...
- using HTTPS connections which are secured by private keys and certificates,
- applying mutual authentication between Controller and Agent.,
- applying mutual authentication between Director Agent and Subagent in an Agent Cluster.
- applying password authentication between components should mutual authentication not be in placereferring to the detailed explanations in the following sections.
Code Block |
---|
language | text |
---|
title | Secure configuration example: private.conf |
---|
linenumbers | true |
---|
collapse | true |
---|
|
# Security configuration
js7 {
auth {
# User accounts for https connections
users {
# Controller ID for connections by primary/secondary Controller instance
Controller {
distinguished-names=[
"DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
}
}
}
configuration {
# Locations of certificates and public keys used for signature verification
trusted-signature-keys {
PGP=${js7.config-directory}"/private/trusted-pgp-keys"
X509=${js7.config-directory}"/private/trusted-x509-keys"
}
}
job {
# Enable script execution from signed workflows
execution {
signed-script-injection-allowed = yes
}
}
web {
# Locations of keystore and truststore files for HTTPS connections
https {
keystore {
# Default: ${js7.config-directory}"/private/https-keystore.p12"
file=${js7.config-directory}"/private/https-keystore.p12"
key-password=jobscheduler
store-password=jobscheduler
}
truststores=[
{
# Default: ${js7.config-directory}"/private/https-truststore.p12"
file=${js7.config-directory}"/private/https-truststore.p12"
store-password=jobscheduler
}
]
}
}
}
|
Client Authentication with Controller
Anchor |
---|
| js7-auth-users-Controller |
---|
| js7-auth-users-Controller |
---|
|
Controller Connections
...
- This setting applies to the use of an Agent with a solo Standalone Controller or with a Controller Cluster.
- Note that the
Controller
element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of both cluster Controller instances. - This setting specifies the distinguished name indicated with the Controller instance's Client Authentication certificate. The certificate acts as a replacement for a password.
- The Agent configuration specifies the distinguished names of any Controllers the Controller instances that access the Agent by use of a Client Authentication certificate.
- Note that the common name (CN) setting in the distinguished name has to match the fully qualified domain name (FQDN) of a Controller instance's host.
Client Authentication with Director Agent
Anchor |
---|
| js7-auth-users-Director |
---|
| js7-auth-users-Director |
---|
|
Director Agent Connections Code Block |
---|
language | yml |
---|
linenumbers | true |
---|
|
js7 {
auth {
# User accounts for https connections
users {
# Director Agent ID for connections by primary/secondary Director Agent
Director {
distinguished-names=[
"DNQ=SOS CA, CN=director-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS CA, CN=director-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
}
}
}
} |
Explanation:
- This setting applies to the use of a Subagent with a Director Agent in an JS7 - Agent Cluster.
- Similar to a Controller that orchestrates Standalone Agents the Director Agent orchestrates Subagents.
- Subagents do not know of a Controller, they know of a Director Agent.
- Note that the
Director
element name is an example that has to be replaced by the Director Agent ID which is specified with the same value during installation of the Primary and Secondary Director Agent instances. - This setting specifies the distinguished name indicated with the Director Agent's Client Authentication certificate. The certificate acts as a replacement for a password.
- The Agent configuration specifies the distinguished names of any Director Agent instances that access the Subagent by use of a Client Authentication certificate.
- Note that the common name (CN) setting in the distinguished name has to match the fully qualified domain name (FQDN) of a Director Agent instance's host.
Password Authentication with Controller
Anchor |
---|
| js7-auth-users-password-Controller |
---|
| js7-auth-users-password-Controller |
---|
|
Controller Connections Code Block |
---|
language | yml |
---|
linenumbers | true |
---|
|
js7 {
auth {
# User accounts for https connections
users {
# Controller ID for connections by primary/secondary Controller instance
Controller {
password="plain:secret"
}
}
}
} |
Explanation:
- This setting applies to the use of an Agent with a Standalone Controller or with a Controller Cluster.
- Note that the
Controller
element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of both cluster Controller instances. - This setting specifies the password indicated with the Controller instance's
js7.auth.agents
configuration item. - The password can be specified as plain text preceded by
plain:
. - The password can be specified as a hashed value preceded by
sha512:
.
Password Authentication with Director Agent
Anchor |
---|
| js7-auth-users-password-Director |
---|
| js7-auth-users-password-Director |
---|
|
Director Agent Connections Code Block |
---|
language | yml |
---|
linenumbers | true |
---|
|
js7 {
auth {
# User accounts for https connections
users {
# Director Agent ID for connections by primary/secondary Director Agent
Director {
password="plain:secret"
}
}
}
} |
Explanation:
- This setting applies to the use of a Subagent with a Director Agent in an JS7 - Agent Cluster.
- Note that the
Director
element name is an example that has to be replaced by the Director Agent ID which is specified with the same value during installation of the Primary and Secondary Director Agent instances. - This setting specifies the distinguished name indicated with the Director Agent's Client Authentication certificate. The certificate acts as a replacement for a password.
- This setting specifies the password indicated with the Director Agent instance's
js7.auth.subagents
configuration item. - The password can be specified as plain text preceded by
plain:
. - The password can be specified as a hashed value preceded by
sha512:
.
Server Authentication
Anchor |
---|
| js7-web-https-keystore |
---|
| js7-web-https-keystore |
---|
|
HTTPS Keystore and Truststore Locations
...