Page History

...

• An additional authentication mechanism is applied when using HTTPS Certificates or public keys for incoming connections, see below: the client of the incoming connection, e.g. JOC Cockpit, is required to provide a Client Authentication certificate and a password. This includes two certificates that are in place for a secure HTTPS connection: the given Controller's Server Authentication Certificate and the JOC Cockpit's Client Authentication Certificate. 
  • The fact that a given certificate is to be used for Server Authentication and/or Client Authentication is specified with the key usage when the certificate is being created and signed.
  • The distinguished name that is specified with the Controller's configuration has to match the Client Authentication Certificate's or Client public key's subject attribute. This attribute specifies the hostname and additional information that is created when the certificate or public key is generated.
• Controller
  • Settings in this section are used for connections from a pairing Controller instance, e.g. for a Secondary Controller instance if the given configuration is used for the Primary Controller instance and vice versa. 
  • distinguished-names: 
    • Specifies the distinguished name as given with the subject of the Client Authentication Certificate for incoming HTTPS connections of a pairing Controller instance.
    • Any number of distinguished names can be specified allowing a number of incoming HTTPS connections from different Controller instances. At a given point in time only one pairing Controller instance can connect to the given Controller.
• History
  • Settings in this section are used for the History Service of JOC Cockpit instances that access the given Controller.
  • distinguished-names:  the same as for the Controller setting.
  • password: a password has to be used in addition to use of a certificate or public key. In addition the password is used if incoming HTTP connections are allowed.
• JOC
  • Settings in this section are used for JOC Cockpit instances that access the given Controller.
  • distinguished-names:  the same as for the Controller setting.
  • password:  a password has to be used in addition to use of a certificate or public key. In addition the password is used if incoming HTTP connections are allowed.
  • permissions: JOC Cockpit requires the UpdateRepo permission to enable users to deploy objects such as workflows.

js7.auth.agents: HTTPS Authentication and Authorization

• By default for HTTPS connections both Server Authentication Certificates and Client Authentication Certificates are used. If no Client Authentication Certificates should be used then the Controller has to use a password to authenticate with an Agent.
• For each Agent the <Agent ID> and a password is specified. A plain-text password is required. The same password has to be specified with the Agents private.conf configuration file.

js7.web.https: HTTPS Certificates

...

js7.web.server: HTTPS Authentication

• This setting is used to specify the authentication type for HTTPS connections to a Controller.
• https-client-authentication
  
  • The value on (default) specifies that mutual authentication with certificates for Server Authentication and Client Authentication is used.
  • The value off specifies that HTTP Basic Authentication only is used.
• By default JS7 makes use of mutual authentication including both Server and Client Authentication Certificates. This setting can be switched off to use Server Authentication Certificates only.

...