Page History
...
- using HTTPS connections which are secured by private keys and certificates,
- using authentication between JS7 products:
    - Option 1 (recommended):
        - applying mutual authentication between Controller and Agent,
        - applying mutual authentication between Director Agent instances and Subagents in an Agent Cluster.
    - Option 2:
        - applying password authentication between components should mutual authentication not be in place.
Find examples of private.conf files for Agent configuration:
- Standalone Agent
    - Standalone Agents: private.conf-example-standalone-agent
- Agent Cluster
    - Primary Director Agent: private.conf-example-primary-director-agent
    - Secondary Director Agent: private.conf-example-secondary-director-agent
    - Subagents: private.conf-example-subagent
Standalone Agent Configuration
Find an example for download: private.conf-example-standalone-agent
Client Authentication with Controller
Consider that client authentication is an alternative to Password Authentication with Controller.
Code Block
# Security configuration
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }

    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }

    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }

    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password="jobscheduler"
                store-password="jobscheduler"
                # alias=
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password="jobscheduler"
                    # alias=
                }
            ]
        }
    }
}
Explanation:
- This setting applies to the use of an Agent with a Standalone Controller or with a Controller Cluster.
- Note that the Controller element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of Controller instances.
- The distinguished-names element identifies the Controller instance's Client Authentication certificate. The certificate acts as a replacement for a password.
- The Agent configuration specifies the distinguished names of the Controller instances that access the Agent by use of a Client Authentication certificate. For a Standalone Controller there is a single distinguished name, for a Controller Cluster each instance's distinguished name is specified.
- Note that the common name (CN) element in the distinguished name has to match the fully qualified domain name (FQDN) of a Controller instance's host.
The following command can be used to read the distinguished name from a certificate file:
Code Block: Example for OpenSSL command to read a certificate's distinguished name
# read distinguished name from the pairing Controller instance's certificate
openssl x509 -in centostest-secondary.crt -noout -nameopt RFC2253 -subject
# output is returned with a prefix "subject= " or similar that is not part of the distinguished name
# subject= DNQ=SOS CA,CN=director-2-0-secondary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE
Password Authentication with Controller
Consider that password authentication is an alternative to Client Authentication with Controller.
Code Block
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                password="plain:secret"
            }
        }
    }
}
Explanation:
- This setting specifies the password indicated with the Controller instance's js7.auth.agents configuration item. Passwords should be quoted.
- The password can be specified as plain text preceded by plain:.
- The password can be specified as a hashed value preceded by sha512:.
Director Agent Configuration
The following configuration applies to use of a Director Agent in a JS7 - Agent Cluster.
A single Director Agent instance and a Director Agent Cluster of two instances can be used. For a single Director Agent instance the explanations provided for the Primary Director Agent apply, settings related to a Secondary Director Agent should be omitted.
Find examples for download:
- Primary Director Agent: private.conf-example-primary-director-agent
- Secondary Director Agent: private.conf-example-secondary-director-agent
Client Authentication with Controller
Consider that client authentication is an alternative to Password Authentication with Controller.
The same settings apply as explained for Standalone Agents, see Client Authentication with Controller.
Client Authentication with pairing Director Agent Instance
Consider that client authentication is an alternative to Password Authentication with pairing Director Agent Instance.
Code Block
js7 {
    auth {
        # User accounts for https connections
        users {
            # Subagent ID of pairing Director Agent instance
            subagent-id {
                permissions = [ AgentDirector ]
                distinguished-names=[
                    "DNQ=SOS CA, CN=director-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}
Explanation:
- This setting applies to use of the Subagent component within a Director Agent instance in a JS7 - Agent Cluster.
- Note that the subagent-id element name is an example that has to be replaced by the Subagent ID of the pairing Director Agent instance which is specified during configuration of the Agent Cluster. This is not the Agent Cluster ID. For the private.conf file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa.
- The permissions element should be used as indicated.
- The distinguished-names element identifies the pairing Director Agent instance's Client Authentication certificate. The certificate acts as a replacement for a password.
- Note that the common name (CN) element in the distinguished name has to match the fully qualified domain name (FQDN) of a Director Agent instance's host.
The following command can be used to read the distinguished name from a certificate file:
Code Block: Example for OpenSSL command to read a certificate's distinguished name
# read distinguished name from the pairing Director Agent instance's certificate
openssl x509 -in centostest-secondary.crt -noout -nameopt RFC2253 -subject
# output is returned with a prefix "subject= " or similar that is not part of the distinguished name
# subject= DNQ=SOS CA,CN=director-2-0-secondary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE
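The openssl command above, and the identical one shown earlier for reading a Controller instance's certificate, prints the subject with a "subject=" prefix that must not be copied into private.conf, and the page requires the CN to match the host name of the peer. The following Python script is an added example, not part of the JS7 documentation or product: it strips the prefix, splits the RFC 2253 subject into attributes while honouring backslash escapes, refuses any certificate whose CN is not one of the expected host names, and renders the distinguished-names setting in the ", "-separated form the private.conf examples on this page use. The sample openssl output lines, the expected host names and all function names are constructed for the example; how JS7 itself compares distinguished names is not modelled here.

```python
import re
from typing import List, Tuple

# Constructed sample: lines in the shape "openssl x509 -noout -nameopt RFC2253 -subject"
# prints for the two Controller certificates used in the page's examples.
SAMPLE_OPENSSL_OUTPUT = [
    "subject=DNQ=SOS CA,CN=controller-2-0-primary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE",
    "subject= DNQ=SOS CA,CN=controller-2-0-secondary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE",
]

_SUBJECT_PREFIX = re.compile(r"^\s*subject\s*=\s*", re.IGNORECASE)


def strip_subject_prefix(line: str) -> str:
    """Drop the 'subject=' / 'subject= ' prefix; it is not part of the distinguished name."""
    return _SUBJECT_PREFIX.sub("", line.strip(), 1)


def split_rfc2253(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 DN into (attribute, value) pairs, keeping backslash escapes intact."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def common_name(dn: str) -> str:
    """Return the CN attribute of a DN; a certificate without one cannot be matched to a host."""
    for attr, value in split_rfc2253(dn):
        if attr.upper() == "CN":
            return value
    raise ValueError("no CN in distinguished name")


def cn_matches_fqdn(dn: str, fqdn: str) -> bool:
    """Page rule: the CN has to match the peer host's FQDN (compared case-insensitively)."""
    return common_name(dn).lower() == fqdn.lower().rstrip(".")


def to_private_conf_form(dn: str) -> str:
    """Re-join the attributes with ', ' as the private.conf examples on the page write them."""
    return ", ".join(f"{attr}={value}" for attr, value in split_rfc2253(dn))


def render_distinguished_names(openssl_lines: List[str], expected_fqdns: List[str]) -> str:
    """Build the distinguished-names=[...] setting from openssl output, rejecting unexpected CNs."""
    allowed = {f.lower().rstrip(".") for f in expected_fqdns}
    entries = []
    for line in openssl_lines:
        dn = strip_subject_prefix(line)
        cn = common_name(dn)
        if cn.lower() not in allowed:
            raise ValueError(f"CN {cn!r} is not one of the expected peer hosts")
        entries.append(to_private_conf_form(dn))
    body = ",\n".join(f'    "{entry}"' for entry in entries)
    return "distinguished-names=[\n" + body + "\n]"


if __name__ == "__main__":
    # Expected host names are constructed to match the sample certificates above.
    print(render_distinguished_names(
        SAMPLE_OPENSSL_OUTPUT, ["controller-2-0-primary", "controller-2-0-secondary"]))
```

Run the script on the real openssl output of each peer certificate and paste the printed block into the users section; the ValueError path is the check you want to fail loudly, because a certificate whose CN does not name the expected Controller or Director Agent host would otherwise be granted that peer's access.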
Password Authentication with Controller
Consider that password authentication is an alternative to Client Authentication with Controller.
The same settings apply as explained for Standalone Agents, see Password Authentication with Controller.
...
...
Code Block
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                password="plain:secret"
            }
        }
    }
}
Explanation:
...
Password Authentication with pairing Director Agent Instance
...
The following configuration applies to use of Subagents in a JS7 - Agent Cluster.
Find an example for download: private.conf-example-subagent
Client Authentication with Director Agent Instances
...