Page History
...
- By default mutual authentication is in place.
- JOC Cockpit is challenged by the Controller to present its Client Authentication certificate that is verified by the Controller.
- In addition the distinguished name of the JOC Cockpit Client Authentication certificate is checked and a password is used to identify the JOC Cockpit instance.
- Consider that any number of clustered JOC Cockpit instances can connect to a Controller.
- If a Controller cluster is used then connections from the partnering Controller instance are authenticated by the distinguished name of the instance's Client Authentication certificate.
- JOC Cockpit is challenged by the Controller to present its Client Authentication certificate that is verified by the Controller.
The
JS7_CONTROLLER_CONFIG_DIR
/private/private.conf
configuration file should include authentication details like this:Code Block title Example for private.conf file specifying JOC Cockpit authentication js7 { auth { users { # History account (used for release events) History { distinguished-names=[ "DNQ=SOS CA, CN=apmacwin_joc_client, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" ] password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08" } # JOC account (needs UpdateItem permission for deployment) JOC { distinguished-names=[ "DNQ=SOS CA, CN=apmacwin_joc_client, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" ] password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE" permissions=[ UpdateItem ] } # Controller ID for connections by primary/secondary controller instance jobscheduler { distinguished-names=[ "DNQ=SOS CA, CN=apmacwin_secondary_client, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" ] } } } }
Explanation:- The
History
andJOC
user accounts are used by the JS7 - History Service and by the JS7 - REST Web Service API.- The
distinguished-names
property offers to add a number of distinguished names available from the subject of the respective Client Authentication certificates. - The
password
is not used for authentication but for identification of the of theHistory
andJOC
user accounts as both service accounts with the Controller. Both accounts typically are running in the same JOC Cockpit instance and use the same Client Authentication certificate. When used with .- If HTTP connections are used then the password is
- the only means for authentication. If HTTPS connections with mutual authentication are used then the password is not relevant as certificate based authentication is in place.
- The symmetric password is specified with the section joc of the Settings page of JOC Cockpit and in the
private.conf
file. A hashed value or a plain text value can be used like this:password="sha512:B793649879D6..."
password="plain:JS7-History"
- If the password is modified in the
private.conf
file then it has to be modified in the JOC Cockpit settings too to make the passwords match. - The password setting cannot be omitted, however, an empty password can be specified, for example with mutual authentication HTTPS connections, like this:
password="plain:"
- By default the clear text for the hashed value is:
- History:
JS7-History
- JOC:
JS7-JOC
- History:
- The
- The
jobscheduler
user account is an example for a Controller ID as used by a partnering Controller instance.- This setting is not required if a standalone Controller is used.
- For a Controller cluster the Controller ID is specified during installation.
- The
...
Overview
Content Tools