JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 5

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 6

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Summary

  • The Controller Controllers makes use of two configuration files:
    • the general configuration from controller.conf
    • the security configuration from private.conf
  • Restart the Controller instance Controller instances have to be restarted to apply changes to any the configuration file files.

General Configuration

File: controller.conf

...

  • When using HTTPS Certificates or public keys for incoming connections, see below, then an additional authentication mechanism applies: the client of the incoming connection, e.g. JOC Cockpit, is required to provide a Client Authentication certificate or a password. This includes that two certificates are in place for a secure HTTPS connection: the given Controller's Server Authentication Certificate and the JOC Cockpit's Client Authentication Certificate. 
    • The fact that a given certificate is used for Server Authentication and/or Client Authentication is specified with the key usage when creating and signing the certificate.
    • The distinguished name that is specified with the Controller's configuration has to match the Client Authentication Certificate's or Client public key's " subject " attribute. This attribute specifies the hostname and additional information that is created when the certificate or public key is generated.
  • Controller
    • Settings in this section are used for connections from a pairing Controller instance, e.g. for a Secondary Controller if this the given configuration is used for the Primary Controller and vice versa. 
    • distinguished-names
      • Specifies the distinguished name as given with the subject of the Client Authentication Certificate for incoming HTTPS connections of a pairing Controller.
      • Any number of distinguished names can be specified , thus allowing a number of incoming HTTPS connections from different Controllers. At a given point in time only one pairing Controller can connect to the given Controller.
  • History
    • Settings in this section are used for the History Service of JOC Cockpit instances that access the given Controller.
    • distinguished-names:  same as for Controller setting.
    • password: a password can be used in addition to use of a certificate or public key. In addition the password is applied in case that insecure incoming HTTP connections are allowed.
  • JOC
    • Settings in this section are used for JOC Cockpit instances that access the given Controller.
    • distinguished-names:  same as for Controller setting.
    • password:  a password can be used in addition to use of a certificate or public key. In addition the password is applied in case that insecure incoming HTTP connections are allowed.
    • permissions: JOC Cockpit requires the UpdateRepo permission to enable users to deploy objects such as workflows.

...

  • For any deployed objects such as workflows the Controller expects a signature. Such signatures are created with a private key and are verified by the Controller based on the available certificates.  Agents perform similar signature verification and are configured accordingly.
  • When deploying objects with JOC Cockpit
    • for a Low Security Level JOC Cockpit creates the signature from a single private key that is used for any JOC Cockpit user accounts allowed to deploy objects.
    • for a Medium Security Level JOC Cockpit creates the signature from the private key of the JOC Cockpit user account that deploy objects.
    • for a High Security Level the user creates the signature outside of JOC Cockpit and uploads the signed objects.
  • The Controller supports PGP public keys and X509 certificates. This setting expects a directory respectively that holds a number of public key files or certificate files.
  • trusted-signature-keys
    • PGP: specifies the directory from which PGP public keys are used to verify the signature of deployed objects.
    • X509: specifies the directory from which X509 certificates are used to verify the signature of deployed objects.

...

  • This setting is used to specify the location of a keystore and any truststores used for HTTPS connections.
  • Keystore and truststore files are expected in PKCS#12 format.
  • keystore
    • The keystore includes the private key for the Controller's incoming HTTPS connections.
    • Private key type types RSA and ECDSA are supported. 
    • file:  the full path to the location of the keystore file is expected.
    • key-password: Any keys included with the keystore are protected with a password. The same password has to be used for any all private keys in the given keystore.
    • store-password: The keystore file is protected by a password.
  • truststores
    • A truststore contains the certificates or public keys for the Controller's incoming HTTPS connections.
      • Certificates are signed by a Certificate Authority (CA), alternatively a self-signed certificate can be used.
      • It is recommended to use certificates instead of public keys.
      • Certificates of type X509 are supported.
    • file:  the full path to the location of the truststore file is expected.
    • store-password: A truststore file is protected by a password.
    • A number of truststores can be specified by repeating the file and store-password settings.

...