...

Digital signing is applied to Workflows, File Order Sources and Job Resources when performing JS7 - Deployment.

  • The signing process is performed by JOC Cockpit and includes:
    • assigning the user a private key and a certificate (X.509) or a public/private key pair (PGP), and
    • creating a signature from the JSON representation of the respective inventory object by use of the user's private key.
  • The verification process is performed by the Controller and Agents to which the respective workflow and job are assigned:
    • Both Controller and Agents look up available X.509 certificates and PGP public keys from files with the following locations:
      • Unix
        • X.509 certificates: ./config/private/trusted-x509-keys
        • PGP public key: ./config/private/trusted-pgp-keys
      • Windows
        • X.509 certificates: .\config\private\trusted-x509-keys
        • PGP public key: .\config\private\trusted-pgp-keys
    • If a certificate or public key is found then the signature of the deployed object is verified like this:
      • X.509: 
        • the Root CA certificate or Intermediate CA certificate that was originally used to sign the user's certificate has to be in place, or
        • the user's certificate has to be in place.
        • Using the Root CA certificate or Intermediate CA certificates simplifies certificate management, as only a single certificate file has to be present with any Controller or Agent instance. At the same time, security-aware administrators might prefer to deploy individual user certificates to Controller and Agent instances for more fine-grained control over which Agents a specific user is allowed to deploy workflows and other objects to.
      • PGP: the public key available for the given user who signed the deployed object has to be present.
    • Controller and Agent instances make use of any certificate files and public key files found in the directories mentioned above. If none of the files matches the signature of a deployable object then deployment is denied.
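The following script is an added example, not JS7 code, that emulates the signing step performed by JOC Cockpit and the trust lookup described for Controller and Agent: a signature is created over the JSON representation of an inventory object with the user's private key, and verification walks every file in trusted-x509-keys, accepting the object only if some file is either the user's own certificate or a CA that issued it and the signature then checks out. It assumes that the deployed object carries its JSON, a detached RSA/SHA-256 signature and the signer's certificate (an assumption for this example), and it constructs all key material, the directory layout and the sample workflow JSON locally with OpenSSL:

```shell
#!/bin/sh
# Added example, not JS7 code: emulates the X.509 trust-store lookup described above.
# Assumptions: the deployed object carries its JSON, a detached RSA/SHA-256 signature
# and the signer's X.509 certificate; all key material below is constructed here.
set -e
WORK=$(mktemp -d)
TRUST="$WORK/config/private/trusted-x509-keys"   # Unix trust directory named on the page
mkdir -p "$TRUST"

# Constructed PKI: a Root CA, a user certificate issued by it, and an unrelated self-signed cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=deploy-user" \
  -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/user.crt" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=stranger" \
  -keyout "$WORK/stranger.key" -out "$WORK/stranger.crt" >/dev/null 2>&1

# Constructed inventory object and the signature JOC Cockpit would create with the user's private key.
printf '{"path":"/example/workflow","versionId":"1"}' > "$WORK/workflow.json"
openssl dgst -sha256 -sign "$WORK/user.key" -out "$WORK/workflow.sig" "$WORK/workflow.json"

# SHA-256 fingerprint of a certificate file; empty output if the file is not a certificate
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null || true; }

# verify_deployment JSON SIG SIGNER_CERT TRUSTDIR
# Returns 0 if some trusted file is the signer's own certificate or a CA that issued it
# AND the signature checks out with the signer's public key; 1 otherwise (deployment denied).
verify_deployment() {
  json=$1; sig=$2; signer=$3; trustdir=$4
  pub=$(mktemp)
  for trusted in "$trustdir"/*; do
    [ -f "$trusted" ] || continue
    if [ "$(fingerprint "$trusted")" = "$(fingerprint "$signer")" ]; then
      : # trusted file is the user's certificate itself (fine-grained, per-user trust)
    elif openssl verify -CAfile "$trusted" "$signer" >/dev/null 2>&1; then
      : # trusted file is the Root/Intermediate CA that issued the user's certificate
    else
      continue
    fi
    openssl x509 -in "$signer" -pubkey -noout > "$pub"
    if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$json" >/dev/null 2>&1; then
      rm -f "$pub"; return 0
    fi
  done
  rm -f "$pub"; return 1
}

# set_trust FILE...  replaces the trust store contents (empty store when called without arguments)
set_trust() { rm -f "$TRUST"/*; for f in "$@"; do cp "$f" "$TRUST/"; done; }

# deploy_outcome FILE...  prints "accepted" or "denied" for the user's signed workflow,
# with the given files as the trust store
deploy_outcome() {
  set_trust "$@"
  if verify_deployment "$WORK/workflow.json" "$WORK/workflow.sig" "$WORK/user.crt" "$TRUST"; then
    echo accepted
  else
    echo denied
  fi
}

# tampered_outcome  prints the result when the JSON was altered after signing (Root CA trusted)
tampered_outcome() {
  set_trust "$WORK/ca.crt"
  printf '{"path":"/example/workflow","versionId":"2"}' > "$WORK/tampered.json"
  if verify_deployment "$WORK/tampered.json" "$WORK/workflow.sig" "$WORK/user.crt" "$TRUST"; then
    echo accepted
  else
    echo denied
  fi
}

echo "empty trust store:    $(deploy_outcome)"                      # denied
echo "Root CA trusted:      $(deploy_outcome "$WORK/ca.crt")"       # accepted
echo "user cert pinned:     $(deploy_outcome "$WORK/user.crt")"     # accepted
echo "unrelated cert only:  $(deploy_outcome "$WORK/stranger.crt")" # denied
echo "tampered JSON:        $(tampered_outcome)"                    # denied
```

The two accepting cases show the trade-off the page describes: trusting the Root CA lets any certificate issued by that CA deploy, while placing only the user's certificate in the directory restricts deployment to that user. The last two cases show the deny path when no trusted file matches the signer and when the JSON no longer matches the signature.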

...

JOC Cockpit is installed for one of the following security levels (see JS7 - Security Architecture):

Depending on the JOC Cockpit security level in use the signing process includes the following steps:

...