Introduction

• The JS7 offers to perform operations by the JS7 - REST Web Service API.
  
  • For detailed information see the Technical Documentation of the REST Web Service API.
  • For available CLI operations see JS7 - Unix Shell Command Line Interface.
• The REST Web Service API can be accessed from Shell utilities such as curl.
• In addition, a PowerShell module is available for simplified access to the REST Web Service API. This is described in the JS7 - PowerShell Module article.

The JOC Cockpit Operation Identity Service Deployment Script offered for Unix Shell can be applied to perform frequently used status operations on JOC Cockpit.

...

operations to manage accounts, roles and JS7 - Identity Services.

Identity Service Deployment Script

The script is offered The script is offered for download and can be applied for frequently used operations:

• The script is available for Linux and MacOS® using bash shell.
• The script terminates with exit code 0 to signal successful execution, with exit code 1 for command line argument errors and with exit code 4 for non-recoverable errors. Exit code 3 signals that no matching objects have been found.
• The script is intended as a baseline example for customization by JS7 users and by SOS within the scope of professional services. Examples make use of JS7 Release 2.7.2, bash 4.2, curl 7.29.0 and jq 1.6.0.
  

Prerequisites

The Script requires the curl utility and the jq utility to be available from the operating system. 

jq ships with the MIT license, see https://opensource.org/licenses/MIT.

Download

Download: JS7 - Download (Section: Unix Shell ClICLI)

Usage

Invoking the script without arguments displays the usage clause:

...

Usage: operatedeploy-identity-jocservice.sh [Command] [Options] [Switches]

  Commands:
    statusget-account             --service [--account] [--enabled] [--controller-iddisabled] [--blocked]
    versionstore-account           --service  --account  [--controller-idrole] [--disabled] [--agentaccount-idpassword] [--listforce-password-change]
    switchrename-overaccount          --controller-id
service    restart-service  --account   --servicenew-typeaccount
    runremove-serviceaccount          --service  --type
account    check-license      [--enabled] [--validity-daysdisabled]
    get-account-settings
permission    store-settings    --service  --settingsaccount
    encrypt set-account-password    --service  --account      --account-inpassword [--infile new--outfile] --cert [--java-home] [--java-lib]account-password
    reset-account-password  --service  --account
    decrypt   enable-account          --inservice  [--infile --outfile] --key [--key-password] [--java-home] [--java-lib]

  Options:
account
    disable-account         --url=<url>service  --account
    block-account           --service  --account [--comment]
    | required: JOC Cockpit URL
unblock-account         --user=<account>service  --account

    get-role             | required: JOC Cockpit user account--service [--role]
    store--password=<password>role              |--service optional: JOC Cockpit password--role [--ordering]
    --ca-cert=<path>rename-role             --service  --role  --new-role
   | optional:remove-role path to CA Certificate used for JOC Cockpit login
    --client-cert=<path>service  --role

    get-permission         | optional:--service path to Client Certificate used for login--role [--controller-id]
    --client-key=<path>set-permission          --service  --role  --permission  | optional: path to Client Key used for login
[--excluded] [--controller-id]
    rename-permission       --timeout=<seconds>service  --role  --permission  --new-permission [--excluded] [--controller-id]
    remove-permission    | optional: timeout for--service request, default: 60
     --role  --permission [--controller-id=<id>]

      get-folder         | optional: Controller ID
  --service  --agent-id=<id[,id]>role [--folder] [--controller-id]
    set-folder           | optional: Agent IDs
--service  --role  --service-type=<identifier> folder  [--recursive] [--controller-id]
    rename-folder   | optional: service for restart such as cluster, history, dailyplan, cleanup, monitor
  --service  --role  --folder   --validitynew-days=<number>  folder [--recursive] [--controller-id]
    remove-folder     | optional: min. number of days for--service which a--role license should--folder be valid, default: 60 [--controller-id]

    get--settings=<json>service            [--service]
    store-service  | optional: settings to be stored from JSON
    --key=<path>    service --service-type [--ordering] [--required] [--disabled]
                   | optional: path to private key file in PEM format [--authentication-scheme] [--second-service]
    --key-password=<password>rename-service          | optional: password for private key file--service --new-service
    remove--cert=<path>service          --service
    get-service-settings    --service --service-type
   | optional: path to certificate file in PEM format store-service-settings  --service --service-type --settings

  Options:
    --inurl=<string><url>                        | optionalrequired: inputJOC string for encryption/decryptionCockpit URL
    --infileuser=<path><account>                    | optionalrequired: inputJOC fileCockpit foruser encryption/decryptionaccount
    --outfilepassword=<path>  <password>                 | optional: outputJOC file for encryption/decryptionCockpit password
    --javaca-home=<directory>cert=<path>                   | optional: path Javato CA HomeCertificate directoryused for encryption/decryption, default: $JAVA_HOMEJOC Cockpit login
    --javaclient-libcert=<directory><path>               | optional: Javapath libraryto directoryClient for encryption/decryption, default: ./libCertificate used for login
    --auditclient-message=<string>key=<path>                | optional: audit log messagepath to Client Key used for login
    --audit-time-spent=<number>timeout=<seconds>                | optional: audittimeout logfor timerequest, spent in minutesdefault: 60
    --auditcontroller-linkid=<url><id>                 | optional: auditController log linkID
    --log-dir=<directory>account=<name[,name]>              | optional: pathlist to directory holding the script's log files

  Switches:
  of accounts
    -h | --helpnew-account=<name[,name]>        | optional: new account names
    --account-password=<password>      | optional: |password displaysfor usageaccount
    -v | --verbose      new-password=<password>               | displaysoptional: verbosenew output,password repeat to increase verbosityfor account
    -p | --passwordservice=<name>                   | |required: asksIdentity forService passwordname
    -k | --key-passwordservice-type=<id>                | asks for key password
    -l | --listoptional: Identity Service type such as JOC, LDAP, LDAP-JOC, OIDC, OIDC-JOC
    --ordering=<number>                | optional: ordering of |Identity listsService versionor informationrole inby JSONascending formatnumber
    --shownew-logsservice=<name>                        | showsoptional: lognew outputIdentity if --log-dir is usedService name
    --makesecond-dirsservice=<name>            | optional: second Identity Service for MFA
    --authentication-scheme=<factor>   | createsoptional: directoriesIdentity ifService theyauthentication do not exist

Commands

...

