler. Instead a MariaDB driver is provided.
  • For use with Microsoft SQL Server the JDBC Driver is not included, instead the jTDS Driver is provided. In order to apply integrated security (see below chapter Credentials Management) it is recommended that a current Microsoft JDBC Driver is applied.
  • For use with Oracle newer JDBC Driver versions are available from the vendor's web site.
• Vendor-specific JDBC Drivers include support for specific authentication mechanisms, e.g. use of JDBC with Oracle Wallet.
• Consider additional security related settings that apply to your DBMS in the Hibernate configuration files:
  • Controller
    • for access to the reporting database: ./config/reporting.hibernate.cfg.xml
    • for access to the JobScheduler database: ./config/hibernate.cfg.xml
  • JOC Cockpit
    • for access to the reporting database: ./resources/joc/reporting.hibernate.cfg.xml
    • for access to the JobScheduler database: ./resources/joc/jobscheduler.hibernate.cfg.xml
    • optionally different locations of Hibernate configuration files can be set in ./resources/joc/job.properties for access to additional JobScheduler databases

Access Management

• • port 40444
  • The JS7 Agent listens to port 4445
• Network Interface Usage
  • By default JS7 components will listen to the above mentioned ports on all available network interfaces.
• Firewall Settings
  • Open ports in your firewall exclusively for the hosts, protocols and ports as specified above. Consider allowing connections only for the directions indicated in the diagram above.

Secure Configuration

The following recommendations should be applied to ensure secure network connections.

• Configure network connections to use HTTPS
  • The use of HTTPS includes users providing valid certificates for the hosts that JS7 components are operated for. The use of self-signed certificates is a no-go.
  • As HTTPS is restricted to secure the connection, in addition authentication is added to the configuration, e.g. when using HTTPS then a JS7 Controller is configured to authenticate with an Agent in order to guarantee that the Controller is what it claims to be and is entitled to access an Agent.
  • For detailed instructions on the configuration see:
    • JOC Cockpit - HTTPS Authentication explains HTTPS configuration for the JOC Cockpit and connection to the JS7 Controller.
    • JobScheduler Universal Agent - HTTPS Agent and Master Authentication
• Restrict use of network interfaces
  • Consider restricting JS7 components to only listen to specific network interfaces.
  • The JS7 Controller can be configured by use of the http_port and https_port attributes in the ./config/scheduler.xml configuration file.
    • For details see How to restrict the JobScheduler Master to listen to specific network interfaces when using HTTP or HTTPS.
  • Configure the JS7 Agent to use the SCHEDULER_HTTP_PORT and SCHEDULER_HTTPS_PORT environment variables in the JS7 Agent instance script.
    • For details see How to restrict the JobScheduler Agent to listen to specific network interfaces when using HTTP and HTTPS.

Database Connections

All database connections are based on JDBC. If JDBC type 4 drivers are used then a DBMS client is not required for operation of JS7 components. JS7 components use Hibernate as their database access layer.

Default Configuration

• JS7 ships with JDBC Drivers that are open source or that are free for bundling with our software.
• The installer allows
  
  • to specify alternative JDBC Drivers that can be downloaded from the relevant vendor's web site.
  • to specify individual Hibernate configuration files with security related settings.
• For details see Which Database Management Systems are supported by JobScheduler?

Secure Configuration

• Depending on the DBMS in use it may be preferable to download and to apply the DBMS vendor's current JDBC Driver version:
  • For use with MySQL the JDBC Driver is not included with JS7. Instead a MariaDB driver is provided.
  • For use with Microsoft SQL Server the JDBC Driver is not included, instead the jTDS Driver is provided. In order to apply integrated security (see below chapter Credentials Management) it is recommended that a current Microsoft JDBC Driver is applied.
  • For use with Oracle newer JDBC Driver versions are available from the vendor's web site.
• Vendor-specific JDBC Drivers include support for specific authentication mechanisms, e.g. use of JDBC with Oracle Wallet.
• Consider additional security related settings that apply to your DBMS in the Hibernate configuration files: for access to the reporting database: ./resources/joc/reporting.hibernate.cfg.xml

Access Management

Access to JS7 components is centrally secured by the JS7 Access to JobScheduler components is centrally secured by the JOC Cockpit REST Web Service.

Default Configuration

• Consider the hints from the JOC Cockpit - Security article
• The JOC Cockpit REST Web Service ships with a default configuration in ./joc/resources/joc/shiro.ini that includesusing local authentication with accounts and passwords stored in clear text.  Display feature availabilityEndingWithReleasewith a default configuration in ./joc/resources/joc/shiro.ini that includes1.11.4
  
  • using local authentication with accounts and passwords stored as hash values. 

    Display feature availability
    StartingFromRelease 1.11.5

  • using local role assignment
  • the following default values for accounts, passwords and assigned roles (see JOC Cockpit - Authentication and Authorization for more informatio):

    • administrator=secret, administrator
application_manager=secret, application_manager
it_operator=secret, it_operator
incident_manager=secret, incident_manager
business_user=secret, business_user
api_user=secret, api_user
root=root, all

• The JS7 Controller is assumed not to be accessed by users directly but exclusively via the JOC Cockpit JS7 REST Web Service. No default authentication is provided.
• JS7 Universal Agents are assumed not to be accessed by users directly but exclusively by a JS7 Controller. No default authentication is provided.

...

• Do not use the default configuration with local authentication for the JOC Cockpit JS7 REST Web Service.
  • Instead use LDAP authentication as explained with the JOC Cockpit - Authentication and Authorization section.
• Do not allow any network connections to the JS7 Controller and Agents except as stated above.

...

• Database credentials are specified during installation and are added to the following Hibernate configuration files:Controller
• for access to the reporting database: ./config/reporting.hibernate.cfg.xml
for access to the JobScheduler database:
./config/hibernate.cfg.xml
• JOC Cockpit: for access to the reporting database: ./resources/joc/reporting.hibernate.cfg.xml
• for access to the JobScheduler database: ./resources/joc/jobscheduler.hibernate.cfg.xml
optionally different locations of Hibernate configuration files can be set in ./resources/joc/job.properties for access to additional JobScheduler databases
• No default values are provided by the installer.

...