Introduction

The article is focused on configuration items used for HTTPS Basic Authentication with passwords. For a complete overview of settings see JS7 - Controller Configuration Items and JS7 - Agent Configuration Items,

• HTTP Basic Authentication with passwords is a straightforward means allow to identify client and server in HTTP connections. However, HTTP connections are not secure and forwarding passwords without transport encryption means the passwords are visible in the network. It is therefore recommended that users switch to HTTPS Server Authentication which implements transport encryption.
• Note the communication scheme between JS7 components products as described in the JS7 - System Architecture article:
  
  • User browsers acting as http HTTP clients establish connections to JOC Cockpit as an http HTTP server.
  • JOC Cockpit acting as an http HTTP client establishes connections to Controller instances acting as http HTTP servers.
  • Controller instances acting as http HTTP clients establish connections to Agents acting as http servers.HTTP servers.

Location of Configuration Files

In the following the JS7_CONTROLLER_CONFIG_DIR placeholder specifies the configuration directory of the Controller. The JS7_AGENT_HOME, JS7_AGENT_CONFIG_DIR placeholders specify the directories where the Agent is installed and configured.

• JS7_CONTROLLER_CONFIG_DIR is the Controller's configuration directory that is specified during installation:
  
  • <extraction-directory/controller/var/config (default on Unix/Windows for JS7 - Controller - Headless Installation on Linux and Windows)
  • C:\ProgramData\sos-berlin.com\js7\controller\config (default on Windows for JS7 - Controller - Installation Using the Windows Graphical Installer)

• JS7_AGENT_HOME is the installation path that is specified during the JobScheduler Agent installation:
  
  • <extraction-directory>/agent (default on Unix/Windows for JS7 - Agent - Headless Installation on Unix and Windows)
  • C:\Program Files\sos-berlin.com\js7\agent (default on Windows for JS7 - Agent - Installation Using the Windows Graphical Installer)
• JS7_AGENT_CONFIG_DIR is the Agent's configuration directory that is specified during Agent installation:
  
  • <extraction-directory>/agent/var_<port>/config (default on Unix/Windows for JS7 - Agent - Headless Installation on Unix and Windows)
  • C:\ProgramData\sos-berlin.com\js7\agent\config (default on Windows for JS7 - Agent - Installation Using the Windows Graphical Installer)

Controller Configuration

Configuration File: JS7_CONTROLLER_CONFIG_DIR/controller.conf

DownloadFind an example for Controller configuration for download: controller.conf

# Allow http connections
js7.web.server.auth.public = true

...

• The configuration file is located with the sos-berlin.com/js7/controller/config folder. JS7_CONTROLLER_CONFIG_DIR folder.
• This configuration item is required to enable HTTP connections to a Controller.

Configuration File: JS7_CONTROLLER_CONFIG_DIR/private/private.conf

Download: Find an example for Controller configuration for download: private.conf

js7 {
    auth {
        users {
            # History account of JOC Cockpit (used forto release events)
            History {
                password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }

            # JOC account (needsof JOC Cockpit (requires UpdateItem permission for deployment)
            JOC {
                password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                permissions=[
                    UpdateItem
                ]
            }
        }
    }

    configuration {
        # truststore location for signatures
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }

    journal {
        # allow History account to release unused journalsevents
        users-allowed-to-release-events=[
            History
        ]
    }
}

...

• The configuration file is located in the sos-berlin.com/js7/controller/config/JS7_CONTROLLER_CONFIG_DIR/private folder.
• Note that the above configuration has to be deployed to both Controller instances if a Controller Cluster is to be used.
• The configuration items relevant to Server Authentication with passwords from the example above are described in the following sections.

Agent Configuration

Configuration File: JS7_AGENT_CONFIG_DIR/agent.conf

Download: Find an example for Agent configuration for download: agent.conf

# Allow http connections
js7.web.server.auth.public = true

...

• The configuration file is located in the sos-berlin.com/js7/agent/config_<port> JS7_AGENT_CONFIG_DIR folder.
• This configuration item is required to enable HTTP connections to a Controller.

Configuration File: JS7_AGENT_CONFIG_DIR/private/private.conf

Download: Find an example for Agent configuration for download: private.conf

js7 {    
    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
    
    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }    
}

...

• The configuration file is located in the sos-berlin.com/js7/agent/config_<port>JS7_AGENT_CONFIG_DIR/private folder.
• Note that the above configuration has to be deployed to all Agent instances.
• The js7.configuration.trusted-signature-keys setting specifies directories that hold PGP public keys and X.509 certificates required by an Agent to verify the signatures of deployed objects such as workflows.
  • If you do not use PGP public keys then disable the PGP setting as otherwise warnings might occur if no PGP public keys are found from the directory specified.
  • Accordingly drop the use of X.509 certificates by disabling the X509 setting if no X.509 certificates are available in the directory specified.
• The js7.job.execution setting specifies that job scripts which include shell code can be used. If this setting is assigned the false value or is omitted then jobs are limited to executing existing shell scripts from the sos-berlin.com/js7/agent/config_<port>the JS7_AGENT_CONFIG_DIR/executables folder. Some users of JS7 might consider it more secure to disallow shell commands in job scripts and instead to limit jobs to executing existing scripts located in this folder.

...