...
General Configuration File: agent.conf
Enable HTTP Communication
By default the Agent configuration ships with HTTP communication enabled. It is recommended to create private/public keys and certificates for secure HTTPS communication and to disable HTTP communication once HTTPS is in place, as HTTP offers neither confidentiality nor authentication of the Controller.
...
Security Configuration File: private.conf
Assign Directories for Trusted Certificates used to verify Workflow Signatures
The Agent requires X.509 certificates and/or PGP public keys to be in place. These are used to verify the signatures of signed workflows. Unsigned workflows are not accepted by an Agent, therefore a minimum of one X.509 certificate file or PGP public key file has to be present in the directories that are specified with the following configuration item:
Default configuration: assign directories for trusted certificates

```hocon
# Security configuration
js7 {
    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
}
```
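The following is an added example, not JS7 code, of the check a practitioner would run before starting an Agent: it walks the two trusted-key directories from the configuration above, counts usable trust anchors and flags the two mistakes that matter, an empty directory (the Agent then rejects every workflow) and private key material dropped into a trust directory. It assumes X.509 certificates are PEM-encoded and PGP public keys are ASCII-armored; binary files are only reported as unrecognized. The sample directory contents in the `__main__` block are constructed, and `audit_entries`, `read_entries` and `classify` are names chosen for this example.

```python
"""Audit the Agent's trusted-signature-keys directories.

Added example (not JS7 code). Models the rule stated on the page: every
configured directory must hold at least one usable trust anchor, and the
Agent accepts no unsigned workflows. Format assumptions: PEM-encoded X.509
certificates in trusted-x509-keys, ASCII-armored PGP public keys in
trusted-pgp-keys. Binary formats are reported as unrecognized, not rejected.
"""
from __future__ import annotations

from pathlib import Path

X509_DIR = "private/trusted-x509-keys"
PGP_DIR = "private/trusted-pgp-keys"

# Directory -> the PEM/armor header a trust anchor placed there should carry.
EXPECTED = {
    X509_DIR: "-----BEGIN CERTIFICATE-----",
    PGP_DIR: "-----BEGIN PGP PUBLIC KEY BLOCK-----",
}
# Private key material has no business in a trust-anchor directory.
PRIVATE_MARKERS = ("PRIVATE KEY-----", "-----BEGIN PGP PRIVATE KEY BLOCK-----")


def classify(text: str, expected_marker: str) -> str:
    """Return 'private-key', 'ok', 'wrong-type' or 'unrecognized' for one file."""
    if any(m in text for m in PRIVATE_MARKERS):
        return "private-key"
    if expected_marker in text:
        return "ok"
    if text.startswith("-----BEGIN "):
        return "wrong-type"  # PEM/armor, but not the type this directory is for
    return "unrecognized"


def audit_entries(entries: dict[str, list[tuple[str, str]] | None]) -> dict:
    """Core check over {relative_dir: [(filename, text), ...] or None if missing}.

    Returns {'ok': bool, 'anchors': int, 'findings': [str, ...]}.
    """
    findings: list[str] = []
    anchors = 0
    leaked = False
    for rel, marker in EXPECTED.items():
        files = entries.get(rel)
        if files is None:
            findings.append(f"{rel}: directory missing")
            continue
        if not files:
            findings.append(f"{rel}: directory is empty")
        for name, text in files:
            kind = classify(text, marker)
            if kind == "ok":
                anchors += 1
            elif kind == "private-key":
                leaked = True
                findings.append(f"{rel}/{name}: contains private key material, remove it")
            elif kind == "wrong-type":
                findings.append(f"{rel}/{name}: PEM block is not of the type expected here")
            else:
                findings.append(f"{rel}/{name}: not PEM/ASCII-armored, check the format")
    if anchors == 0:
        findings.append("no usable trust anchor: the Agent will reject every workflow")
    return {"ok": anchors > 0 and not leaked, "anchors": anchors, "findings": findings}


def read_entries(config_dir: str | Path) -> dict[str, list[tuple[str, str]] | None]:
    """Read the two directories below the Agent's config directory into memory."""
    root = Path(config_dir)
    entries: dict[str, list[tuple[str, str]] | None] = {}
    for rel in EXPECTED:
        d = root / rel
        if not d.is_dir():
            entries[rel] = None
            continue
        entries[rel] = [
            (p.name, p.read_text(encoding="ascii", errors="replace"))
            for p in sorted(d.iterdir()) if p.is_file()
        ]
    return entries


def audit_trusted_keys(config_dir: str | Path) -> dict:
    """Audit a real JS7_AGENT_CONFIG_DIR, e.g. audit_trusted_keys('/var/sos-berlin.com/js7/agent/config')."""
    return audit_entries(read_entries(config_dir))


if __name__ == "__main__":
    # Constructed sample: one valid certificate, one leaked private key, empty PGP directory.
    sample = {
        X509_DIR: [
            ("controller-ca.pem", "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"),
            ("oops.pem", "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"),
        ],
        PGP_DIR: [],
    }
    result = audit_entries(sample)
    print("ok:", result["ok"], "anchors:", result["anchors"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run `audit_trusted_keys(<config directory>)` against the directory the `js7.config-directory` substitution resolves to; the result is a summary rather than a verdict on the individual certificates, so expiry and chain validity still have to be checked with the tools that issued them.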
Enable Script Execution from Signed Workflows
The default Agent configuration sets signed-script-injection-allowed = yes, which allows job scripts carried in signed workflows to be executed from any location. Without this setting, scripts are restricted to being executed from the config/executables directory only. The setting relies on signature verification: a script arrives as part of a workflow whose signature has been verified against one of the trusted certificates or public keys, so scripts from unsigned or untrusted workflows are not executed.
...
It is essential that the connections between Controller and Agents are secured. This includes:
- using HTTPS connections that are secured by private/public keys and certificates,
- applying mutual authentication between Controller and Agent, i.e. the Agent verifies the Controller's Client Authentication certificate in addition to the Controller verifying the Agent's server certificate.
...
Secure configuration example: private.conf

```hocon
# Security configuration
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }
    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                # Example passwords: replace with the passwords chosen when creating your keystore
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    # Example password: replace with the password chosen when creating your truststore
                    store-password=jobscheduler
                }
            ]
        }
    }
}
```
Controller Connections

```hocon
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}
```
Explanation:
- This setting applies to use of an Agent with a standalone Controller as well as with a Controller Cluster.
- This setting specifies the distinguished name (subject) of the Controller's Client Authentication certificate. The certificate acts as a replacement for a password: a Controller is authenticated by presenting a certificate whose distinguished name is listed here and whose chain is trusted by the Agent's truststore.
- The Agent configuration lists the distinguished names of all Controllers that access the Agent by use of a Client Authentication certificate; for a Controller Cluster this is both the primary and the secondary instance.
- Note that the common name (CN) in the distinguished name has to match the fully qualified domain name (FQDN) of the Controller's host.
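As an added example, not JS7 code, the following models the allow-list check described above: a presented client-certificate subject is parsed into its RDNs and compared with the `distinguished-names` entries. The Agent's exact matching rules are not stated on this page; the example assumes an ordered, attribute-wise comparison that tolerates whitespace and attribute-type case differences but treats a reversed RDN order or a different CN as a mismatch. It also carries the CN/FQDN rule from the last bullet. The presented subjects in the `__main__` block are constructed, and `parse_dn`, `normalize`, `find_allowed`, `common_name` and `cn_matches_host` are names chosen for this example.

```python
"""Check a Controller client-certificate subject DN against the distinguished-names
allow-list of the Agent's Controller account.

Added example, not JS7 code. The Agent's exact matching rules are not stated on this
page; this models the check as an ordered, attribute-wise comparison after normalizing
whitespace and attribute-type case (an assumption). Attribute values are compared
case-insensitively, as X.500 caseIgnoreMatch does.
"""
from __future__ import annotations

# Constructed allow-list, identical to the private.conf example on this page.
ALLOWED_DNS = [
    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
]


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 style DN into an ordered list of (TYPE, value) pairs.

    Backslash-escaped commas and equals signs inside values are honoured; attribute
    types are upper-cased and inner whitespace of values is collapsed.
    """
    rdns: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for rdn in rdns:
        if not rdn.strip():
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN (no '='): {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().upper(), " ".join(value.split())))
    return pairs


def normalize(dn: str) -> tuple[tuple[str, str], ...]:
    """Canonical form used for comparison: RDN order kept, values lower-cased."""
    return tuple((t, v.lower()) for t, v in parse_dn(dn))


def find_allowed(presented: str, allowed_dns: list[str] = ALLOWED_DNS) -> str | None:
    """Return the allow-list entry the presented DN matches, or None to reject."""
    wanted = normalize(presented)
    for entry in allowed_dns:
        if normalize(entry) == wanted:
            return entry
    return None


def common_name(dn: str) -> str | None:
    """CN of the DN; per the page it must equal the Controller host's FQDN."""
    for t, v in parse_dn(dn):
        if t == "CN":
            return v
    return None


def cn_matches_host(dn: str, fqdn: str) -> bool:
    """True if the certificate's CN names the given Controller host."""
    cn = common_name(dn)
    return cn is not None and cn.lower() == fqdn.strip().lower()


if __name__ == "__main__":
    # Constructed presented subjects:
    samples = [
        # the allow-listed DN as some tools print it (lower-case types, spaces around '=')
        "dnq = SOS CA, cn = controller-2-0-primary, ou = IT, o = SOS, l = Berlin, st = Berlin, c = DE",
        # the same certificate in reverse RDN order, as openssl's default -subject output uses
        "C=DE, ST=Berlin, L=Berlin, O=SOS, OU=IT, CN=controller-2-0-primary, DNQ=SOS CA",
        # a third Controller that is not allow-listed
        "DNQ=SOS CA, CN=controller-2-0-tertiary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
    ]
    for dn in samples:
        verdict = "accept" if find_allowed(dn) else "reject"
        print(f"{verdict}: {dn}")
```

The second sample is the practical pitfall: tools print the same subject in different RDN orders, so copy the DN into `distinguished-names` in the form the Agent's Java runtime uses (most specific RDN first, as `keytool -printcert` shows it; with OpenSSL use `openssl x509 -noout -subject -nameopt RFC2253` to get the same order) rather than the default `openssl x509 -subject` output.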
Configuration Items
General Configuration File: agent.conf
...