Introduction
- HTTPS Server Authentication is preferably used in combination with Client Authentication (mutual authentication) as this allows a secure configuration without use of passwords.
- The purpose of Server Authentication is to secure the identity of an http server and to encrypt the communication between client and server.
- The purpose of Client Authentication is to prove the identity of a client. Without proof of identity any http client could perform a man-in-the-middle attack e.g. by pretending to be a Controller that connects to an Agent.
- Consider the communication scheme between JS7 components as explained in the JS7 - System Architecture article:
- User browsers acting as http clients establish connections to JOC Cockpit as an http server.
- JOC Cockpit acting as an http client establishes connections to Controllers acting as http servers.
- Controllers acting as http clients establish connections to Agents acting as http servers.
Controller Configuration
Configuration File: private.conf
Download: private.conf
Explanation:
- The configuration file is located in the sos-berlin.com/js7/controller/config/private folder.
- Consider that the above configuration has to be deployed to both Controller instances should a Controller Cluster be used.
- Find below explanations about configuration items from the above example relevant to Server Authentication with passwords.
Specify Distinguished Names
Controller Connections
    js7 {
        auth {
            # User accounts for HTTPS connections
            users {
                # Controller account for connections by primary/secondary controller instance
                Controller {
                    distinguished-names=[
                        "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                    ]
                }
            }
        }
    }
Explanation:
- This setting applies if a Controller Cluster is used. In this situation a Primary Controller requires the above setting to allow access from a Secondary Controller and vice versa.
- This setting specifies the distinguished name indicated with the partner Controller's Client Authentication certificate. The certificate acts as a replacement for a password.
- A Primary Controller configuration specifies the distinguished name of the Secondary Controller's Client Authentication certificate.
- A Secondary Controller configuration specifies the distinguished name of the Primary Controller's Client Authentication certificate.
JOC Cockpit Connections
    js7 {
        auth {
            # User accounts for HTTPS connections
            users {
                # History account (used to release events)
                History {
                    distinguished-names=[
                        "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                        "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                    ]
                    password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
                }
                # JOC account (requires UpdateRepo permission for deployment)
                JOC {
                    distinguished-names=[
                        "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                        "DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                    ]
                    password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                    permissions=[ UpdateItem ]
                }
            }
        }
    }
Explanation:
- This setting applies to the connection established from one or more JOC Cockpit instances to a Controller. JOC Cockpit can be used with a cluster including two or more instances.
- This setting specifies the distinguished name indicated with the respective JOC Cockpit's Client Authentication certificate. The certificate acts as a replacement for a password. For each JOC Cockpit instance the distinguished-name is specified that is stated with the JOC Cockpit's certificate.
- Two entries are available for js7.auth.users.History and js7.auth.users.JOC:
  - History represents the JS7 - History Service that updates state transitions of orders and log output of jobs to the JS7 database.
  - JOC represents the JOC Cockpit Proxy Service that establishes the connection to a Controller and that is used to provide current information about orders to the JOC Cockpit GUI, in addition to e.g. deployment of workflows and submission of orders.
- In addition, permissions are specified for JOC Cockpit instances: the UpdateItem setting indicates that JOC Cockpit instances are allowed to add/update/delete deployable objects such as workflows.
Specify Keystore and Truststore Locations
    js7 {
        web {
            # disable use of client authentication certificates
            server {
                auth {
                    https-client-authentication=off
                }
            }
        }
    }
Explanation:
- By default Client Authentication is required if Server Authentication is in place.
- The above setting disables Client Authentication.
Agent Configuration
Configuration File: private.conf
Download: private.conf
Explanation:
- The configuration file is located in the sos-berlin.com/js7/agent/config_<port>/private folder.
- Consider that the above configuration has to be deployed to any Agent instances.
- Find below explanations about the above configuration items relevant to Server Authentication with passwords.
Specify Controller ID and Password
    js7 {
        auth {
            # User accounts for https connections
            users {
                # Controller account for connections by primary/secondary Controller instance
                js7_dev {
                    password="plain:secret"
                    # password="sha512:$JhbM9ClpBpH2oB2O$qmWRbhOAfNHbmz3bp1AV.ATV0WIKVdZp3ceVXJZc.GHX4L7/iWJB7RGpzjZ2JzvbdPBtlpCFy8CLvYpKoBBKP/"
                }
            }
        }
    }
Explanation:
- In this example js7_dev is the Controller ID used by a solo Controller or by a Controller Cluster. A Controller is assigned a unique Controller ID during initial operation. The Controller ID cannot be changed unless the Controller's journal is reset.
- The password for the Controller ID in the Agent configuration is the same as stated with the Controller configuration.
- The password has to be preceded with "plain:" if a plain text password is used.
- The password has to be preceded with "sha512:" if a password hashed with this algorithm is used.
- There are a number of ways to create sha512 hash values from passwords.
- One possible approach is to use: openssl passwd -6
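As an added example (not JS7 code) that models the account lookup described in the distinguished-names section for the Controller and in the password section for the Agent above: a client is mapped to a private.conf account either by the exact distinguished name of its client certificate or by a user name with a "plain:" or "sha512:" password, and permissions such as UpdateItem are then read from that account. The sha512: check assumes that the 128-hex-character form shown in the JOC Cockpit example is the hex SHA-512 digest of the password; that is an assumption, and the crypt-style value produced by openssl passwd -6 is not handled.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed model of the private.conf accounts on this page (not JS7 code). The
# sha512: branch assumes a hex SHA-512 digest; "openssl passwd -6" output is not handled.

@dataclass
class Account:
    distinguished_names: list = field(default_factory=list)
    password: str = ""  # "" means: no password login for this account
    permissions: list = field(default_factory=list)

def make_sha512_entry(password):
    """Build a 'sha512:<HEX>' private.conf value from a plain password."""
    return "sha512:" + hashlib.sha512(password.encode()).hexdigest().upper()

def verify_password(entry, candidate):
    """Check a candidate against a 'plain:' or 'sha512:' password entry."""
    scheme, _, value = entry.partition(":")
    if scheme == "plain":
        expected, presented = value.encode(), candidate.encode()
    elif scheme == "sha512":
        expected = value.lower().encode()
        presented = hashlib.sha512(candidate.encode()).hexdigest().encode()
    else:
        return False  # unknown scheme: reject instead of guessing
    return hmac.compare_digest(expected, presented)  # constant-time compare

def authenticate(accounts, client_dn=None, user=None, password=None):
    """Map a client to an account name, or None. A client certificate DN
    (mutual authentication) must equal a configured distinguished-name;
    without a certificate, user/password is checked instead."""
    if client_dn is not None:
        return next((n for n, a in accounts.items()
                     if client_dn in a.distinguished_names), None)
    acct = accounts.get(user)
    if acct is None or not acct.password or password is None:
        return None
    return user if verify_password(acct.password, password) else None

def has_permission(accounts, name, permission):
    return name is not None and permission in accounts[name].permissions

JOC_DN = "DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
CTRL_DN = "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
ACCOUNTS = {  # constructed sample: DNs from the page, passwords made up
    "Controller": Account([CTRL_DN]),
    "JOC": Account([JOC_DN], make_sha512_entry("secret"), ["UpdateItem"]),
    "js7_dev": Account(password="plain:secret"),
}
```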
Disable Client Authentication
    js7 {
        web {
            # disable use of client authentication certificates
            server {
                auth {
                    https-client-authentication=off
                }
            }
        }
    }
Explanation:
- By default Client Authentication is required if Server Authentication is in place.
- The above setting disables Client Authentication.