Network Connections
- Network connections between components use the HTTPS protocol.
- Such connections are secured by X.509 certificates, optionally using mutual client and server authentication.
- Connections are established in one direction only.
...
- Certificates are created:
  - either from a CA independently from JS7,
    - This applies to users of JS7 who require the "high" Security Level and therefore operate a CA on their own.
  - or directly from the JS7 JOC Cockpit.
    - This applies to users of JS7 who prefer Security Level "low" or "medium" without the effort of maintaining a CA.
    - The JOC Cockpit implements:
      - a Root CA and Intermediate CA to create certificates for JS7 components.
      - deployment capabilities to prepare the security configuration for JS7 components, i.e. to generate keystores and truststores to which the relevant certificates are added.
- Certificates can be maintained with JOC Cockpit if an individual CA is not in place.
  - Private Keys and Certificates are stored with the JS7 database.
  - A user interface is available for operations on certificates, such as creating, updating and deleting certificates.
- Certificates are prepared for deployment:
  - A keystore and truststore to hold the required certificates are created for each individual JS7 component such as a Controller or Agent.
  - Keystores and truststores can be forwarded to Controllers and Agents by any suitable means, for example by file transfer, SSH, transportable disks etc.
  - Keystores and truststores can be imported to Controllers and Agents using a shell script.
...
- Certificates are revoked by deploying updated certificates.
  - Support for Certificate Revocation Lists (CRL) is not in place.
    - The Java architecture and certificate types allow implementation of a CRL.
- Configurations include all deployable scheduling objects that are used for job execution with Agents, such as workflows, jobs etc.
- Jobs deployed to Agents can include calls to OS commands, scripts and binaries. Such deployments should be considered as a code injection to a remote machine requiring authentication and authorization.
- Therefore scheduling objects are required to be signed by a responsible person:
  - This guarantees that workflows, jobs etc. are authorized for deployment by individuals who are in charge of this task.
  - This guarantees non-repudiability of deployments.
- JOC Cockpit offers different Security Levels for deployment of scheduling objects.
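The signing requirement above, shown as an added example that is not JS7's own code: a scheduling object is signed by a responsible person and checked against a trusted certificate before it is accepted. The page does not state JS7's signature format, so detached RSA/SHA-256 signatures created with `openssl` are an assumption, and all file names, subject names and workflow content are constructed.

```shell
#!/bin/sh
# Added example, not JS7 code. Assumes the openssl CLI is installed.

# Create a key and a self-signed certificate for a signer (constructed names).
make_signer() {  # $1 = directory, $2 = signer name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Sign a scheduling object; the detached signature is written to <object>.sig.
sign_object() {  # $1 = private key, $2 = object file
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# The check performed before an object is accepted for deployment.
# Returns 0 only if <object>.sig matches the object and the trusted certificate.
verify_object() {  # $1 = trusted certificate, $2 = object file
    pub=$(mktemp) || return 2
    if openssl x509 -in "$1" -pubkey -noout > "$pub" 2>/dev/null &&
       openssl dgst -sha256 -verify "$pub" -signature "$2.sig" "$2" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$pub"
    return "$rc"
}

demo() {
    dir=$(mktemp -d) || return 2
    make_signer "$dir" release-manager || return 2   # trusted signer
    make_signer "$dir" other-user || return 2        # certificate not trusted
    obj="$dir/workflow.json"                         # constructed workflow
    printf '%s\n' '{"path":"/demo/wf","script":"echo hello"}' > "$obj"
    sign_object "$dir/release-manager.key" "$obj" || return 2

    verify_object "$dir/release-manager.crt" "$obj" && echo "signed object: accepted"
    # Signature was not made by the holder of this certificate.
    verify_object "$dir/other-user.crt" "$obj" || echo "wrong signer: rejected"
    # Job script changed after signing.
    printf '%s\n' '{"path":"/demo/wf","script":"echo changed"}' > "$obj"
    verify_object "$dir/release-manager.crt" "$obj" || echo "modified object: rejected"
    rm -rf "$dir"
}

demo
```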
Secure Deployment
- Deploying scheduling objects to a Controller in a given environment includes transferring objects such as workflows and jobs.
  - This step can be simplified, for example for development environments, when frequent changes occur to scheduling objects and deployments are performed with a single mouse click.
  - This step can be more complex if sharing of responsibilities is included, for example when rolling out scheduling objects from a development environment to a test or production environment. This situation is called a roll-out and is explained in the subsequent chapter.
- A secure deployment matches the security requirements in a given environment. Therefore the JOC Cockpit can be operated with different Security Levels.
  - "Low" and "medium" Security Levels allow simplified deployment and are suitable for environments with modest security requirements.
  - The "high" Security Level takes more effort and is targeted towards organizations with more elaborate security requirements.
- Security Levels are put in place during the installation of the JOC Cockpit. Each instance of the JOC Cockpit can only be operated at a single Security Level. There is no fallback from Security Level "high" to Security Level "medium" or "low". Changing the Security Level requires reinstalling JOC Cockpit.
...