Page History
Table of Contents |
---|
Configuring the Controller
Consider Note that it is not required necessary to configure the Controller - it runs out-of-the-box. The default configuration includes :
- assumes that
...
- the deployment of objects , e.g. such as workflows and jobs , is not subject to compliance requirements such as non-repudiation.
- specifies HTTP connections, which are used that to expose unencrypted communication between JOC Cockpit and Controller. Authentication is performed by hashed passwords.
Users who intend to operate a compliant and secure job scheduling environment should consider the descriptions below explanations forcovering:
- deployment of objects with digital signatures that which can be used to restrict and to verify who deploys a given object such as a workflow.
- HTTPS connections that encrypt communication and that include mutual authentication by with certificates - without the use of passwords.
Compliance: Use of Signing Certificates
Controller instances accept deployments for a number of objects such as workflows from a JOC Cockpit instance only if such objects are digitally signed.
- If the JOC Cockpit is operated for Security Level Low then a single X.509 private key assigned to the JOC Cockpit
root
account is used to sign any all objects by from any JOC Cockpit accounts. - If JOC If the JOC Cockpit is operated for Security Level Medium or High then each account that deploys objects has to own an individual X.509 private key or PGP private key.
...
- If X.509 private keys are used for the signing of objects then the Root CA Certificate or Intermediate CA Certificate that was used to sign the respective relevant private key has to be in place with the Controller.
- If PGP private keys are used for the signing of objects then the public key matching the signing key has to be in place with the Controller.
- The Controller expects certificates/public keys from in the following locations:
- X.509 Certificates
- Location:
- Windows:
C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\trusted-x509-keys
- Unix:
/var/sos-berlin.com/js7/controller/var/config/private/trusted-x509-keys
- Windows:
- The expected X.509 certificate format is PEM. Certificates can be added from any file names with the extension
.pem
. - Consider Note that instead of individual certificates per for each signing key, the Root CA Certificate or Intermediate CA Certificate that was used to sign the private keys is sufficient.
- Location:
- PGP Public Keys
- Location:
- Windows:
C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\trusted-pgp-keys
- Unix:
/var/sos-berlin.com/js7/controller/var/config/private/trusted-pgp-keys
- Windows:
- PGP public keys are expected in ASCII armored format. They can be added from any file names with the extension
.asc
. - Consider Note that for each PGP private key that is used for signing, the corresponding public key has to be available with the Controller instance.
- Location:
- By default the Controller ships with an X.509 certificate of SOS that matches the default signing key available with the JOC Cockpit
root
account.
- X.509 Certificates
- In order to add individual certificates/public keys, add the respective relevant files to the location specified above location corresponding according to the key type. To revoke certificates/public keys accordingly remove the respective relevant files from the location specified above location matching for the key type.
- The above locations for certificates/public keys specified above can be accessed from the Docker volume specified with the
--mount
option for the Controller's container directory/var/sos-berlin.com/js7/controller/var/config
. The locations for X.509 certificates and PGP public keys are available from sub-directories.
Security: Use with HTTPS Connections
The Controller is prepared by default is prepared for connections by with JOC Cockpit instances using the HTTP and the HTTPS protocols. In order to activate HTTPS consider the following prerequisites
Note that the following prerequisites have to be met in order to activate HTTPS:
Info | ||
---|---|---|
| ||
If you are new to certificate management or are looking for a solution that works out-of-the-box then you can use the configuration from the download archives linked below:
|
Provide Keystore, Truststore and Configuration for Mutual Authentication
Connections to Controller instances are established from a JOC Cockpit instance. If the HTTPS protocol is to be used then, in addition to securing the communication channel, the Controller instance requires mutual authentication.
Controller Keystore and Truststore
- The Controller instance's private key has to be created for Server Authentication and Client Authentication extended key usagesuse.
- The Controller instance is provided with:
- a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
- a truststore that holds the certificate chain - consisting of the Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller's certificate.
- Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
- Keystore
- Windows:
C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\https-keystore.p12
- Unix:
/var/sos-berlin.com/js7/controller/var/config/private/https-keystore.p12
- Windows:
- Truststore
- Windows:
C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\https-truststore.p12
- Unix:
/var/sos-berlin.com/js7/controller/var/config/private/https-truststore.p12
- Windows:
- Keystore
Controller Configuration
- The following configuration items have to be added to the Controller instance's
private.conf
configuration file has to be added the following configuration items. For details see see the JS7 - Controller Configuration Items article.- Mutual Authentication
Code Block language bash title Controller Configuration for Mutual Authentication linenumbers true js7 { auth { # User accounts for https connections users { # Controller account for connections by primary/secondary JOC Cockpit instance Controller { distinguished-names=[ "DNQ=SOS CA, CN=js7-joc-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE", "DNQ=SOS CA, CN=js7-joc-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" ] } } }
- This setting specifies the distinguished names that which are available from the subjects of JOC Cockpit certificates. Consider Note that the common name (CN) attribute specifies the hostname of a JOC Cockpit instance. The configuration authenticates a given JOC Cockpit instance as the distinguished name is unique for a the server certificate and therefore replaces the use of passwords.
