...
```
# Security configuration
js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # Controller accountID for connections by primary/secondary controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
            # History account (used for release events)
            History {
                distinguished-names=[
                    "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }
            # JOC account (requires UpdateRepo permission for deployment)
            JOC {
                distinguished-names=[
                    "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                permissions=[
                    UpdateRepo
                ]
            }
        }
    }
    configuration {
        # directory for trusted public keys and certificates used with signatures
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
    journal {
        # allow History account to release events to free space claimed by journals
        users-allowed-to-release-events=[ History ]
    }
    web {
        # keystore and truststore location for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}
```
...
```
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller accountID for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}
```
...
- This setting applies to use of a Controller Cluster.
- Consider that the element name Controller is an example that has to be replaced by the Controller ID that is specified with the same value during installation of both Controller instances in a cluster.
- This setting specifies the distinguished name indicated with the pairing Controller's Client Authentication certificate. The certificate acts as a replacement for a password.
- The Controller configuration specifies the distinguished name of a pairing Controller that would access this Controller by use of a Client Authentication certificate.
- Consider that the common name (CN) setting in the distinguished name has to match the fully qualified domain name (FQDN) of a Controller's host.
...
js7.auth.users: HTTPS Authentication and Authorization
| js7.auth.users | Setting | Value |
|---|---|---|
| Controller <controller-id> | distinguished-names | <distinguished-name>[,<distinguished-name>] |
| History | distinguished-names | <distinguished-name>[,<distinguished-name>] |
| History | password | plain:<text> \| sha512:<hashed-password> |
| JOC | distinguished-names | <distinguished-name>[,<distinguished-name>] |
| JOC | password | plain:<text> \| sha512:<hashed-password> |
| JOC | permissions | UpdateRepo |
- An additional authentication mechanism is applied when using HTTPS Server Authentication certificates or public keys for incoming connections, see below: the client of the incoming connection, e.g. JOC Cockpit, is required to provide a Client Authentication certificate and a password. This includes two certificates that are in place for a secure HTTPS connection: the given Controller's Server Authentication certificate and the JOC Cockpit's Client Authentication certificate.
- The fact that a given certificate is to be used for Server Authentication and/or Client Authentication is specified with the key usage when the certificate is being created and signed.
- The distinguished name that is specified with the Controller's configuration has to match the Client Authentication Certificate's or Client public key's subject attribute. This attribute specifies the hostname and additional information that is created when the certificate or public key is generated.
<controller-id>
- This element holds the Controller ID that is specified with the same value during installation of both Controller instances in a cluster.
- Settings in this section are used for connections from a pairing Controller instance, e.g. for a Secondary Controller instance if the given configuration is used for the Primary Controller instance and vice versa.
distinguished-names
- Specifies the distinguished name as given with the subject of the Client Authentication Certificate for incoming HTTPS connections of a pairing Controller instance.
- Any number of distinguished names can be specified, allowing a number of incoming HTTPS connections from different Controller instances. At a given point in time only one pairing Controller instance can connect to the given Controller.
History
- Settings in this section are used for the History Service of JOC Cockpit instances that access the given Controller.
distinguished-names
- The same as for the Controller setting.
password
- A password has to be used in addition to use of a certificate or public key. In addition the password is used if incoming HTTP connections are allowed.
JOC
- Settings in this section are used for JOC Cockpit instances that access the given Controller.
distinguished-names
- The same as for the Controller setting.
password
- A password has to be used in addition to use of a certificate or public key. In addition the password is used if incoming HTTP connections are allowed.
permissions
- JOC Cockpit requires the UpdateRepo permission to enable users to deploy objects such as workflows.
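As an added example (not part of the JS7 documentation or the product's own code) for the distinguished-names requirements above, the Python script below compares configured distinguished-names entries with subject strings extracted from Client Authentication certificates and checks that each CN equals the host's FQDN. The sample names are constructed from this page; it is an assumption that the Controller compares names attribute by attribute in the given order, and the subject strings are written the way other tools often print them (no spaces, lower-case attribute types).

```python
import re

# Parse an RFC 2253/4514-style distinguished name, e.g.
#   "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
# into an ordered list of (TYPE, value) pairs. Commas escaped as "\," stay
# inside the value, whitespace after separators is dropped and attribute
# types are upper-cased, because these details vary between the tools that print subjects.
def parse_dn(dn):
    rdns = []
    for rdn in re.split(r'(?<!\\),', dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        typ, _, val = rdn.partition('=')
        rdns.append((typ.strip().upper(), val.strip().replace('\\,', ',')))
    return rdns

# Attribute order is part of the name, so the comparison is order-sensitive
# (assumption about how the Controller matches configured names).
def dn_matches(configured, subject):
    return parse_dn(configured) == parse_dn(subject)

def cn_of(dn):
    for typ, val in parse_dn(dn):
        if typ == 'CN':
            return val
    return None

# For every configured distinguished-names entry report whether some
# certificate subject matches it and whether its CN equals the expected FQDN.
def check_distinguished_names(configured_names, cert_subjects, expected_fqdn):
    report = {}
    for name in configured_names:
        report[name] = {
            "matches_a_certificate": any(dn_matches(name, s) for s in cert_subjects),
            "cn_is_fqdn": cn_of(name) == expected_fqdn,
        }
    return report

# Constructed sample input: the entry from this page's Controller section and
# two certificate subjects as another tool might print them.
CONFIGURED = [
    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
]
CERT_SUBJECTS = [
    "dnq=SOS CA,cn=controller-2-0-secondary,ou=IT,o=SOS,l=Berlin,st=Berlin,c=DE",
    "DNQ=SOS CA,CN=joc-2-0-primary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE",
]

if __name__ == "__main__":
    for name, result in check_distinguished_names(
            CONFIGURED, CERT_SUBJECTS, "controller-2-0-secondary").items():
        print(name, result)
```

A configured name that matches no certificate subject, or whose CN is not the host's FQDN, is what to look for when a pairing Controller or JOC Cockpit is rejected on an HTTPS connection.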
...