Page History
...
- The JS7 components are easy to install out-of-the-box. However, a number of configuration items have to be considered when operating the JS7 for a secure environment.
- Secure operation is applied at to the following areas:
- Connection Management
- Network Connections
- Database Connections
- Access Management
- Authentication
- Authorization
- Credentials Management
- Database Credentials
- Job Credentials
- Connection Management
- Secure operation includes users configuring JS7 components in a compliance conformant -conform way.
Connection Management
...
- Configure network connections to use HTTPS:
- Use of HTTPS includes to provide providing valid certificates for the hosts that JS7 components are operated for. Use of self-signed certificates is a no-go as they cannot be verified to a trusted source.
- As HTTPS is limited to secure connections, in addition additional authentication is required, for example, when using HTTPS then . In this case, a JS7 Controller instance is configured to authenticate with an Agent in order to guarantee that the Controller instance is, in fact is , what it claims to be and is entitled to access the Agent.
- JS7 - Secure Connections by SSL Certificates explains the use of the built-in certificate authority and use with external certificate authorities.
- For detailed instructions on for the configuration see:
- JS7 - JOC Cockpit Configuration Items explains HTTPS configuration for the JOC Cockpit and connection to the JS7 Controller.
- JS7 - Controller Configuration Items
- JS7 - Agent Configuration Items
- Restrict use of network interfaces
- Consider restricting JS7 components to only listen to specific network interfaces.
- The JS7 Controller can be configured by use of the
--http_port
and--https_port
command line options to specify network interfaces, see JS7 - Controller - Command Line Operation. - The JS7 Agent can be configured to use the
--http-port
and--https-port
options to specify network interfaces, see JS7 - Agent Command Line Operation. - JOC Cockpit has to be configured with respective corresponding port settings:
...
JOC Cockpit is the only JS7 component using that uses a database.
Database connections are based on JDBC. If JDBC type 4 drivers are used then a DBMS client is not required for operation of JOC Cockpit. The Hibernate access layer is used for database access.
...
- JS7 ships with JDBC Drivers that are open source or that are free for distribution with JS7.
- The JOC Cockpit installer allows
- to specify specifcation of alternative JDBC Drivers that can be downloaded from the relevant vendor's web site.
- to specify individual specifcation ofindividual Hibernate configuration files with security related settings.
- For details see JS7 - Database.
...
- Depending on the DBMS version in use it is preferable to download and to apply the DBMS vendor's current JDBC Driver version:
- For use with MySQL® the JDBC Driver is not included with JS7. Instead a MariaDB® driver is provided to access for accessing MySQL® databases.
- For use with SQL Server® the JDBC Driver is not included, instead users have to download a current JDBC Driver from the vendor's site.
- For use with Oracle® newer JDBC Driver versions are available from the vendor's web site.
- Vendor-specific JDBC Drivers include support for specific authentication mechanisms, for example the use of JDBC with Oracle Wallet.
- Consider additional security related settings that apply to your DBMS in the Hibernate configuration file, for the location of this file see JS7 - Database.
...
Default Configuration
- Consider the hints from provided in the JOC Cockpit - Security article
- The JS7 - REST Web Service API ships with a default configuration in
./joc/resources/joc/shiro.ini
that includes- using local use of local authentication with accounts and passwords stored as hash values.
- using use of local role assignment,
- the following default values for accounts, passwords and assigned roles (see JOC Cockpit - Authentication and Authorization for more information):
- Active Accounts:
root=root, all
- Deactivated Accounts (passwords are presented in plain text and are hashed in the
shiro.ini
configuration file:# administrator=secret, administrator
# application_manager=secret, application_manager
# it_operator=secret, it_operator
# incident_manager=secret, incident_manager
# business_user=secret, business_user
# api_user=secret, api_user
- Active Accounts:
- The JS7 Controller is not to be accessed by users directly but exclusively via the JS7 - REST Web Service API. No default Default authentication is not provided.
- JS7 Agents are not to be accessed by users directly but exclusively by a JS7 Controller. No default Default authentication is not provided.
Secure Configuration
- It is not recommended to use Using the default accounts that ship with JOC Cockpit is not recommended. Default The default accounts are intended to enable initial login only.
- A fine-grained set of permissions is available that apply can be applied to any operation in JOC Cockpit and in the REST Web Service. Such permissions can freely be grouped to roles.
- If possible then LDAP Directory Services should be used when ever possible to establish role assignment to for users based on membership in LDAP security groups.
LDAP Directory Service
Default Configuration
- No LDAP Directory Service integration is not in place.
