Introduction
The article is focused on configuration items used for HTTPS Server and Client Authentication. For a complete overview of settings see JS7 - Controller Configuration Items and JS7 - Agent Configuration Items,
- HTTPS Server Authentication is preferably used in combination with Client Authentication (mutual authentication) as this allows a secure configuration without the use of passwords.
- The purpose of Server Authentication is to secure the identity of an http HTTP server and to encrypt the communication between client and server.
- The purpose of Client Authentication is to prove the identity of a client. Without proof of identity any http HTTP client could perform a man-in-the-middle attack e.g. by by, for example, pretending to be a Controller that connects to an Agent.
- Consider the communication scheme between JS7 components products as explained from in the JS7 - System Architecture article:
- User browsers acting as http HTTP clients establish connections to the JOC Cockpit as an http HTTP server.
- The JOC Cockpit acting as an http HTTP client establishes connections to Controllers Controller instances acting as http HTTP servers.
- Controllers Controller instances acting as http HTTP clients establish connections to Agents acting as http HTTP servers.
...
Location of Configuration
...
Configuration File: private.conf
Download: private.conf
Files
In the following the JS7_CONTROLLER_CONFIG_DIR placeholder specifies the configuration directory of the Controller. The JS7_AGENT_HOME, JS7_AGENT_CONFIG_DIR placeholders specify the directories where the Agent is installed and configured.
JS7_CONTROLLER_CONFIG_DIR is the Controller's configuration directory that is specified during installation:
JS7_AGENT_HOME is the installation path that is specified during the JobScheduler Agent installation:
JS7_AGENT_CONFIG_DIR is the Agent's configuration directory that is specified during Agent installation:
Controller Configuration
Configuration File: JS7_CONTROLLER_CONFIG_DIR/private/private.conf
Find an example for Controller configuration for download: private.conf
| Code Block |
|---|
| language | yml |
|---|
| title | Controller configuration file: private.conf |
|---|
| linenumbers | true |
|---|
| collapse | true |
|---|
|
js7 {
auth {
|
| Code Block |
|---|
| language | yml |
|---|
| title | Controller configuration file: private.conf |
|---|
| linenumbers | true |
|---|
| collapse | true |
|---|
|
js7 {
auth {
# User accounts for HTTPS connections
users {
# Controller account for connections by primary/secondary controller instance
Controller {
distinguished-names=[
"DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
# User accounts ]
for HTTPS connections
users }{
# Controller ID Historyfor accountconnections (used to release events)by primary/secondary controller instance
HistoryController {
distinguished-names=[
"DNQ=SOS CA, CN=joccontroller-2-0-primarysecondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
]
"DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
] }
password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
}
# JOC# History account (requiresused UpdateRepoto permissionrelease for deploymentevents)
JOCHistory {
distinguished-names=[
"DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FEB793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
}
permissions=[
# JOC account (requires UpdateRepo permission for deployment)
UpdateItem
JOC {
]
distinguished-names=[
}
}
}
configuration {
# directory for trusted public keys and certificates used with signatures
"DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS trusted-signature-keys {CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
PGP=${js7.config-directory}"/private/trusted-pgp-keys"
]
X509=${js7.config-directory}"/private/trusted-x509-keys password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
}
}permissions=[
journal {
# allow History account to release unused journals
UpdateItem
users-allowed-to-release-events=[]
History}
]}
}
webconfiguration {
# keystore and truststore location directory for httpstrusted connections
public keys and certificates used with https {signatures
keystore trusted-signature-keys {
# Default: PGP=${js7.config-directory}"/private/https-keystore.p12trusted-pgp-keys"
fileX509=${js7.config-directory}"/private/https-keystore.p12trusted-x509-keys"
}
}
key-password=jobschedulerjournal {
# allow History account to release store-password=jobschedulerunused journals
}users-allowed-to-release-events=[
truststores=[History
]
}
web {
# keystore and truststore location for https connections
# Default:https ${js7.config-directory}"/private/https-truststore.p12"
keystore {
# Default: file=${js7.config-directory}"/private/https-truststorekeystore.p12"
file=${js7.config-directory}"/private/https-keystore.p12"
store key-password="jobscheduler"
}store-password="jobscheduler"
] # alias
}
}
} |
Explanation:
- The configuration file is located with the
sos-berlin.com/js7/controller/config/private folder. - Consider that the above configuration has to be deployed to both Controller instances should a Controller Cluster be used.