• Returns version information of JOC Cockpit, Controller and Agents.
  • When used without options, the JOC Cockpit version will be returned.
  • When usiedf with the --controller-id option, the version of the indicated Controller will be returned.
  • When used with the --agent-id option, the version of the indicated Agent will be returned. If a Cluster Agent is specified, then version information for included Director Agents and Subagents will be returned in JSON format.
• When used with the --list switch, then information about included Controllers and/or Agents will be returned in JSON format.

...

• Shifts the active role to the Standby JOC Cockpit instance.

...

• Allows to restart JOC Cockpit background services. One of the following services can be specified using the --service-type option:
  • cluster, history, dailyplan, cleanup, monitor
• JOC Cockpit background services will run based on events (cluster, history, monitor) or based on schedules configurable with JS7 - Settings (dailyplan, cleanup). To force a background service to start immediately the run-service command can be used.

...

• Starts JOC Cockpit background services. One of the following services can be specified using the --service-type option:
  • dailyplan, cleanup
• JOC Cockpit background services will run based on schedules configurable with JS7 - Settings (dailyplan, cleanup). The run-service command will force immediate execution of the service.

...

• Checks which JS7 - License is available with JOC Cockpit and if it is valid for a predetermined period.
  • The Open Source License is valid for any period of time and will not expire.
  • The Commercial License can be perpetual or can be valid for a limited subscription period.
• The --validity-days option specifies the number of days before expiration of the Commercial License. Default: 60 days.
• Exit codes of the license check include: 
  • Exit code 0 signals a valid license for the period specified.
  • Exit code 2 signals an expired license or an inapplicable license check if the Open Source License is used.
  • Exit code 3 signals a valid license that is about to expire within the number of days specified.

...

• Returns JS7 - Settings in JSON format.
• Users can modify settings using the jq utility and can update settings using the store-settings command.

...

• Updates JS7 - Settings in JOC Cockpit. 
• Users can read settings using the get-settings command and can modify settings using the jq utility before updating settings.

...

• Allows to encrypt a value using the --in option. If used to encrypt a file then --infile and --outfile options must be specified.
• The --cert option specifies the path to a file holding the Certificate used for encryption.
• Encryption is performed by Java libraries that are looked up in the ./lib sub-directory of the  JS7 Unix Shell CLI. For details see JS7 - Encryption and Decryption.

...

• Allows to decrypt a value using the --in option. If used to decrypt a file then --infile and --outfile options must be specified.
• The --key option specifies the path to the Private Key used for decryption. If the Private Key is protected by a password, then the --key-password option or switch must be specified.
• Decryption is performed by Java libraries that are looked up in the ./lib sub-directory of the JS7 Unix Shell CLI.

scheme: SINGLE-FACTOR, TWO-FACTOR
    --settings=<json>                  | optional: Identity Service settings in JSON format
    --role=<name[,name]>               | optional: list of roles
    --new-role=<name>                  | optional: new role name
    --permission=<id[,id]>             | optional: list of permission identifiers assigned a role
    --new-permission=<id>              | optional: new permission identifier assigned a role
    --folder=<name[,name]>             | optional: list of folders assigned a role
    --new-folder=<name>                | optional: new folder assigned a role
    --audit-message=<string>           | optional: audit log message
    --audit-time-spent=<number>        | optional: audit log time spent in minutes
    --audit-link=<url>                 | optional: audit log link
    --log-dir=<directory>              | optional: path to directory holding the script's log files

  Switches:
    -h | --help                        | displays usage
    -v | --verbose                     | displays verbose output, repeat to increase verbosity
    -p | --password                    | asks for password
    -a | --account-password            | asks for account password
    -n | --new-password                | asks for new account password
    -f | --force-password-change       | enforces password change on next login
    -e | --enabled                     | filters for enabled accounts
    -d | --disabled                    | filters for disabled accounts or disables Identity Services
    -b | --blocked                     | filters for blocked accounts
    -x | --excluded                    | sets excluded permissions
    -q | --required                    | enforces use of Identity Service
    -r | --recursive                   | applies folder operation to sub-folders
    --show-logs                        | shows log output if --log-dir is used
    --make-dirs                        | creates directories if they do not exist

see https://kb.sos-berlin.com/x/lwTWCQ

Commands

All commands make use of the --service option to specify the Identity Service on which the operation is performed.

Accounts

Operations on accounts are available to Identity Services that hold account information using the JOC, KEYCLOAK-JOC, LDAP-JOC, OIDC-JOC, CERTIFICATE and FIDO service types. For Identity Services that manage accounts on their own such as KEYCLOAK, LDAP, OIDC, the JOC Cockpit does not provide account information. For details see JS7 - Identity Services.

• get-account

  • Returns information about the indicated account or all accounts if the --account option is not specified. 

  • Accounts can be filtered:
    • The --enabled switch will filter results to active accounts
    • The --disabled switch will filter results to inactive accounts.
    • The --blocked switch will filter results to accounts that are blocked. The switch cannot be used with the --enabled and --disabled switches.
• store-account
  • Stores an account to the Identity Service. 
    • An existing role can be assigned using the --role option.
    • The password can be specified using the --account-password option. Consider to use secure input from the commandline using the -a switch. If no password is specified then the initial password is assigned. If a password is specified or the initial password is used, then JOC Cockpit will challenge the user to specify a new password on next login.
    • The --force-password-change switch can be used to make JOC Cockpit challenge the user to specify a new password on next login. The operation is available for existing accounts that hold a password. For new accounts and for accounts assigned a new password users are automatically challenged to specify a new password on next login.
    • The --disabled switch can be used to deactivate an account when it is created. For later enabling/disabling of existing accounts see enable-account and disable-account commands.
  • Handling of passwords allows the API user to specify passwords for other accounts. However, for the affected accounts users will have to change the password on next login.
• rename-account
  • Renames the indicated account.
• remove-account
  • Removes the indicated account from the Identity Service.
• get-account-permission
  • Returns the list of permissions per role assigned the given account.
• set-account-password
  • Sets the password for the indicated account. Consider to use secure input from the commandline using the -a switch.
  • The user will be challenged to specify a new password on next login.
• reset-account-password
  • Resets the account's password to the initial password.
  • The user will be challenged to specify a new password on next login.
• enable-account
  • Activates the account which allows login to JOC Cockpit.
• disable-account
  • Deactivates the account which denies login to JOC Cockpit.
• block-account
  • Adds the account to the blocklist. The account will be denied login to JOC Cockpit.
  • A comment can be specified to indicate the reason for blocking the account.
• unblock-account
  • Removes one or more accounts from the blocklist. The accounts will be allowed login to JOC Cockpit if they are activated/enabled.

