JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 8

changes.mady.by.user Alan Amos

Saved on

compared with

New Version Current

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Configuring the Controller

Note that it is not necessary to configure the Controller - it runs out-of-the-box. The default configuration:

...

  • deployment of objects with digital signatures which can be used to restrict and verify who deploys a given object such as a workflow.
  • HTTPS connections that encrypt communication and include mutual authentication with certificates - without the use of passwords.

Compliance: Use of Signing Certificates

Controller instances accept deployments for a number of objects such as workflows from a JOC Cockpit instance only if such objects are digitally signed.

...

  • If X.509 private keys are used for the signing of objects then the Root CA Certificate or Intermediate CA Certificate that was used to sign the relevant private key has to be in place with the Controller.
  • If PGP private keys are used for the signing of objects then the public key matching the signing key has to be in place with the Controller.
  • The Controller expects certificates/public keys in the following locations:
    • X.509 Certificates
      • Location:
        • Windows: C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\trusted-x509-keys
        • Unix: /var/sos-berlin.com/js7/controller/var/config/private/trusted-x509-keys
      • The expected X.509 certificate format is PEM. Certificates can be added from any file names with the extension .pem.
      • Note that instead of individual certificates for each signing key, the Root CA Certificate or Intermediate CA Certificate that was used to sign the private keys is sufficient.
    • PGP Public Keys
      • Location:
        • Windows: C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\trusted-pgp-keys
        • Unix: /var/sos-berlin.com/js7/controller/var/config/private/trusted-pgp-keys
      • PGP public keys are expected in ASCII armored format. They can be added from any file names with the extension .asc.
      • Note that for each PGP private key that is used for signing, the corresponding public key has to be available with the Controller instance.
    • By default the Controller ships with an X.509 certificate of SOS that matches the default signing key available with the JOC Cockpit root account.
  • In order to add individual certificates/public keys, add the relevant files to the location specified above according to the key type. To revoke certificates/public keys accordingly remove the relevant files from the location specified above for the key type.
  • The locations for certificates/public keys specified above can be accessed from the Docker volume specified with the --mount option for the Controller's container directory /var/sos-berlin.com/js7/controller/var/config. The locations for X.509 certificates and PGP public keys are available from sub-directories.

Security: Use with HTTPS Connections

The Controller is prepared by default for connections with JOC Cockpit instances using the HTTP and the HTTPS protocols. 

...

Info
titleKeystore, Truststore and Configuration out-of-the-box

If you are new to certificate management or are looking for a solution that works out-of-the-box then you can use the configuration from the download archives linked below:

  • Download
  • The archives include the folders:
    • config.http
      • This folder includes the controller.conf configuration file and the private sub-directory with signing certificates.
      • The contents of this folder corresponds to what you get with the default installation of an Agent.
    • config.https
      • This folder includes the controller.conf configuration file and the private sub-directory with signing certificates and private.conf, keystore and truststore files.
      • The private key and certificate is created by SOS and works for use with Docker containers that have been started with the following hostnames:
        • js7-agent-primary
        • js7-agent-secondary
        • js7-controller-primary
        • js7-controller-secondary
      • As the private key is publicly available you should not consider this to be a solution for securing your HTTPS connections. However, for evaluation purposes it saves the effort of creating and signing key pairs.
    • To apply the configuration, replace the contents of the config folder that is mounted to a Controller container with the contents of the config.http or config.https folders as required.

Provide Keystore, Truststore and Configuration for Mutual Authentication

Connections to Controller instances are established from a JOC Cockpit instance. If the HTTPS protocol is to be used then, in addition to securing the communication channel, the Controller instance requires mutual authentication.

Controller Keystore and Truststore

  • The Controller instance's private key has to be created for Server Authentication and Client Authentication extended key use.
  • The Controller instance is provided with:
    • a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
    • a truststore that holds the certificate chain - consisting of the Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller's certificate.
  • Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
    • Keystore
      • Windows: C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\https-keystore.p12
      • Unix: /var/sos-berlin.com/js7/controller/var/config/private/https-keystore.p12
    • Truststore
      • Windows: C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\https-truststore.p12
      • Unix: /var/sos-berlin.com/js7/controller/var/config/private/https-truststore.p12

Controller Configuration

  • The following configuration items have to be added to the Controller instance's private.conf configuration file. For details see the JS7 - Controller Configuration Items article.
    • Mutual Authentication
      • Code Block
        languagebash
        titleController Configuration for Mutual Authentication
        linenumberstrue
        js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary JOC Cockpit instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=js7-joc-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=js7-joc-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
      • This setting specifies the distinguished names which are available from the subjects of JOC Cockpit certificates. Note that the common name (CN) attribute specifies the hostname of a JOC Cockpit instance. The configuration authenticates a given JOC Cockpit instance as the distinguished name is unique for the server certificate and therefore replaces the use of passwords.
    • Keystore and truststore locations:
      • Code Block
        languagebash
        titleController Configuration for Keystore and Truststore Locations
        linenumberstrue
        js7 {
    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password="jobscheduler"
                store-password="jobscheduler"
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password="jobscheduler"
                }
            ]
        }
    }
}
      • The configuration items described above specify the locations of keystore and truststore.
      • Note the optional use of a key password and store password for keystores and the use of a store password for truststores.

Run Controller Container for HTTPS Connections

The following additional arguments are required for HTTPS connections:

...

  • --publish The Controller image is prepared to accept HTTPS requests on port 4443. If the Controller instance is not operated in a Docker container network, then an outside port of the Docker container's host has to be mapped to the inside HTTPS port 4443. The same port has to be assigned the RUN_JS_HTTPS_PORT environment variable.
  • --env=RUN_JS_HTTPS_PORT The port assigned to this environment variable is the same as the inside HTTPS port specified with the --publish option.

...

  • When using HTTPS connections, consider to dropping the HTTP port of the Controller instance by omitting the following from the settings listed above:
    • --publish=15444:4444 This mapping should be dropped in order to prevent incoming traffic to the Controller instance's HTTP port.

High Availability: Operating a Cluster

The Controller can be operated as a passive cluster for high availability. 

...