...

  • using HTTPS connections which are secured by private keys and certificates,
  • applying mutual authentication between Controller and Agent,
  • applying mutual authentication between Director Agent and Subagent in an Agent Cluster,
  • applying password authentication between components should mutual authentication not be in place.

Refer to the detailed explanations in the following sections.


Secure configuration example: private.conf

# Security configuration
js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }
    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}

Client Authentication with Controller

Controller Connections

...

  • This setting applies to the use of an Agent with a Standalone Controller or with a Controller Cluster.
  • Note that the Controller element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of both cluster Controller instances.
  • This setting specifies the distinguished name indicated with the Controller instance's Client Authentication certificate. The certificate acts as a replacement for a password.
    • The Agent configuration specifies the distinguished names of any Controller instances that access the Agent by use of a Client Authentication certificate.
    • Note that the common name (CN) setting in the distinguished name has to match the fully qualified domain name (FQDN) of a Controller instance's host.

Client Authentication with Director Agent

Director Agent Connections

js7 {
    auth {
        # User accounts for https connections
        users {
            # Director Agent ID for connections by primary/secondary Director Agent
            Director {
                distinguished-names=[
                    "DNQ=SOS CA, CN=director-2-0-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=director-2-0-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}

Explanation:

  • This setting applies to the use of a Subagent with a Director Agent in a JS7 - Agent Cluster.
    • Similar to a Controller that orchestrates Standalone Agents, the Director Agent orchestrates Subagents.
    • Subagents do not know of a Controller; they know of a Director Agent.
  • Note that the Director element name is an example that has to be replaced by the Director Agent ID which is specified with the same value during installation of the Primary and Secondary Director Agent instances.
  • This setting specifies the distinguished name indicated with the Director Agent's Client Authentication certificate. The certificate acts as a replacement for a password.
    • The Agent configuration specifies the distinguished names of any Director Agent instances that access the Subagent by use of a Client Authentication certificate.
    • Note that the common name (CN) setting in the distinguished name has to match the fully qualified domain name (FQDN) of a Director Agent instance's host.

Password Authentication with Controller

Controller Connections

js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller ID for connections by primary/secondary Controller instance
            Controller {
                password="plain:secret"
            }
        }
    }
}

Explanation:

  • This setting applies to the use of an Agent with a Standalone Controller or with a Controller Cluster.
  • Note that the Controller element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of both cluster Controller instances.
  • This setting specifies the password indicated with the Controller instance's js7.auth.agents configuration item. 
    • The password can be specified as plain text preceded by plain:.
    • The password can be specified as a hashed value preceded by sha512:.

Password Authentication with Director Agent

Director Agent Connections

js7 {
    auth {
        # User accounts for https connections
        users {
            # Director Agent ID for connections by primary/secondary Director Agent
            Director {
                password="plain:secret"
            }
        }
    }
}

Explanation:

  • This setting applies to the use of a Subagent with a Director Agent in a JS7 - Agent Cluster.
  • Note that the Director element name is an example that has to be replaced by the Director Agent ID which is specified with the same value during installation of the Primary and Secondary Director Agent instances.
  • This setting specifies the password indicated with the Director Agent instance's js7.auth.subagents configuration item. 
    • The password can be specified as plain text preceded by plain:.
    • The password can be specified as a hashed value preceded by sha512:.
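
The account settings from the sections above can be reviewed mechanically before an Agent goes live. The following Python check is an added example, not part of the JS7 product or its documentation: it reports the authentication mode of each account under users, flags plain: passwords and lists certificate CNs that match none of the host FQDNs you expect. The sample configuration, its host names and the function names users_block, audit and issues are constructed for illustration.

```python
import re

# Constructed sample of an Agent private.conf; host names are placeholders.
SAMPLE = '''
js7 {
    auth {
        users {
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=controller-primary.example.com, OU=IT, O=SOS, C=DE",
                    "DNQ=SOS CA, CN=controller-2-0-secondary, OU=IT, O=SOS, C=DE"
                ]
            }
            Director { password="plain:secret" }
        }
    }
}
'''

def users_block(conf):  # body of the users { ... } element, found by counting braces
    m = re.search(r"\busers\s*\{", conf)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def audit(conf):
    """Map each account ID to its authentication mode and certificate CNs."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)          # drop full-line comments
    result = {}
    for name, body in re.findall(r"([\w.-]+)\s*\{([^{}]*)\}", users_block(conf)):
        pw = re.search(r'password\s*=\s*"(\w+):', body)
        cns = re.findall(r'CN=([^,"]+)', body)
        mode = "password-" + pw.group(1) if pw else "certificate" if cns else "none"
        result[name] = {"mode": mode, "cns": cns}
    return result

def issues(conf, expected_fqdns):
    """List accounts with plain-text passwords and CNs that match no expected host."""
    out = []
    for name, info in audit(conf).items():
        if info["mode"] == "password-plain":
            out.append(f"{name}: plain-text password stored in private.conf")
        out += [f"{name}: CN {cn} is not an expected FQDN"
                for cn in info["cns"] if cn.lower() not in expected_fqdns]
    return out
```

Call issues() with the text of the Agent's private.conf and the set of lower-case FQDNs of the Controller or Director Agent hosts; an empty list means every account uses a certificate or a hashed password and every CN is an expected host.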

Server Authentication

HTTPS Keystore and Truststore Locations

...