JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user Alan Amos

Saved on

compared with

New Version 7

changes.mady.by.user Alan Amos

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • assumes deployment of objects , e.g. such as workflows and jobs, is not subject to compliance requirements such as non-repudiation.
  • specifies HTTP connections which are used to expose unencrypted communication between Controller instances and Agent. Authentication is performed by hashed passwords.

...

  • deployment of objects with digital signatures that can be used to restrict and to verify who deploys a given object such as a workflow.
  • HTTPS connections that encrypt communication and that which include mutual authentication by with certificates - without the use of passwords.

Compliance: Use of Signing Certificates

Agents accept deployments for a number of objects such as workflows from a Controller only if such these objects are digitally signed.

  • If the JOC Cockpit is operated for Security Level Low then a single X.509 private key assigned to the JOC Cockpit root account is used to sign any all objects by from any JOC Cockpit accounts.
  • If JOC If the JOC Cockpit is operated for Security Level Medium or High then each account that deploys objects has to own an individual X.509 private key or PGP private key.

To verify the signature of an object, the Agent has to apply the a public key or certificate that matches the private key used for signing with the JOC Cockpit.

  • If X.509 private keys are used for the signing of objects then the Root CA Certificate or Intermediate CA Certificate that was used to sign the respective private key has to be in place with the Agent.
  • If PGP private keys are used for the signing of objects then the public key matching the signing key has to be in place with the Agent.
  • The Agent expects certificates/public keys in the following locations:
    • X.509 Certificates
      • Location:
        • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\trusted-x509-keys
        • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/trusted-x509-keys
      • The expected X.509 certificate format is PEM. Certificates can be added from any file names with the extension .pem.
      • Note that instead of individual certificates for each signing kekey, y the Root CA Certificate or Intermediate CA Certificate that was used to sign the private keys is sufficient.
    • PGP Public Keys
      • Location:
        • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\trusted-pgp-keys
        • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/trusted-pgp-keys
      • PGP public keys are expected in ASCII armored format. They can be added from any file names with the extension .asc.
      • Note that for each PGP private key that is used for signing, the corresponding public key has to be available with the Agent.
    • By default the Agent ships with an X.509 certificate of from SOS that matches the default signing key available with the JOC Cockpit root account.
  • In order to add individual certificates/public keys, add the relevant files to the location locations specified above according to the key type. To revoke certificates/public keys accordingly remove the relevant files from the location specified above for the key type.
  • The locations for certificates/public keys specified above can be accessed from the Docker volume specified with the --mount option for the Agent's container directory /var/sos-berlin.com/js7/agent/var_4445/config. The locations for X.509 certificates and PGP public keys are available from sub-directories.

Security: Use with HTTPS Connections

The Agent is prepared by default is prepared for connections by Controller instances using the HTTP and the HTTPS protocols. 

In order to activate HTTPS consider Note the following prerequisites before activating HTTPS.

Provide Keystore, Truststore and Configuration for Mutual Authentication

Connections to Agents are established from Controller instances. If the HTTPS protocol is used then, in addition to securing the communication channel, the Agent requires mutual authentication.

...

Info
titleKeystore, Truststore and Configuration out-of-the-box

If you are new to certificate management or are looking for a solution that works out-of-the-box then you can use the configuration from the attached archives:

  • Download
  • The archives include the folders:
    • config.http
      • This folder includes the agent.conf configuration file and the private sub-directory with signing certificates.
      • The contents of this folder corresponds to what you get from with the default installation of an Agent.
    • config.https
      • This folder includes the agent.conf configuration file and the private sub-directory with signing certificates and private.conf, keystore and truststore files.
      • The private key and certificate is created by SOS and works for use with Docker containers that are started for the following hostnames:
        • js7-agent-primary
        • js7-agent-secondary
        • js7-controller-primary
        • js7-controller-secondary
      • As the private key is publicly available you should not consider this a solution to secure your HTTPS connections. However, for evaluation purposes it saves the effort of creating and signing key pairs.
    • To apply the configuration, replace the contents of the config folder that is mounted to an Agent container with the contents of the config.http or config.https folders respectivelyas required.

Agent Keystore and Truststore

  • The Controller instance's private key has to be created for Server Authentication and Client Authentication extended key usages.
  • The Agent is provided with:
    • a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
    • a truststore that holds the certificate chain - consisting of Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller instance's certificate.
  • Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
    • Keystore
      • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-keystore.p12
      • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/https-keystore.p12
    • Truststore
      • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-truststore.p12
      • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/https-truststore.p12

Agent Configuration

  • The following configuration items have to be added tp the Agent's private.conf configuration file has to be added the following configuration items. For details see see the JS7 - Agent Configuration Items article.
    • Mutual Authentication
      • Code Block
        languagebash
        titleAgent Configuration for Mutual Authentication
        linenumberstrue
        js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=js7-controller-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=js7-controller-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
      • This setting specifies the distinguished names that are available from the subjects of Controller instance certificates. Consider Note that the common name (CN) attribute specifies the hostname of a Controller instance. The configuration authenticates a given Controller instance as the distinguished name is unique for a server certificate and therefore replaces the use of passwords.
    • Keystore and truststore locations:
      • Code Block
        languagebash
        titleAgent Configuration for Keystore and Truststore Locations
        linenumberstrue
        js7 {
    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}
      • The above configuration items above specify the locations of the keystore and truststore.
      • Consider Note the optional use of a key password and store password for keystores and the use of a store password for truststores.

...

  • When using HTTPS connections then consider dropping access to the Agent's HTTP port by omitting the following settings:
    • --publish=16445:4445 This mapping should be dropped in order to prevent incoming traffic to the Agent's HTTP port.

...