- Find below explanations about configuration items from the above example relevant to Server Authentication with passwords.
Specify Distinguished Names
Controller Connections
| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 {
auth {
truststores=[
{
# Default: ${js7.config-directory}"/private/https-truststore.p12"
# User accounts for HTTPS connections file=${js7.config-directory}"/private/https-truststore.p12"
users {
# Controller account for connections by primary/secondary controller instance
store-password="jobscheduler"
# Controller {alias=
distinguished-names=[}
]
"DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
}
}
}
} |
Explanation:
Explanation:
- The configuration file is located in the
JS7_CONTROLLER_CONFIG_DIR/private folder. - Note that the above configuration has to be deployed to both Controller instances This setting applies if a Controller Cluster is being used. In this situation a Primary Controller requires the above setting to allow access from a Secondary Controller and vice versa.
- This setting specifies the distinguished name indicated with the partner Controller's Client Authentication certificate. The certificate acts as a replacement for a password.
- A Primary Controller configuration specifies the distinguished name of the Secondary Controller's Client Authentication certificate.
- A Secondary Controller configuration specifies the distinguished name of the Primary Controller's Client Authentication certificate.
...
- The configuration items relevant to mutual authentication from the example above are described below.
Authentication with pairing Controller instances and JOC Cockpit instances
Controller Connections
| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 {
auth {
# User accounts for HTTPS connections
users {
# HistoryController accountID (used to release events)for connections by primary/secondary controller instance
HistoryController {
distinguished-names=[
"DNQ=SOS CA, CN=joccontroller-2-0-primarysecondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"]
]}
}
}
} |
Explanation:
- The setting listed above applies for a Controller Cluster. In this situation a Primary Controller requires the setting to allow access from a Secondary Controller and vice versa.
- Note that the
Controller element name is an example that has to be replaced by the Controller ID that is specified with the same value during installation of both Controller instances in a cluster. - This setting specifies the
distinguished-names indicated with the partner Controllers' Client Authentication certificate. The distinguished name is given with the subject attribute of a Client Authentication certificate. The distinguished name is considered a replacement for a password.- A Primary Controller configuration specifies the distinguished name of the Secondary Controller's Client Authentication certificate.
- A Secondary Controller configuration specifies the distinguished name of the Primary Controller's Client Authentication certificate.
- Note that the common name (CN) attribute of the distinguished name has to match the fully qualified domain name (FQDN) of the partner Controller's host.
JOC Cockpit Connections
| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 {
auth {
# User accounts for HTTPS connections
users { password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
}
# JOC account (requires UpdateRepo permission for deployment)
JOC {
distinguished-names=[
"DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
# History account password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"(used to release events)
History {
permissions=[
distinguished-names=[
UpdateItem
"DNQ=SOS CA, ]CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
}
}
}
} |
Explanation:
- This setting applies to the connection established from one or more JOC Cockpit instances to a Controller. JOC Cockpit can be used with a cluster including two or more instances.
- This setting specifies the distinguished name indicated with the respective JOC Cockpit's Client Authentication certificate. The certificate acts as a replacement for a password. For each JOC Cockpit instance the
distinguished-name is specified that is stated with the JOC Cockpit's certificate. - Two entries are available for
js7.auth.users.History and js7.auth.users.JOC:History represents the JS7 - History Service that updates state transitions of orders and log output of jobs to the JS7 database.JOC represents the JOC Cockpit Proxy Service that establishes the connection to a Controller and that is used to provide current information about orders to the JOC Cockpit GUI. In addition to e.g. deployment of workflows and submission of orders.
- In addition permissions are specified for JOC Cockpit instances that indicate with the
UpdateItem setting that JOC Cockpit instances are allowed to add/update/delete deployable objects such as workflow.