Roles

• get-role
  • Returns the indicated role if the --role option is used and otherwise returns all roles.
• store-role
  • Stores a role from its name to JOC Cockpit. Default permissions will be applied to new roles.
  • The --ordering option can be used to specify the position of the role in the list of roles available for the given Identity Service.
• rename-role
  • Renames an existing role.
• remove-role
  • Removes the indicated role from the Identity Service.

Permissions

Permissions are applied to limit operations in the JOC Cockpit API and GUI to certain roles.

For default permissions and permission identifiers see JS7 - Default Roles and Permissions.

• get-permission
  • Returns permissions of the indicated role.
• set-permission
  • Assigns a role one or more permissions that are specified from permission identifiers using the --permission option. If more than one permission identifier is used, then they are separated by comma, for example --permission='sos:products:controller:view','sos:products:controller:agents:view'. Use of single quotes or double quotes is recommended.
  • Permissions can be preceeded a minus to indicate that the permission is denied, for example: --permission='-sos:products:controller:view'. This corrresponds to use of the --excluded switch, but allows to allow/deny permissions individually.
  • If the --excluded switch is used, then indicated permissions are denied. This applies to JOC Cockpit and to all Controllers for which the indicated permissions will be denied.
  • The Controller ID can be specified using the --controller-id option to limit permissions to the given Controller.
• rename-permission
  • Switches an existing permission to a different permission.
• remove-permission
  • Removes the indicated permissions from the role. One or more permissions can be specified separated by comma.

Folder Permissions

Folder permissions are used to apply permissions to certain folders in the JOC Cockpit inventory and to limit user access to folders. If no folder permissions are specified, then users have access to all inventory folders.

For default permissions and permission identifiers see JS7 - Default Roles and Permissions.

• get-folder
  • If the --folder option is used, returns the indicated folder and otherwise returns all folders assigned the given role.
• set-folder
  • Assigns the indicated role one or more folders. If more than one folder is specified, then they are separated by comma, for example --folder=/accounting,/reporting.
  • The --recursive switch can be used to specify that sub-folders similarly should be accessible to the given role.
• rename-folder
  • Switches folder assignment to a different folder.
• remove-folder
  • Removes the indicated folder from the role.

Identity Services

• get-service
  • If the --service option is used, returns the indicated Identity Service and otherwise returns the list of Identity Services.
• store-service
  • Stores the indicated Identity Service.
  • The following options and switches can be used: 
    • The --service-type option specifies the capabilities of the Identity Service such as LDAP, OIDC, FIDO. For the full list of service types see JS7 - Identity Services, Matrix.
    • The --required switch specifies that successful authentication using the Identity Service is required. If the switch is not used, then JOC Cockpit will switch to using the next Identity Service in case of unsuccessful authentication.
    • The --disabled switch can be used to deactivate an Identity Serivce which denies login by any accounts using the Identity Service.
    • The --ordering option can be used to specifiy the position of the Identity Service in the list of Identity Services.
    • The --second-service option specifies a second Identity Service for multi-factor authentication. Use of this option implicitly specifies the --authentication-scheme=TWO-FACTOR option.
    • The --authentication-scheme option allows to specify the following values: SINGLE-FACTOR, TWO-FACTOR.
      • Single-factor authentication specifies that the Identity Service is used as a single factor for authentication.
      • Two-factor authentication specifies that a second Identity Service is used and that successful authentication with both Identity Services is required. For example an Identity Serivce using the LDAP service type can use FIDO as a second factor. This implies that secrets are stored on different media: the LDAP password is stored with the user's brain while the FIDO secret is stored on the user's device, for example on a USB key or in an authenticator application on a smartphone. 
• rename-service
  • Renames the indicated Identity Service.
• remove-service
  • Removes the indicated Identity Service and related objects such as roles, permissions, folder permissions and accounts recursively.
  • Users should check that after removal an Identity Service remains that allows to login. To restore access to JOC Cockpit consider JS7 - Rescue in case of lost access to JOC Cockpit.
• get-service-settings
  • Returns settings from an Identity Service. For example, the LDAP, OIDC and FIDO Identity Services hold confiugration items with their service settings.
  • Settings are returned in JSON format and can be stored to environment variables or to files, for example
    • settings=$(./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP)
    • ./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP > /tmp/ldap.settings.json
• store-service-settings
  • Stores Identity Service settings that have previously been retrieved using the get-service-settings command.
  • Settings are expected in JSON format from the value of the --settings option. If settings have previously been stored to a file, then they can be assigned like this:
    • settings=$(cat ./examples/ldap-settings.json)
    • ./deploy-identity-service.sh get-service-settings ... --settings="$settings"

Options

• --url
  • Specifies the URL by which JOC Cockpit is accessible using <http|https>://<host>:<port>.
  • Example: http://centostest-primary.sos:4446
  • Example: https://centostest-primary.sos:4443
• --user
  • Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the --client-cert and --client-key options then their common name (CN) attribute has to match the user account.
  • If a user account is specified then a password can be specified using the --password option or interactive keyboard input can be prompted using the -p switch.
• --password
  • Specifies the password used for the account specified with the --user option for login to JOC Cockpit.
  • Password input from the command line is considered insecure. Consider use of the -p switch offering a secure option for interactive keyboard input.
• --ca-cert
  • Specifies the path to a file in PEM format that holds the Root CA Certificate and optionally Intermediate CA Certificates to verify HTTPS connections to JOC Cockpit.
• --client-cert
  • Specifies the path to a file in PEM format that holds the Client Certificate if HTTPS mutual authentication is used..
• --client-key
  • Specifies the path to a file in PEM format that holds the Client Private Key if HTTPS mutual authentication is used..
• --timeout
  • Specifies the maximum duration for requests to the JS7 REST Web Service. Default: 60 seconds.
• --controller-id
  • Specifies the identification of the Controller.
• --account
  • When used with commands on accounts, specifies the related account.
  • When used with the remove-account, reset-account-password, enable-account and disable-account commands, one or more accounts can be specified separated by comma, for example:: --account=user1,user2.
• --new-account
  • When used with the rename-account command, specifies the new name of the account.
• --account-password
  • When used with the store-account and set-account-password commands, specifies the account's password.
  • Command line input for passwords is considered insecure. Consider use of the -a switch for secure interactive keyboard input for passwords.
• --new-password
  • When used with the set-account-password command, specifies the account's new password.
  • Command line input for passwords is considered insecure. Consider use of the -n switch for secure interactive keyboard input for passwords.
• --service
  • Specifies the name of the Identity Service.
• --service-type
  
