...
As indicated in the schematic architecture diagram above, communication between the JOC Cockpit, the Web Service and the JobScheduler Masters and Agents can be carried out using both HTTP and HTTPS protocols. By default after installation HTTP will be used. However, HTTPS should be implemented by system administrators for all communication steps when the JobScheduler is to be used in sensitive environments.
- Information about the configuration of the Jetty Web Server delivered with the JOC Cockpit for HTTPS can be found from the JOC Cockpit - HTTPS Authentication article and on the Jetty Web Site.
- Information about setting up a secure connection between the JOC Cockpit - Web Service and the JobScheduler Master can be found from the JOC Cockpit - HTTPS Authentication article.
- Consider JobScheduler Universal Agent - HTTPS Agent and Master Authentication for securing the connections between a JobScheduler Master and Agents.
Authorization Tokens
Separate authorization tokens are used for each communication step between the JOC Cockpit, the JobScheduler Web Service and the JobScheduler Masters and Agents. This means that if an attacker is able to take over and use a token they will only be able to bypass a part of the communication chain.
...
- the browser's local storage will not be emptied after a period of time when Remember Me is set and a user does not log in again,.
Session Timeout
The JOC Cockpit makes use ofuses the timeout period set in the the shiro.ini configuration file for user sessions:
| Code Block | ||
|---|---|---|
| ||
securityManager.sessionManager.globalSessionTimeout = 900000 |
The default value of 900'.000 milliseconds translates to 15 minutes. To apply changes to this value the JOC Cockpit has to be restarted.
If a user does not logout from the JOC Cockpit , but e.g. closes the but, for example, closes their browser or browser tab , then:
- the authorization token will remain valid for the specified period since the last user activity.;
- the user session in the JOC Cockpit is closed, however, will be closed but the JobScheduler Web Service will still accept the authorization token for the specified period.
Default User Account
The JOC Cockpit ships with a default setting in the shirothe shiro.ini configuration file for the account "root" to use with the password "root" having permissions for any and with permissions to carry out all operations with the JOC Cockpit.
Please adjust the account and password to be used. For a secure configuration it is recommended to configure that LDAP access to a directory service is implemented for users and with roles with configured in the shiro.ini. This would guarantee that general policies such as frequency of password change or password complexity are considered when using the JOC Cockpit.
See the Authentication and Authorization - Configuration article for more information.
Audit Log
| Excerpt Include | ||||||
|---|---|---|---|---|---|---|
|
...
A user password cannot be reset or changed with the JOC Cockpit. Depending on the configuration configuration set in the the shiro.ini configuration file :
- users should ask their JobScheduler system administrator to modify the their password in the shiro.ini file if local configuration is used;
- any password changes effected for a directory service are automatically considered when using the JOC Cockpit if LDAP configuration is used.
See also
- JobScheduler Secure Operation
- How To - Security
- for information about how to securely configure all JobScheuler components