Introduction

• JS7 components products are easy to install out-of-the-box. However, a number of configuration items have to be considered when operating JS7 for a secure environment.
• Secure operation is applied to the following areas:
  • Connection Management
    
    • Network Connections
    • Database Connections
  • Access Management
    • Authentication
    • Authorization
  • Credentials Management
    • Database Credentials
    • Job Credentials
• Secure operation includes users configuring JS7 components products in a compliance-conformant way.

Connection Management

JS7 components products use the following connections:

...

• All network connections make use of HTTP:
  • Connections by users to the JS7 - Browser User Interface
  • Connections by the PowerShell CLI to the JS7 - REST Web Service API
  • Connections by the JOC Cockpit to the JS7 Controller using the JS7 REST Web Service API
  • Connections by JS7 Controller instances to Agents
• Port Usage
  • The JOC Cockpit can be accessed at port 4446
  • The JOC Cockpit REST Web Service can be accessed at port 4446
  • The JS7 Controller uses port 4444
  • The JS7 Agent listens to port 4445
• Network Interface Usage
  • By default JS7 components products will listen to the above mentioned ports on any available network interfaces.
• Firewall Settings
  • Open ports in your firewall exclusively for the hosts, protocols and ports as specified above. Consider allowing connections only for the directions indicated in the diagram above.

...

• Configure network connections to use HTTPS:
  • Use of HTTPS includes providing valid certificates for the hosts that JS7 components products are operated for. Use of self-signed certificates is not recommended as they cannot be verified to a trusted source.
  • As HTTPS is limited to secure connections, additional authentication is required. In this case, a JS7 Controller instance is configured to authenticate with an Agent in order to guarantee that the Controller instance is in fact, what it claims to be and is entitled to access the Agent.
  • The JS7 - Secure Connections article explains the use of the built-in Certificate Authority and the use with external Certificate Authorities.
  • For detailed instructions for configuration see:
    • JS7 - JOC Cockpit HTTPS Connections, which explains HTTPS configuration for the JOC Cockpit and connection to the JS7 Controller.
    • JS7 - Controller HTTPS Connections
    • JS7 - Agent HTTPS Connections
• Restrict use of network interfaces:
  • Consider restricting JS7 components products to only listen to specific network interfaces.
  • The JS7 Controller can be configured by use of the --http_port and --https_port command line options to specify network interfaces, see the JS7 - Controller - Command Line Operation article for details.
    
  • The JS7 Agent can be configured by use of the --http-port and --https-port options to specify network interfaces, see JS7 - Agent Command Line Operation.
  • The JOC Cockpit can be similarly configured to only use specific network interfaces, see:
    • JS7 - JOC Cockpit Configuration for Containers
    • JS7 - JOC Cockpit Configuration Items

...

The JOC Cockpit is the only JS7 component product that uses a database.

Database connections are based on JDBC. If JDBC type 4 drivers are used then a DBMS client is not required for the operation of the JOC Cockpit. The Hibernate access layer is used for database access.

...

Access Management

Access to JS7 components products is centrally secured by the JS7 - REST Web Service API. This interface is used by the JS7 - Browser User Interface and by external applications using the REST API.

...

• Do not use passwords.
  • Users frequently ask if JS7 can encrypt credentials. The answer is "no" as it makes no sense to handle a symmetric key that is in reach of the component product that makes use of it. Encrypted passwords correspond to the "key under the mat". They do not provide additional security. However, they contribute perfectly to obfuscation.
  • There is one way only how to securely handle passwords: do not use them.
• Use Integrated Security
  • This authentication scheme is based on the fact that the account which a component product is operated for has already been authenticated and therefore can access a database without specifying user/password credentials.
  • This feature is available for a number of DBMS such as:
    • Microsoft SQL Server®, see the JS7 - How to connect to an SQL Server database without using passwords article.
    • Oracle® including support for Oracle® Wallet, see the JS7 - How to make JOC Cockpit connect to an Oracle database using Wallet® article.

...