Versions Compared

...

  • HTTPS Server Authentication is preferably used in combination with Client Authentication (mutual authentication) as this allows a secure configuration without the use of passwords.
    • The purpose of Server Authentication is to secure the identity of an HTTP server and to encrypt the communication between client and server.
    • The purpose of Client Authentication is to prove the identity of a client. Without proof of identity any HTTP client could perform a man-in-the-middle attack, for example by pretending to be a Controller that connects to an Agent.
  • Please refer to the communication scheme between JS7 components as described in the JS7 - System Architecture article:
    • User browsers acting as HTTPS clients establish connections to JOC Cockpit as an HTTPS server.
    • JOC Cockpit acting as an HTTPS client establishes connections to Controller instances acting as HTTPS servers.
    • Controller instances acting as HTTPS clients establish connections to Agents acting as HTTPS servers.
  • We recommend applying mutual authentication. However, there might be reasons why use of Client Authentication is not an immediate option, for example:
    • Use of a wildcard certificate for Server Authentication reduces the effort for certificate management. At the same time such a certificate cannot be used for Client Authentication, as it does not identify an individual client.
  • If mutual authentication is not an immediate option then passwords can be used, and the recommendations made in this article for use of passwords apply.

Controller Configuration

...

  • The configuration file is located in the sos-berlin.com/js7/controller/config/private folder.
  • Note that the above configuration has to be deployed to both Controller instances if a Controller Cluster is used.
  • The configuration items relevant to Server Authentication with passwords from the example above are described in the following sections.

Specify Agent ID and Password

Code Block
js7 {
    auth {
        # for each Agent specify the Agent ID and its plain text password for authentication
        agents {
            agent-dev-001="secret"
            agent-dev-002="secret"
        }
    }
}

Explanation:

  • The Agent ID for each Agent is specified, for example agent-dev-001. An Agent is assigned a unique Agent ID during initial operation with JOC Cockpit that cannot be changed unless the Agent's journal is dropped.
  • The plain text password secret is specified. The value secret is a placeholder only: use a strong, individual password per Agent, as the Controller stores these passwords in plain text.

...

  • The configuration file is located in the sos-berlin.com/js7/agent/config_<port>/private folder.
  • Note that the above configuration has to be deployed to each Agent instance.
  • The configuration items relevant to Server Authentication with passwords from the example above are described in the following sections.

Specify Controller ID and Password

...

  • In this example js7_dev is the Controller ID used by a solo Controller or by a Controller Cluster. A Controller is assigned a unique Controller ID during installation. The Controller ID cannot be changed unless the Controller's journal is reset.
  • The password for the Controller ID in the Agent configuration is the same as stated for the Agent in the Controller configuration.
    • The password has to be preceded with "plain:" if a plain text password is used.
    • The password has to be preceded with "sha512:" if a password hashed with this algorithm is used. In this case the Agent holds only the hash; the plain text password still has to be stored in the Controller configuration.
      • There are a number of ways to create sha512 hash values from passwords.
      • One possible solution is to use openssl passwd -6, which produces a salted SHA-512 crypt hash of the form $6$<salt>$<digest>.
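As an added example that is not part of the JS7 documentation or of the product, the following POSIX shell script covers both steps described above: it generates an individual random password per Agent, prints the plain text value for the agents block of the Controller configuration, prints the salted SHA-512 crypt hash that the Agent configuration takes with the sha512: prefix, and verifies a hash by recomputing it with the salt extracted from it. It assumes OpenSSL 1.1.1 or newer for openssl passwd -6; the function names and the sample Agent IDs are the example's own, and the Agent-side key that holds the hashed value is not shown, as the page elides that fragment.

```shell
#!/bin/sh
# Added example, not code from the JS7 documentation. Assumes OpenSSL >= 1.1.1
# (openssl passwd -6 = salted SHA-512 crypt, hashes of the form $6$<salt>$<digest>
# without a rounds= field).

# Generate a random per-Agent password: 24 random bytes, base64 encoded (32 characters).
gen_password() {
    openssl rand -base64 24
}

# Hash a password for the Agent side. The password is passed via stdin so that it
# appears neither in the process list nor in the shell history.
# $1 = password, optional $2 = fixed salt (up to 16 characters); without $2 openssl
# generates a random salt.
hash_password() {
    if [ -n "$2" ]; then
        printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
    else
        printf '%s\n' "$1" | openssl passwd -6 -stdin
    fi
}

# Verify a password against a $6$ hash. openssl passwd has no verify mode, so the
# salt (third $-separated field of the hash) is extracted, the hash is recomputed
# with that salt and compared to the stored value.
# $1 = password, $2 = hash; returns 0 on match, 1 otherwise.
verify_password() {
    salt=$(printf '%s' "$2" | cut -d '$' -f 3)
    recomputed=$(hash_password "$1" "$salt")
    [ "$recomputed" = "$2" ]
}

# Constructed sample run with the two Agent IDs used on this page. For each Agent the
# plain text entry for js7.auth.agents in the Controller configuration is printed,
# followed by the hashed value (with the sha512: prefix the page describes) to be used
# as the password for the Controller ID js7_dev in that Agent's configuration.
for agent_id in agent-dev-001 agent-dev-002; do
    pw=$(gen_password)
    h=$(hash_password "$pw")
    echo "# Controller config/private, js7.auth.agents entry:"
    echo "    $agent_id=\"$pw\""
    echo "# Agent $agent_id config_<port>/private, password value for Controller ID js7_dev:"
    echo "    \"sha512:$h\""
done
```

Because every Agent gets its own password, a compromised Agent configuration does not expose the credential of any other Agent, and because the Agent side only stores the salted hash, the plain text value exists solely in the Controller's private folder, whose file permissions should be restricted accordingly.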

Disable Client Authentication

...