JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 25

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 26

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • By default mutual authentication is in place.
    • The Controller verifies the Agent's Server Authentication certificate.
    • The Controller is challenged by the Agent to present its Client Authentication certificate which is then verified by the Agent.
    • If a Controller Cluster is used then connections from both Controller instances are authenticated by the Distinguished Name of the Controller instance's Client Authentication certificate.

  • The JS7_AGENT_CONFIG_DIR/private/private.conf configuration file should include authentication details like this:

    Code Block
    titleExample for private.conf file specifying Controller authentication
    js7 {
    auth {
        users {
            # Controller ID for connections by primary/secondary Controller instance
            jobscheduler {
                distinguished-names=[
                    "DNQ=SOS CA, CN=primary_controller_client, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=secondary_controller_client, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}


    Explanation:
    • The jobscheduler account is an example of a Controller ID that is specified during Controller installation.
    • The distinguished-names property allows the addition of a number of Distinguished Names as available from the subject of Client Authentication certificates that are used by Controller instances when connecting to the Agent.
      • Except for whitespace between attributes the precise sequence and values as available from the certificate's subject has to match this property value.
      • Distinguished Names can be displayed in different flavors. JS7 makes use of RFC2253 compliant Distinguished Names. The following command can be executed to verify the Distinguished Name from a given certificate file:
        • openssl x509 -in <controller-cert.pem> -noout -nameopt RFC2253 -subject
        • The output that you receive - except for a subject: or subject= prefix - should be used as the Controller's Distinguished Name
      • Sample Output:
        • subject= ST=Berlin,OU=JS7,O=SOS,L=Berlin,C=DE,CN=centostest-primary
        • The prefix subject= has to be omitted from the Distinguished Name.

Step 3: Setting up the Agent Instance Start Script for HTTPS

...