  • The option specifies the capabilities of the Identity Service such as LDAP, OIDC, FIDO. For the full list of service types see JS7 - Identity Services, Matrix.
• --ordering
  • When used with the store-role command, specifies the role's position in the list of roles. If the option is not used, then a newly added role will be appended.
  • When used with the store-service command, specifies the Identity Service's position in the list of Identity Services. The ordering of Identity Services specifies the sequence by which Identity Services will be triggered if more than one Identity Service is used for authentication.
• --new-service
  • When used with the rename-service command, specifies the new name of the Identity Service.
• --second-service
  • When used with the store-service command, specifies the identifier of a second Identity Service that is used for multi-factor authentication (MFA).
  • Use of the option requires to specify the --authentication-scheme option with the value TWO-FACTOR.
• --authentication-scheme
  • When used with the store-service command, specifies single-factor or two-factor authentication using one of the values: SINGLE-FACTOR, TWO-FACTOR.
  • Use of the option value TWO-FACTOR requires to specify the --second-service option.
• --role
  • Specifies the name of a role. for role-based or permission-based commands.
  • If more than one role is specified, then they are separated by comma, for example: --role=administrator,business-user.
• --new-role
  • When used with the rename-role command, specifies the new name of the role.
• --permission
  • When used with the set-permission, rename-permission and remove-permission commands, specifies the permission identifiers to be used. For available permission identifiers see JS7 - Default Roles and Permissions.
  • If more than one permission is used, then permission identifiers are separated by comma, for example: --permission='sos:products:controller:view','sos:products:controller:agents:view'. 
• --new-permission
  • When used with the rename-permission command, specifies the new permission identifier.
• --folder
  • Specifies the folder to which permissions are applied and that limit user access to JOC Cockpit inventory folders.
  • If more than one folder is used, then they are separated by comma, for example --folder=/accounting,/reporting.
• --new-folder
  • When used with the rename-folder command, specifies the new permission identifier.
• --audit-message
  • Specifies a message that is made available to the Audit Log.
  • Specification of Audit Log messages can be enforced on a per user basis and for a JS7 environment.
• --audit-time-spent
  • Specifies the time spent to perform an operation which is added to the Audit Log.
  • The option can be specified if the --audit-message option is used.
• --audit-link
  • Specifies a link (URL) which is added to the Audit Log.
  • The option can be specified if the --audit-message option is used.
• --log-dir
  • If a log directory is specified then the script will log information about processing steps to a log file in this directory.
  • File names are created according to the pattern: deploy-identity-service.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
  • For example: deploy-identity-service.2024-10-19T20-50-45.log

Switches

• -h | --help
  • Displays usage.
• -v | --verbose
  • Displays verbose log output that includes requests and responses with the JS7 REST Web Service.
  • When used twice as with -v -v then curl verbose output will be displayed.
• -p | --password
  • Asks the user for interactive keyboard input of the password used for the account specified with the --user option..
  • The switch is used for secure interactive input as an alternative to use of the option --password=<password>.
• -a | --account-password
  • When used with the store-account and set-account-password commands, asks the user for interactive keyboard input of the existing password used for the account.
  • The switch is used for secure interactive input as an alternative to use of the --account-password=<password> option.
• -n | --new-password
  • When used with the set-account-password command, asks the user for interactive keyboard input of the new password used for the account.
  • The switch is used for secure interactive input as an alternative to use of the --new-account-password=<password> option.
• -f | --force-password-change
  • When used with the store-account command, specifies that the user will be challenged to type a new password on next login.
  • The switch is used for existing accounts. Use of the switch is not required in the following situations that will automatically challenge the user to specify a new password on next login:
    • For new accounts using the initial password and for accounts assigned a password using the --account-password option or switch.
    • If the account is assigned a password using the set-account-password command.
    • If the account's password is reset to the initial password using the reset-account-password command
• -e | --enabled
  • When  used with the get-account command, filters results to enabled accounts.
  • When used with the remove-account command, limits the operation to enabled accounts.
• -d | --disabled
  • When  used with the get-account command, filters results to disabled accounts.
  • When  used with the store-account command, specifies that the indicated account will be deactivated.
  • When used with the remove-account command, limits the operation to disabled accounts.
  • When  used with the store-service command, specifies that the Identity Service will be deactivated.
• -b | --blocked
  • When used with the get-service command, returns the list of blocked accounts.
  • The result list will be filtered if the --acount option is specified for an account.
• -x | --excluded
  • When used with the set-permission command, specifies that the permission will be denied. This applies to JOC Cockpit permissions and to permissions for all Controllers.
• -q | --required
  • When used with the store-service command, specifies that successful authentication using the Identity Service is required. If the switch is not used, then JOC Cockpit will switch to using the next Identity Service in case of unsuccessful authentication.
• -r | --recursive
  • When used with the set-folder and rename-folder commands, specifies that folder permissions are applied to sub-folders.
• --show-logs
  • Displays the log output created by the script if the --log-dir option is used.
• --make-dirs
  • If directories are missing that are indicated with the --log-dir option then they will be created.

Exit Codes

• 0: operation successful
• 1: argument errors
• 3: no objects found
• 4: JS7 REST Web Service is not reachable or reports errors

Examples

The following examples illustrate typical use cases.

Identity Services

Getting Identity Services

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# get list of Identity Services
./deploy-identity-service.sh get-service "${request_options[@]}"

# get Identity Service
./deploy-identity-service.sh get-service "${request_options[@]}" --service=JOC-INITIAL

Creating and Updating Identity Services

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# store Identity Service
./deploy-identity-service.sh store-service "${request_options[@]}" --service=New-Service --service-type=OIDC

# store Identity Service using password for single-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=New-Service --service-type=LDAP \
                                           --authentication-scheme=SINGLE-FACTOR

# store Identity Service using two-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=FIDO-Service --service-type=FIDO
./deploy-identity-service.sh store-service "${request_options[@]}" --service=LDAP-Service --service-type=LDAP \
                                           --authentication-scheme=TWO-FACTOR

Renaming and Removing Identity Services

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# rename Identity Service
./deploy-identity-service.sh rename-service "${request_options[@]}" --service=Old-Service --new-service=New-Service

# remove Identity Service
./deploy-identity-service.sh remove-service "${request_options[@]}" --service=New-Service

Roles

Creating and Updating Roles

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# get list of roles
./deploy-identity-service.sh get-role   "${request_options[@]}" --service=JOC-INITIAL

