...

Code Block
Controller configuration file: private.conf
js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
            # History account (used to release events)
            History {
                distinguished-names=[
                    "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }
            # JOC account (requires UpdateItem permission for deployment)
            JOC {
                distinguished-names=[
                    "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                permissions=[
                    UpdateItem
                ]
            }
        }

        # for each Agent specify Agent ID and plain text password for authentication
        agents {
            agent-dev-001="secret"
            agent-dev-002="secret"
        }
    }

    configuration {
        # directory for trusted public keys and certificates used with signatures
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }

    journal {
        # allow History account to release unused journals
        users-allowed-to-release-events=[
            History
        ]
    }

    web {
        # keystore and truststore location for https connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}

Explanation:

  • The configuration file is located in the sos-berlin.com/js7/controller/config/private folder.
  • Consider that the above configuration has to be deployed to both Controller instances if a Controller Cluster is used.
  • Find below explanations of the configuration items from the above example that are relevant to Server Authentication with passwords.

Specify Agent ID and Password

Code Block
js7 {
    auth {
        # for each Agent specify Agent ID and plain text password for authentication
        agents {
            agent-dev-001="secret"
            agent-dev-002="secret"
        }
    }
}

Explanation:

  • For each Agent the Agent ID is specified, e.g. agent-dev-001. An Agent is assigned a unique Agent ID during initial operation with JOC Cockpit; the ID cannot be changed unless the Agent's journal is reset.
  • The password is specified in plain text, e.g. secret. As the Controller has to present this password to the Agent, it cannot be stored as a hash here; keep the file's permissions restricted accordingly.

...


Specify Distinguished Names

Controller Connections

Code Block
js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # Controller account for connections by primary/secondary controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}

Explanation:

  • This setting applies if a Controller Cluster is used. In this situation a Primary Controller requires the above setting to allow access from a Secondary Controller and vice versa.
  • This setting specifies the distinguished name indicated with the partner Controller's Client Authentication certificate. The certificate acts as a replacement for a password.
    • A Primary Controller configuration specifies the distinguished name of the Secondary Controller's Client Authentication certificate.
    • A Secondary Controller configuration specifies the distinguished name of the Primary Controller's Client Authentication certificate.

JOC Cockpit Connections

Code Block
js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # History account (used to release events)
            History {
                distinguished-names=[
                    "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }
            # JOC account (requires UpdateItem permission for deployment)
            JOC {
                distinguished-names=[
                    "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                permissions=[
                    UpdateItem
                ]
            }
        }
    }
}

Explanation:

  • This setting applies to the connection established from one or more JOC Cockpit instances to a Controller. JOC Cockpit can be operated as a cluster of two or more instances.
  • This setting specifies the distinguished name indicated with the respective JOC Cockpit's Client Authentication certificate. The certificate acts as a replacement for a password. For each JOC Cockpit instance, the distinguished name stated in that instance's certificate is specified.
  • Two entries are available for js7.auth.users.History and js7.auth.users.JOC:
    • History represents the JS7 - History Service that writes state transitions of orders and log output of jobs to the JS7 database.
    • JOC represents the JOC Cockpit Proxy Service that establishes the connection to a Controller and that is used to provide current information about orders to the JOC Cockpit GUI, and in addition to e.g. deploy workflows and submit orders.
  • In addition, permissions are specified for JOC Cockpit instances: the UpdateItem permission indicates that JOC Cockpit instances are allowed to add/update/delete deployable objects such as workflows.
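The distinguished-names entries in both the Controller Connections and the JOC Cockpit Connections sections above have to match what the partner's certificate actually carries, and typing them by hand is error-prone. The following POSIX shell script is an added example and not part of the JS7 documentation or product: it prints a certificate's subject in the notation used on this page (most specific attribute first, ", " separators, DNQ for dnQualifier) so that it can be pasted into distinguished-names, and builds the account fragment for one or more certificates. To demonstrate it, the script generates a throwaway self-signed certificate with the subject of the Secondary Controller from the example above. The mapping of OpenSSL's dnQualifier label to DNQ, and the assumption that the Controller expects exactly this string form, are mine; the page does not state how the Controller compares names, so copy the printed value verbatim rather than retyping it.

```shell
#!/bin/sh
# Added example (not JS7 code): print a client certificate's subject DN in
# the notation used by distinguished-names in the Controller's private.conf.
# Assumptions not stated on the page: the Controller expects RFC 2253
# attribute order with ", " separators as in the page's examples, and the
# dnQualifier attribute is written as DNQ.
set -e

# Print the subject of a PEM certificate as "DNQ=..., CN=..., ..., C=DE".
js7_dn_from_cert() {
    cert="$1"
    openssl x509 -in "$cert" -noout -subject \
        -nameopt RFC2253,sep_comma_plus_space \
        | sed -e 's/^subject= *//' -e 's/dnQualifier=/DNQ=/'
}

# Emit a private.conf account fragment for one account name and one or
# more certificate files, e.g. "Controller" plus the partner's cert.
js7_dn_config_fragment() {
    account="$1"; shift
    printf '%s {\n    distinguished-names=[\n' "$account"
    first=1
    for cert in "$@"; do
        [ "$first" = 1 ] || printf ',\n'
        printf '        "%s"' "$(js7_dn_from_cert "$cert")"
        first=0
    done
    printf '\n    ]\n}\n'
}

# Constructed test input: a throwaway self-signed certificate whose subject
# matches the Secondary Controller from the example on this page.
make_test_cert() {
    out="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$out.key" -out "$out" \
        -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=controller-2-0-secondary/dnQualifier=SOS CA" \
        >/dev/null 2>&1
}

# Usage: sh js7_dn.sh Controller /path/to/partner-cert.pem [more certs...]
if [ $# -ge 2 ]; then
    js7_dn_config_fragment "$@"
fi
```

Run it against the real partner certificate (the Secondary Controller's certificate on the Primary, and vice versa; each JOC Cockpit instance's certificate for the History and JOC accounts) and paste the output into private.conf.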

Specify Keystore and Truststore Locations

Code Block
js7 {
    web {
        # keystore and truststore location for https connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}

...

  • In this example js7_dev is the Controller ID used by a solo Controller or by a Controller Cluster. A Controller is assigned a unique Controller ID during initial operation. The Controller ID cannot be changed unless the Controller's journal is reset.
  • The password for the Controller ID in the Agent configuration is the same as stated with the Controller configuration.
    • The password has to be preceded with "plain:" if a plain text password is used.
    • The password has to be preceded with "sha512:" if a password hashed with this algorithm is used.
      • As the examples above show, the value after "sha512:" is the hex-encoded SHA-512 digest of the password (128 hex characters, no salt). There are a number of ways to create it, e.g. printf '%s' 'secret' | openssl dgst -sha512
      • Note that openssl passwd -6 produces a salted crypt(3) string of the form $6$...$..., which is not the format shown above.
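As an added example that is not from the JS7 documentation or product, the following POSIX shell script creates the password value in the form used in the examples above and checks the format before it is pasted into a configuration file. It assumes that the hash is the plain hex-encoded SHA-512 digest of the password with no salt, which is what the 128-hex-character values on this page indicate; the upper-case hex (matching those examples) and the function names are my choice.

```shell
#!/bin/sh
# Added example (not JS7 code): build a "sha512:<HEX>" password value for
# private.conf and verify its shape. Assumption: the value is the unsalted,
# hex-encoded SHA-512 digest of the password, as the examples on the page show.
set -e

# Print "sha512:" followed by the upper-case hex SHA-512 digest of $1.
# awk '{print $NF}' takes the last field so both the "SHA2-512(stdin)= ..."
# and the older "(stdin)= ..." output styles of openssl dgst work.
js7_sha512_password() {
    printf '%s' "$1" \
        | openssl dgst -sha512 \
        | awk '{print $NF}' \
        | tr 'a-f' 'A-F' \
        | sed 's/^/sha512:/'
}

# Sanity check: prefix plus exactly 128 hex digits. A crypt(3) string such as
# the output of "openssl passwd -6" ($6$salt$hash) is rejected here.
js7_is_valid_sha512_value() {
    printf '%s' "$1" | grep -Eq '^sha512:[0-9A-Fa-f]{128}$'
}

# Usage: sh js7_pw_hash.sh 'my-password'
if [ $# -gt 0 ]; then
    value=$(js7_sha512_password "$1")
    js7_is_valid_sha512_value "$value" || { echo "unexpected digest format" >&2; exit 1; }
    printf 'password="%s"\n' "$value"
fi
```

The printf/pipe form avoids the trailing newline that echo would add, which would otherwise be hashed along with the password and produce a value the Controller or Agent never matches.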

Disable Client Authentication

Code Block
js7 {
    web {
        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}

Explanation:

  • With https-client-authentication=off the Controller does not request a Client Authentication certificate from connecting clients such as JOC Cockpit instances or a partner Controller. The distinguished-names entries of the user accounts above then cannot be matched, and the partners have to authenticate with the passwords of their accounts instead.

...