Introduction

The article is focused on configuration items used for HTTPS Server Authentication with passwords. For a complete overview of settings see JS7 - Controller Configuration Items and JS7 - Agent Configuration Items,

• HTTPS Server Authentication is preferably used in combination with Client Authentication (mutual authentication) as this allows a secure configuration without the use of passwords.
  • The purpose of Server Authentication is to secure the identity of an http HTTP server and to encrypt the communication between client and server.
  • The purpose of Client Authentication is to prove the identity of a client. Without proof of identity any http HTTP client could perform a man-in-the-middle attack e.g. by by, for example, pretending to be a Controller that connects to an Agent.
• Consider Please refer to the communication scheme between JS7 components products as explained from described in the JS7 - System Architecture article:
  
  • User browsers acting as http HTTPS clients establish connections to JOC Cockpit as an http HTTPS server.
  • JOC Cockpit acting as an http HTTPS client establishes connections to Controllers Controller instances acting as http HTTPS servers.
  • Controllers Controller instances acting as http HTTPS clients establish connections to Agents acting as http HTTPS servers.
• We recommend It is recommended to apply TLS mutual authentication, however. However, there might be reasons why use of Client Authentication is not an immediate option, e.g.for example:
  • Use of a wildcard certificate for Server Authentication leverages the effort for certificate management. At the same time such certificates cannot be used for Client Authentication.
• Should If mutual authentication is not be an immediate option then passwords can be used by following the recommendations from made in this article for the handling of passwords apply.

...

Location of Configuration

...

Files

In the following the JS7_CONTROLLER_CONFIG_DIR placeholder specifies the configuration directory of the Controller. The JS7_AGENT_HOME, JS7_AGENT_CONFIG_DIR placeholders specify the directories where the Agent is installed and configured.

• JS7_CONTROLLER_CONFIG_DIR is the Controller's configuration directory that is specified during installation:
  
  • <extraction-directory/controller/var/config (default on Unix/Windows for JS7 - Controller - Headless Installation on Linux and Windows)
  • C:\ProgramData\sos-berlin.com\js7\controller\config (default on Windows for JS7 - Controller - Installation Using the Windows Graphical Installer)

• JS7_AGENT_HOME is the installation path that is specified during the JobScheduler Agent installation:
  
  • <extraction-directory>/agent (default on Unix/Windows for JS7 - Agent - Headless Installation on Unix and Windows)
  • C:\Program Files\sos-berlin.com\js7\agent (default on Windows for JS7 - Agent - Installation Using the Windows Graphical Installer)
• JS7_AGENT_CONFIG_DIR is the Agent's configuration directory that is specified during Agent installation:
  
  • <extraction-directory>/agent/var_<port>/config (default on Unix/Windows for JS7 - Agent - Headless Installation on Unix and Windows)
  • C:\ProgramData\sos-berlin.com\js7\agent\config (default on Windows for JS7 - Agent - Installation Using the Windows Graphical Installer)

Controller Configuration

Configuration File: JS7_CONTROLLER_CONFIG_DIR/private/private.conf

Find examples for Controller configuration for download:

• Standalone Controller: private.conf-example-standalone-controller
• Controller Cluster (for use with both Controller instances): private.conf-example-controller-cluster

js7 {
    auth {
        # User accounts for HTTPS connections

Download: private.conf

js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
            }
            # History account (used to release events)
            History {
                password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }
            # JOC account (requires UpdateRepo permission for deployment)
            JOC {
                password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                permissions=[
                    UpdateItem
        users {
       ]
     # Controller ID for connections by primary/secondary Controller }instance
        }

    Controller {
    # for each Agent specify Agent ID and plain text password for authentication password="plain:secret"
        agents {
    }

       agent-dev-001="secret"
     # History account of JOC  agent-dev-002="secret"
   Cockpit (used to release events)
     }
    }

   History configuration {
        # directory for trusted public keys and certificates used with signatures
 password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }

         trusted-signature-keys {
  # JOC account of JOC Cockpit (requires UpdateItem permission  PGP=${js7.config-directory}"/private/trusted-pgp-keys"
for deployment)
            JOC X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }

    journal {
password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
         # allow History account to release unused journalspermissions=[
        users-allowed-to-release-events=[
            HistoryUpdateItem
        ]
     }
   ]
    web {
       }
 # keystore and truststore location for https connections}

        https# {
for each Agent specify Agent ID and plain text password for authentication
 keystore {
      agents {
         # Default: ${js7.config-directory}"/private/https-keystore.p12 agent-001="plain:secret-agent-001"
                file=${js7.config-directory}"/private/https-keystore.p12agent-002="plain:secret-agent-002"
                key-password=jobscheduleragent-003="plain:secret-agent-003"
        }
        store-password=jobscheduler}

    configuration {
       }
 # directory for trusted public keys and certificates used with  truststores=[signatures
                trusted-signature-keys {
                    # Default: PGP=${js7.config-directory}"/private/https-truststore.p12trusted-pgp-keys"
                    fileX509=${js7.config-directory}"/private/https-truststore.p12trusted-x509-keys"
        }
    }

        store-password=jobschedulerjournal {
        # allow History account to release unused  }journals
            ]users-allowed-to-release-events=[
        }

