Page History

...

By default mutual authentication is in place.
- JOC Cockpit is challenged by the Controller to present its Client Authentication certificate that is verified by the Controller.
  - In addition the distinguished name of the JOC Cockpit Client Authentication certificate is checked and a password is used to identify the JOC Cockpit instance.
  - Consider that any number of clustered JOC Cockpit instances can connect to a Controller.
- If a Controller cluster is used then connections from the partnering Controller instance are authenticated by the distinguished name of the instance's Client Authentication certificate.

The JS7_CONTROLLER_CONFIG_DIR/private/private.conf configuration file should include authentication details like this:

Code Block

title	Example for private.conf file specifying JOC Cockpit authentication

js7 {
    auth {
        users {
            # History account (used for release events)
            History {
                distinguished-names=[
                    "DNQ=SOS CA, CN=apmacwin_joc_client, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }
            # JOC account (needs UpdateItem permission for deployment)
            JOC {
                distinguished-names=[
                    "DNQ=SOS CA, CN=apmacwin_joc_client, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                permissions=[
                    UpdateItem
                ]
            }
            # Controller ID for connections by primary/secondary controller instance
            jobscheduler {
                distinguished-names=[
                    "DNQ=SOS CA, CN=apmacwin_secondary_client, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}

Explanation:

The History and JOC user accounts are used by the JS7 - History Service and by the JS7 - REST Web Service API.
- The distinguished-names property offers to add a number of distinguished names available from the subject of the respective Client Authentication certificates.
- The password is not used for authentication but for identification of the of the History and JOC user accounts as both service accounts with the Controller. Both accounts typically are running in the same JOC Cockpit instance and use the same Client Authentication certificate. When used with .
  - If HTTP connections are used then the password is
  used for authentication. The
  - the only means for authentication. If HTTPS connections with mutual authentication are used then the password is not relevant as certificate based authentication is in place.
  - The symmetric password is specified with the section joc of the Settings page of JOC Cockpit and in the private.conf file. A hashed value or a plain text value can be used like this:
    - password="sha512:B793649879D6..."
    - password="plain:JS7-History"
  - If the password is modified in the private.conf file then it has to be modified in the JOC Cockpit settings too to make the passwords match.
  - The password setting cannot be omitted, however, an empty password can be specified, for example with mutual authentication HTTPS connections, like this:
    - password="plain:"
  - By default the clear text for the hashed value is:
    - History: JS7-History
    - JOC: JS7-JOC
The jobscheduler user account is an example for a Controller ID as used by a partnering Controller instance.
- This setting is not required if a standalone Controller is used.
- For a Controller cluster the Controller ID is specified during installation.

...

Space shortcuts

Page tree

Versions Compared

Old Version 29

New Version 30

Key