...

  • The configuration file is located in the sos-berlin.com/js7/controller/config/private folder.
  • Consider that the above configuration has to be deployed to both Controller instances should a Controller Cluster be used.
  • Find below explanations of the configuration items from the above example that are relevant to Server Authentication with passwords.

...

Authentication when pairing Controller instances and JOC Cockpit instances

Controller Connections

js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # Controller account for connections by primary/secondary controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}

...

  • This setting applies if a Controller Cluster is used. In this situation a Primary Controller requires the above setting to allow access from a Secondary Controller and vice versa.
  • This setting specifies the distinguished names indicated with the partner Controllers' Client Authentication certificates. The distinguished name is given with the subject attribute of a Client Authentication certificate. The distinguished name is considered a replacement for a password: a connection is accepted only if the client presents a certificate whose subject matches one of the configured names.
    • A Primary Controller configuration specifies the distinguished name of the Secondary Controller's Client Authentication certificate.
    • A Secondary Controller configuration specifies the distinguished name of the Primary Controller's Client Authentication certificate.

...

  • This setting applies to connections established from one or more JOC Cockpit instances to a Controller. JOC Cockpit can be used with a cluster including two or more instances.
  • This setting specifies the distinguished names indicated with the respective JOC Cockpit instance's Client Authentication certificate. The certificate is considered a replacement for a password. For each JOC Cockpit instance the distinguished name is specified that is stated with the JOC Cockpit's certificate.
  • Two entries are available for js7.auth.users.History and js7.auth.users.JOC:
    • History represents the JS7 - History Service that receives state transition events for orders and log output of jobs and adds them to the JS7 database.
    • JOC represents the JOC Cockpit Proxy Service that establishes the connection to a Controller and that is used to provide current information about orders to the JOC Cockpit GUI, in addition to e.g. deployment of workflows and submission of orders.
    • For both the History and JOC services a hashed password is specified by JOC Cockpit. The password has no relevance for the security of the connection; instead it is used to distinguish the two services, which both run with the same JOC Cockpit instance and therefore use the same Client Authentication certificate.
  • In addition, permissions are specified for JOC Cockpit services: the UpdateItem setting indicates that the service is allowed to add/update/delete deployable objects such as workflows.
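
The distinguished names in the Controller and JOC Cockpit entries above grant access only when they match the subject of the certificate that is actually presented, and the same subject is printed in different spellings by different tools (keytool prints "DNQ=SOS CA, CN=..., C=DE", openssl prints "C = DE, ..., dnQualifier = SOS CA" or the legacy "/C=DE/.../dnQualifier=SOS CA"). The following Python script is an added example, not JS7 project code: it normalises both spellings before comparing and reports configured names that match no certificate subject. The normalisation rules (RDN order ignored, attribute types compared case-insensitively, the dnQualifier/DNQ and email aliases) are assumptions of this example and not the Controller's own matching logic, and the certificate subjects embedded below are constructed sample input.

```python
"""Compare distinguished names from private.conf with subjects printed from certificates.

Added example; not JS7 project code and not the Controller's own matching.
Assumptions: attribute types are compared case-insensitively, RDN order is
ignored (Java's X500Principal and OpenSSL print a subject in opposite order),
and a few OpenSSL attribute names are mapped to the short forms used in the
configuration (dnQualifier -> DNQ, E/email -> EMAILADDRESS).
"""
from __future__ import annotations

import re

# OpenSSL attribute names -> short names as they appear in the configuration (assumption)
ATTR_ALIASES = {"DNQUALIFIER": "DNQ", "EMAIL": "EMAILADDRESS", "E": "EMAILADDRESS"}


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split on `sep` unless it is escaped with a backslash, e.g. "O=SOS GmbH\\, Berlin"."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse "CN=a, O=b", "subject=C = DE, CN = a" (openssl >= 1.1) or the legacy
    openssl form "/C=DE/CN=a" into normalised (ATTR, value) pairs."""
    s = dn.strip()
    if s.lower().startswith("subject="):
        s = s[len("subject="):].strip()
    parts = _split_unescaped(s[1:], "/") if s.startswith("/") else _split_unescaped(s, ",")
    pairs = []
    for part in parts:
        if not part.strip():
            continue
        attr, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"RDN without '=': {part!r}")
        attr = attr.strip().upper()
        attr = ATTR_ALIASES.get(attr, attr)
        value = re.sub(r"\\(.)", r"\1", value.strip())   # drop escape backslashes
        pairs.append((attr, value))
    return pairs


def dn_matches(configured: str, from_cert: str) -> bool:
    """True if both strings name the same subject, ignoring RDN order and attribute case."""
    return sorted(parse_dn(configured)) == sorted(parse_dn(from_cert))


def unmatched_dns(configured: list[str], from_certs: list[str]) -> list[str]:
    """Configured DNs for which no certificate subject matches. Such an entry never
    grants access and usually points at a typo or at the wrong certificate."""
    return [c for c in configured if not any(dn_matches(c, f) for f in from_certs)]


# Constructed sample input: the two DNs from the configuration above, and subjects
# as `openssl x509 -noout -subject` prints them (1.1+ spacing and legacy slash form).
CONFIGURED = [
    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
]
FROM_CERTS = [
    "subject=C = DE, ST = Berlin, L = Berlin, O = SOS, OU = IT, CN = controller-2-0-primary, dnQualifier = SOS CA",
    "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=controller-2-0-secondry/dnQualifier=SOS CA",  # typo on purpose
]

if __name__ == "__main__":
    for c in CONFIGURED:
        print("OK     " if not unmatched_dns([c], FROM_CERTS) else "MISSING", c)
```

Feed it the value of `openssl x509 -noout -subject -in <cert>` for each client certificate you expect to connect. Because RDN order is ignored, the script is more lenient than an exact string comparison: a name reported as MISSING certainly will not authenticate, while a match here does not by itself prove that the Controller accepts the name exactly as written.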

Locations of Public Keys and Certificates for Signature Verification

js7 {
    configuration {
        # directory for trusted public keys and certificates used with signatures
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
}

Explanation:

  • The Controller verifies the signature of deployable objects such as workflows. This can be performed for PGP signatures and X.509 signatures.
  • The trusted-signature-keys setting specifies the locations for PGP public keys and for X.509 certificates.
  • If no PGP public keys are used, or if no X.509 certificates are used, then the respective setting should be omitted, as it expects the indicated directory to be populated with public keys or certificates respectively.

Services entitled to release the Controller Journal

js7 {
    journal {
        # allow History account to release unused journals
        users-allowed-to-release-events=[
            History
        ]
    }
}

Explanation:

  • The journal holds e.g. information about order state transitions. This information is consumed by the JS7 - History Service that updates the JS7 database from this information.
  • The Controller's journal would grow if entries that have been consumed by the History Service could not be released. The users-allowed-to-release-events setting specifies the names, e.g. History, of the accounts whose authentication settings are indicated in the js7.auth.users section.
  • For use with any number of JOC Cockpit instances a single account History is used. Should more than one consumer account be specified then all consumers would have to confirm having received order transition events before such events could be removed from the journal.

HTTPS Keystore and Truststore Locations

js7 {
    web {
        # keystore and truststore location for https connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}

...

  • The HTTPS keystore and truststore are used to hold private keys and certificates.
    • The keystore holds the Controller instance's private key and certificate. This information is used for
      • Server Authentication with JOC Cockpit and for
      • Client Authentication with Agents.
    • The truststore holds the certificate(s) used to verify
      • Client Authentication certificates presented by JOC Cockpit and
      • Server Authentication certificates presented by Agents.
  • Keystore and truststore locations are specified. In addition, for
    • the keystore a password for the private keys included and a password for access to the keystore can be specified,
    • the truststore a password for access to the truststore can be specified.
  • Passwords for keystores and truststores do not improve the security of the configuration: the passwords have to be specified as plain text and have to be in reach of the Controller. This mechanism is not too different from hiding the key under your doormat. In fact, limiting ownership and access permissions for keystore and truststore files to the JS7 Controller's run-time account is more important than using a password.
    • The key-password setting is used for access to a private key in the keystore.
    • The store-password setting is used for access to a keystore or to a truststore.
    • For PKCS12 (*.p12) keystores both settings have to use the same value. The settings can be omitted if no passwords are used.
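
Two of the failure modes described above are cheap to catch before the Controller is started: a trusted-signature-keys directory that is configured but empty (or populated with the wrong key type), and a keystore or truststore whose file permissions let other accounts read the private key that the store password does not really protect. The Python script below is an added example, not JS7 project code. It recognises the key type from the PEM or ASCII-armor header line and checks POSIX ownership and mode bits; both are assumptions of this example (on Windows os.stat() does not carry the same information), and the config/private layout it runs against is constructed in a temporary directory with header-only placeholder files rather than real keys.

```python
"""Preflight checks for the file-based settings in a Controller's private.conf.

Added example, not JS7 project code. Assumptions: key type is recognised from the
PEM / ASCII-armor header line, and ownership and mode are checked POSIX-style
(os.stat uid and permission bits), which does not carry over to Windows.
"""
from __future__ import annotations

import os
import shutil
import stat
import tempfile

PGP_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
X509_HEADERS = ("-----BEGIN CERTIFICATE-----", "-----BEGIN TRUSTED CERTIFICATE-----")


def classify_key_file(path: str) -> str | None:
    """Return 'PGP', 'X509' or None (binary or unknown) from the first bytes of a file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096).decode("ascii", errors="replace")
    except OSError:
        return None
    if PGP_HEADER in head:
        return "PGP"
    if any(h in head for h in X509_HEADERS):
        return "X509"
    return None


def check_trusted_dir(path: str, kind: str) -> list[str]:
    """Problems with a trusted-signature-keys directory configured for kind 'PGP' or
    'X509': it must exist and hold at least one key of that type. [] means usable."""
    if not os.path.isdir(path):
        return [f"{kind}: {path} does not exist; omit the {kind} setting if no {kind} keys are used"]
    problems, found = [], 0
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        detected = classify_key_file(full)
        if detected == kind:
            found += 1
        elif detected is not None:
            problems.append(f"{kind}: {full} is a {detected} key, not {kind}")
    if found == 0:
        problems.append(f"{kind}: {path} holds no {kind} keys")
    return problems


def check_store_file(path: str, runtime_uid: int) -> list[str]:
    """Problems with a keystore/truststore: must exist, be owned by the run-time
    account and grant no access to group or others (mode 0600 or 0400)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: file does not exist"]
    problems = []
    if st.st_uid != runtime_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected uid {runtime_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {oct(mode)} is readable by group/others")
    return problems


def run_demo() -> dict[str, list[str]]:
    """Build a constructed config/private layout in a temporary directory, run every
    check against it and return {check name: problems}. The key files contain
    header lines only, not real key material."""
    root = tempfile.mkdtemp(prefix="js7-private-")
    try:
        pgp_dir = os.path.join(root, "trusted-pgp-keys")
        x509_dir = os.path.join(root, "trusted-x509-keys")
        os.makedirs(pgp_dir)
        os.makedirs(x509_dir)                      # configured but left empty
        with open(os.path.join(pgp_dir, "signer.asc"), "w") as fh:
            fh.write(PGP_HEADER + "\n(constructed)\n-----END PGP PUBLIC KEY BLOCK-----\n")
        with open(os.path.join(pgp_dir, "misplaced.pem"), "w") as fh:   # wrong type here
            fh.write(X509_HEADERS[0] + "\n(constructed)\n-----END CERTIFICATE-----\n")
        keystore = os.path.join(root, "https-keystore.p12")
        truststore = os.path.join(root, "https-truststore.p12")
        for p, mode in ((keystore, 0o600), (truststore, 0o644)):
            with open(p, "wb") as fh:
                fh.write(b"\x30\x82")              # stand-in for binary PKCS#12 content
            os.chmod(p, mode)
        uid = os.getuid() if hasattr(os, "getuid") else 0
        return {
            "pgp": check_trusted_dir(pgp_dir, "PGP"),
            "x509": check_trusted_dir(x509_dir, "X509"),
            "missing": check_trusted_dir(os.path.join(root, "trusted-missing"), "X509"),
            "keystore": check_store_file(keystore, uid),
            "truststore": check_store_file(truststore, uid),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "OK" if not problems else problems)
```

To use the checks on a real installation, call check_trusted_dir() with the directories from the trusted-signature-keys setting and check_store_file() with the keystore and truststore files and the uid of the Controller's run-time account; the demo layout deliberately contains one misplaced certificate in the PGP directory, an empty X.509 directory and a world-readable truststore so that each report line can be seen once.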

Agent Configuration

Configuration File: private.conf

...

  • The configuration file is located in the sos-berlin.com/js7/agent/config_<port>/private folder.
  • Consider that the above configuration has to be deployed to all Agent instances.
  • Find below explanations of the above configuration items that are relevant to Server Authentication with passwords.

Specify Distinguished Names

Controller Connections

js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}

...