Specify HTTPS Keystore and Truststore Locations
| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 {
web {"DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
}
# JOC account (requires UpdateItem permission for deployment)
JOC {
distinguished-names=[
"DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
# keystore and truststore location for https connections]
https {
password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
keystore {
permissions=[
# Default: ${js7.config-directory}"/private/https-keystore.p12"
UpdateItem
file=${js7.config-directory}"/private/https-keystore.p12"
key-password=jobscheduler]
store-password=jobscheduler
}
}
truststores=[
{
# Default: ${js7.config-directory}"/private/https-truststore.p12"
file=${js7.config-directory}"/private/https-truststore.p12"
store-password=jobscheduler
}
]
}
}
} |
Explanation:
- HTTPS keystore and truststore are used to hold private keys and certificates
- The keystore holds the Controller instance's private key and certificate. This information is used for
- Server Authentication with JOC Cockpit and for
- Client Authentication with Agents.
- The truststore holds the certificate(s) used to verify
- Client Authentication certificates presented by JOC Cockpit and
- Server Authentication certificates presented by Agents.
- Keystore and Truststore locations are specified. In addition for
- the keystore a password for the private keys included and a password for access to the keystore can be specified
- the truststore a password for access to the truststore can be specified.
- Passwords for keystores and truststores have no tendency to improve security of the configuration: the passwords have to be specified as plain text and have to be in reach of the Controller. This mechanism is not too different from hiding the key under your doormat. In fact limiting ownership and access permissions for keystores and truststores to the JS7 Controller's run-time account are more important than using a password.
Agent Configuration
Configuration File: private.conf
Download: private.conf
Explanation:
- The setting listed above applies for the connection established from one or more JOC Cockpit instances to a Controller. The JOC Cockpit can be used as a cluster comprising two or more instances.
- This setting specifies the
distinguished-names indicated with the relevant JOC Cockpit's Client Authentication certificate. The certificate is considered a replacement for a password. For each JOC Cockpit instance, the distinguished name is specified which is stated in the JOC Cockpit's certificate. - Two entries are available for
js7.auth.users.History and js7.auth.users.JOC:History represents the JS7 - History Service that receives state transition events for orders and log output of jobs and adds them to the JS7 database.JOC represents the JOC Cockpit Proxy Service that establishes the connection to a Controller and which is used to provide current information about orders to the JOC Cockpit GUI, in addition to, for example the deployment of workflows and submission of orders.- For both
History and JOC services a hashed password is specified by the JOC Cockpit. The password has no relevance for the security of the connection. Instead it is used to distinguish the services that both are running with the same JOC Cockpit instance and therefore use the same Client Authentication certificate.
- In addition permissions are specified for JOC Cockpit services that indicate with the
UpdateItem setting that the JOC Cockpit service is allowed to add/update/delete deployable objects such as workflows.
Locations of Public Keys and Certificates for Signature Verification
| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 {
configuration {
# directory for trusted public keys and certificates used with signatures
trusted-signature-keys {
PGP=${js7.config-directory}"/private/trusted-pgp-keys"
X509=${js7.config-directory}"/private/trusted-x509-keys"
}
}
} |
Explanation:
- The Controller verifies the signature of deployable objects such as workflows. This can be performed for PGP signatures and X.509 signatures.
- The
trusted-signature-keys setting specifies the locations for PGP public keys and for X.509 certificates. - If either PGP public keys or X.509 certificates are not used then the relevant setting should not be specified as it implies that the indicated directory will be populated with public keys or certificates accordingly.
Services entitled to release events from the Controller journal
| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 {
journal {
# allow History account to release unused journals
users-allowed-to-release-events=[
History
]
}
} |
Explanation:
- The journal holds e.g. information about order state transitions. This information is consumed by the JS7 - History Service that updates the JS7 database from this information.
- The Controller's journal would grow if entries that have been consumed by the History Service could not be released. The
users-allowed-to-release-events setting specifies the names, e.g. History, of the accounts for which authentication settings are indicated from the js7.auth.users section. - A single
History account is used with any number of JOC Cockpit instances. If more than one consumer account was to be specified then all consumers would have to confirm having received order transition events before such events could be removed from the journal.
