- The JS7 - Identity Services provide local management of user accounts for authentication and authorization.
- The JOC Identity Service is a built-in service available from the JOC Cockpit
Identity Service Type
The following integration level is available from Identity Service Types that can be used with JOC:
|Identity Service||Identity Service Configuration Items||JOC Cockpit Configuration|
|Service Type||Built-in||User Accounts/Passwords|
|Roles->User Accounts Mapping|
|JOC||yes||JS7 Database||JOC Cockpit||JS7 Database||JOC Cockpit||Mapping of user accounts and roles with the JOC Cockpit|
- Service Type:
- Management of user accounts and passwords is performed using the JOC Cockpit.
- The assignment of roles to user accounts is performed using the JOC Cockpit.
- The JOC Cockpit stores user accounts, hashed passwords and role assignments.
Identity Service Configuration
The the Manage Identity Services page: icon in the JOC Cockpit main menu is used to select
Addition of an Identity Service
To add an Identity Service use the Add Identity Service button from the page above to list the available Identity Services:
The remaining input fields for the popup window look like this:
Identity Service Nameis a unique identifier that can be freely chosen.
Identity Service Typecan be selected as available from the matrix shown above.
Orderingspecifies the sequence in which a login is performed with the available Identity Services.
Requiredattribute specifies if login with an Identity Service is required to be successful, for example if a number of Identity Services are triggered on login with a user account.
Identity Service Authentication Schemeallows selection of:
single-factorauthentication: a user account and password are specified for login with the Identity Service.
two-factorauthentication: in addition to a user account and password, a Client Authentication Certificate is required, see JS7 - Certificate based Authentication
Password as single factor: if the single-factor
Authentication Schemeis selected then this switch specifies whether the user account and password can be used to login.
Certificate as single factor: if the single-factor
Authentication Schemeis selected then this switch specifies whether use of a certificate allows a login - without specification of a user account and password.
The Authentication Scheme allows a number of options for authentication with the JOC Cockpit:
- Two-factor authentication forces a user to provide both a user account/password and a certificate. As certificates are stored in the user's local certificate store they represent a factor that limits access to specific client devices that are equipped with a certificate store holding the given certificate. The user account/password is considered a factor that is in the user's mind.
- Single-factor authentication gives a choice of using either user account/password or certificate authentication methods.
Certificate based Authentication
- Certificate based Authentication makes use of the Common Name that is available from the certificate's subject and maps to the user account which is managed with the JOC Cockpit. Certificates cannot be used for authentication if the user account indicated by the Common Name has not been added to the Identity Service.
- When used with two-factor authentication then the certificate's Common Name has to exactly match the user account specified during login and has to be available for the JOC Cockpit.
- When used with single-factor authentication then the certificate's Common Name has to exactly match a user account available with the JOC Cockpit.
- Certificates act as a replacement for user accounts and passwords. This can be useful for external scripts and for JS7 jobs that access the JS7 - REST Web Service API and which should not store passwords with their configuration. For example the JS7 - Monitoring interface is provided for external scripts, e.g. for System Monitors, to check availability of JS7 products on a regular basis. Such scripts can use a certificate that maps to a JOC Cockpit user account with limited permissions to request the health status of JS7 products.
Identity Service Settings
No settings are required for use of the JOC Identity Service.
- Log Files
- Standard Log Files
- Identity Services log output to the
JETTY_BASE/logs/joc.logfile. This includes reports of authentication success or failure.
- Successful and failed authentication attempts and the user accounts involved are logged to the
- Identity Services log output to the
- Debug Log Files
- For problem analysis during setup of an Identity Service increase the log level as explained with JS7 - Log Levels and Debug Options.
JETTY_BASE/logs/joc-debug.logfile includes general debug output of JOC Cockpit.
JETTY_BASE/logs/authentication-debug.logfile includes debug output related to authentication and authorization.
JETTY_BASE/logs/jetty.logfile includes debug output of attempts to establish SSL connections.