Introduction
- HTTPS Server Authentication is preferably used in combination with Client Authentication (mutual authentication), as this allows a secure configuration without the use of passwords.
- The purpose of Server Authentication is to prove the identity of an http server and to encrypt the communication between client and server.
- The purpose of Client Authentication is to prove the identity of a client. Without proof of identity any http client could perform a man-in-the-middle attack, e.g. by pretending to be a Controller that connects to an Agent.
- Consider the communication scheme between JS7 components as explained in the JS7 - System Architecture article:
- User browsers acting as http clients establish connections to JOC Cockpit acting as an http server.
- JOC Cockpit acting as an http client establishes connections to Controllers acting as http servers.
- Controllers acting as http clients establish connections to Agents acting as http servers.
- We recommend applying mutual authentication; however, there might be reasons why use of Client Authentication is not an immediate option, e.g.:
- Use of a wildcard certificate for Server Authentication reduces the effort of certificate management. At the same time such certificates cannot be used for Client Authentication.
- Should mutual authentication not be an immediate option, then the recommendations from this article for the handling of passwords apply.
Controller Configuration
Download: private.conf
Explanation:
- Consider that the above configuration has to be deployed to both Controller instances should a Controller Cluster be used.
- Find below explanations about configuration items relevant to both Client and Server.
Specify Agent ID and Password
js7 {
    auth {
        # for each Agent specify Agent ID and plain text password for authentication
        agents {
            agent-dev-001="secret"
            agent-dev-002="secret"
        }
    }
}
Explanation:
- For each Agent the Agent ID is specified. An Agent is assigned a unique Agent ID during initial operation that cannot be changed.
Disable Client Authentication
js7 {
    web {
        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}
Explanation:
- By default Client Authentication is required if Server Authentication is in place.
- The above setting disables Client Authentication.
Agent Configuration
Download: private.conf
Explanation:
- Consider that the above configuration has to be deployed to all Agent instances.
- Find below explanations about configuration items relevant to an Agent.
Specify Controller ID and Password
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            js7_dev {
                password="plain:secret"
            }
        }
    }
}
Explanation:
- In this example js7_dev is the Controller ID used by a standalone Controller or by a Controller Cluster. A Controller is assigned a unique Controller ID during initial operation. The Controller ID cannot be changed.
- The password for the Controller ID in the Agent configuration is the same as stated in the Controller configuration.
- The password has to be preceded with "plain:" if a plain text password is used.
- The password has to be preceded with "sha512:" if a hashed password is used.
- There are a number of ways to create a sha512 hash value from a password.
- A possible solution includes:
openssl passwd -6
Disable Client Authentication
js7 {
    web {
        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}
Explanation:
- By default Client Authentication is required if Server Authentication is in place.
- The above setting disables Client Authentication.
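The following Python script is an added example and is not part of this article or of the JS7 product; it shows how the Controller and Agent private.conf fragments above can be read and checked before deployment. It parses only the HOCON subset these fragments use (nested braces, key=value pairs, dotted keys, "#" and "//" comments), flags an Agent configuration that disables Client Authentication or still stores a "plain:" password, and cross-checks that the password the Controller holds for an Agent ID matches the Agent's user account for the Controller ID. The sample fragments, the function names and the "sha512:$6$PLACEHOLDERSALT$PLACEHOLDERHASH" value are constructed for the example; a real hash would be the output of openssl passwd -6.

```python
"""Parse JS7-style private.conf fragments (HOCON subset) and audit the password settings.

Added example; not JS7 project code. Supports only the constructs used in the article:
nested objects, key=value, dotted keys, quoted or bare values, '#' and '//' comments.
"""

PLAIN, HASHED = 'plain:', 'sha512:'   # password prefixes described in the article


def tokenize(text):
    """Split text into '{', '}', '=' and ('str'|'bare', value) tokens; ',' and whitespace separate."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace() or c == ',':
            i += 1
        elif c == '#' or text.startswith('//', i):        # comment runs to end of line
            j = text.find('\n', i)
            i = n if j < 0 else j
        elif c in '{}=':
            tokens.append(c)
            i += 1
        elif c == '"':                                     # quoted string, backslash escapes kept
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == '\\' else 1
            tokens.append(('str', text[i + 1:j]))
            i = j + 1
        else:                                              # bare key or value such as off
            j = i
            while j < n and not text[j].isspace() and text[j] not in '{}=,"#':
                j += 1
            tokens.append(('bare', text[i:j]))
            i = j
    return tokens


def _merge(dst, src):
    """Deep-merge src into dst, the way HOCON merges repeated object keys."""
    for k, v in src.items():
        if isinstance(v, dict) and isinstance(dst.get(k), dict):
            _merge(dst[k], v)
        else:
            dst[k] = v
    return dst


def _parse_object(tokens, pos):
    """Parse tokens following a '{'; return (dict, index after the matching '}')."""
    obj = {}
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == '}':
            return obj, pos + 1
        if not isinstance(tok, tuple):
            raise ValueError(f'unexpected token {tok!r} at {pos}')
        key, pos = tok[1], pos + 1
        if tokens[pos] == '=':            # key = value  or  key = { ... }
            pos += 1
        if tokens[pos] == '{':            # nested object, with or without '='
            value, pos = _parse_object(tokens, pos + 1)
        else:
            value, pos = tokens[pos][1], pos + 1
        path = key.split('.')             # js7.web.server.auth.x nests like explicit braces
        node = {path[-1]: value}
        for part in reversed(path[:-1]):
            node = {part: node}
        _merge(obj, node)
    raise ValueError('unterminated object')


def parse_conf(text):
    """Parse a whole private.conf fragment into nested dicts."""
    tokens = tokenize(text) + ['}']       # synthetic '}' closes the implicit top-level object
    obj, pos = _parse_object(tokens, 0)
    if pos != len(tokens):
        raise ValueError('trailing tokens after top-level object')
    return obj


def lookup(cfg, dotted_path, default=None):
    node = cfg
    for part in dotted_path.split('.'):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_agent_conf(cfg):
    """Findings for an Agent private.conf: Client Authentication disabled, plain text passwords."""
    findings = []
    if str(lookup(cfg, 'js7.web.server.auth.https-client-authentication', 'on')).lower() == 'off':
        findings.append('https-client-authentication=off: a Controller is identified by its password only')
    for user_id, entry in lookup(cfg, 'js7.auth.users', {}).items():
        password = entry.get('password', '') if isinstance(entry, dict) else ''
        if password.startswith(PLAIN):
            findings.append(f'{user_id}: plain text password in private.conf; store a sha512: hash instead')
        elif not password.startswith(HASHED):
            findings.append(f'{user_id}: password lacks the plain:/sha512: prefix')
    return findings


def cross_check(controller_cfg, agent_cfg, controller_id, agent_id):
    """Compare the Controller's password for agent_id with the Agent's account for controller_id.
    A hashed Agent-side password cannot be compared here; only its presence is checked."""
    issues = []
    controller_pw = lookup(controller_cfg, f'js7.auth.agents.{agent_id}')
    agent_entry = lookup(agent_cfg, f'js7.auth.users.{controller_id}')
    agent_pw = agent_entry.get('password') if isinstance(agent_entry, dict) else None
    if controller_pw is None:
        issues.append(f'Controller private.conf has no password for Agent ID {agent_id}')
    if agent_pw is None:
        issues.append(f'Agent private.conf has no user account for Controller ID {controller_id}')
    elif agent_pw.startswith(PLAIN) and controller_pw is not None and agent_pw[len(PLAIN):] != controller_pw:
        issues.append(f'password for {controller_id}/{agent_id} differs between Controller and Agent')
    return issues


# Constructed sample fragments in the shape shown in the article (not real deployments).
CONTROLLER_CONF = """
js7 {
    auth {
        # for each Agent specify Agent ID and password for authentication
        agents {
            agent-dev-001="secret"
            agent-dev-002="secret"
        }
    }
}
"""

AGENT_CONF_WEAK = """
js7 {
    auth {
        users {
            js7_dev { password="plain:secret" }
        }
    }
}
js7.web.server.auth.https-client-authentication=off
"""

# Hardened variant: hashed password (placeholder, not real openssl passwd -6 output) and
# Client Authentication left at its default.
AGENT_CONF_HARDENED = """
js7 {
    auth {
        users {
            js7_dev { password="sha512:$6$PLACEHOLDERSALT$PLACEHOLDERHASH" }
        }
    }
}
"""

if __name__ == '__main__':
    ctrl = parse_conf(CONTROLLER_CONF)
    for name, text in (('weak', AGENT_CONF_WEAK), ('hardened', AGENT_CONF_HARDENED)):
        agent = parse_conf(text)
        print(name, audit_agent_conf(agent), cross_check(ctrl, agent, 'js7_dev', 'agent-dev-001'))
```

Run the script against the two constructed Agent fragments: the weak one yields two findings (Client Authentication off, plain text password) and the hardened one yields none, while the cross-check confirms that the Controller's "secret" for agent-dev-001 agrees with the Agent's js7_dev account.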