# get role
./deploy-identity-service.sh get-role   "${request_options[@]}" --service=JOC-INITIAL --role=administrator

# store role
./deploy-identity-service.sh store-role "${request_options[@]}" --service=JOC-INITIAL --role=backoffice-user

Renaming and Removing Roles

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# rename role
./deploy-identity-service.sh rename-role "${request_options[@]}" --service=JOC-INITIAL --role=backoffice-user --new-role=business-user

# remove role
./deploy-identity-service.sh remove-role "${request_options[@]}" --service=JOC-INITIAL --role=business-user

# remove roles
./deploy-identity-service.sh remove-role "${request_options[@]}" --service=JOC-INITIAL --role=business-user,incident-manager

Permissions

Creating and Updating Permissions

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# get permissions for role
./deploy-identity-service.sh get-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user

# assign permissions to role
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
                                            --permission='sos:products:controller:view','sos:products:controller:agents:view'

Renaming and Removing Permissions

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root) 

# rename permission
./deploy-identity-service.sh rename-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
                                               --permission='sos:products:controller:deployment:manage' \
                                               --new-permission='sos:products:controller:deployment:view' --excluded

# remove permission
./deploy-identity-service.sh remove-permission

Options

• --url
  • Specifies the URL by which JOC Cockpit is accessible using <http|https>://<host>:<port>.
  • Example: http://centostest-primary.sos:4446
  • Example: https://centostest-primary.sos:4443
• --user
  • Specifies the user account for login to JOC Cockpit. If JS7 - Identity Services are available for Client authentication certificates that are specified with the --client-cert and --client-key options then their common name (CN) attribute has to match the user account.
  • If a user account is specified then a password can be specified using the --password option or interactive keyboard input can be prompted using the -p switch.
• --password
  • Specifies the password used for the account specified with the --user option for login to JOC Cockpit.
  • Password input from the command line is considered insecure.
    • Consider use of the -p switch offering a secure option for interactive keyboard input.
    • Consider use of the encrypt command to encrypt a password: ./operate-joc.sh encrypt --in=root --cert=encrypt.crt.
      • The encryption result will include the prefix enc: followed by the encrypted symmetric key, initialization vector and encrypted secret separated by space.
      • If an encrypted password is specified, then it will be decrypted using the Private Key file: ./operate-joc.sh <command> --password="enc:BF8J8KP7TPlxy..." --key=encrypt.key.
• --ca-cert
  • Specifies the path to a file in PEM format that holds the Root CA Certificate and optionally Intermediate CA Certificates to verify HTTPS connections to JOC Cockpit.
• --client-cert
  • Specifies the path to a file in PEM format that holds the Client Certificate if HTTPS mutual authentication is used..
• --client-key
  • Specifies the path to a file in PEM format that holds the Client Private Key if HTTPS mutual authentication is used..
• --timeout
  • Specifies the maximum duration for requests to the JS7 REST Web Service. Default: 60 seconds.
• --controller-id
  • Specifies the identification of the Controller.
• --agent-id
  • The Agent ID specifies a unique identifier for a Standalone Agent or Agent Cluster that cannot be changed later on.
  • Agents are identified from their Agent ID.
• --service-type
  • When used with the restart-service command, specifies the service that should be restarted.
  • One of the following services can be specified: cluster, history, dailyplan, cleanup, monitor
• --validity-days
  • When used with the checck-license command, specifies the number of days before expiration of a JS7 license.
    • Exit code 2 signals an expired license or an inapplicable license check if the Open Source License is used.
    • Exit code 3 signals a valid license that is about to expire within the number of days specified.
• --settings
  • When used with the store-settings command, specifies settings from their JSON format.
• --key
  • When used with the decrypt command, specifies the path to a file that holds the Private Key in PEM format used for decryption.
• --cert
  
  • When used with the encrypt command, specifies the path to a file that holds the CA-signed or self-signed X.509 Certificate. Alternatively, the path to a file holding the Public Key can be specified. The Certificate/Public Key is expected in PEM format.
  • For encryption the Certificate/Public Key must match the Private Key used for later decryption specified with the --key option.
• --key-password
  • When used with the decrypt command, specifies the password for access to the key file using the --key option.
  • Password input from the command line is considered insecure.
    • Consider use of the -k switch or more elaborate mechanisms, for example by temporarily populating the system keystore form a security key such as a YubiKey® or similar.
    • Consider use of encrypted passwords as explained with the --password option.
• --in
  • When used with the encrypt and decrypt commands, specifies the input value that should be encrypted or decrypted.,
  • One of the options --in or --infile can be specified.
• --infile
  • When used with the encrypt and decrypt commands, specifies the path to the input file that should be encrypted/decrypted.
  • One of the options --in or --infile can be specified. This option requires use of the --outfile option.
• --outfile
  • When used with the encrypt command, specifies the path to the output file that will be created holding the encrypted content of the input file.
  • When used with the decrypt command, specifies the path to the output file that will be created holding the decrypted content of the input file.
  • The option is required if the --infile option is specified
• --java-home
  • When used with the encrypt and decrypt commands or with encrypted passwords, specifies the Java home directory. By default the JAVA_HOME environment variable is used to determine the location of Java.
  • The Java home directory is the top-level directory of a Java installation. The directory includes the bin sub-directory and java executable.
• --java-lib
  • When used with the encrypt and decrypt commands or with encrypted passwords, a number of Java libraries are required to perform encryption/decryption.
  • The Java libraries are expected in the lib sub-directory of the JS7 Unix Shell CLI. Default: ./lib.
• --audit-message
  • Specifies a message that is made available to the Audit Log.
  • Specification of Audit Log messages can be enforced on a per user basis and for a JS7 environment.
• --audit-time-spent
  • Specifies the time spent to perform an operation which is added to the Audit Log.
  • The option can be specified if the --audit-message option is used.
• --audit-link
  • Specifies a link (URL) which is added to the Audit Log.
  • The option can be specified if the --audit-message option is used.
• --log-dir
  • If a log directory is specified then the script will log information about processing steps to a log file in this directory.
  • File names are created according to the pattern: operate-joc.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
  • For example: operate-joc.2022-03-19T20-50-45.log

Switches

• -h | --help
  • Displays usage.
• -v | --verbose
  • Displays verbose log output that includes requests and responses with the JS7 REST Web Service.
  • When used twice as with -v -v then curl verbose output will be displayed.
• -p | --password
  • Asks the user for interactive keyboard input of the password used for the account specified with the --user option..
  • The switch is used for secure interactive input as an alternative to use of the option --password=<password>.
• -k | --key-password
  • Asks the user for interactive keyboard input of the password used for access to a keystore or key file specified with the --keystore or --key options.
  • The switch is used for secure interactive input as an alternative to use of the --key-password=<password> option.
• -l | --list
  • Lists version information in JSON format when used with the version command.
• --show-logs
  • Displays the log output created by the script if the --log-dir option is used.
• --make-dirs
  • If directories are missing that are indicated with the --log-dir option then they will be created.