    History
    # disable use of client authentication certificates]
    }

    serverweb {
        # keystore and truststore location for authhttps {connections
        https {
        https-client-authentication=off
    keystore {
       }
        }
 #   }
}

Explanation:

Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }

        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}

Explanation:

• The configuration file is located in the JS7_CONTROLLER_CONFIG_DIR/private folder.
• Note that the above configuration has to be deployed to both Controller instances if a Controller Cluster is to be used.
• The configuration items relevant to Server Authentication from the example above are described in the following sections.

Specify Controller ID and Password

js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                password="plain:secret"
            }
        }
     }
}

Explanation:

• This setting is not required when using a Standalone Controller. It is used for password authentication between Controller instances in a cluster.
• Note that the Controller element name is an example that has to be replaced by the Controller ID which is specified with identical values during installation of both Controller instances in a cluster.
• If the password is modified in the private.conf file of a Primary Controller instance then it also has to be modified for the Secondary Controller instance to make passwords match.
• A plain-text password has to be specified that is preceded with plain:: Passwords should be quoted
• Consider that the above configuration has to be deployed to both Controller instances should a Controller Cluster be used.
• Find below explanations about configuration items relevant to both Client and Server.

Specify Agent ID and Password

js7 {
    auth {
        # for each Agent specify Agent ID and plain text password for authentication
        agents {
           agent-dev-001="secret001="plain:secret-agent-001"
           agent-002="plain:secret-agent-002"
           agent-dev-002003="plain:secret-agent-003"
        }
    }
}

Explanation:

• For each Agent the Agent ID is specifiedThe Agent ID for each Agent is specified from the examples agent-001, agent-002 etc. An Agent is assigned a unique Agent ID during initial operation that cannot be changedoperation with JOC Cockpit. The Agent ID cannot be changed unless an Agent's journal is dropped.
• A plain text password is specified that is preceded with plain:. Passwords should be quoted.

Disable Client Authentication

js7 {
    web {
        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
}

...

• By default Client Authentication is required used if Server Authentication is in place.
• The above setting disables Client Authentication.

Agent Configuration

Configuration File: JS7_AGENT_CONFIG_DIR/private/private.conf

Download: private.conf

js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller account for connections by primary/secondary instance
            Controller instance{
            js7_dev {     password="plain:secret"
                 # password="plainsha512:secretbd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2"
            }
        }
    }
    
    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
    
    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }
    
    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12-directory}"/private/https-keystore.p12"
                key-password="jobscheduler"
                keystore-password="jobscheduler"
                # store-passwordalias=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
.config-directory}"/private/https-truststore.p12"
                    store-password="jobscheduler"
                    # store-passwordalias=jobscheduler
                }
            ]
        }

        # Disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}

Explanation:

• The configuration file is located with the JS7_AGENT_CONFIG_DIR/private folder.
• Consider that the above configuration has to be deployed to any Agent instances.Find below explanations about configuration items relevant to an
• AgentThe configuration items relevant to Server Authentication with passwords from the example above are described in the following sections.

Specify Controller ID and Password

js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller accountID for connections by primary/secondary Controller instance
            js7_devController {
                 password="plain:secret-agent-001"
                 # password="sha512:fcef10f554e086d2f572fed70e494a6e03eac3034d1c928a9553bc9435b2b94081183958b5d1f53088b6ed2c1a968b1c4322854163a01a671cf07a1cd59ea006"
            }
        }
    }

Explanation:

• In this example js7_dev is Controller is the Controller ID used by solo a Standalone Controller or by a Controller Cluster. A Controller is assigned a unique Controller ID during initial operationinstallation. The Controller ID cannot be changed unless the Controller's journal is reset.
• The password for the Controller ID in the Agent configuration is the same as stated with in the Controller configuration with the js7.auth.agents setting.
  • The password has to be preceded with "plain:" if a plain text password is used.
  • The password has to be preceded with "sha512" : if a password hashed password with this algorithm is used
    • There are a number of ways how to create an sha512 hash value values from a passwordpasswords.
    • A One possible solution includes using:  openssl passwd -6echo -n "secret-agent-001" | openssl dgst -sha512

Disable Client Authentication

js7 {
    web {
        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
}

...

• By default Client Authentication is required used if Server Authentication is in place.
• The above setting disables Client Authentication.

...