Page History
Table of Contents |
---|
Introduction
The article is focused on configuration items used for HTTPS Server Authentication with passwords. For a complete overview of settings see JS7 - Controller Configuration Items and JS7 - Agent Configuration Items,
- HTTPS Server Authentication is preferably used in combination with Client Authentication (mutual authentication) as this allows a secure configuration without the use of passwords.
- The purpose of Server Authentication is to secure the identity of an HTTP server and to encrypt the communication between client and server.
- The purpose of Client Authentication is to prove the identity of a client. Without proof of identity any HTTP client could perform a man-in-the-middle attack by, for example, pretending to be a Controller that connects to an Agent.
- Please refer to the communication scheme between JS7 components products as described in the JS7 - System Architecture article:
- User browsers acting as HTTPS clients establish connections to JOC Cockpit as an HTTPS server.
- JOC Cockpit acting as an HTTPS client establishes connections to Controller instances acting as HTTPS servers.
- Controller instances acting as HTTPS clients establish connections to Agents acting as HTTPS servers.
- We recommend applying It is recommended to apply TLS mutual authentication. However, there might be reasons why use of Client Authentication is not an immediate option, for example:
- Use of a wildcard certificate for Server Authentication leverages the effort for certificate management. At the same time such certificates cannot be used for Client Authentication.
- If mutual authentication is not an immediate option then passwords can be used by following the recommendations made in this article.
...
Configuration File: JS7_CONTROLLER_CONFIG_DIR/private/private.conf
...
Find examples for Controller configuration for download:
- Standalone Controller: private.conf
...
- -example-standalone-controller
- Controller Cluster (for use with both Controller instances): private.conf-example-controller-cluster
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
Code Block | ||||||||
| ||||||||
js7 { auth { # User accounts for HTTPS connections users { # Controller ID for connections by primary/secondary Controller instance js7_devController { password="plain:secret" } # History account of JOC Cockpit (used to release events) History { password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08" } # JOC account of JOC Cockpit (requires UpdateRepoUpdateItem permission for deployment) JOC { password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE" permissions=[ UpdateItem ] } } # for each Agent specify Agent ID and plain text password for authentication agents { agent-dev-001="plain:secret-agent-001" agent-dev-002="secret-002="plain:secret-agent-002" agent-003="plain:secret-agent-003" } } configuration { # directory for trusted public keys and certificates used with signatures trusted-signature-keys { PGP=${js7.config-directory}"/private/trusted-pgp-keys" X509=${js7.config-directory}"/private/trusted-x509-keys" } } journal { # allow History account to release unused journals users-allowed-to-release-events=[ History ] } web { # keystore and truststore location for https connections https { keystore { # Default: ${js7.config-directory}"/private/https-keystore.p12" file=${js7.config-directory}"/private/https-keystore.p12" key-password=jobscheduler store-password=jobscheduler } truststores=[ { # Default: ${js7.config-directory}"/private/https-truststore.p12" file=${js7.config-directory}"/private/https-truststore.p12" store-password=jobscheduler } ] } # disable use of client authentication certificates server { auth { https-client-authentication=off } } } } |
...
- The configuration file is located in the
JS7_CONTROLLER_CONFIG_DIR/private
folder. - Note that the above configuration has to be deployed to both Controller instances if a Controller Cluster is to be used.
- The configuration items relevant to Server Authentication from the example above are described in the following sections.
Specify
...
Controller ID and Password
Code Block | ||||
---|---|---|---|---|
| ||||
js7 { auth { # User accounts for eachHTTPS Agentconnections specify Agent users { # Controller ID for connections by primary/secondary Controller instance Controller { password="plain:secret" } } } } |
Explanation:
- This setting is not required when using a Standalone Controller. It is used for password authentication between Controller instances in a cluster.
- Note that the
Controller
element name is an example that has to be replaced by the Controller ID which is specified with identical values during installation of both Controller instances in a cluster. - If the password is modified in the
private.conf
file of a Primary Controller instance then it also has to be modified for the Secondary Controller instance to make passwords match. - A plain-text password has to be specified that is preceded with
plain:
: Passwords should be quoted.
