...

  • HTTPS Server Authentication is preferably used in combination with Client Authentication (mutual authentication) as this allows a secure configuration without use of passwords.
    • The purpose of Server Authentication is to secure the identity of an HTTP server and to encrypt the communication between client and server.
    • The purpose of Client Authentication is to prove the identity of a client. Without proof of identity any HTTP client could perform a man-in-the-middle attack e.g. by pretending to be a Controller that connects to an Agent.
  • Consider the communication scheme between JS7 components as explained in JS7 - System Architecture:
    • User browsers acting as HTTP clients establish connections to JOC Cockpit as an HTTP server.
    • JOC Cockpit acting as an HTTP client establishes connections to Controllers acting as HTTP servers.
    • Controllers acting as HTTP clients establish connections to Agents acting as HTTP servers.

Controller Configuration

...

  • The configuration file is located in the sos-berlin.com/js7/controller/config/private folder.
  • Note that the above configuration has to be deployed to both Controller instances if a Controller Cluster is used.
  • The configuration items from the above example that are relevant to Server Authentication with passwords are explained below.

Authentication with

...

pairing Controller instances and JOC Cockpit instances

Controller Connections

js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # Controller account for connections by primary/secondary controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}

...

  • The journal holds e.g. information about order state transitions. This information is consumed by the JS7 - History Service that updates the JS7 database from this information.
  • The Controller's journal would grow if entries that have been consumed by the History Service could not be released. The users-allowed-to-release-events setting specifies the names, e.g. History, of the accounts whose authentication settings are specified in the js7.auth.users section.
  • For use with any number of JOC Cockpit instances a single account History is used. Should more than one consumer account be specified then all consumers would have to confirm having received order transition events before such events can be removed from the journal.

...

  • HTTPS keystore and truststore are used to hold private keys and certificates
    • The keystore holds the Controller instance's private key and certificate. This information is used for
      • Server Authentication with JOC Cockpit and for
      • Client Authentication with Agents.
    • The truststore holds the certificate(s) used to verify
      • Client Authentication certificates presented by JOC Cockpit and
      • Server Authentication certificates presented by Agents.
  • Keystore and truststore locations are specified. In addition,
    • for the keystore, a password for the private keys it contains and a password for access to the keystore can be specified,
    • for the truststore, a password for access to the truststore can be specified.
  • Passwords for keystores and truststores do not tend to improve the security of the configuration: the passwords have to be specified as plain text and have to be in reach of the Controller. This mechanism is not too different from hiding the key under your doormat. In fact, limiting ownership and access permissions for keystore and truststore files to the JS7 Controller's run-time account is more important than using a password.
    • The key-password setting is used for access to a private key in a keystore.
    • The store-password setting is used for access to a keystore or to a truststore.
    • For PKCS12 (*.p12) keystores both settings have to use the same value. The settings can be omitted if no passwords are used.
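
The ownership and permission point above can be checked with a short script. This is an added example, not part of the JS7 documentation; the function names are hypothetical, and the run-time account and the store file paths are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: audit keystore/truststore files for owner and mode.
# Account name and file paths are assumptions passed in as arguments.

# check_store_perms FILE OWNER
# OWNER is an account name or a numeric uid. Returns 0 only when FILE is a
# regular file owned by OWNER and carries no group/other permission bits.
check_store_perms() {
    file=$1; owner=$2
    [ -f "$file" ] || { echo "FAIL $file: not a regular file"; return 1; }
    case $owner in
        *[!0-9]*) want_uid=$(id -u "$owner" 2>/dev/null) || {
                      echo "FAIL $file: unknown account $owner"; return 1; } ;;
        *)        want_uid=$owner ;;
    esac
    # -n prints the numeric uid, -L follows symlinks to the real store file.
    # Characters 5-10 of the mode string are the group and other bits.
    listing=$(ls -ldLn -- "$file" | awk '{print substr($1, 5, 6), $3}')
    bits=${listing% *}
    uid=${listing#* }
    status=0
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $file: owned by uid $uid, expected $want_uid"; status=1
    fi
    if [ "$bits" != "------" ]; then
        echo "FAIL $file: group/other bits set ($bits), expected 600 or stricter"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK   $file"
    return "$status"
}

# audit_stores OWNER FILE...
# Checks every file and returns 1 if at least one of them fails.
audit_stores() {
    acct=$1; shift
    rc=0
    for f in "$@"; do
        check_store_perms "$f" "$acct" || rc=1
    done
    return "$rc"
}

# Stand-alone use: sh audit.sh <run-time account> <store file>...
if [ "$#" -ge 2 ]; then
    audit_stores "$@"
fi
```

A FAIL line for a keystore means that accounts other than the Controller's run-time account can read the private key file, regardless of any key-password or store-password setting.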

...