...
```
js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # Controller account for connections by primary/secondary controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
            # History account (used to release events)
            History {
                distinguished-names=[
                    "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }
            # JOC account (requires UpdateRepo permission for deployment)
            JOC {
                distinguished-names=[
                    "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                permissions=[
                    UpdateItem
                ]
            }
        }
        # for each Agent specify Agent ID and plain text password for authentication
        agents {
            agent-dev-001="secret"
            agent-dev-002="secret"
        }
    }
    configuration {
        # directory for trusted public keys and certificates used with signatures
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
    journal {
        # allow History account to release unused journals
        users-allowed-to-release-events=[
            History
        ]
    }
    web {
        # keystore and truststore location for https connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}
```
Explanation:
- The configuration file is located in the sos-berlin.com/js7/controller/config/private folder.
- Consider that the above configuration has to be deployed to both Controller instances should a Controller Cluster be used.
- Find below explanations about configuration items from the above example relevant to Server Authentication with passwords.
Specify Agent ID and Password
```
js7 {
    auth {
        # for each Agent specify Agent ID and plain text password for authentication
        agents {
            agent-dev-001="secret"
            agent-dev-002="secret"
        }
    }
}
```
Explanation:
- For each Agent the Agent ID is specified, e.g. agent-dev-001. An Agent is assigned a unique Agent ID during initial operation with JOC Cockpit that cannot be changed unless the Agent's journal is reset.
- The plain text password secret is specified.
...
Specify Distinguished Names
Controller Connections
```
js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # Controller account for connections by primary/secondary controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}
```
Explanation:
- This setting applies if a Controller Cluster is used. In this situation a Primary Controller requires the above setting to allow access from a Secondary Controller and vice versa.
- This setting specifies the distinguished name indicated with the partner Controller's Client Authentication certificate. The certificate acts as a replacement for a password.
- A Primary Controller configuration specifies the distinguished name of the Secondary Controller's Client Authentication certificate.
- A Secondary Controller configuration specifies the distinguished name of the Primary Controller's Client Authentication certificate.
JOC Cockpit Connections
```
js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # History account (used to release events)
            History {
                distinguished-names=[
                    "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }
            # JOC account (requires UpdateRepo permission for deployment)
            JOC {
                distinguished-names=[
                    "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                permissions=[
                    UpdateItem
                ]
            }
        }
    }
}
```
Explanation:
- This setting applies to the connection established from one or more JOC Cockpit instances to a Controller. JOC Cockpit can be used with a cluster including two or more instances.
- This setting specifies the distinguished name indicated with the respective JOC Cockpit's Client Authentication certificate. The certificate acts as a replacement for a password. For each JOC Cockpit instance the distinguished-name is specified that is stated with the JOC Cockpit's certificate.
- Two entries are available for js7.auth.users.History and js7.auth.users.JOC:
  - History represents the JS7 - History Service that updates state transitions of orders and log output of jobs to the JS7 database.
  - JOC represents the JOC Cockpit Proxy Service that establishes the connection to a Controller and that is used to provide current information about orders to the JOC Cockpit GUI, in addition to e.g. deployment of workflows and submission of orders.
- In addition, permissions are specified for JOC Cockpit instances: the UpdateItem setting indicates that JOC Cockpit instances are allowed to add/update/delete deployable objects such as workflows.
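To illustrate the mapping described above from a client certificate's subject to an account, here is an added Python example (not JS7's own matching code) that looks a subject DN up in the distinguished-names lists of the Controller, History and JOC accounts shown on this page. The normalization it applies is this example's own and assumes DN values without escaped commas.

```python
from typing import Dict, List, Tuple

# js7.auth.users.<account>.distinguished-names, copied from the two blocks above
# into a constructed lookup table for this example (not a JS7 data structure).
DISTINGUISHED_NAMES: Dict[str, List[str]] = {
    "Controller": [
        "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
    ],
    "History": [
        "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
        "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
    ],
    "JOC": [
        "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
        "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
    ],
}


def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Split an RFC 4514 style DN into (TYPE, value) pairs.

    Attribute types are case-insensitive and whitespace around ',' and '=' is
    insignificant, so both are normalized. Values and RDN order are kept as-is:
    CN=joc-2-0-primary is not CN=JOC-2-0-PRIMARY, and "CN=a, O=b" is not "O=b, CN=a".
    Simplification for this example: values contain no escaped commas.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(pairs)


def accounts_for_certificate(subject_dn: str) -> List[str]:
    """Return every account whose distinguished-names list contains subject_dn.

    The same JOC Cockpit certificate is listed under both History and JOC above,
    so one subject may map to several accounts; an empty list means the
    certificate is not accepted as a replacement for a password.
    """
    wanted = normalize_dn(subject_dn)
    return [account for account, names in DISTINGUISHED_NAMES.items()
            if any(normalize_dn(name) == wanted for name in names)]
```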
Specify Keystore and Truststore Locations
```
js7 {
    web {
        # keystore and truststore location for https connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}
```
...
- In this example js7_dev is the Controller ID used by a solo Controller or by a Controller Cluster. A Controller is assigned a unique Controller ID during initial operation. The Controller ID cannot be changed unless the Controller's journal is reset.
- The password for the Controller ID in the Agent configuration is the same as stated with the Controller configuration.
- The password has to be preceded with "plain:" if a plain text password is used.
- The password has to be preceded with "sha512:" if a password hashed with this algorithm is used.
- There are a number of ways to create sha512 hash values from passwords.
- A possible solution is to use: openssl passwd -6
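As an added example (not JS7 code), the following Python builds a "sha512:" password value in the form shown in the configuration blocks above and checks a presented password against either the "plain:" or the "sha512:" form. It assumes that the "sha512:" value is the hex-encoded SHA-512 digest of the UTF-8 password, as the 128-hex-digit values above suggest; note that openssl passwd -6 by itself prints a "$6$"-prefixed crypt(3) string, so confirm which encoding your Controller release accepts.

```python
import hashlib
import hmac

# Prefixes described in the explanation above
PREFIX_PLAIN = "plain:"
PREFIX_SHA512 = "sha512:"


def make_sha512_entry(password: str) -> str:
    """Return a password value in the "sha512:<HEX>" form used in the examples.

    Assumption of this example: the hash is the hex-encoded SHA-512 digest of
    the UTF-8 password, which is what the 128-hex-digit values above look like.
    """
    digest = hashlib.sha512(password.encode("utf-8")).hexdigest().upper()
    return PREFIX_SHA512 + digest


def verify_password(configured: str, presented: str) -> bool:
    """Check a presented password against a configured "plain:"/"sha512:" value.

    Both branches compare with hmac.compare_digest so the time taken does not
    depend on how many leading characters were right. Hex case is ignored
    (the page shows upper-case digests, sha512sum prints lower-case) and any
    other prefix, or a value with no prefix, is rejected rather than guessed.
    """
    if configured.startswith(PREFIX_PLAIN):
        expected = configured[len(PREFIX_PLAIN):].encode("utf-8")
        return hmac.compare_digest(expected, presented.encode("utf-8"))
    if configured.startswith(PREFIX_SHA512):
        expected = configured[len(PREFIX_SHA512):].lower().encode("utf-8")
        actual = hashlib.sha512(presented.encode("utf-8")).hexdigest().encode("utf-8")
        return hmac.compare_digest(expected, actual)
    return False


if __name__ == "__main__":
    # Constructed sample: hash the demo password "secret" used for the Agents above
    entry = make_sha512_entry("secret")
    print(f'password="{entry}"')
    print(verify_password(entry, "secret"), verify_password(entry, "Secret"))
```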
Disable Client Authentication
```
js7 {
    web {
        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}
```
...