Page History
...
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
# Security configuration
js7 {
auth {
# User accounts for HTTPS connections
users {
# Controller ID for connections by primary/secondary controller instance
Controller {
distinguished-names=[
"DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
}
# History account (used to release events)
History {
distinguished-names=[
"DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
}
# JOC account (requires UpdateRepo permission for deployment)
JOC {
distinguished-names=[
"DNQ=SOS CA, CN=joc-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
"DNQ=SOS CA, CN=joc-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
]
password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
permissions=[
UpdateRepo
]
}
}
}
configuration {
# directory for trusted public keys and certificates used with signatures
trusted-signature-keys {
PGP=${js7.config-directory}"/private/trusted-pgp-keys"
X509=${js7.config-directory}"/private/trusted-x509-keys"
}
}
journal {
# allow History account to release events to free space claimed by journals
users-allowed-to-release-events=[
History
]
}
web {
# keystore and truststore location for HTTPS connections
https {
keystore {
# Default: ${js7.config-directory}"/private/https-keystore.p12"
file=${js7.config-directory}"/private/https-keystore.p12"
key-password=jobscheduler
store-password=jobscheduler
# alias=
}
truststores=[
{
# Default: ${js7.config-directory}"/private/https-truststore.p12"
file=${js7.config-directory}"/private/https-truststore.p12"
store-password=jobscheduler
# alias=
}
]
}
}
}
|
Client Authentication
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
js7 {
web {
# keystore and truststore location for https connections
https {
client-keystore {
# Default: ${js7.config-directory}"/private/https-client-keystore.p12"
file=${js7.config-directory}"/private/https-client-keystore.p12"
key-password=jobscheduler
store-password=jobscheduler
}
keystore {
# Default: ${js7.config-directory}"/private/https-keystore.p12"
file=${js7.config-directory}"/private/https-keystore.p12"
key-password=jobscheduler
store-password=jobscheduler
# alias=
}
truststores=[
{
# Default: ${js7.config-directory}"/private/https-truststore.p12"
file=${js7.config-directory}"/private/https-truststore.p12"
store-password=jobscheduler
# alias=
}
]
}
}
} |
Explanation:
- HTTPS keystore and truststore are used to hold private keys and certificates.
- The keystore holds the Controller instance's private key and certificate. This information is used:
- for Server Authentication with the JOC Cockpit and
- for Client Authentication with Agents.
- The truststore holds the certificate(s) used to verify:
- Client Authentication certificates presented by the JOC Cockpit and
- Server Authentication certificates presented by Agents.
- The keystore holds the Controller instance's private key and certificate. This information is used:
- Optionally a separate HTTPS client keystore can be used:
- The client keystore is used for HTTPS mutual authentication and holds a private key and certificate created for
Client Authextended key usage. - When using HTTPS mutual authentication then:
- a single certificate can be used that is generated for both
Server AuthandClient Authextended key use. In this case do not use the HTTPS client keystore but use the HTTPS keystore to hold the certificate. - separate certificates can be used with the certificate for
Server Authkey usage being stored with the HTTPS keystore and the certificate forClient Authkey use being stored with the HTTPS client keystore.
- a single certificate can be used that is generated for both
- For details see
Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key JS-1959
- The client keystore is used for HTTPS mutual authentication and holds a private key and certificate created for
- Keystore and Truststore locations are specified. In addition:
- a password for the private keys included in the keystore and a password for access to the keystore can be specified
- for the truststore a password for access to the truststore can be specified.
- Passwords for keystores and truststores do not tend to improve security of the configuration: the passwords have to be specified as plain text and have to be in reach of the Controller. This mechanism is not too different from hiding the key under your doormat. In fact limiting ownership and access permissions for keystore and truststore files to the JS7 Controller's run-time account are more important than using a password.
- The
key-passwordis used for access to a private key in a keystore. - The
store-passwordsetting is used for access to a keystore or to a truststore. - For PKCS12 (*.p12) keystores both settings have to use the same value. The settings can be omitted if no passwords are usedpasswords are used.
- The
- The
aliassetting can be used for example with a keystore that holds a number of private keys from which the relevant private key is selected by its alias name.
Configuration Items
General Configuration File: controller.conf
...
js7 | web | https | |||
|---|---|---|---|---|---|
keystore | |||||
file | <path> | ||||
key-password | <text> | ||||
store-password | <text> | ||||
alias | <text> | ||||
truststores | |||||
file | <path> | ||||
store-password | <text> | ||||
alias | <text> |
- This setting is used to specify the location of a keystore and any truststores used for HTTPS connections.
- Keystore and truststore files are expected in PKCS#12 format.
keystore- The keystore includes the private key for the Controller's incoming HTTPS connections.
- Private key types RSA and ECDSA are supported.
file: the full path to the location of the keystore file is expected.key-password: Any keys included with the keystore are protected with a password. The same password has to be used for all private keys in the given keystore.store-password: The keystore file is protected by a password.alias: can be used for example with a keystore that holds a number of private keys from which the relevant private key is selected by its alias name.
truststores- A truststore contains the certificates or public keys for the Controller's incoming HTTPS connections.
- Certificates are signed by a Certificate Authority (CA), alternatively a self-signed certificate can be used.
- It is recommended that certificates are used instead of public keys.
- Certificates of type X.509 are supported.
file: the full path to the location of the truststore file is expected.store-password: A truststore file is protected by a password.alias: can be used for example with a truststore that holds a number of certificates from which the relevant certificate is selected by its alias name.- A number of truststores can be specified by repeating the
fileand,store-passwordand optionallyaliassettings.
- A truststore contains the certificates or public keys for the Controller's incoming HTTPS connections.
| Anchor | ||||
|---|---|---|---|---|
|
...
Overview
Content Tools