Page History
Table of Contents |
---|
Configuring the Agent
Consider Note that it is not required necessary to configure the Agent - it runs out-of-the-box. The default configuration includes that:
- assumes deployment of objects, e.g. workflows and jobs, is not subject to compliance requirements such as non-repudiation.
- specifies HTTP connections which are used that to expose unencrypted communication between Controller instances and Agent. Authentication is performed by hashed passwords.
Users who intend to operate a compliant and secure job scheduling environment should consider the descriptions below explanations forcovering:
- deployment of objects with digital signatures that can be used to restrict and to verify who deploys a given object such as a workflow.
- HTTPS connections that encrypt communication and that include mutual authentication by certificates without use of passwords.
...
- If X.509 private keys are used for signing of objects then the Root CA Certificate or Intermediate CA Certificate that was used to sign the respective private key has to be in place with the Agent.
- If PGP private keys are used for signing of objects then the public key matching the signing key has to be in place with the Agent.
- The Agent expects certificates/public keys from in the following locations:
- X.509 Certificates
- Location
- Windows:
C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\trusted-x509-keys
- Unix:
/var/sos-berlin.com/js7/agent/var_4445/config/private/trusted-x509-keys
- Windows:
- The expected X.509 certificate format is PEM. Certificates can be added from any file names with the extension
.pem
. - Consider Note that instead of individual certificates per signing key for each signing ke,y the Root CA Certificate or Intermediate CA Certificate that was used to sign the private keys is sufficient.
- Location
- PGP Public Keys
- Location
- Windows:
C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\trusted-pgp-keys
- Unix:
/var/sos-berlin.com/js7/agent/var_4445/config/private/trusted-pgp-keys
- Windows:
- PGP public keys are expected in ASCII armored format. They can be added from any file names with the extension
.asc
. - Consider Note that for each PGP private key that is used for signing, the corresponding public key has to be available with the Agent.
- Location
- By default the Agent ships with an X.509 certificate of SOS that matches the default signing key available with the JOC Cockpit
root
account.
- X.509 Certificates
- In order to add individual certificates/public keys, add the respective relevant files to the location specified above location corresponding according to the key type. To revoke certificates/public keys accordingly remove the respective the relevant files from the location specified above location matching for the key type.
- The above locations for certificates/public keys specified above can be accessed from the Docker volume specified with the
--mount
option for the Agent's container directory/var/sos-berlin.com/js7/agent/var_4445/config
. The locations for X.509 certificates and PGP public keys are available from sub-directories.
...
- The Controller instance's private key has to be created for Server Authentication and Client Authentication extended key usages.
- The Agent is provided with:
- a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
- a truststore that holds the certificate chain - consisting of Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller instance's certificate.
- Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
- Keystore
- Windows:
C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-keystore.p12
- Unix:
/var/sos-berlin.com/js7/agent/var_4445/config/private/https-keystore.p12
- Windows:
- Truststore
- Windows:
C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-truststore.p12
- Unix:
/var/sos-berlin.com/js7/agent/var_4445/config/private/https-truststore.p12
- Windows:
- Keystore
...
- The Agent's
private.conf
configuration file has to be added the following configuration items. For details see JS7 - Agent Configuration Items- Mutual Authentication
Code Block language bash title Agent Configuration for Mutual Authentication linenumbers true js7 { auth { # User accounts for https connections users { # Controller account for connections by primary/secondary Controller instance Controller { distinguished-names=[ "DNQ=SOS CA, CN=js7-controller-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE", "DNQ=SOS CA, CN=js7-controller-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" ] } } }
- This setting specifies the distinguished names that are available from the subjects of Controller instance certificates. Consider that the common name (CN) attribute specifies the hostname of a Controller instance. The configuration authenticates a given Controller instance as the distinguished name is unique for a server certificate and therefore replaces the use of passwords.
- Keystore and truststore locations:
Code Block language bash title Agent Configuration for Keystore and Truststore Locations linenumbers true js7 { web { # Locations of keystore and truststore files for HTTPS connections https { keystore { # Default: ${js7.config-directory}"/private/https-keystore.p12" file=${js7.config-directory}"/private/https-keystore.p12" key-password=jobscheduler store-password=jobscheduler } truststores=[ { # Default: ${js7.config-directory}"/private/https-truststore.p12" file=${js7.config-directory}"/private/https-truststore.p12" store-password=jobscheduler } ] } } }
- The above configuration items specify the locations of the keystore and truststore.
- Consider the optional use of a key password and store password for keystores and of a store password for truststores.
- Mutual Authentication
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
#!/bin/sh docker run -dit --rm \ ... --publish=16443:4443 \ --env="RUN_JS_HTTPS_PORT=4443" \ ... |
ExplanationsExplanation:
--publish
The Agent image is prepared to accept HTTPS requests on port4443
. If the Agent is not operated in a Docker network then an outside port of the Docker host has to be mapped to the inside HTTPS port4443
. The same port has to be assigned theRUN_JS_HTTPS_PORT
environment variable.--env=RUN_JS_HTTPS_PORT
The port assigned this environment variable is the same as the inside HTTPS port specified with the--publish
option.
...
- When using HTTPS connections then consider to drop dropping access to the Agent's HTTP port of the Agent by omitting the following above settings:
--publish=16445:4445
This mapping should be dropped in order to prevent incoming traffic to the Agent's HTTP port.
...
Overview
Content Tools