Versions Compared

...

General Configuration File: agent.conf

Enable HTTP Communication

By default the Agent configuration ships with HTTP communication enabled. It is recommended that public/private keys and certificates for secure HTTPS communication are created and that HTTP communication is disabled.

...

Security Configuration File: private.conf

Assign Directory for Trusted Certificates used to verify Signed Workflow Signatures

The Agent requires X.509 certificates and/or PGP public keys to be in place. These are used to verify the signatures of signed workflows. Unsigned workflows are not accepted by an Agent; therefore at least one X.509 certificate file or PGP public key file has to be present in the directories specified with the following configuration item:

Default configuration: assign directories for trusted certificates (private.conf)

# Security configuration
js7 {
    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
}

Enable Script Execution from Signed Workflows

With the default Agent configuration, job scripts from signed workflows can be executed from any location. Without this setting, scripts are restricted to the config/executables directory.

...

It is essential that the connections between Controller and Agents are secured. This includes:

  • the use of HTTPS connections that are secured by private/public keys and certificates,
  • mutual authentication between Controller and Agent.

...

Secure configuration example: private.conf

# Security configuration
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }
    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}

Controller Connections

Configuration example: Controller account in private.conf

js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}

Explanation:

  • This setting applies when an Agent is used with a solo Controller or with a Controller Cluster.
  • This setting specifies the distinguished name(s) presented by the Controller's Client Authentication certificate. The certificate takes the place of a password.
    • The Agent configuration lists the distinguished names of all Controllers that access the Agent by use of a Client Authentication certificate.
    • Note that the common name (CN) in the distinguished name has to match the fully qualified domain name (FQDN) of the Controller's host.
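As an added illustration (not code from the JS7 project), the following Python function applies the two checks the explanation describes: the distinguished name presented by a Controller's client certificate must be one of the names configured under js7.auth.users.Controller, and its CN must equal the Controller host's FQDN. The trusted DN list is taken from the example above; the function names and the FQDN parameter are assumptions.

```python
import re

# Constructed from the private.conf example on this page.
TRUSTED_CONTROLLER_DNS = [
    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
]


def parse_dn(dn):
    """Split an RFC 4514 style DN string into a sorted list of
    (ATTRIBUTE, value) pairs so that attribute order and spacing do
    not affect comparison. Attribute types are case-insensitive;
    values are kept as written (only surrounding whitespace trimmed).
    Commas escaped with a backslash do not split an RDN."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return sorted(pairs)


def authorize_controller(presented_dn, controller_fqdn,
                         trusted=TRUSTED_CONTROLLER_DNS):
    """Return (accepted, reason) for a Controller that presented a client
    certificate with subject `presented_dn` from host `controller_fqdn`.
    Hypothetical helper: the real Agent performs this check internally."""
    presented = parse_dn(presented_dn)
    cn = next((v for a, v in presented if a == "CN"), None)
    # CN must equal the Controller host's FQDN (hostnames are case-insensitive).
    if cn is None or cn.lower() != controller_fqdn.lower():
        return False, "CN does not match Controller FQDN"
    # The full DN must appear in js7.auth.users.Controller.distinguished-names.
    for trusted_dn in trusted:
        if parse_dn(trusted_dn) == presented:
            return True, "matched configured distinguished name"
    return False, "distinguished name not configured for Controller"
```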


Configuration Items

General Configuration File: agent.conf

...