Introduction

  • The JS7 - Identity Services provide local management of user accounts for authentication and authorization.
  • The JOC Identity Service is a built-in service available from the JOC Cockpit.

Identity Service Type

...

Roles
  • Identity Service
    • Service Type: JOC
    • Built-in: yes
  • Identity Service Configuration Items
    • User Accounts/Passwords stored within: JS7 Database
    • User Accounts/Passwords managed by: JOC Cockpit
    • Roles/Permissions stored within: JS7 Database
    • Roles->User Accounts Mapping managed by: JOC Cockpit
  • JOC Cockpit Configuration
    • Role Mapping: Mapping of user accounts and roles with the JOC Cockpit


Explanation:

  • Service Type: JOC
    • Management of user accounts and passwords is performed using the JOC Cockpit.
    • The assignment of roles to user accounts is performed using the JOC Cockpit.
    • The JOC Cockpit stores user accounts, hashed passwords and role assignments.

Identity Service Configuration

The Manage Identity Services view is available from the user menu of an administrative account in the JOC Cockpit and is used to configure Identity Services:

...

Addition of an Identity Service

To add an Identity Service, use the Add Identity Service button on the page above to list the available Identity Services:


The remaining input fields of the popup window look like this:

...

  • The Identity Service Name is a unique identifier that can be freely chosen.
  • The Identity Service Type can be selected from the matrix shown above.
  • The Ordering specifies the sequence in which a login is performed with the available Identity Services.
  • The Required attribute specifies whether login with an Identity Service is required to be successful, for example if a number of Identity Services are triggered on login with a user account.
  • The Identity Service Authentication Scheme allows selection of:
    • single-factor authentication: a user account and password are specified for login with the Identity Service.
    • two-factor authentication: in addition to a user account and password, a Client Authentication Certificate is required, see JS7 - Certificate based Authentication.
  • Password as single factor: if the single-factor Authentication Scheme is selected then this switch specifies whether the user account and password can be used to log in.
  • Certificate as single factor: if the single-factor Authentication Scheme is selected then this switch specifies whether a certificate allows login without specification of a user account and password.

Authentication Scheme

The Authentication Scheme offers a number of options for authentication with the JOC Cockpit:

  • Two-factor authentication forces a user to provide both a user account/password and a certificate. As certificates are stored in the user's local certificate store, they represent a factor that limits access to specific client devices equipped with a certificate store holding the given certificate. The user account/password is considered a factor that is in the user's mind.
  • Single-factor authentication gives a choice of using either the user account/password or the certificate authentication method.

Certificate based Authentication

  • Certificate based Authentication makes use of the Common Name that is available from the certificate's subject and which maps to the user account managed with the JOC Cockpit. Certificates cannot be used for authentication if the user account indicated by the Common Name has not been added to the Identity Service.
    • When used with two-factor authentication, the certificate's Common Name has to exactly match the user account specified during login, and that account has to be available for the JOC Cockpit.
    • When used with single-factor authentication, the certificate's Common Name has to exactly match a user account available with the JOC Cockpit.
  • Certificates act as a replacement for user accounts and passwords. This can be useful for external scripts and for JS7 jobs that access the JS7 - REST Web Service API and which should not store passwords with their configuration. For example, the JS7 - Monitoring interface is provided for external scripts, e.g. for System Monitors, to check availability of JS7 products on a regular basis. Such scripts can use a certificate that maps to a JOC Cockpit user account with limited permissions to request the health status of JS7 products only.
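As an added example (not code from the JS7 documentation or the JOC Cockpit), the following Python models the Common Name rules above for both authentication schemes. The RFC 4514 subject string format ("CN=monitor,OU=ops,O=Example") and the account list are constructed assumptions.

```python
import re
from typing import Dict, Optional

# Constructed sample: accounts that have been added to the JOC Identity Service.
IDENTITY_SERVICE_ACCOUNTS = {"root", "monitor", "Alice"}


def parse_subject(subject: str) -> Dict[str, str]:
    """Split an RFC 4514 distinguished name into attribute -> value.

    Backslash-escaped commas and equals signs inside values are kept as data.
    Attribute names are upper-cased so "cn=" and "CN=" are treated alike
    (an assumption for this example, not documented JS7 behaviour).
    """
    attrs: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", subject):   # split on unescaped commas only
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        value = value.strip().replace("\\,", ",").replace("\\=", "=")
        attrs[key.strip().upper()] = value
    return attrs


def common_name(subject: str) -> Optional[str]:
    """Return the certificate's Common Name, or None if the subject has no CN."""
    return parse_subject(subject).get("CN")


def certificate_login_allowed(subject: str, login_account: Optional[str],
                              two_factor: bool) -> bool:
    """Apply the documented rules.

    two_factor=True : CN must exactly match the account typed at login, and that
                      account must exist in the Identity Service.
    two_factor=False: CN alone must exactly match an existing account.
    Matching is case-sensitive, as the text requires an exact match.
    """
    cn = common_name(subject)
    if cn is None or cn not in IDENTITY_SERVICE_ACCOUNTS:
        return False          # missing or unknown CN: certificate cannot be used
    if two_factor:
        return login_account == cn
    return True


if __name__ == "__main__":
    print(certificate_login_allowed("CN=monitor,OU=ops,O=Example", None, two_factor=False))
```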

Identity Service Settings

...

  • Log Files
    • Standard Log Files
      • Identity Services log output to the JETTY_BASE/logs/joc.log file. This includes reports of authentication success or failure.
      • Successful and failed authentication attempts and the user accounts involved are logged to the JETTY_BASE/logs/audit.log file.
    • Debug Log Files
      • For problem analysis during setup of an Identity Service, increase the log level as explained in JS7 - Log Levels and Debug Options.
      • The JETTY_BASE/logs/joc-debug.log file includes general debug output of the JOC Cockpit.
      • The JETTY_BASE/logs/authentication-debug.log file includes debug output related to authentication and authorization.
      • The JETTY_BASE/logs/jetty.log file includes debug output of attempts to establish SSL connections.

...