Introduction

  • The JS7 - Identity Services offer local management of user accounts for authentication and authorization.
  • The JS7 - Shiro Identity Service is a built-in service available from JOC Cockpit.
    • The Shiro Identity Service is available for early releases of JS7.
    • The Shiro Identity Service is discontinued: FEATURE AVAILABILITY ENDING WITH RELEASE 2.4.0
  • Migration tools are available for users who upgrade from early JS7 2.0, 2.1 releases and from JS1 1.12, 1.13 releases.
    • A Shiro Identity Service configuration is migrated to a JS7 - JOC Identity Service.
    • Migration tools remain in place and can be applied throughout future JS7 2.x releases independently from the fact that the Shiro Identity Service is discontinued.

When to migrate

  • Users of JS7
    • JS7 releases up to 2.3 can be operated with an existing Shiro Identity Service configuration.
    • Later JS7 releases require migration of the Shiro Identity Service configuration.
  • Users of JS1
    • Users of JS1 releases 1.12 and 1.13 who migrate to JS7 should apply the migration procedure.

What to migrate

For use of Shiro with releases 1.12, 1.13, 2.0, 2.1, 2.2 the following applies:

  • JOC Cockpit stores user accounts, hashed passwords and role assignments
    • in its database and
    • to the JETTY_BASE/resources/joc/shiro.ini.active file (for information purposes)
      • Users can create a copy of the shiro.ini.active file, add their modifications and submit changes by renaming the file to shiro.ini.
      • With the next login of a user the shiro.ini file will be applied and its contents are added to the JS7 database.
      • As a result of this operation the shiro.ini file is renamed to shiro.ini.active. A previously available shiro.ini.active file is renamed to shiro.ini.backup.
  • The migration procedure includes specifying the location of the shiro.ini.active file or of a file with an arbitrary name that holds the latest Shiro configuration.

How to migrate

For migration purposes the JS7 Identity Service management script is used: joc_manage_identity_service.sh|.cmd

The script is executed in the JS7 environment to which the Shiro configuration should be migrated. The script is available from

  • JETTY_HOME/install/joc_manage_identity_service.sh |.cmd
  • If not otherwise specified during installation, the JETTY_HOME directory defaults to
    • /opt/sos-berlin.com/js7/joc (for Unix environments)
    • Program Files\sos-berlin.com\js7\joc (for Windows environments)

The management script is invoked like this:

Run the management script for Shiro migration with Unix:
/opt/sos-berlin.com/js7/joc/install/joc_manage_identity_service.sh <shiro-configuration-file>

Run the management script for Shiro migration with Windows:
"C:\Program Files\sos-berlin.com\js7\joc\install\joc_manage_identity_service.cmd" <shiro-configuration-file>

The <shiro-configuration-file> specifies the file holding the latest Shiro configuration of the JobScheduler release from which to migrate, see What to migrate. Users can copy the file to their JS7 environment. During execution of the management script a connection to the JobScheduler installation that should be migrated is not required.

Execution of the management script for migration performs the following operations in JS7:

  • Add an Identity Service with Service Type JOC and the name JOC-FROM-SHIRO
    • For each LDAP realm included with the <shiro-configuration-file> a corresponding Identity Service is created from the name of the LDAP realm.
  • Populate roles of the JOC-FROM-SHIRO Identity Service
    • Any roles and permissions from the <shiro-configuration-file> are added to the JOC-FROM-SHIRO Identity Service.
  • Populate accounts of the JOC-FROM-SHIRO Identity Service
    • Any user accounts from the <shiro-configuration-file> are added to the JOC-FROM-SHIRO Identity Service.
    • This includes adding assignments of roles to user accounts, provided that assignments and roles are specified.
    • This includes adding hashed passwords available from the <shiro-configuration-file>.
      • JS7 implements its own password hashing algorithm. However, password hashes migrated from Shiro can be used with JS7.
      • When a user changes the password then the JS7 password hashing algorithm is applied.
      • This procedure is intended for smooth migration that does not force users to change passwords.
  • Should the management script find existing configuration items with the same name in the JOC-FROM-SHIRO Identity Service, for example matching names of roles or user accounts, then they will not be overwritten from the <shiro-configuration-file>.
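
The <shiro-configuration-file> can be reviewed before it is handed to the management script. The following added example is not part of JS7 or of the management script: it reads a file in Shiro's INI layout and lists accounts whose password field is not a hash, role assignments that point to roles missing from [roles], and realms that look like LDAP realms. It assumes that hashed entries use Shiro's `$shiro1$` prefix and that an LDAP realm can be recognized by "ldap" in its class name; the sample file, the function names and the realm class are constructed for illustration.

```python
import re

# Constructed sample in Shiro INI layout; accounts, hashes and realm class are made up.
SAMPLE = """\
[main]
ldapRealm = com.example.auth.LdapAuthorizingRealm
ldapRealm.contextFactory.url = ldap://ldap.example.com:389
[users]
root = $shiro1$SHA-512$500000$c2FsdA==$aGFzaA==, all
alice = secret, administrator
bob = $shiro1$SHA-512$500000$c2FsdA==$aGFzaA==
[roles]
all = sos:products
"""

def parse_ini(text):
    """Split Shiro INI text into {section: {key: value}}, skipping comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)   # hashes contain '=', split once only
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """List items to review in the file before it is migrated."""
    ini = parse_ini(text)
    roles = set(ini.get("roles", {}))
    report = {"unhashed": [], "undefined_roles": {}, "ldap_realms": []}
    for account, value in ini.get("users", {}).items():
        password, *assigned = [part.strip() for part in value.split(",")]
        if not password.startswith("$shiro1$"):   # assumption: Shiro hash prefix
            report["unhashed"].append(account)
        missing = [r for r in assigned if r and r not in roles]
        if missing:
            report["undefined_roles"][account] = missing
    for key, value in ini.get("main", {}).items():
        if "." not in key and "ldap" in value.lower():   # assumption: realm class name
            report["ldap_realms"].append(key)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real file, pass its contents to `audit()` instead of `SAMPLE`.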

If things go terribly wrong then consider JS7 - Rescue in case of lost access to JOC Cockpit.


