...

Default configuration file example: agent.conf (assign directories for trusted certificates)

# Security configuration
js7 {
    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
}

...

Default configuration: enable script execution from signed workflows

# Enable script execution from signed workflows
js7.job.execution.signed-script-injection-allowed = yes

Secure Configuration

File: private.conf

...

It is essential to secure the connections between Controller and Agents. This includes:

  • using HTTPS connections that are secured by private/public keys and certificates
  • applying mutual authentication between Controller and Agent.


Security configuration file example: private.conf (example configuration for HTTPS communication and authentication)

# Security configuration
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }
    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}

Configuration Items

General Configuration File: agent.conf

js7.web.server: Authentication Settings

js7.web.server.auth.public: <true>|<false>
  • This setting specifies whether public access to an Agent is granted when insecure incoming HTTP connections are used. With the value true, no authentication applies.
  • Default: false
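
The following added example (not part of the JS7 documentation or product code) audits a configuration text for settings discussed above: auth.public set to true, the sample password from the private.conf example, and a Controller account without distinguished names. The function names, the findings, the simplified parser for the HOCON subset shown on this page and the sample input are assumptions of this example.

```python
SAMPLE_PASSWORD = "jobscheduler"  # password used in this page's private.conf example

def flatten(text):
    """Flatten the brace/list-nested HOCON subset used on this page into dotted keys."""
    path, out = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",")
        if not line:
            continue
        if line in ("}", "]"):
            path.pop()
        elif line == "{":
            path.append("[]")  # anonymous object inside a list
        elif line[-1] in "{[":
            path.append(line[:-1].rstrip(" =:"))
        elif "=" in line and not line.startswith('"'):
            key, value = line.split("=", 1)
            out[".".join(path + [key.strip()])] = value.strip().replace('"', "")
        else:  # quoted list element, e.g. a distinguished name
            out.setdefault(".".join(path), []).append(line.replace('"', ""))
    return out

def audit(text):
    """Return findings for one configuration text (the checks are this example's own)."""
    cfg, findings = flatten(text), []
    if cfg.get("js7.web.server.auth.public", "false").lower() == "true":
        findings.append("auth.public=true: no authentication applies")
    for key, value in cfg.items():
        if key.endswith("-password") and value == SAMPLE_PASSWORD:
            findings.append(f"{key}: documentation sample password in use")
    # Assumption: the Controller account's DN list binds it to client certificates.
    if not cfg.get("js7.auth.users.Controller.distinguished-names"):
        findings.append("Controller account has no distinguished-names")
    return findings

# Constructed sample input, not a real deployment.
SAMPLE = """
js7.web.server.auth.public = true
js7.web.https.keystore {
    key-password=jobscheduler
    store-password="constructed-Secret-1"
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
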

...

js7.job.execution: Script Execution Permissions

js7.job.execution.signed-script-injection-allowed: <yes>|<no>
  • By default the Agent prevents execution of any commands and scripts except for scripts located in specific directories. This setting allows any commands and scripts to be executed, provided that the workflow is signed and the signature is verified.

...