
  • JS7 - Identity Services provide integration with LDAP Directory Services for authentication and authorization.
  • The LDAP Identity Service is a built-in service available from JOC Cockpit.

...

Identity Service Configuration

The Manage Identity Services page for the configuration of Identity Services is accessed from the user menu of an administrative account in JOC Cockpit:

Add Identity Service

To add an Identity Service, use the Add Identity Service button on the page shown above, which lists the available Identity Services:

...

  • General
    • LDAP Server URL: The LDAP Server URL specifies the protocol, e.g. ldap:// for Plain Text and TLS connections, ldaps:// for SSL connections. The protocol is followed by the hostname (FQDN) and port of the LDAP Server.
    • LDAP Start TLS: This switch enables the StartTLS extension, which upgrades a connection made with ldap:// to TLS.
    • LDAP Host Name Verification: This switch has to be active to verify that the hostname in the LDAP Server URL matches the hostname in the LDAP Server certificate.
    • LDAP Truststore Path: Should the LDAP Server be configured for TLS/SSL protocols then the indicated truststore has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication.
      • For connections to well known LDAP Identity Providers such as Azure®, users should specify the path to the Java cacerts truststore file that ships with the Java JDK used with JOC Cockpit.
      • The truststore can include a Private CA-signed Certificate or a Public CA-signed Certificate. Typically the Root CA Certificate is used, as otherwise the complete certificate chain involved in signing the Server Authentication Certificate has to be available in the truststore.
      • If the LDAP Server is operated for TLS/SSL connections and this setting is not specified then JOC Cockpit will use the truststore that is configured with the JETTY_BASE/resources/joc/joc.properties configuration file. This includes use of settings for the truststore password and truststore type.
      • The path to the truststore is specified relative to the JETTY_BASE/resources/joc directory. If the truststore is located in this directory then specify the file name only, typically with a .p12 extension. Other relative locations can be specified using e.g. ../../joc-truststore.p12 if the truststore is located in the JETTY_BASE directory. No absolute path can be specified and no path can be specified that lies outside the JETTY_BASE directory in the file system hierarchy.
    • LDAP Truststore Password: If an LDAP truststore is used and the LDAP truststore is protected by a password, then the password has to be specified.
    • LDAP Truststore Type: If an LDAP truststore is used then the type of the indicated truststore has to be specified as being either PKCS12 or JKS (deprecated).
  • Authentication
    • LDAP User DN Template: The Distinguished Name (DN) identifies a user account. The value {0} can be used for Active Directory LDAP Servers and will be replaced by the user account specified during login. Alternatively an LDAP query can be specified, for example uid={0},OU=Operations,O=IT,O=Users,DC=example,DC=com.
  • Authorization
    • LDAP Search Base: The Search Base for looking up user accounts in the hierarchy of LDAP Server entries, for example OU=Operations,O=IT,O=Users,DC=example,DC=com.
    • LDAP Group Search Base: Similarly to the Search Base, the Group Search Base is used to find Security Groups which a user account has membership of. This setting specifies the point in the hierarchy from which Security Groups are looked up.
    • LDAP Group Search Filter: This filter specifies an LDAP query which is used to identify Security Groups the user account is a member of. The filter is applied to search results provided starting from the Group Search Base.
    • LDAP User Search Filter: This filter specifies an LDAP query that is used to identify the user account in the hierarchy of LDAP entries.
    • LDAP Group Name Attribute: This attribute provides the name of the Security Group that a user account is a member of, for example the CN (Common Name) attribute.
    • LDAP User Name Attribute: This attribute provides the name of the user account; frequently the CN (Common Name) attribute is used.
  • Group/Roles Mapping
    • The LDAP Group/Roles Mapping maps the Security Groups which the user account is a member of to JS7 roles. Security Groups have to be specified depending on the LDAP Group Search Attribute as Distinguished Names, e.g. CN=js7_admins,OU=Operations,O=IT,O=Groups,DC=example,DC=com, or as Common Names, e.g. js7_admins.
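The General settings above combine three decisions that are easy to get wrong: whether the URL and the Start TLS switch actually yield an encrypted connection, which truststore is then used (the configured one or the fallback from joc.properties), and whether the relative truststore path stays inside JETTY_BASE. The following Python is an added example, not JOC Cockpit code; the JETTY_BASE value, the fallback marker string and the function names are constructed for illustration, and the path rule is implemented lexically with posixpath so it runs without touching the file system.

```python
import posixpath

# Constructed example value; the real JETTY_BASE is wherever the JOC Cockpit Jetty base lives.
JETTY_BASE = "/opt/sos-berlin.com/js7/joc/jetty_base"
JOC_RESOURCES = posixpath.join(JETTY_BASE, "resources", "joc")
# Marker for the fallback described in the text: no LDAP truststore configured, so the
# truststore from JETTY_BASE/resources/joc/joc.properties is used instead.
JOC_PROPERTIES_TRUSTSTORE = "<truststore from joc.properties>"


def uses_tls(ldap_url: str, start_tls: bool) -> bool:
    """True when 'LDAP Server URL' plus the 'LDAP Start TLS' switch give an encrypted connection."""
    scheme, sep, rest = ldap_url.partition("://")
    if not sep or not rest:
        raise ValueError(f"expected ldap://host:port or ldaps://host:port, got {ldap_url!r}")
    scheme = scheme.lower()
    if scheme == "ldaps":
        return True          # SSL from the first byte
    if scheme == "ldap":
        return start_tls     # plain text unless the StartTLS switch is on
    raise ValueError(f"unsupported scheme {scheme!r}")


def resolve_truststore_path(configured: str) -> str:
    """Resolve 'LDAP Truststore Path' as the documentation describes it: relative to
    JETTY_BASE/resources/joc, never absolute, never pointing outside JETTY_BASE."""
    if posixpath.isabs(configured):
        raise ValueError(f"absolute truststore paths are not allowed: {configured}")
    resolved = posixpath.normpath(posixpath.join(JOC_RESOURCES, configured))
    # Compare with a trailing separator so a sibling such as .../jetty_base2 is rejected too.
    if not resolved.startswith(JETTY_BASE + "/"):
        raise ValueError(f"truststore path leaves JETTY_BASE: {configured} -> {resolved}")
    return resolved


def is_allowed_truststore_path(configured: str) -> bool:
    """Boolean form of resolve_truststore_path() for quick checks of a setting."""
    try:
        resolve_truststore_path(configured)
        return True
    except ValueError:
        return False


def validate_truststore_type(truststore_type: str) -> str:
    """Accept only the two values the setting allows; JKS is accepted but deprecated."""
    normalized = truststore_type.strip().upper()
    if normalized not in ("PKCS12", "JKS"):
        raise ValueError(f"LDAP Truststore Type must be PKCS12 or JKS, got {truststore_type!r}")
    return normalized


def effective_truststore(ldap_url: str, start_tls: bool, configured_path: str,
                         truststore_type: str = "PKCS12"):
    """Return (path, type) that the connection would use, or None for a plain-text connection."""
    if not uses_tls(ldap_url, start_tls):
        return None
    if not configured_path:
        return (JOC_PROPERTIES_TRUSTSTORE, None)   # fallback described in the text
    return (resolve_truststore_path(configured_path), validate_truststore_type(truststore_type))


if __name__ == "__main__":
    for url, start in (("ldap://ldap.example.com:389", False),
                       ("ldap://ldap.example.com:389", True),
                       ("ldaps://ldap.example.com:636", False)):
        print(url, "start_tls=%s" % start, "->", effective_truststore(url, start, "../../joc-truststore.p12"))
```

A plain ldap:// URL without the Start TLS switch yields no truststore at all, which is the quickest way to notice that credentials would travel unencrypted; the ../../ form resolves to JETTY_BASE itself, while a third ../ is rejected.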
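The Authentication, Authorization and Group/Roles Mapping settings all substitute the login name into LDAP syntax ({0} in the User DN Template and in the search filters) and then compare returned Security Groups with the configured mapping. The following Python is an added example, not JOC Cockpit code: it shows the RFC 4514 (DN) and RFC 4515 (filter) escaping that substitution needs so that a login name containing LDAP metacharacters cannot alter the DN or filter, and a group-to-role lookup that accepts either a Distinguished Name or a Common Name as the page describes. The user search filter, the role names, the sample memberOf values and the case-insensitive matching rule are assumptions made for the example; only the DN shapes follow the page.

```python
# RFC 4514 escaping for a value placed into a DN template such as
# uid={0},OU=Operations,O=IT,O=Users,DC=example,DC=com
def escape_dn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):       # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:               # leading hash
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


# RFC 4515 escaping for a value placed into a search filter
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_user_dn(template: str, account: str) -> str:
    """Fill {0} in the 'LDAP User DN Template' with the escaped login name."""
    return template.replace("{0}", escape_dn_value(account))


def render_search_filter(template: str, account: str) -> str:
    """Fill {0} in a user or group search filter with the escaped login name."""
    return template.replace("{0}", escape_filter_value(account))


def rdn_value(dn: str, attribute: str):
    """Value of the first RDN whose attribute matches (case-insensitive), e.g. CN of a group DN.
    Splits on unescaped commas only; multi-valued RDNs (a+b) are not handled."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == ",":
            rdns.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        if attr.strip().lower() == attribute.lower():
            return val.strip()
    return None


def map_groups_to_roles(member_of, mapping, group_name_attribute="CN"):
    """Collect the JS7 roles for the Security Groups a user belongs to. A mapping key that
    contains '=' is compared as a full DN, any other key as the group's name attribute value.
    A user whose groups match nothing receives no roles at all."""
    roles = set()
    for group_dn in member_of:
        name = rdn_value(group_dn, group_name_attribute)
        for key, assigned in mapping.items():
            if "=" in key:
                matched = key.lower() == group_dn.lower()
            else:
                matched = name is not None and key.lower() == name.lower()
            if matched:
                roles.update(assigned)
    return sorted(roles)


# Constructed sample configuration and directory data (not taken from the page)
USER_DN_TEMPLATE = "uid={0},OU=Operations,O=IT,O=Users,DC=example,DC=com"
USER_SEARCH_FILTER = "(&(objectClass=person)(uid={0}))"          # hypothetical filter
GROUP_ROLE_MAPPING = {
    "CN=js7_admins,OU=Operations,O=IT,O=Groups,DC=example,DC=com": ["all"],  # by DN
    "js7_operators": ["application_manager"],                                 # by CN
}
SAMPLE_MEMBER_OF = [
    "CN=js7_admins,OU=Operations,O=IT,O=Groups,DC=example,DC=com",
    "cn=JS7_Operators,OU=Operations,O=IT,O=Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    print(render_user_dn(USER_DN_TEMPLATE, "jdoe,OU=Admins"))
    print(render_search_filter(USER_SEARCH_FILTER, "*)(uid=*"))
    print(map_groups_to_roles(SAMPLE_MEMBER_OF, GROUP_ROLE_MAPPING))
```

The two escaped outputs are the check worth keeping: a login name with a comma stays one RDN value inside the DN, and a login name with parentheses or wildcards stays one literal inside the filter, so the query still identifies exactly one account rather than a broader set.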

...

Logging

  • Log Files
    • Standard Log Files
      • Identity Services log output to the JETTY_BASE/logs/joc.log file. This includes reporting success or failure of authentication.
      • Successful and failed authentication attempts including the user accounts involved are logged to the JETTY_BASE/logs/audit.log file.
    • Debug Log Files
      • For problem analysis during the setup of an Identity Service, increase the log level as explained in the JS7 - Log Levels and Debug Options article.
      • The JETTY_BASE/logs/joc-debug.log file includes general debug output of JOC Cockpit.
      • The JETTY_BASE/logs/authentication-debug.log file includes debug output related to authentication and authorization.
      • The JETTY_BASE/logs/jetty.log file includes debug output of attempts to establish SSL connections.

...