...
- Security Level Low
  - Inventory objects are automatically signed with the Private Key that is stored with the root account.
  - Signing is automatically applied when performing the Deploy operation.
  - The Profile page for Signature Key Management is available only for the user account that is specified as the default profile account in the JS7 - Settings, chapter: JOC Cockpit Settings.
- Security Level Medium
  - Inventory objects are automatically signed with the Private Key that is stored with the current user's account.
  - Signing is automatically applied when performing the Deploy operation.
  - The Profile page for Signature Key Management is available individually for any user account holding a Deploy permission, see JS7 - Default Roles and Permissions.
- Security Level High
  - Inventory objects are signed outside of JOC Cockpit.
  - A Profile page for Signature Key Management is not available.
The article is intended for a security-aware audience that is technically familiar with digital key management. JS7 supports both X.509 and PGP certificates; the following descriptions are focused on the use of X.509 Certificates.
Profile Page
The Profile page is accessible from the user menu of an account in the upper right-hand corner of any JOC Cockpit view:
...
The Signature Key Management sub-view allows configuration of the following settings:
CA Certificate
Users have the option to:
- use a CA-signed certificate
  - created by the JS7 - Certificate Authority available with JOC Cockpit,
  - created by their own or by a trusted 3rd-party Certificate Authority,
- use a self-signed certificate.
The use of CA certificates means that:
...
...
Operations for CA Certificates include:
- viewing the CA Certificate using the icon,
- updating the CA Certificate using the icon,
- importing the CA Certificate using the icon.
View CA Certificate
...
Update CA Certificate
...
Import CA Certificate
...
Keys and Certificates
User accounts have to be equipped with a Private Key and Certificate issued for digital signing in order to deploy scheduling objects to Controllers and Agents:
- If a user's Certificate is signed by a Certificate Authority then it is sufficient to roll out the CA Certificate to the Controller and Agent instances to which the user should be entitled to deploy scheduling objects such as workflows.
- If a user's Certificate is self-signed then the Certificate itself has to be rolled out to the Controller and Agent instances to which the user should be entitled to perform deployments.
Users have options about the issuer of Private Keys and Certificates:
- Use of the built-in JS7 Certificate Authority
  - The JOC Cockpit provides the option of digitally signing a user account's public key from its built-in CA, see JS7 - Certificate Authority.
  - Users can generate a Private/Public Key pair and make the JS7 Certificate Authority sign their Public Key to a Certificate in a single operation.
- Use of an external Certificate Authority
  - If an external CA is used then users have to create a Certificate Signing Request (CSR) outside of the JOC Cockpit and make their external CA sign this request. The resulting certificate can be added to the user's Profile in JOC Cockpit. For details see JS7 - How to create X.509 Signing Certificates.
  - If users do not operate a CA or do not have certificates available then they can continue to use the default Private Key and Certificate that ship with the JOC Cockpit.
    - In this situation by default only the root account can be used to deploy scheduling objects such as workflows, which suggests operating the JOC Cockpit for Security Level Low, as the root account's Private Key and Certificate will be used for signing deployments by any user account.
    - The Security Level Medium means that each user account has to be equipped with a Private Key and Certificate.
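As an added example (not JS7's own code), the rollout rule from this section written out with Go's standard x509 package: a constructed CA stands in for the JS7 Certificate Authority or an external CA, issue with the CA certificate as parent is the CA signing an account's Public Key to a Certificate, and trustedByAgent plays the Controller or Agent that checks a signer's certificate against what was rolled out to it. The function names issue, selfSigned and trustedByAgent, the account names and the 24-hour validity are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a signing certificate for pub. With parent set to the CA certificate this is the CA
// signing an account's Public Key; with a nil parent the certificate is self-signed with signerKey.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, pub any, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign other certificates
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// selfSigned generates an ECDSA key and a self-signed certificate: with isCA it is a constructed
// stand-in for the JS7 CA or an external CA (not JS7's code), without it a user's self-signed certificate.
func selfSigned(cn string, isCA bool) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := issue(cn, 1, isCA, nil, &key.PublicKey, key)
	return key, cert, err
}

// trustedByAgent mirrors the rollout rule: a Controller or Agent accepts a signer only if the signer's
// certificate chains to what was rolled out to it (the CA certificate, or the self-signed certificate itself).
func trustedByAgent(signer, rolledOut *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(rolledOut)
	_, err := signer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```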
Operations for the user account's Private Key and Certificate include:
- viewing the Private Key and Certificate using the icon,
- updating the Private Key and Certificate using the icon,
- importing the Private Key using the icon,
- generating the Private Key using the icon.
View Key and Certificate
The user account's Private Key and Certificate for digital signing are displayed like this:
...
Update Key and Certificate
A user account's Private Key and Certificate can be created by an external CA and can be updated by pasting from the clipboard like this:
...
Import Key
A user account's Private Key can be created externally and can be imported from a file like this:
Note that an X.509 Certificate matching the user account's Private Key has to be signed by a CA and has to be added by using the Update Key and Certificate operation as explained above.
Generate Key
A user account's Private Key and optionally the Certificate can be generated like this:
...
- When choosing Key Algorithm PGP or RSA then only a Private Key will be created. Note that an X.509 Certificate matching the user account's Public Key is signed by an external CA and has to be added by using the Update Key and Certificate operation as explained above.
- When choosing Key Algorithm ECDSA then a Private Key is created and a CA-signed Certificate is created if the JS7 Certificate Authority is in use.
...