- Keystore and truststore locations:
Code Block language bash title Controller Configuration for Keystore and Truststore Locations linenumbers true js7 { web { # Locations of keystore and truststore files for HTTPS connections https { keystore { # Default: ${js7.config-directory}"/private/https-keystore.p12" file=${js7.config-directory}"/private/https-keystore.p12" key-password="jobscheduler" store-password="jobscheduler" } truststores=[ { # Default: ${js7.config-directory}"/private/https-truststore.p12" file=${js7.config-directory}"/private/https-truststore.p12" store-password="jobscheduler" } ] } } }
- The above configuration items described above specify the locations of keystore and truststore.
- Consider Note the optional use of a key password and store password for keystores and the use of a store password for truststores.
- Mutual Authentication
Run Controller Container for HTTPS Connections
The following additional arguments are required for HTTPS connections:
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
#!/bin/sh docker run -dit --rm \ ... --publish=15443:4443 \ --env="RUN_JS_HTTPS_PORT=4443" \ ... |
ExplanationsExplanation:
--publish
The Controller image is prepared to accept HTTPS requests on port4443
. If the Controller instance is not operated in a Docker container network, then an outside port of the Docker container's host has to be mapped to the inside HTTPS port4443
. The same port has to be assigned theRUN_JS_HTTPS_PORT
environment variable.--env=RUN_JS_HTTPS_PORT
The port assigned to this environment variable is the same as the inside HTTPS port specified with the--publish
option.
...
- When using HTTPS connections then , consider to drop dropping the HTTP port of the Controller instance by omitting the following from the settings listed above settings:
--publish=15444:4444
This mapping should be dropped in order to prevent incoming traffic to the Controller instance's HTTP port.
High Availability:
...
Operating a Cluster
The Controller can be operated as a passive cluster for high availability.
- Consider Note that the clustering operational feature of clustering is subject to JS7 - LicensingLicense. Without a license:
- no fail-over/switch-over will not take place between Controller cluster members.
- you have to move the Primary Controller instance's journal files to the Secondary Controller instance and (re)start the Secondary Controller instance if you want this instance to become active after the Primary Controller instance is shutdown or becomes unavailable.
- Journal files can be found from the
state
directory as explained with the JS7 - Controller Installation for Docker Containers article. - Take care that after manual fail-over/switch-over the Primary Controller instance is not (re)started with the original journal files being in place : as this might result in double job workflow execution by the Primary and Secondary Controller instance.
- Journal files can be found from the
- The installation of Controller cluster members is the same as explained with the JS7 - Controller Installation for Docker Containers article.
- Both Primary and Secondary Controller containers can be started from the same image.
Info title Hint for use with JS7 pre-release The JS7 pre-release does not support role assignment for Primary and Secondary Controller instances by JOC Cockpit. Instead, for the Secondary Controller instance the following steps have to be performed performed for the Secondary Controller instance and before start of the container (should the instance have been started before then you would have to drop the journal and remove all files from the Secondary Controller's
state
directory to make this instance accept the configuration below configuration).- Navigate to the
config
volume that is mounted from the Controller container as indicated with the JS7 - Controller Installation for Docker Containers article. Create a file
./config/controller.conf
and add the following configuration:Code Block language bash title Secondary Controller cluster configuration file example: controller.conf linenumbers true # Allow HTTP connections without authentication js7.web.server.auth.public = true # Cluster configuration js7.journal.cluster { node { is-backup = yes } }
- The configuration item
js7.web.server.auth.public = true
is intended for use with HTTP connections. Consider above recommendations to run recommendations already made (above) about running the container for HTTPS connections.
- Navigate to the
- Both Primary and Secondary Controller containers can be started from the same image.
- After applying the configuration described above configuration you can then register the Controller with JOC Cockpit as explained from in the chapter Register Controller Cluster of the JS7 - JOC Cockpit Installation for Docker Containers article.
- Both Controller instances will become visible with the JS7 - Dashboard View like this.
...