JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 16

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 17

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Introduction

The article is focused on configuration items used for HTTPS Server Authentication with passwords. For a complete overview of settings see JS7 - Controller Configuration Items and JS7 - Agent Configuration Items,

  • HTTPS Server Authentication is preferably used in combination with Client Authentication (mutual authentication) as this allows a secure configuration without the use of passwords.
    • The purpose of Server Authentication is to secure the identity of an HTTP server and to encrypt the communication between client and server.
    • The purpose of Client Authentication is to prove the identity of a client. Without proof of identity any HTTP client could perform a man-in-the-middle attack by, for example, pretending to be a Controller that connects to an Agent.
  • Please refer to the communication scheme between JS7 products as described in the JS7 - System Architecture article:
    • User browsers acting as HTTPS clients establish connections to JOC Cockpit as an HTTPS server.
    • JOC Cockpit acting as an HTTPS client establishes connections to Controller instances acting as HTTPS servers.
    • Controller instances acting as HTTPS clients establish connections to Agents acting as HTTPS servers.
  • We recommend applying It is recommended to apply TLS mutual authentication. However, there might be reasons why use of Client Authentication is not an immediate option, for example:
    • Use of a wildcard certificate for Server Authentication leverages the effort for certificate management. At the same time such certificates cannot be used for Client Authentication.
  • If mutual authentication is not an immediate option then passwords can be used by following the recommendations made in this article.

...

Code Block
languageyml
titleController configuration file: private.conf
linenumberstrue
collapsetrue
js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            js7_devController {
            }
    password="plain:secret"
        # History account   }

            # History account of JOC Cockpit (used to release events)
            History {
                password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }

            # JOC account of JOC Cockpit (requires UpdateRepoUpdateItem permission for deployment)
            JOC {
                password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                permissions=[
                    UpdateItem
                ]
            }
        }

        # for each Agent specify Agent ID and plain text password for authentication
        agents {
           agent-dev-001="plain:secret-agent-001"
           agent-dev-002="secret-002="plain:secret-agent-002"
           agent-003="plain:secret-agent-003"
        }
    }

    configuration {
        # directory for trusted public keys and certificates used with signatures
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }

    journal {
        # allow History account to release unused journals
        users-allowed-to-release-events=[
            History
        ]
    }

    web {
        # keystore and truststore location for https connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }

        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}

...

Code Block
languageyml
linenumberstrue
js7 {
    auth {
        # for each Agent specify Agent ID and plain text password for authentication
        agents {
           agent-dev-001="plain:secret-agent-001"
           agent-dev-002="secret-002="plain:secret-agent-002"
           agent-003="plain:secret-agent-003"
        }
    }
}

Explanation:

  • The Agent ID for each Agent is specified according to from the pattern examples agent-dev-001001, agent-002 etc. An Agent is assigned a unique Agent ID during initial operation with JOC Cockpit that . The Agent ID cannot be changed unless an Agent's journal is dropped.
  • The A plain text password secret is specified that is preceded with plain:. Passwords should be quoted.

Disable Client Authentication

...

Code Block
languageyml
titleAgent configuration file: private.conf
linenumberstrue
collapsetrue
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            js7_devController {
                 password="plain:secret"
                 # password="sha512:$JhbM9ClpBpH2oB2O$qmWRbhOAfNHbmz3bp1AV.ATV0WIKVdZp3ceVXJZc.GHX4L7/iWJB7RGpzjZ2JzvbdPBtlpCFy8CLvYpKoBBKP/"
            }
        }
    }
    
    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
    
    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }
    
    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12/https-keystore.p12"
                key-password="jobscheduler"
                keystore-password="jobscheduler"
                # store-passwordalias=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password="jobscheduler"
                    # alias=
                }
            ]
        }

        # Disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}

...

Code Block
languageyml
linenumberstrue
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            js7_devController {
                 password="plain:secret"
                 # password="sha512:$JhbM9ClpBpH2oB2O$qmWRbhOAfNHbmz3bp1AV.ATV0WIKVdZp3ceVXJZc.GHX4L7/iWJB7RGpzjZ2JzvbdPBtlpCFy8CLvYpKoBBKP/"
            }
        }
    }

Explanation:

  • In this example js7_dev is Controller is the Controller ID used by a Standalone Controller or by a Controller Cluster. A Controller is assigned a unique Controller ID during installation. The Controller ID cannot be changed unless the Controller's journal is reset.
  • The password for the Controller ID in the Agent configuration is the same as stated in the Controller configuration.
    • The password has to be preceded with plain: if a plain text password is used.
    • The password has to be preceded with sha512: if a password hashed with this algorithm is used
      • There are a number of ways to create sha512 hash values from passwords.
      • One possible solution includes using: openssl passwd -6

...