HTTPS Keystore and Truststore Access
| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 {
web {
# keystore and truststore location for https connections
https {
client-keystore {
# Default: ${js7.config-directory}"/private/https-client-keystore.p12"
file=${js7.config-directory}"/private/https-client-keystore.p12"
key-password="jobscheduler"
store-password="jobscheduler"
}
keystore {
# Default: ${js7.config-directory}"/private/https-keystore.p12"
file=${js7.config-directory}"/private/https-keystore.p12"
key-password="jobscheduler"
store-password="jobscheduler"
# alias=
}
truststores=[
{
# Default: ${js7.config-directory}"/private/https-truststore.p12"
file=${js7.config-directory}"/private/https-truststore.p12"
store-password="jobscheduler"
# alias=
}
]
}
}
} |
Explanation:
- HTTPS keystores and truststores are used to hold private keys and certificates
- Keystore and truststore settings accept the path to a file in PKCS12 format or in PEM format.
- A keystore holds the Controller instance's private key and certificate. This information is used for:
- Server Authentication with JOC Cockpit and for
- Client Authentication with Agents.
- A truststore holds the certificate(s) used to verify:
- Client Authentication certificates presented by JOC Cockpit and
- Server Authentication certificates presented by Agents.
- Any number of truststores can be used.
- Optionally a separate HTTPS client keystore can be used:
- The client keystore is used for HTTPS mutual authentication and holds a private key and certificate created for the
Client Auth extended key usage. - When using HTTPS mutual authentication then:
- a single certificate can be used that is generated for both
Server Auth and Client Auth extended key usages. In this case do not use the HTTPS client keystore but use the HTTPS keystore to hold the certificate. - separate certificates can be used with the certificate for
Server Auth key usage being stored in the HTTPS keystore and the certificate for Client Auth key usage being stored in the HTTPS client keystore.
- For details see
| Jira |
|---|
| server | SOS JIRA |
|---|
| columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
|---|
| serverId | 6dc67751-9d67-34cd-985b-194a8cdc9602 |
|---|
| key | JS-1959 |
|---|
|
- Keystore and Truststore locations are specified. In addition:
- a password for the private keys included in the keystore and a password for access to the keystore can be specified,
- a password for access to the truststore can be specified.
- Passwords for keystore and truststore are not intended for security of the configuration, they are used to verify the integrity of certificate stores as the password used for creating and reading the certificate store must be the same.
- The
key-password setting is used for access to a private key in a keystore. - The
store-password setting is used for access to a keystore or to a truststore. - For PKCS12 keystores both settings have to use the same value. The settings can be omitted if no passwords are used.
Agent Configuration
Configuration File: JS7_AGENT_CONFIG_DIR/private/private.conf
Find an example for Agent configuration for download: private.conf
| Code Block |
|---|
| language | yml |
|---|
| title | Agent configuration file: private.conf |
|---|
| linenumbers | true |
|---|
| collapse | true |
|---|
|
js7 {
auth {
# User accounts for https connections
users {
# Controller ID for connections by primary/secondary Controller instance
Controller {
distinguished-names=[
"DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
}
}
}
configuration {
# Locations of certificates and public keys used for signature verification
trusted-signature-keys {
PGP=${js7.config-directory}"/private/trusted-pgp-keys"
X509=${js7.config-directory}"/private/trusted-x509-keys"
}
}
job {
# Enable script execution from signed workflows
execution {
signed-script-injection-allowed = yes
}
}
web {
# Locations of keystore and truststore files for HTTPS connections
https {
keystore {
# Default: ${js7.config-directory}"/private/https-keystore.p12"
file=${js7.config-directory}"/private/https-keystore.p12"
key-password="jobscheduler"
store-password="jobscheduler"
# alias=
}
truststores=[ |
| Code Block |
|---|
| language | yml |
|---|
| title | Agent configuration file: private.conf |
|---|
| linenumbers | true |
|---|
| collapse | true |
|---|
|
js7 {
auth {
# User accounts for https connections
users {
# Controller account for connections{
by primary/secondary Controller instance
Controller {
# Default: ${js7.config-directory}"/private/https-truststore.p12"
distinguished-names=[
file=${js7.config-directory}"/private/https-truststore.p12"
"DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
store-password="jobscheduler"
"DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" # alias=
]}
}]
}
}
configuration {
} |
Explanation:
- The configuration file is located in the
JS7_AGENT_CONFIG_DIR/private folder. - Note that the
Controller element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of both Controller instances in a cluster. - Note that the above configuration has to be deployed to all Agent instances.