Exit Codes

• 0: operation successful
• 1: argument errors
• 3: no objects found
• 4: JS7 REST Web Service is not reachable or reports errors

Examples

The following examples illustrate typical use cases.

Getting Status Information

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root --controller-id=controller)

# get status information for Standalone JOC Cockpit
response=$(./operate-joc.sh status "${request_options[@]}")
# returns response
{"clusterState":{"_text":"ClusterUnknown","severity":2},"controllers":[{"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerId":"controller","host":"localhost","id":20,"isCoupled":false,"javaVersion":"21+35-2513","os":{"architecture":"amd64","distribution":"3.10.0-1160.92.1.el7.x86_64","name":"Linux"},"role":"STANDALONE","securityLevel":"HIGH","startedAt":"2024-09-03T09:52:38.918Z","surveyDate":"2024-09-23T10:10:01.496Z","title":"Standalone Controller","url":"http://localhost:4444","version":"2.7.2"}],"database":{"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"dbms":"H2","version":"1.4.200 (2019-10-14)"},"deliveryDate":"2024-09-23T10:10:01.499Z","jocs":[{"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerConnectionStates":[{"role":"STANDALONE","state":{"_text":"established","severity":0}}],"current":true,"host":"localhost","id":1,"instanceId":"joc#0","isApiServer":false,"lastHeartbeat":"2024-09-23T10:09:43.682Z","memberId":"localhost:1ce420678f21a574e6adeb2f218f5bd40ed1b1bf9005414bcf060fba2e4c5a67","os":{"architecture":"amd64","distribution":"3.10.0-1160.92.1.el7.x86_64","name":"Linux"},"securityLevel":"HIGH","startedAt":"2024-09-19T20:55:34.522Z","title":"My JOC Cockpit","url":"http://localhost:4446","version":"2.7.2"}]}
# get severity from status information
echo "$response" | jq -r '.jocs[0].componentState.severity // empty'
echo "$response" | jq -r '.jocs[0].connectionState.severity // empty'
echo "$response" | jq -r '.jocs[0].controllerConnectionStates[0].state.severity // empty'
echo "$response" | jq -r '.jocs[0].version // empty'
echo "$response" | jq -r '.database.componentState.severity // empty'
echo "$response" | jq -r '.database.connectionState.severity // empty'

# get status information for JOC Cockpit Cluster
response=$(./operate-joc.sh status --service=JOC-INITIAL --role=business-user \
                                               --permission='sos:products:controller:deployment:view'

# remove permissions
./deploy-identity-service.sh remove-permission "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
                                               --permission='sos:products:controller:deployment','sos:products:controller:agents:view'

Folder Permissions

Creating and Updating Folder Permissions

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# get folder permissions for all folders assigned the indicated role
./deploy-identity-service.sh get-folder "${request_options[@]}" --service=JOC-INITIAL --role=business-user

# get folder permissions for the indicated role and folder
./deploy-identity-service.sh get-folder "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
                                        --folder=/accounting

# set folder permissions recursively for a number of folders
./deploy-identity-service.sh set-folder "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
                                        --folder=/accounting,/reporting --recursive

Renaming and Removing Folder Permissions

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root) 

# rename folder permissions
./deploy-identity-service.sh rename-folder "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
                                           --folder=/accounting --new-folder=/reporting --recursive

# remove folder permissions
./deploy-identity-service.sh remove-folder "${request_options[@]}" --service=JOC-INITIAL --role=business-user \
                                           --folder=/reporting

Accounts

Creating and Updating Accounts

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# get list of accounts
./deploy-identity-service.sh get-account   "${request_options[@]}" --service=JOC-INITIAL

# get account
./deploy-identity-service.sh get-account   "${request_options[@]}" --service=JOC-INITIAL --account=test-account

# store account using initial password
./deploy-identity-service.sh store-account "${request_options[@]}")
# returns response
{"clusterState":{"_text":"ClusterCoupled","severity":0},"controllers":[{"clusterNodeState":{"_text":"inactive","severity":1},"clusterUrl":"http://localhost:4444","componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerId":"controller_cluster","host":"localhost","id":2,"isCoupled":true,"javaVersion":"17.0.12+7-alpine-r0","os":{"architecture":"amd64","distribution":"3.10.0-1160.92.1.el7.x86_64","name":"Linux"},"role":"PRIMARY","securityLevel":"MEDIUM","startedAt":"2024-09-18T20:29:33.271Z","surveyDate":"2024-09-23T10:07:16.768Z","title":"PRIMARY CONTROLLER","url":"http://localhost:4444","version":"2.7.2"},{"clusterNodeState":{"_text":"active","severity":0},"clusterUrl":"http://localhost:4444","componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerId":"controller_cluster","host":"localhost","id":3,"isCoupled":true,"javaVersion":"17.0.12+7-alpine-r0","os":{"architecture":"amd64","distribution":"3.10.0-1160.92.1.el7.x86_64","name":"Linux"},"role":"BACKUP","securityLevel":"MEDIUM","startedAt":"2024-09-18T20:29:33.972Z","surveyDate":"2024-09-23T10:07:16.737Z","title":"SECONDARY CONTROLLER","url":"http://localhost:44444","version":"2.7.2"}],"database":{"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"dbms":"MySQL","version":"5.7.33"},"deliveryDate":"2024-09-23T10:07:16.773Z","jocs":[{"clusterNodeState":{"_text":"active","severity":0},"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerConnectionStates":[{"role":"PRIMARY","state":{"_text":"established","severity":0}},{"role":"BACKUP","state":{"_text":"established","severity":0}}],"current":true,"host":"localhost","id":3,"instanceId":"joc#0","isApiServer":false,"lastHeartbeat":"2024-09-23T10:07:13Z","memberId":"localhost:97c88ccc3975703ebd0b7277d394ec8768f88b31775e8df038572d2547c240a0","os":{"architecture":"amd64","distribution":"3.10.0-957.1.3.el7.x86_64","name":"Linux"},"securityLevel":"MEDIUM","startedAt":"2024-09-20T15:50:41Z","title":"PRIMARY JOC COCKPIT","url":"http://localhost:4446","version":"2.7.2"},{"clusterNodeState":{"_text":"inactive","severity":1},"componentState":{"_text":"operational","severity":0},"connectionState":{"_text":"established","severity":0},"controllerConnectionStates":[{"role":"PRIMARY","state":{"_text":"established","severity":0}},{"role":"BACKUP","state":{"_text":"established","severity":0}}],"current":false,"host":"localhost","id":1,"instanceId":"joc#1","isApiServer":false,"lastHeartbeat":"2024-09-23T10:07:12Z","memberId":"localhost:97c88ccc3975703ebd0b7277d394ec8768f88b31775e8df038572d2547c240a0","os":{"architecture":"amd64","distribution":"3.10.0-957.1.3.el7.x86_64","name":"Linux"},"securityLevel":"MEDIUM","startedAt":"2024-09-20T15:50:40Z","title":"SECONDARY JOC COCKPIT","url":"http://localhost:4446","version":"2.7.2"}]}
# get severity from status information
echo "$response" | jq -r '.clusterState.severity // empty'
echo "$response" | jq -r '.controllers[0].componentState.severity // empty'
echo "$response" | jq -r '.controllers[0].connectionState.severity // empty'
echo "$response" | jq -r '.controllers[1].componentState.severity // empty'
echo "$response" | jq -r '.controllers[1].connectionState.severity // empty'
echo "$response" | jq -r '.jocs[0].componentState.severity // empty'
echo "$response" | jq -r '.jocs[0].connectionState.severity // empty'
echo "$response" | jq -r '.jocs[0].version // empty'
echo "$response" | jq -r '.database.componentState.severity // empty'
echo "$response" | jq -r '.database.connectionState.severity // empty'

