...

  • This setting applies to the connection established from one or more JOC Cockpit instances to a Controller. JOC Cockpit can be operated as a cluster of two or more instances.
  • This setting specifies the distinguished name stated in the respective JOC Cockpit instance's Client Authentication certificate. The certificate acts as a replacement for a password. For each JOC Cockpit instance, the distinguished name stated in that instance's certificate is specified.
  • Two entries are available, js7.auth.users.History and js7.auth.users.JOC:
    • History represents the JS7 - History Service, which writes state transitions of orders and log output of jobs to the JS7 database.
    • JOC represents the JOC Cockpit Proxy Service, which establishes the connection to a Controller and provides current information about orders to the JOC Cockpit GUI, in addition to e.g. deployment of workflows and submission of orders.
  • In addition, permissions are specified for JOC Cockpit instances: the UpdateItem setting indicates that JOC Cockpit instances are allowed to add/update/delete deployable objects such as workflows.

Specify HTTPS Keystore and Truststore Locations

js7 {
    web {
        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
        # keystore and truststore location for https connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
            }
        }
    }
}

Explanation:

  • By default, Client Authentication is required if Server Authentication is in place.
  • The https-client-authentication=off setting above disables Client Authentication.

Agent Configuration

Configuration File: private.conf

Download: private.conf

Agent configuration file: private.conf

js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            js7_dev {
                password="plain:secret"
                # password="sha512:$JhbM9ClpBpH2oB2O$qmWRbhOAfNHbmz3bp1AV.ATV0WIKVdZp3ceVXJZc.GHX4L7/iWJB7RGpzjZ2JzvbdPBtlpCFy8CLvYpKoBBKP/"
            }
        }
    }

    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}

Explanation:

  • The HTTPS keystore and truststore hold private keys and certificates:
    • The keystore holds the Controller instance's private key and certificate. This information is used for
      • Server Authentication with JOC Cockpit and for
      • Client Authentication with Agents.
    • The truststore holds the certificate(s) used to verify
      • Client Authentication certificates presented by JOC Cockpit and
      • Server Authentication certificates presented by Agents.
  • The keystore and truststore locations are specified. In addition,
    • for the keystore, a password for the private keys it contains (key-password) and a password for access to the keystore (store-password) can be specified,
    • for the truststore, a password for access to the truststore (store-password) can be specified.
  • Passwords for keystores and truststores do little to improve the security of the configuration: they have to be specified in plain text and have to be within reach of the Controller. This mechanism is not too different from hiding the key under your doormat. In fact, limiting ownership and access permissions for keystores and truststores to the JS7 Controller's run-time account is more important than using a password.
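As an added example (not from the JS7 documentation or the product), a POSIX shell check that enforces the recommendation above: each keystore and truststore file must be owned by the run-time account and carry no group or other permission bits. File paths and the account name are passed as arguments; it assumes a stat command that accepts either the GNU -c or the BSD -f format option.

```shell
#!/bin/sh
# Added example, not part of JS7: verify ownership and permissions of the
# HTTPS keystore/truststore files instead of relying on store passwords.

# Print "<owner> <octal mode>" for a file; GNU stat first, BSD stat as fallback.
file_owner_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

# Return 0 only if $1 exists, is owned by account $2 and has no
# group/other permission bits (mode ends in 00, e.g. 600 or 4600).
check_store_perms() {
    store="$1"; account="$2"
    [ -f "$store" ] || { echo "missing: $store"; return 1; }
    set -- $(file_owner_mode "$store")
    owner="$1"; mode="$2"
    if [ "$owner" != "$account" ]; then
        echo "wrong owner on $store: $owner (expected $account)"; return 1
    fi
    case "$mode" in
        *00) ;;
        *) echo "too permissive: $store mode $mode"; return 1 ;;
    esac
    echo "ok: $store"
}

# Usage: sh check_stores.sh <file> <run-time account> (hypothetical script name)
[ $# -ge 2 ] && check_store_perms "$1" "$2"
```

Run it against ${js7.config-directory}/private/https-keystore.p12 and https-truststore.p12 with the Controller's (or Agent's) run-time account as the second argument.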

Agent Configuration

Configuration File: private.conf

Download: private.conf

Agent configuration file: private.conf

js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }

    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }

    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }

    web {
        # Disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
        # API Server URL
        api-server { url = "https://joc-2-0-secondary:4443" }
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}

Explanation:

  • The configuration file is located in the sos-berlin.com/js7/agent/config_<port>/private folder.
  • Note that the above configuration has to be deployed to all Agent instances.
  • The sections below explain the configuration items above that are relevant to Server Authentication with passwords.

Specify Controller ID and Password

js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            js7_dev {
                password="plain:secret"
                # password="sha512:$JhbM9ClpBpH2oB2O$qmWRbhOAfNHbmz3bp1AV.ATV0WIKVdZp3ceVXJZc.GHX4L7/iWJB7RGpzjZ2JzvbdPBtlpCFy8CLvYpKoBBKP/"
            }
        }
    }
}

Explanation:

  • In this example, js7_dev is the Controller ID used by a solo Controller or by a Controller Cluster. A Controller is assigned a unique Controller ID during initial operation. The Controller ID cannot be changed unless the Controller's journal is reset.
  • The password for the Controller ID in the Agent configuration is the same as the one stated in the Controller configuration.
    • The password has to be prefixed with "plain:" if a plain text password is used.
    • The password has to be prefixed with "sha512:" if a password hashed with this algorithm is used.
      • There are a number of ways to create sha512 hash values from passwords.
      • One option is to use: openssl passwd -6

...


Specify Distinguished Names

Controller Connections

js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
    web {
        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}

Explanation:

  • This setting applies to use of an Agent with a solo Controller or with a Controller Cluster.
  • This setting specifies the distinguished name stated in the partner Controller's Client Authentication certificate. The certificate acts as a replacement for a password.
    • The Agent configuration specifies the distinguished names of all Controllers that authenticate with a Client Authentication certificate.
  • By default, Client Authentication is required if Server Authentication is in place.
  • The https-client-authentication=off setting above disables Client Authentication.