- The configuration items relevant to mutual authentication from the example above are described below.
Client Authentication
Controller Connections
For explanations see the JS7 - Agent Configuration Items#js7-auth-users-Controller article.
| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 { # Locations of certificates and public keys used for signature verification
trusted-signature-keys auth {
# User accounts PGP=${js7.config-directory}"/private/trusted-pgp-keys"for https connections
X509=${js7.config-directory}"/private/trusted-x509-keys"
users {
# }
Controller ID for connections }by primary/secondary Controller instance
job {
Controller {
# Enable script execution from signed workflows
execution {distinguished-names=[
signed-script-injection-allowed = yes
"DNQ=SOS CA, CN=controller-2-0-primary, }
}OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
web {
# API Server URL
"DNQ=SOS api-server { url = "https://joc-2-0-secondary:4443" }
CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
# Locations of keystore and truststore files]
for HTTPS connections
https {}
}
}
} |
Server Authentication
HTTPS Keystore and Truststore Locations
See the JS7 - Agent Configuration Items#js7-web-https-keystore article for an explanation of the setting.
| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7keystore {
web {
# Default: ${js7.config-directory}"/private/https-keystore.p12"
and truststore location for https connections
https file=${js7.config-directory}"/private/https-keystore.p12"
key-password=jobscheduler
keystore {
store-password=jobscheduler
# Default: ${js7.config-directory}"/private/https-keystore.p12"
truststores=[
file=${js7.config-directory}"/private/https-keystore.p12"
{
key-password="jobscheduler"
# Default: ${js7.config-directory}"/private/https-truststore.p12"
store-password="jobscheduler"
# alias=
file=${js7.config-directory}"/private/https-truststore.p12"
}
store-passwordtruststores=jobscheduler[
}{
] # Default: ${js7.config-directory}"/private/https-truststore.p12"
}
}
} |
Explanation:
- The configuration file is located with the
sos-berlin.com/js7/agent/config_<port>/private folder. - Consider that the above configuration has to be deployed to any Agent instances.
- Find below explanations about above configuration items relevant to Server Authentication with passwords.
Specify Distinguished Names
Controller Connections
| Code Block |
|---|
| language | yml |
|---|
| linenumbers | true |
|---|
|
js7 { file=${js7.config-directory}"/private/https-truststore.p12"
auth {
# User accounts for https connections
store-password="jobscheduler"
users {
# alias=
# Controller account for connections by primary/secondary Controller instance}
Controller {]
}
distinguished-names=[}
} |
Signed Scheduling Objects
Locations of Public Keys and Certificates for Signature Verification
See the JS7 - Agent Configuration Items#js7-configuration-trusted-signature-keys article for an explanation of the setting.
| Code Block |
|---|
| language | text |
|---|
| title | Default configuration: assign directories for trusted certificates |
|---|
| linenumbers | true |
|---|
|
# Security configuration
js7 {
configuration {
# Locations of certificates and public "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
keys used for signature verification
"DNQ=SOS CA, CN=controllertrusted-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"signature-keys {
PGP=${js7.config-directory}"/private/trusted-pgp-keys"
]
}X509=${js7.config-directory}"/private/trusted-x509-keys"
}
}
} |
Explanation:
...
Script Execution from Signed Workflows
See the JS7 - Agent Configuration Items#js7-job-execution-signed-script-injection-allowed article for an explanation of the setting.
| Code Block |
|---|
| language | text |
|---|
| title | Default configuration: enable script execution from signed workflows |
|---|
| linenumbers | true |
|---|
|
# Allow http connections without authentication
js7.job.execution.signed-script-injection-allowed = yes
|
...