JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 10

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 11

changes.mady.by.user Alan Amos

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Profiles include a number of categories such as Preferences, Permissions etc.
  • The Profile includes settings used for digitally signing objects such as workflows for JS7 - Deployment.
  • The underlying security requirements are explained with in the JS7 - Secure Deployment article.

The JS7 - Security Architecture suggests to operate that the JOC Cockpit in is operated with one of the following security levels:

  • Security Level Low
    • Inventory objects are automatically signed with the private key that is stored with the root account.
    • Signing is automatically applied when performing the Deploy operation.
    • The Profile page for Signature Key Management is available only for the user account only that is specified as the default profile account with in the JS7 - Settings, chapter: JOC Cockpit Settings.
  • Security Level Medium
    • Inventory objects are automatically signed with the private key that is stored with the current user's account.
    • Signing is automatically applied when performing the Deploy operation.
    • The Profile page for Signature Key Management is available individually for any user account holding a Deploy permission, see JS7 - Default Roles and Permissions.
  • Security Level High
    • Inventory objects are signed outside of JOC Cockpit.
    • As a consequence no A Profile page for Signature Key Management is not available.

The article is intended for a security-aware audience that is technically familiar with digital key management. JS7 supports both X.509 and PGP certificates, the following explanations descriptions are focused on the use of X.509 certificates.

...

The Profile page is accessible from the user menu of an account in the upper right upper hand corner of any JOC Cockpit view:

...

The Profile page offers a number of sub-views. The following section explains describes the Signature Key Management sub-view.

...

The Signature Key Management sub-view offers allows configuration of the following settings:

CA Certificate

Users have the option to to:

  • use a CA-signed certificate
    • created by the JS7 - Certificate Authority available with JOC Cockpit,
    • created by their own or by a trusted 3rd-party Certificate Authority,
  • use a self-signed certificate.

Use The use of CA certificates includes that means that:

  • the CA Certificate is required to verify the user account's private key and certificate for digital signing when performing deployments.
    • This includes to check checking that the user account's certificate is signed with the given CA Certificate or a later CA Intermediate Certificate.
    • This includes to check checking expiration dates of certificates.
    • Depending on whether the fact that the JS7 Certificate Authority or an external Certificate Authority is used the used, the respective CA Certificate has to be added to the user account's Profile.
  • for an X.509 CA Certificate (Root CA Certificate or Intermediate CA Certificate) the certificate's subject is displayed.

Operations for CA Certificates include to:

  • view viewing the CA Certificate by use of Certificate using the  icon,update
  • updating the CA Certificate by use of using the  icon,
  • import importing the CA Certificate by use of using the  icon.

View CA Certificate

...

  • If a user's certificate is signed by a Certificate Authority then it is sufficient to rollout the CA Certificate to the Controller and Agent instances to which the user should be entitled to deploy scheduling object such as workflows.
  • if If a user's certificate is self-signed then the user's certificate has to be rolled out to Controller to the Controller and Agent instances to which the user should be entitled to perform deployments.

...

  • Use of the built-in JS7 Certificate Authority
    • The JOC Cockpit offers to sign provides the option of digitally signing a user account's public key for digital signing from its built-in CA, see JS7 - Certificate Authority
    • In a single operation users Users can generate a private/public key pair and make the JS7 Certificate Authority sign their public key to a certificate in a single operation.
  • Use of an external Certificate Authority
    • If an external CA should is to be consulted then users have to create a Certificate Signing Request (CSR) outside of the JOC Cockpit and make their external CA sign this request. The resulting certificate can be added to the user's Profile in JOC Cockpit.
  • If users do not operate a CA or do not dispose of certificates then they can continue to use the default private key and certificate that ship with the JOC Cockpit.
    • In this situation by default only the root account only can be used to deploy scheduling objects such as workflows which suggests to operate operating the JOC Cockpit for Security Level Low as the root account's key and certificate will be used for signing deployments by any users user accounts.
    • For a The Security Level Medium each means that each user account has to be equipped with a private key and certificate.

Operations for the user account's private key and certificate include to:

  • view viewing the private key and certificate by use of using the  icon,update
  • updating the private key and certificate by use of certificate using the  icon,import
  • importing the private key by use of key using the  icon,generate
  • generating the private key by use of key using the  icon.

View Key and Certificate

...

A user account's private key can be created by an external CA and can be imported from a file like this:


Consider Note that an X.509 certificate matching the user account's private key has to be signed by a CA and has to be added by use of using the Update Key and Certificate operation as explained above.

...

  • When choosing Key Algorithm PGP or RSA then only a private key only is will be created.

    • Consider Note that an X.509 certificate matching the user account's public key is signed by an external CA and has to be added by use of using the Update Key and Certificate operation as explained above.

  • When choosing Key Algorithm ECDSA then a private key is created and a CA-signed certificate is created if the JS7 Certificate Authority is in use.

...