JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 17

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 18

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Configuration File: JS7_CONTROLLER_CONFIG_DIR/private/private.conf

...

Find examples for Controller configuration for download:



Code Block
languageyml
titleController configuration file: private.conf
linenumberstrue
collapsetrue
js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                password="plain:secret"
            }

            # History account of JOC Cockpit (used to release events)
            History {
                password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }

            # JOC account of JOC Cockpit (requires UpdateItem permission for deployment)
            JOC {
                password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                permissions=[
                    UpdateItem
                ]
            }
        }

        # for each Agent specify Agent ID and plain text password for authentication
        agents {
           agent-001="plain:secret-agent-001"
           agent-002="plain:secret-agent-002"
           agent-003="plain:secret-agent-003"
        }
    }

    configuration {
        # directory for trusted public keys and certificates used with signatures
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }

    journal {
        # allow History account to release unused journals
        users-allowed-to-release-events=[
            History
        ]
    }

    web {
        # keystore and truststore location for https connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }

        # disable use of client authentication certificates
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}

...

  • The configuration file is located in the JS7_CONTROLLER_CONFIG_DIR/private folder.
  • Note that the above configuration has to be deployed to both Controller instances if a Controller Cluster is to be used.
  • The configuration items relevant to Server Authentication from the example above are described in the following sectionsthe example above are described in the following sections.

Specify Controller ID and Password

Code Block
languageyml
linenumberstrue
js7 {
    auth {
        # User accounts for HTTPS connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                password="plain:secret"
            }
        }
     }
}

Explanation:

  • This setting is not required when using a Standalone Controller. It is used for password authentication between Controller instances in a cluster.
  • Note that the Controller element name is an example that has to be replaced by the Controller ID which is specified with identical values during installation of both Controller instances in a cluster.
  • If the password is modified in the private.conf file of a Primary Controller instance then it also has to be modified for the Secondary Controller instance to make passwords match.
  • A plain-text password has to be specified that is preceded with plain:: Passwords should be quoted.

Specify Agent ID and Password

...

Code Block
languageyml
titleAgent configuration file: private.conf
linenumberstrue
collapsetrue
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                 password="plain:secret"
                 # password="sha512:$JhbM9ClpBpH2oB2O$qmWRbhOAfNHbmz3bp1AV.ATV0WIKVdZp3ceVXJZc.GHX4L7/iWJB7RGpzjZ2JzvbdPBtlpCFy8CLvYpKoBBKP/bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2"
            }
        }
    }
    
    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
    
    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }
    
    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password="jobscheduler"
                store-password="jobscheduler"
                # alias=
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password="jobscheduler"
                    # alias=
                }
            ]
        }

        # Disable use of client authentication
        server {
            auth {
                https-client-authentication=off
            }
        }
    }
}

...

  • The configuration file is located with the JS7_AGENT_CONFIG_DIR/private folder.
  • Consider that the above configuration has to be deployed to any Agent instances.
  • The configuration items relevant to Server Authentication with passwords from the example above are described in the following sections.

Specify Controller ID and Password

Code Block
languageyml
linenumberstrue
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                 password="plain:secret-agent-001"
                 # password="sha512:$JhbM9ClpBpH2oB2O$qmWRbhOAfNHbmz3bp1AV.ATV0WIKVdZp3ceVXJZc.GHX4L7/iWJB7RGpzjZ2JzvbdPBtlpCFy8CLvYpKoBBKP/fcef10f554e086d2f572fed70e494a6e03eac3034d1c928a9553bc9435b2b94081183958b5d1f53088b6ed2c1a968b1c4322854163a01a671cf07a1cd59ea006"
            }
        }
    }

Explanation:

  • In this example Controller is the Controller ID used by a Standalone Controller or by a Controller Cluster. A Controller is assigned a unique Controller ID during installation. The Controller ID cannot be changed unless the Controller's journal is reset.
  • The password for the Controller ID in the Agent configuration is the same as stated in the Controller configuration with the js7.auth.agents setting.
    • The password has to be preceded with plain: if a plain text password is used.
    • The password has to be preceded with sha512: if a password hashed with this algorithm is used
      • There are a number of ways to create sha512 hash values from passwords.
      • One possible solution includes using:  openssl passwd -6echo -n "secret-agent-001" | openssl dgst -sha512

Disable Client Authentication

...