...
As indicated in the schematic architecture diagram above, communication between the JOC Cockpit, the Web Service and the JobScheduler Masters and Agents can be carried out using either HTTP or HTTPS. HTTP is used by default after installation. However, system administrators should implement HTTPS for all communication steps when the JobScheduler is to be used in sensitive environments.
- Information about configuring the Jetty Web Server delivered with the JOC Cockpit for HTTPS can be found in the JOC Cockpit - HTTPS Authentication article and on the Jetty Web Site.
- Information about setting up a secure connection between the JOC Cockpit - Web Service and the JobScheduler Master can be found in the JOC Cockpit - HTTPS Authentication article.
- Consider JobScheduler Universal Agent - HTTPS Agent and Master Authentication for securing the connections between a JobScheduler Master and Agents.
Authorization Tokens
Separate authorization tokens are used for each communication step between the JOC Cockpit, the JobScheduler Web Service and the JobScheduler Masters and Agents. This means that if an attacker is able to take over and use a token, they will only be able to bypass a part of the communication chain.
...
- the browser's local storage will not be emptied after a period of time when Remember Me is set and a user does not log in again.
Session Timeout
The JOC Cockpit uses the timeout period set in the shiro.ini configuration file for user sessions:
...
- the authorization token will remain valid for the specified period since the last user activity;
- the user session in the JOC Cockpit will be closed but the JobScheduler Web Service will still accept the authorization token for the specified period.
Default User Account
The JOC Cockpit ships with a default setting in the shiro.ini configuration file for the account "root" with the password "root" and with permissions to carry out all operations with the JOC Cockpit.
...
- users should ask their system administrator to modify their password in the shiro.ini file if local configuration is used;
- any password changes effected for a directory service are automatically considered when using the JOC Cockpit if LDAP configuration is used.
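The default "root"/"root" account described above can be checked for before a JOC Cockpit instance goes into use. The following is an added example, not code from the JobScheduler project: it audits the `[users]` section of a shiro.ini, assuming Apache Shiro's `account = password, role, ...` line format and treating values that start with `$shiro1$` or `$shiro2$` as hashed; the sample file and its role names are constructed.

```python
# Added example: flag the default root/root account and other plaintext
# passwords in the [users] section of a shiro.ini file.

# Assumption: entries starting with these prefixes are Shiro password hashes.
HASH_PREFIXES = ("$shiro1$", "$shiro2$")

def audit_shiro_users(ini_text):
    """Return a list of (account, finding) tuples for the [users] section."""
    findings = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "users" or "=" not in line:
            continue
        # Split on the first "=" only: hashed values may contain "=" padding.
        account, _, value = line.partition("=")
        account = account.strip()
        fields = [f.strip() for f in value.split(",")]
        password, roles = fields[0], fields[1:]
        if password.startswith(HASH_PREFIXES):
            continue  # hashed entry, nothing to compare against
        if account == "root" and password == "root":
            findings.append((account, "default account with default password; roles: "
                             + ", ".join(roles)))
        elif password == account:
            findings.append((account, "password equals account name"))
        else:
            findings.append((account, "password stored in plaintext"))
    return findings

# Constructed sample, not a real JOC Cockpit configuration.
SAMPLE = """\
[users]
root = root, all
alice = alice, business_user
bob = s3cr3t-Value, it_operator
carol = $shiro1$SHA-512$500000$c2FsdA==$aGFzaA==, administrator

[main]
someSetting = value
"""

if __name__ == "__main__":
    for account, finding in audit_shiro_users(SAMPLE):
        print(f"{account}: {finding}")
```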
See also
- JobScheduler Secure Operation
- How To - Security
- for information about how to securely configure all JobScheduler components