...

JS7 introduces digital signing for the deployment of objects such as workflows and jobs.

  • Digital signatures are created automatically and do not increase the effort for the deployment of objects.
  • The security mechanism includes having certificates for digital signatures ready with the Controller and the Agents that execute jobs. If the signature does not match the available certificates then deployment is denied. This mechanism does not prevent an authorized person from deploying workflows but it prevents attackers from hijacking a user's identity and deploying malicious code.

...

Digital signing is applied to Workflows, File Order Sources and Job Resources when performing JS7 - Deployment of Scheduling Objects.

  • The signing process is performed by the JOC Cockpit and includes:
    • the user is assigned a private key and a certificate (X.509) or a public/private key (PGP),
    • a signature is created from the JSON representation of the respective inventory object by use of the user's private key.
  • The verification process is performed by the Controller and by the Agent to which the relevant workflow and job have been assigned:
    • Both Controller and Agents look up available X.509 certificates and PGP public keys from files with the following locations:
      • Unix
        • X.509 certificates: ./config/private/trusted-x509-keys
        • PGP public key: ./config/private/trusted-pgp-keys
      • Windows
        • X.509 certificates: .\config\private\trusted-x509-keys
        • PGP public key: .\config\private\trusted-pgp-keys
    • If a certificate or public key is found then the signature of the deployed object is verified as follows:
      • X.509:
        • the Root CA Certificate or Intermediate CA Certificate that was originally used to sign the user's private key has to be in place or
        • the user's certificate has to be in place.
        • Using the Root CA Certificate or Intermediate CA Certificates simplifies certificate management as only a single certificate file has to be present for any Controller or Agent instance. At the same time, security-aware administrators might prefer to deploy individual user certificates to Controller and Agent instances for more fine-grained control of which workflows and other objects can be deployed by a specific user to a given Agent.
      • PGP: the public key of the user who signed the deployed object has to be present.
    • Controller and Agent instances make use of all the certificate files and public key files available in the directories mentioned above. If none of the files matches the signature of a deployable object then deployment is denied.

...

The JOC Cockpit is installed for one of the following security levels, see the JS7 - Security Architecture article for more information.

The signing process includes the following steps according to the JOC Cockpit security level in use:

  • Security Level Low
    • Inventory objects are automatically signed with the private key that is stored with the root account.
    • Signing is automatically applied when performing the Deploy operation.
  • Security Level Medium
    • Inventory objects are automatically signed with the private key that is stored with the current user's account.
    • Signing is automatically applied when performing the Deploy operation.
  • Security Level High
    • Inventory objects are signed outside of JOC Cockpit:
      • Inventory objects are exported using the Export operation and the option For signing.
      • The export archive file is transferred to a secure device, e.g. to a secure desktop machine.
      • The export archive file is extracted and each inventory object file included is signed individually.
        • There is no prerequisite regarding the tools used for signing. For example the OpenSSL command line utility can be used as well as tools such as OpenPGP Kleopatra.
        • The signing step includes creating a signature file for each inventory file with the same name and the extension .sig (using X.509 certificates) or .asc (using PGP keys).
      • The signed inventory files and signature files are added to the same or to a new .zip archive file.
    • The archive file that includes the inventory objects and signatures is imported by the JOC Cockpit. The deployment step is performed inline with the import step.
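
The per-file signing step for Security Level High and the "any trusted certificate matches, otherwise deny" check described above can be sketched with the OpenSSL command line utility. This is an added example, not JS7 code: the SHA-256 digest, the binary .sig encoding, the flat directory of *.json files and all file names are assumptions, and it covers only the case of an individual user certificate being in place, not validation against a Root CA or Intermediate CA Certificate.

```shell
# Added example, not JS7 code. Assumptions: SHA-256 digest, binary .sig files,
# PEM certificates, object files named *.json in one flat directory.

# Sign every *.json file in directory $1 with private key $2 -> <file>.sig
sign_objects() {
  for so_f in "$1"/*.json; do
    [ -f "$so_f" ] || continue
    openssl dgst -sha256 -sign "$2" -out "$so_f.sig" "$so_f" || return 1
  done
}

# Return 0 if signature $2 of file $1 verifies against ANY certificate in
# directory $3, else 1 (mirrors "no file matches -> deployment is denied").
verify_object() {
  vo_pub=$(mktemp) || return 1
  vo_rc=1
  for vo_cert in "$3"/*; do
    [ -f "$vo_cert" ] || continue
    # Extract the certificate's public key; skip files that are not certificates.
    openssl x509 -in "$vo_cert" -pubkey -noout > "$vo_pub" 2>/dev/null || continue
    if openssl dgst -sha256 -verify "$vo_pub" -signature "$2" "$1" >/dev/null 2>&1; then
      vo_rc=0; break
    fi
  done
  rm -f "$vo_pub"
  return "$vo_rc"
}

# Constructed test material: one sample object, a key with its certificate in trusted/, an unrelated certificate in other/.
make_fixture() {
  mf_d=$(mktemp -d) || return 1
  mkdir "$mf_d/export" "$mf_d/trusted" "$mf_d/other"
  printf '{"constructed":"sample object"}\n' > "$mf_d/export/sample.workflow.json"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-user" \
    -keyout "$mf_d/user.key" -out "$mf_d/trusted/user.crt" 2>/dev/null || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-other" \
    -keyout "$mf_d/other.key" -out "$mf_d/other/other.crt" 2>/dev/null || return 1
  echo "$mf_d"
}

if [ "${1:-}" = "demo" ]; then
  d=$(make_fixture) && sign_objects "$d/export" "$d/user.key" || exit 1
  f="$d/export/sample.workflow.json"
  verify_object "$f" "$f.sig" "$d/trusted" && echo "trusted certificate: accepted"
  verify_object "$f" "$f.sig" "$d/other" || echo "unknown certificate: denied"
  echo ' ' >> "$f"   # any change after signing invalidates the signature
  verify_object "$f" "$f.sig" "$d/trusted" || echo "modified after signing: denied"
  rm -rf "$d"
fi
```

Running the script with the argument demo exercises all three outcomes on throwaway keys. For a real deployment, the digest algorithm and signature encoding expected by the Controller and Agents should be taken from the JS7 documentation.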

Further Resources