- It is not recommended to use Using the default configuration with local authentication for access to JOC Cockpit is not recommended.
Secure Configuration
- LDAP Directory Services can be accessed for authentication and authorization:
- users can connect by specifying their domain account.
- optionally membership in security groups can be optionally mapped to roles.
- Using The use of LDAP allows to operate operation of a JOC Cockpit configuration that contains no neither account data, no passwords and no nor user role assignments to users.
- This applies to any LDAP compliant product such as Microsoft Active Directory®, OpenLDAP etc.
- For details about of LDAP configuration see LDAP Configuration.
...
- Database credentials are specified during installation and are added to the following Hibernate configuration files:
- JOC Cockpit: for access to the reporting database:
./resources/joc/reporting.hibernate.cfg.xml
- For details see JS7 - Database.
- JOC Cockpit: for access to the reporting database:
- No default Default values are not provided by the installer.
...
- Do not use passwords.
- Users frequently ask if JS7 can encrypt credentials. The answer is "no" as it makes no sense to handle a symmetric key that is in reach of the component that makes use of it. Encrypted passwords correspond to the "key under the mat", they do not provide additional security, however, they contribute perfectly contribute to obfuscation.
- There is one way only how to handle passwords: not to use them.
- Use Integrated Security
- This authentication scheme starts from is based on the fact that the account that which a component is operated for is already authenticated and therefore can access a database without specifying user/password credentials.
- This feature is available for a number of DBMS such as
- Microsoft SQL Server®, see the How to connect to an SQL Server with a domain account article.
- Oracle® that includes support for Oracle® Wallet, see How to connect to an Oracle database without using passwords
...
- The Windows Service for the JS7 Controller and Agent runs in the system account.
- The installer allows to specify specification of a different account and to add the addition of credentials for that account.
- By default jobs are executed in the context of the account that the JS7 Controller or JS7 Agent are operated forwith.
Secure Configuration
- It is a bad idea to run a JS7 Controller or Agent using a Unix root account or Windows Administrator account.
- Certainly this makes life easy when it comes to switching to other user accounts or for accessing files.
- However, you should not grant more permissions to a process than required.
- Use specific user accounts to run JS7 Controllers and Agents:
- Do not use the system account (Windows) or root (Unix).
- Create specific service accounts that are limited to the privileges that are required to execute jobs.
- Do not specify credentials for Windows Service accounts during installation:
- The installer does not store such credentials but forwards them to the Windows Service interface, however, there is no guarantee that such credentials will be logged by some Windows mechanism.
- Instead, use the Windows Service Panel to manually specify credentials for the service account.
- There are a number of options when it comes to running jobs for different user accounts:
- For In Unix environments
- Your job scripts can switch to a different user context by use of
sudo
orsu
commands.sudo
is the preferred option as this the standard Unix tool that allows secure configuration of the users that are allowed to execute certain commands (sudoers file). In additionsudo
provides reporting capabilities about (ab)use of commands.
- Your job scripts can switch to a different user context by use of
- For In Windows environments
- You can use the Windows Credential Manager to safely store credentials of the user account that a job should be executed for. The JobScheduler will then read the credentials and create a new process to run a job in the target user context. This is the preferred solution as it does not store credentials with in the JobScheduler configuration.
- Find You will find detailed information from in the JobScheduler Universal Agent - Running jobs as a different user article.
- For all environments
- You can run a number of Agents in parallel for using different user accounts.
- For details see the JS7 Installation: How to install the JS7 - Agent on - premises using the Windows Graphical Installer article.
- For In Unix environments
- For A credential store can be used for jobs that require credentials, e.g. to access a database, a credential store can be used, : see the Using a Credential Store for Jobs article for more information.
- Credentials are not provided from parameters (that could be logged in clear text), instead an interface is provided that allows on demand access to the credential store.
- This feature is available for Shell jobs and for JVM jobs.
File Transfer Credentials
Such credentials apply to use of are intended for use with the YADE file transfer utility that , which is available from built-in job templates.
...
- By default any accounts/passwords that are used for source connections, target connections and proxy connections are stored in clear text.
- Find See the YADE - Reference Documentation - Parameter Reference for more information.
Secure Configuration
- Use the YADE Credential Store to manage credentials centrally in a store that which is referenced by YADE configuration items, see . See the How to set-up the Credential Store and YADE Parameter Reference - CredentialStoreFragment articles articles for more information.
- Should you use FTP connections then consider to switch to use of SFTP.
- SFTP connections can be used with private/public key files , - there is no need to use passwords for such connections.
...