Security Architecture

JS7 brings a security architecture based on certificates for connections between products and for digital signing of workflows and jobs.

...

  • The Security Architecture includes:
    • Secure Communication:
      • Certificate Management: Create and deploy certificates for secure network communication between products.
      • Life Cycle Management: Create, update and delete certificates and deploy changes to products.
    • Secure Configuration:
      • Configurations include workflows, jobs and related objects.
      • These objects are digitally signed and deployed by a responsible person.
    • Secure Operation:
      • Access Management: Authentication and Authorization via LDAP, OIDC, Certificates, FIDO etc.
      • Credential Management: Use of a Credential Store for confidential data.
  • Wording
    • The term Deployment applies to a situation when a configuration is transferred from the JOC Cockpit to a Controller and Agents.
    • The term Roll-out applies to a situation when a configuration is transferred between environments, for example from non-production to production environments. Within the respective target environment a Deployment is performed to transfer configuration objects to Controllers and Agents.

...

  • Network connections between products use the HTTPS protocol.
  • Such connections are secured by X.509 certificates, by default using mutual client and server authentication.
  • Connections are established in one direction only.

...

  • Certificates are created:
    • either from a CA independently from JS7,
      • This applies to users of JS7 who require the "high" Security Level and therefore operate a CA of their own.
    • or directly from the JS7 - Certificate Authority in JOC Cockpit.
      • This applies to users of JS7 who prefer a modest "low" or "medium" Security Level without the effort of maintaining a CA.
      • The JOC Cockpit implements:
        • a Root CA and Intermediate CA to create certificates for JS7 products.
        • deployment capabilities to prepare the security configuration for JS7 products, i.e. to generate keystores and truststores to which the relevant certificates are added.
  • Certificates can be maintained with JOC Cockpit if an individual CA is not in place.
    • Private Keys and Certificates are stored with the JS7 database.
    • A user interface is available for operations on certificates, such as creating, updating and deleting certificates.
  • Certificates are prepared for deployment:
    • A keystore and truststore to hold the required certificates are created for individual JS7 products such as Controllers or Agents.
    • Keystores and truststores can be forwarded to Controllers and Agents by any suitable means, for example by file transfer, SSH, transportable disks etc.
    • Keystores and truststores can be imported to Controllers and Agents using a shell script.
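
The Root CA, Intermediate CA, keystore and truststore layout described above, and the mutual client and server authentication it has to support, can be reproduced with plain OpenSSL to see what each file holds. This is an added example, not JS7 code or the JOC Cockpit implementation; the subjects, the host name `agent.example.test`, the file names and the password are placeholders, and the truststore is kept as a PEM file for simplicity.

```shell
#!/usr/bin/env bash
# Added example: subjects, host names, file names and the password are placeholders.
set -eu

make_pki() (   # $1 = working directory; subshell body so the caller's cwd is kept
  set -e; mkdir -p "$1"; cd "$1"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:agent.example.test
EOF
  # Root CA: self-signed, only signs the Intermediate CA.
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Example Root CA" -days 30 -keyout root.key -out root.crt
  # Intermediate CA: signed by the Root CA, issues the product certificates.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile pki.cnf -extensions v3_ca -out int.crt
  # Agent certificate: serverAuth and clientAuth, usable on both sides of mutual TLS.
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=agent.example.test" -keyout agent.key -out agent.csr
  openssl x509 -req -in agent.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile pki.cnf -extensions v3_leaf -out agent.crt
  # Keystore: private key plus chain. Truststore content: the Root CA certificate only.
  openssl pkcs12 -export -inkey agent.key -in agent.crt -certfile int.crt \
    -name agent -passout pass:placeholder-secret -out agent-keystore.p12
  cp root.crt truststore.pem
)

# Succeeds only if the certificate chains to the truststore and is valid as
# both TLS server and TLS client, which mutual authentication requires.
check_cert() {   # $1 = PKI directory, $2 = certificate to check
  openssl verify -purpose sslserver -CAfile "$1/truststore.pem" -untrusted "$1/int.crt" "$2" &&
  openssl verify -purpose sslclient -CAfile "$1/truststore.pem" -untrusted "$1/int.crt" "$2"
}
```

Run `make_pki ./pki` followed by `check_cert ./pki ./pki/agent.crt`; a certificate that does not chain to the Root CA in the truststore is rejected by the same check.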

...

  • Access Management includes access to JOC Cockpit and to the REST Web Service API. This applies both to users who access the JOC Cockpit GUI and to scripts and applications that directly access the REST Web Service API.
  • The Controller is assumed not to be accessed by users directly but exclusively via the JOC Cockpit REST Web Service API. No default authentication is provided if the insecure HTTP protocol is used.
  • Agents are assumed not to be accessed by users directly but exclusively by a Controller. No default authentication is provided if the insecure HTTP protocol is used.

Access to JOC Cockpit is subject to authentication and authorization. 

JOC Cockpit implements a number of JS7 - Identity Services:

  • Identity Services with built-in support for local user management, LDAP, OIDC, Certificates, FIDO.
  • Identity Services for use with external Identity Providers such as Keycloak®, HashiCorp® Vault.

JOC Cockpit offers Role Based Access Management, see JS7 - Authorization.

  • Permissions for operations in the GUI and in the JS7 REST Web Service API can freely be grouped to roles.
  • Users are assigned roles.

Identity Services

JOC Cockpit offers a number of Identity Services for authentication and authorization.

Certificate Based Authentication

Certificates can be used as a single factor for authentication or as a second factor (MFA). For details see JS7 - Certificate Identity Service.

FIDO Authentication

The FIDO family of protocols offers FIDO2 and Passkeys as a single factor and as a second factor in MFA. The FIDO U2F protocol can be used as a second factor.

For details see JS7 - FIDO Identity Service.

Credential Management

  • Users frequently ask if JobScheduler can encrypt credentials. The answer is "no", as it makes no sense for Open Source software to handle a symmetric key that is stored in the JS7 configuration. Encrypting credentials contributes to obfuscation, not to security.
  • There is only one way to handle passwords: not to use them.
  • Alternatives include use of a JS7 - Credential Store.