Getting Version Information

 --service=JOC-INITIAL --account=test-account

Setting Account Password

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root) 

# store account with specific password
./deploy-identity-service.sh store-account          "${request_options[@]}" --service=JOC-INITIAL --account=test-account \
                                                    --account-password=secret

# trigger password change for account on next login
./deploy-identity-service.sh store-account          "${request_options[@]}" --service=JOC-INITIAL --account=test-account \
                                                    --force-password-change

# set account password
./deploy-identity-service.sh set-account-password   "${request_options[@]}" --service=JOC-INITIAL --account=test-account \
                                                    --account-password=secret --new-password=very-secret

# reset account to use initial password
./deploy-identity-service.sh reset-account-password "${request_options[@]}" --service=JOC-INITIAL --account=test-account

Enabling and Disabling Accounts

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root) 

# enable account
./deploy-identity-service.sh enable-account "${request_options[@]}" --service=JOC-INITIAL --account=test-account

# disable account
./deploy-identity-service.sh disable-account "${request_options[@]}" --service=JOC-INITIAL --account=test-account

Blocking and Unblocking Accounts

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root) 

# block account
./deploy-identity-service.sh block-account "${request_options[@]}" --service=JOC-INITIAL --account=test-account

# get blocked account
./deploy-identity-service.sh get-account "${request_options[@]}" --service=JOC-INITIAL --account=test-account --blocked

# unblock account
./deploy-identity-service.sh unblock-account "${request_options[@]}" --service=JOC-INITIAL --account=test-account

# get list of blocked accounts
./deploy-identity-service.sh get-account "${request_options[@]}" --service=JOC-INITIAL --blocked

Renaming and Removing Accounts

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root) 

# rename account
./deploy-identity-service.sh rename-account "${request_options[@]}" --service=JOC-INITIAL --account=test-account --new-account=test-account2                   

# remove account
./deploy-identity-service.sh remove-account "${request_options[@]}" --service=JOC-INITIAL --account=test-account2                                               -

# remove accounts
./deploy-identity-service.sh remove-account "${request_options[@]}"  --service=JOC-INITIAL --account=test-account1,test-account2

Setting up Identity Management

Setting up JOC Identity Service, Roles, Permissions and Accounts

The example is used to set up a JOC Identity Service from scratch:

• The Identity Service is created
• Roles for developers and operators are created.
• Roles are assigned frequently used permissions. For permission identifiers see JS7 - Default Roles and Permissions.
• Accounts are created that are assigned the initial password. On next login users are challenged to change password.
  
  

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# create Identity Service using password for single-factor authentication
./deploy-identity-service.sh store-service "${request_options[@]}" --service=My-Service --service-type=JOC \
                                           --authentication-scheme=SINGLE-FACTOR

# create roles
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=developer
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=operator

# assign permissions to roles
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=developer \
                                            --permission='sos:products:joc:administration:view','sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster','sos:products:joc:inventory','sos:products:controller:view','sos:products:controller:agents:view'

./deploy-identity-service.sh set-permission

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# get JOC Cockpit version
./operate-joc.sh version "${request_options[@]}"
# returns
2.7.2

# get Controller version
./operate-joc.sh version "${request_options[@]}" ---controller-id=controller
# returns
2.7.2

# get Standalone Agent version
./operate-joc.sh version "${request_options[@]}" --agent-id=StandaloneAgent
# returns
2.7.2

# get Agent Cluster version
./operate-joc.sh version "${request_options[@]}" --agent-id=AgentCluster
# returns
2.7.2

# get version of specific Controller and of all Agents in Agent Cluster
response=$(./operate-joc.sh versionservice=My-Service --role=operator \
                                            --permission='sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster:view','sos:products:controller:view','sos:products:controller:agents:view'

# create accounts and assign roles 
./deploy-identity-service.sh store-account  "${request_options[@]}" --controller-id=controllerservice=My-Service --agent-idaccount=AgentClusterdev --list)
# returns response
{
  "agentVersions":[
    {"agentId":"AgentCluster","compatibility":"COMPATIBLE","uri":"https://diragent-2-0-primary:4443","version":"2.7.2"},
    {"agentId":"AgentCluster","compatibility":"COMPATIBLE","subagentId":"director_primary_001","uri":"https://diragent-2-0-primary:4443","version":"2.7.2"},
    {"agentId":"AgentCluster","compatibility":"COMPATIBLE","subagentId":"director_secondary_001","uri":"https://diragent-2-0-secondary:4443","version":"2.7.2"},
    {"agentId":"AgentCluster","compatibility":"COMPATIBLE","subagentId":"subagent_primary_001","uri":"https://subagent-2-0-primary:4443","version":"2.7.2"},
    {"agentId":"AgentCluster","compatibility":"COMPATIBLE","subagentId":"subagent_secondary_001","uri":"https://subagent-2-0-secondary:4443","version":"2.7.2"},
    {"agentId":"AgentCluster","compatibility":"COMPATIBLE","subagentId":"subagent_third_001","uri":"https://subagent-2-0-third:4443","version":"2.7.2"}
  ],
  "controllerVersions":[
    {"compatibility":"COMPATIBLE","controllerId":"controller","uri":"https://controller-2-0-standalone:4443","version":"2.7.2"}
  ],
  "jocVersion":"2.7.2"
}
# get version of specifc Agent
echo "$response" | jq -r '.agentVersions[] | select(.subagentId == "director_primary_001") | .version // empty'

