Introduction
A number of JITL job templates make use of the JS7 - REST Web Service API to retrieve information from JOC Cockpit:
The following prerequisites apply to operation of such JITL jobs:
- Network access from the Agent that executes the job to the JOC Cockpit instance,
- Availability of the Controller and of JOC Cockpit,
- Authentication and authorization with JOC Cockpit.
The job templates use a common mechanism for authentication with the JS7 - REST Web Service API
- by use of user account/password and/or
- by use of a certificate, for details see JS7 - Authentication.
Authentication
For authentication purposes the job templates make use of the Agent's ./config/private/private.conf file to find a number of configuration items that allow authentication:
    js7 {
        auth { ... }
        configuration { ... }
        job { ... }
        web { ... }

        api-server {
            # API Server URL
            url = [ "https://joc-2-0-primary:4443", "https://joc-2-0-secondary:4443", ]

            # Option 1: use of a Credential Store
            cs-file=${js7.config-directory}"/private/secret.kdbx"
            cs-key=${js7.config-directory}"/private/secret.key"
            cs-password="secret"

            # Option 1: use of references to credentials
            username="cs://myAccounts/joc@username"
            password="cs://myAccounts/joc@password"

            # Option 2: use of account and password
            # username="root"
            # password="root"
        }
    }
Explanation:
- The api-server configuration section specifies authentication details for JITL job templates and can occur in any position directly within the js7 configuration block.
- Configuration items available from this configuration section are explained in the following chapters.
Certificate Based Authentication
JS7 - Certificate based Authentication is configured with the ./config/private/private.conf file:
- The url configuration item is required; it specifies the URL of the JS7 REST Web Service API. Typically this corresponds to the JOC Cockpit URL.
  - Users can set up a number of JOC Cockpit instances that are clustered for automated fail-over.
  - Users can set up a load balancer that routes requests to a number of available JOC Cockpit instances.
  - For use with JITL job templates both active and standby JOC Cockpit instances can be used.
- No further configuration items are used.
- The Client Authentication Certificate has to be available from the keystore file indicated with the js7.web.https.keystore or js7.web.https.client_keystore settings.
  - This includes JOC Cockpit being configured to use a truststore that holds the Root CA Certificate and Intermediate CA Certificate that were used to sign the Agent's Client Authentication Certificate.
  - For details see JS7 - JOC Cockpit HTTPS Connections.
User Account / Password Authentication
User account/password authentication is configured with the ./config/private/private.conf file:
- The url configuration item is required as explained above.
- The username and password can be specified from the following options:
  - Option 1: Use of a JS7 - Credential Store
    - with the following settings:
      - cs-file: Specifies the path to a KeePass database file (required).
      - cs-key: Specifies the path to a KeePass key file (optional).
      - cs-password: Specifies the password for the KeePass database file (optional).
      - username: Specifies the path to the entry in the KeePass database that holds the account name (required).
      - password: Specifies the path to the entry in the KeePass database that holds the password (required).
    - with the recommendation to preferably use a KeePass key file (cs-key) to protect the KeePass database. It is basically pointless to protect a Credential Store with a password (cs-password) that is visible in the same configuration file: this is like putting the key under the mat. Use of a key file allows OS ownership and file permissions to be applied to protect the key file from visibility by 3rd parties.
  - Option 2: Use of user account and password
    - with the following settings:
      - username: Specifies the account name (required).
      - password: Specifies the plain text password (required).
    - with both settings being visible from the configuration file.
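An added example, not part of the JS7 documentation or product: a Python audit of the api-server section that reports the weaknesses described above (a plain text password, cs-password kept in the configuration file, a key file accessible beyond its owner). It assumes POSIX file permissions and a block whose closing brace sits on its own line; the function names and finding codes are hypothetical.

```python
import os
import re
import stat

# Constructed sample: the page's api-server section with a plain text password.
SAMPLE = '''js7 {
    api-server {
        url = [ "https://joc-2-0-primary:4443", "https://joc-2-0-secondary:4443", ]
        cs-file=${js7.config-directory}"/private/secret.kdbx"
        cs-key=${js7.config-directory}"/private/secret.key"
        cs-password="secret"
        username="cs://myAccounts/joc@username"
        password="root"
    }
}
'''

def api_server_settings(conf_text):
    """Return uncommented key/value pairs of the api-server block.
    Assumption: the block's closing brace sits on its own line."""
    block = re.search(r'api-server\s*\{(.*?)\n\s*\}', conf_text, re.S)
    settings = {}
    for line in (block.group(1) if block else '').splitlines():
        m = re.match(r'\s*([\w-]+)\s*=\s*(.+?)\s*$', line)
        if m:  # lines starting with '#' never match, so comments are skipped
            settings[m.group(1)] = m.group(2)
    return settings

def resolve(value, config_dir):
    """Expand ${js7.config-directory} and drop the HOCON quotes."""
    return value.replace('${js7.config-directory}', config_dir).replace('"', '')

def audit(conf_text, config_dir):
    """Return hypothetical finding codes for the weaknesses the page describes."""
    s, findings = api_server_settings(conf_text), []
    if 'password' in s and not resolve(s['password'], config_dir).startswith('cs://'):
        findings.append('plaintext-password')
    if 'cs-password' in s:
        findings.append('cs-password-in-config')
    if 'cs-file' in s and 'cs-key' not in s:
        findings.append('no-key-file')
    if 'cs-key' in s:
        path = resolve(s['cs-key'], config_dir)
        if not os.path.isfile(path):
            findings.append('key-file-missing')
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append('key-file-group-or-world-accessible')
    return findings
```

Call audit() with the text of private.conf and the Agent's configuration directory; an empty list means none of these conditions were found.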