Page History
Table of Contents |
---|
Introduction
- HTTPS Server Authentication is preferably used in combination with Client Authentication (mutual authentication) as this allows a secure configuration without use of passwords.
- The purpose of Server Authentication is to secure the identity of an http server and to encrypt the communication between client and server.
- The purpose of Client Authentication is to prove the identity of a client. Without proof of identity any http client could perform a man-in-the-middle attack e.g. by pretending to be a Controller that connects to an Agent.
- Consider the communication scheme between JS7 components as explained from the JS7 - System Architecture:
- User browsers acting as http clients establish connections to JOC Cockpit as an http server.
- JOC Cockpit acting as an http client establishes connections to Controllers acting as http servers.
- Controllers acting as http clients establish connections to Agents acting as http servers.
- We recommend to apply mutual authentication, however, there might be reasons why use of Client Authentication is not an immediate option, e.g.:
- Use of a wildcard certificate for Server Authentication leverages the effort for certificate management. At the same time such certificates cannot be used for Client Authentication.
- Should mutual authentication not be an immediate option then the recommendations from this article for the handling of passwords apply.
Controller Configuration
Download: private.conf
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
js7 {
auth {
# User accounts for HTTPS connections
users {
# Controller account for connections by primary/secondary Controller instance
Controller {
}
# History account (used to release events)
History {
password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
}
# JOC account (requires UpdateRepo permission for deployment)
JOC {
password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
permissions=[
UpdateItem
]
}
}
# for each Agent specify Agent ID and plain text password for authentication
agents {
agent-dev-001="secret"
agent-dev-002="secret"
}
}
configuration {
# directory for trusted public keys and certificates used with signatures
trusted-signature-keys {
PGP=${js7.config-directory}"/private/trusted-pgp-keys"
X509=${js7.config-directory}"/private/trusted-x509-keys"
}
}
journal {
# allow History account to release unused journals
users-allowed-to-release-events=[
History
]
}
web {
# keystore and truststore location for https connections
https {
keystore {
# Default: ${js7.config-directory}"/private/https-keystore.p12"
file=${js7.config-directory}"/private/https-keystore.p12"
key-password=jobscheduler
store-password=jobscheduler
}
truststores=[
{
# Default: ${js7.config-directory}"/private/https-truststore.p12"
file=${js7.config-directory}"/private/https-truststore.p12"
store-password=jobscheduler
}
]
}
# disable use of client authentication certificates
server {
auth {
https-client-authentication=off
}
}
}
} |
Explanation:
- Consider that the above configuration has to be deployed to both Controller instances should a Controller Cluster be used.
- Find below explanations about configuration items relevant to both Client and Server.
Specify Agent ID and Password
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
js7 {
auth {
# for each Agent specify Agent ID and plain text password for authentication
agents {
agent-dev-001="secret"
agent-dev-002="secret"
}
}
} |
Explanation:
- For each Agent the Agent ID is specified. An Agent is assigned a unique Agent ID during initial operation that cannot be changed.
Disable Client Authentication
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
js7 {
web {
# disable use of client authentication certificates
server {
auth {
https-client-authentication=off
}
}
} |
Explanation:
- By default Client Authentication is required if Server Authentication is in place.
- The above setting disables Client Authentication.
Agent Configuration
Download: private.conf
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
# Security configuration
js7 {
auth {
# User accounts for https connections
users {
# Controller account for connections by primary/secondary Controller instance
js7_dev {
password="plain:secret"
}
}
}
configuration {
# Locations of certificates and public keys used for signature verification
trusted-signature-keys {
PGP=${js7.config-directory}"/private/trusted-pgp-keys"
X509=${js7.config-directory}"/private/trusted-x509-keys"
}
}
job {
# Enable script execution from signed workflows
execution {
signed-script-injection-allowed = yes
}
}
web {
# Locations of keystore and truststore files for HTTPS connections
https {
keystore {
# Default: ${js7.config-directory}"/private/https-keystore.p12"
file=${js7.config-directory}"/private/https-keystore.p12"
key-password=jobscheduler
store-password=jobscheduler
}
truststores=[
{
# Default: ${js7.config-directory}"/private/https-truststore.p12"
file=${js7.config-directory}"/private/https-truststore.p12"
store-password=jobscheduler
}
]
}
# disable use of client authentication certificates
server {
auth {
https-client-authentication=off
}
}
}
} |
x
Overview
Content Tools