Switching-over for JOC Cockpit Cluster

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# switch-over active role
./operate-joc.sh switch-over "${request_options[@]}" --controller-id=controller

Restarting and Running Services

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# restart service: cluster, history, dailyplan, cleanup, monitor
./operate-joc.sh restart-service "${request_options[@]}" --service-type=history

# run service: dailyplan, cleanup
./operate-joc.sh run-service "${request_options[@]}" --service-type=cleanup

...

role=developer
./deploy-identity-service.sh store-account  "${request_options[@]}" --service=My-Service --account=ops --role=operator

Setting up LDAP Identity Service, Roles, Permissions and Accounts

The example is used to set up an Identity Service from scratch:

• The Identity Service is created. For use with Identity Services such as LDAP, OIDC, FIDO the related service settings have to be provided from .json files. Such files can be created by reading Identity Service settings.

  Code Block
  language yml title Example for LDAP settings in JSON Format linenumbers true collapse true
  { "simple": { "iamLdapHost": "openldap-2-4", "iamLdapHostNameVerification": null, "iamLdapPort": 636, "iamLdapProtocol": "SSL" }, "expert": { "iamLdapGroupNameAttribute": "cn", "iamLdapGroupRolesMap": { "items": [ { "ldapGroupDn": "js7dev", "roles": [ "developer" ] }, { "ldapGroupDn": "js7ops", "roles": [ "operator" ] } ] }, "iamLdapGroupSearchBase": "dc=sos-berlin,dc=com", "iamLdapGroupSearchFilter": "(memberUid=%s)", "iamLdapSearchBase": "", "iamLdapServerUrl": "ldaps://openldap-2-4:636", "iamLdapUseStartTls": false, "iamLdapUserDnTemplate": "uid={0},ou=users,ou=sales,o=sos,dc=sos-berlin,dc=com", "iamLdapUserNameAttribute": "", "iamLdapUserSearchFilter": "" } }

• Roles for developers and operators are created.
• Roles are assigned frequently used permissions. For permission identifiers see JS7 - Default Roles and Permissions.
• Accounts are created that are assigned the initial password. On next login users are challenged to change password.
  
  

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# check license create Identity Service using password for single-factor authentication
./operatedeploy-identity-jocservice.sh checkstore-licenseservice "${request_options[@]}"
# returns response
.... License type: COMMERCIAL_VALID
.... License valid: true
.... License valid from: 2021-05-05T12:22:41Z
.... License valid until: 2026-05-04T12:22:41Z

Getting and Storing Settings

# common options for connection to JS7 REST API
request_options=(--url=http://localhost:4446 --user=root --password=root)

# get settings
settings=$(./operate-joc.sh get- --service=My-Service --service-type=LDAP \
                                           --authentication-scheme=SINGLE-FACTOR

# get settings from an existing Identity Service
#     store settings to an environment variable
# settings=$(./deploy-identity-service.sh get-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP)
#     store settings to a file
# ./deploy-identity-service.sh get-service-settings "${request_options[@]}")

# update settings
settings=$(echo "${settings}" | jq '.dailyplan.days_ahead_submit.value = "4"')
settings=$(echo "${settings}" | jq '.dailyplan.days_ahead_plan.value = "6"')

# store settings
./operate-joc.sh store- --service=My-Service --service-type=LDAP > ./examples/ldap-settings.json
#     read settings from a file
# settings=$(cat ./examples/ldap-settings.json)
 
# store Identity Service settings
./deploy-identity-service.sh store-service-settings "${request_options[@]}" --service=My-Service --service-type=LDAP --settings="${settings}"

Encrypting and Decrypting

...

# create Private Key
openssl ecparam -name secp384r1 -genkey -noout -out encrypt.key

# create Certificate Signing Request
openssl req -new -sha512 -nodes -key encrypt.key -out encrypt.csr -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=Encrypt"

# create Certificate
openssl x509 -req -sha512 -days 1825 -signkey encrypt.key -in encrypt.csr -out encrypt.crt -extfile <(printf "keyUsage=critical,keyEncipherment,keyAgreement\n")


# encrypt a secret such as a password using the Certificate, the encryption result will be returned and will look like: enc:BEXbHYa...
./operate-joc.sh encrypt --in="root" --cert=encrypt.crt

# options for connection to the JS7 REST API can specify the encryption result as password and the Private Key for decryption
request_options=(--url=http://localhost:4446 --user=root --password="enc:BEXbHYa..." --key=encrypt.key --controller-id=controller)

# for example, when getting version information, the Private Key is used to decrypt the password for access to the REST API on-the-fly
./operate-joc.sh version "${request_options[@]}"

# decrypt an encrypted secret using the Private Key
./operate-joc.sh decrypt --in="enc:BEXbHYa..." --key=encrypt.key$settings"

# create roles
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=developer
./deploy-identity-service.sh store-role     "${request_options[@]}" --service=My-Service --role=operator

# assign permissions to roles
./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=developer \
                                            --permission='sos:products:joc:administration:view','sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster','sos:products:joc:inventory','sos:products:controller:view','sos:products:controller:agents:view'

./deploy-identity-service.sh set-permission "${request_options[@]}" --service=My-Service --role=operator \
                                            --permission='sos:products:joc:auditlog:view','sos:products:joc:calendars:view','sos:products:joc:cluster:view','sos:products:controller:view','sos:products:controller:agents:view'

Resources

• API
  • JS7 - REST Web Service API
  • JS7 - PowerShell Module
• Workflow Deployment Operations
  • JS7 - Unix Shell CLI for Workflow Deployment
• Workflow Status Operations
  • JS7 - Unix Shell CLI for Workflow Status Operations 
• Controller Deployment Operations
  • JS7 - Unix Shell CLI for Controller Deployment
• Controller Status Operations
  • JS7 - Unix Shell CLI for Controller Status Operations
• JOC Cockpit Status Operations
  • JS7 - Unix Shell CLI for JOC Cockpit Status Operations