JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 32

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 33

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • By default mutual authentication is in place.
    • JOC Cockpit is challenged by the Controller to present its Client Authentication certificate that is verified by the Controller.
      • In addition the distinguished name of the JOC Cockpit Client Authentication certificate is checked and a password is used to identify the JOC Cockpit instance.
      • Consider that any number of clustered JOC Cockpit instances can connect to a Controller.
    • If a Controller cluster is used then connections from the partnering Controller instance are authenticated by the distinguished name of the instance's Client Authentication certificate.

  • The JS7_CONTROLLER_CONFIG_DIR/private/private.conf configuration file should include authentication details like this:

    Code Block
    titleExample for private.conf file specifying JOC Cockpit authentication
    js7 {
    auth {
        users {
            # History account (used for release events)
            History {
                distinguished-names=[
                    "DNQ=SOS CA, CN=apmacwin_joc_client, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }
            # JOC account (needs UpdateItem permission for deployment)
            JOC {
                distinguished-names=[
                    "DNQ=SOS CA, CN=apmacwin_joc_client, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
                password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                permissions=[
                    UpdateItem
                ]
            }
            # Controller ID for connections by primary/secondary controller instance
            jobscheduler {
                distinguished-names=[
                    "DNQ=SOS CA, CN=apmacwin_secondary_client, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
}


    Explanation:
    • The History and JOC user accounts are used by the JS7 - History Service and by the JS7 - REST Web Service API.
      • The distinguished-names property offers to add a number of distinguished names as available from the subject of Client Authentication certificates that are used by JOC Cockpit instances when connecting to the Controller.
        • Except for whitespace between attributes the precise sequence and values as available from the certificate's subject has to match this property value.
      • The password is used for authentication of the History and JOC service accounts with the Controller. Both accounts typically are running in the same JOC Cockpit instance. 
        • If HTTP connections are used then the password is the only means for authentication. If HTTPS connections with mutual authentication are used then the password is not relevant as certificate based authentication is in place.
        • The symmetric password is specified with the section joc of the Settings page of JOC Cockpit and in the private.conf file. 
          • User Input to the Settings page of JOC Cockpit can look like this:

            Image Added

            Input to the GUI simply accepts the password and does not require to use the prefixes sha512: or plain:.
        • In the private.conf file a A hashed value or a plain text value can be used specified like this:
          • password="sha512:B793649879D6..."
          • password="plain:JS7-History"
        • If the password is modified in the private.conf file then it has to be modified in the JOC Cockpit settings too to make the passwords match.
        • The password setting cannot be omitted, however, an empty password can be specified, for example with mutual authentication HTTPS connections, like this:
          • password="plain:"
        • By From the private.conf file that ships by default the clear plain text for value and the hashed value isvalues are:
          • History: 
            • Plain Text: JS7-History
            • Hash: sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08
          • JOC:
            • Plain Text: JS7-JOC
            • Hash: sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE
    • The jobscheduler user account is an example for a Controller ID as that is used by a partnering Controller instance.
      • This setting is not required if a standalone Controller is used.
      • For a Controller cluster the Controller ID is specified during installation.

...