Specify Agent ID and Password
Code Block | ||||
---|---|---|---|---|
| ||||
js7 { auth { # for each Agent specify Agent ID ID and plain text password for authentication agents { agent-dev-001="secretagent-001="plain:secret-agent-001" agent-002="plain:secret-agent-002" agent-dev-002003="plain:secret-agent-003" } } } |
Explanation:
- The Agent ID for each Agent is specified according to from the pattern examples
agent-dev-001001
,agent-002
etc. An Agent is assigned a unique Agent ID during initial operation with JOC Cockpit that . The Agent ID cannot be changed unless an Agent's journal is dropped. - The A plain text password
secret
is specified that is preceded withplain:
. Passwords should be quoted.
Disable Client Authentication
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
js7 { auth { # User accounts for https connections users { # Controller ID for connections by primary/secondary Controller instance js7_devController { password="plain:secret" # password="sha512:$JhbM9ClpBpH2oB2O$qmWRbhOAfNHbmz3bp1AV.ATV0WIKVdZp3ceVXJZc.GHX4L7/iWJB7RGpzjZ2JzvbdPBtlpCFy8CLvYpKoBBKP/"sha512:bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2" } } } configuration { # Locations of certificates and public keys used for signature verification trusted-signature-keys { PGP=${js7.config-directory}"/private/trusted-pgp-keys" X509=${js7.config-directory}"/private/trusted-x509-keys" } } job { # Enable script execution from signed workflows execution { signed-script-injection-allowed = yes } } web { # Locations of keystore and truststore files for HTTPS connections https { keystore { # Default: ${js7.config-directory}"/private/https-keystore.p12" file=${js7.config-directory}"/private/https-keystore.p12" key-password="jobscheduler" store-password="jobscheduler" # alias= } truststores=[ { # Default: ${js7.config-directory}"/private/https-truststore.p12" file=${js7.config-directory}"/private/https-truststore.p12" truststore.p12" store-password="jobscheduler" # store-passwordalias=jobscheduler } ] } # Disable use of client authentication certificates server { auth { https-client-authentication=off } } } } |
...
- The configuration file is located with the
JS7_AGENT_CONFIG_DIR/private
folder. - Consider that the above configuration has to be deployed to any Agent instances.
- The configuration items relevant to Server Authentication with passwords from the example above are described in the following sections.
Specify Controller ID and Password
Code Block | ||||
---|---|---|---|---|
| ||||
js7 { auth { # User accounts for https connections users { # Controller ID for connections by primary/secondary Controller instance js7_devController { password="plain:secret-agent-001" # password="sha512:$JhbM9ClpBpH2oB2O$qmWRbhOAfNHbmz3bp1AV.ATV0WIKVdZp3ceVXJZc.GHX4L7/iWJB7RGpzjZ2JzvbdPBtlpCFy8CLvYpKoBBKP/fcef10f554e086d2f572fed70e494a6e03eac3034d1c928a9553bc9435b2b94081183958b5d1f53088b6ed2c1a968b1c4322854163a01a671cf07a1cd59ea006" } } } |
Explanation:
- In this example
js7_dev
isController
is the Controller ID used by a Standalone Controller or by a Controller Cluster. A Controller is assigned a unique Controller ID during installation. The Controller ID cannot be changed unless the Controller's journal is reset. - The
password
for the Controller ID in the Agent configuration is the same as stated in the Controller configuration with thejs7.auth.agents
setting.- The password has to be preceded with
plain:
if a plain text password is used. - The password has to be preceded with
sha512:
if a password hashed with this algorithm is used- There are a number of ways to create sha512 hash values from passwords.
- One possible solution includes using:
openssl passwd -6
echo -n "secret-agent-001" | openssl dgst -sha512
- The password has to be preceded with
Disable Client Authentication
...
Overview
Content Tools