Introduction

• JS7 components are easy to install out-of-the-box. However, a number of configuration items have to be considered when operating JS7 for a secure environment.
• Secure operation is applied to the following areas:
  • Connection Management
    
    • Network Connections
    • Database Connections
  • Access Management
    • Authentication
    • Authorization
  • Credentials Management
    • Database Credentials
    • Job Credentials
• Secure operation includes users configuring JS7 components in a compliance-conformant way.

Connection Management

JS7 components use the following connections:

Network Connections

All network connections are unidirectional, as indicated by the direction of the arrows in the diagram above.

Default Configuration

The following default configuration is implemented by the installer if users do not modify settings during installation:

• All network connections make use of HTTP:
  • Connections by users to the JS7 - Browser User Interface
  • Connections by the PowerShell CLI to the JS7 - REST Web Service API
  • Connections by the JOC Cockpit to the JS7 Controller using the JS7 REST Web Service API
  • Connections by JS7 Controller instances to Agents
• Port Usage
  • The JOC Cockpit can be accessed at port 4446
  • The JOC Cockpit REST Web Service can be accessed at port 4446
  • The JS7 Controller uses port 4444
  • The JS7 Agent listens to port 4445
• Network Interface Usage
  • By default JS7 components will listen to the above mentioned ports on any available network interfaces.
• Firewall Settings
  • Open ports in your firewall exclusively for the hosts, protocols and ports as specified above. Consider allowing connections only for the directions indicated in the diagram above.

Secure Configuration

The following settings are recommend to ensure secure network connections:

• Configure network connections to use HTTPS:
  • Use of HTTPS includes providing valid certificates for the hosts that JS7 components are operated for. Use of self-signed certificates is not recommended as they cannot be verified to a trusted source.
  • As HTTPS is limited to secure connections, additional authentication is required. In this case, a JS7 Controller instance is configured to authenticate with an Agent in order to guarantee that the Controller instance is in fact, what it claims to be and is entitled to access the Agent.
  • The JS7 - Secure Connections article explains the use of the built-in Certificate Authority and the use with external Certificate Authorities.
  • For detailed instructions for configuration see:
    • JS7 - JOC Cockpit HTTPS Connections, which explains HTTPS configuration for the JOC Cockpit and connection to the JS7 Controller.
    • JS7 - Controller HTTPS Connections
    • JS7 - Agent HTTPS Connections
• Restrict use of network interfaces:
  • Consider restricting JS7 components to only listen to specific network interfaces.
  • The JS7 Controller can be configured by use of the --http_port and --https_port command line options to specify network interfaces, see the JS7 - Controller - Command Line Operation article for details.
    
  • The JS7 Agent can be configured by use of the --http-port and --https-port options to specify network interfaces, see JS7 - Agent Command Line Operation.
  • The JOC Cockpit can be similarly configured to only use specific network interfaces, see:
    • JS7 - JOC Cockpit Configuration for Docker Containers
    • JS7 - JOC Cockpit Configuration Items

Database Connections

The JOC Cockpit is the only JS7 component that uses a database.

Database connections are based on JDBC. If JDBC type 4 drivers are used then a DBMS client is not required for the operation of the JOC Cockpit. The Hibernate access layer is used for database access.

Default Configuration

• JS7 ships with JDBC Drivers that are open source or that are free for distribution with JS7.
• The JOC Cockpit installer allows:
  
  • specification of alternative JDBC Drivers that can be downloaded from the respective vendor's web site.
  • specification of individual Hibernate configuration files with security related settings.
• For details see the JS7 - Database article.

Secure Configuration

• Depending on the DBMS version in use it is preferable to download and apply the DBMS vendor's current JDBC Driver version:
  • For use with MySQL® the JDBC Driver is not included with JS7. Instead a MariaDB® driver is provided for access to MySQL® databases.
  • For use with SQL Server® the JDBC Driver is not included. Instead users have to download a current JDBC Driver from the vendor's site.
  • For use with Oracle® newer JDBC Driver versions might be available from the vendor's web site.
• Vendor-specific JDBC Drivers include support for specific authentication mechanisms. For example
  • the use of JDBC with Oracle Wallet, see JS7 - How to make JOC Cockpit connect to an Oracle database using Wallet®,
  • the use of JDBC with Integrated Security, see JS7 - How to connect to an SQL Server database without using passwords.
• Consider additional security related settings that apply to your DBMS in the Hibernate configuration file. For the location of this file see the JS7 - Database article.

Access Management

Access to JS7 components is centrally secured by the JS7 - REST Web Service API. This interface is used by the JS7 - Browser User Interface and by external applications using the REST API.

Roles and Permissions

Default Configuration

• Refer to the hints provided in the JS7 - JOC Cockpit - Secure Operation article.
• The JS7 - REST Web Service API ships with a default configuration in ./joc/resources/joc/shiro.ini which includes:
  
  • use of local authentication with accounts and passwords stored as hash values.
  • use of local role assignment,
  • the following default values for user accounts, passwords and assigned roles (see JS7 - Manage User Accounts for more information):
    • Active Accounts:
      • root=root, all
    • Deactivated Accounts (passwords are presented in plain text for documentation purposes and are hashed in the shiro.ini configuration file:

      • # administrator=secret, administrator
# application_manager=secret, application_manager
# it_operator=secret, it_operator
# incident_manager=secret, incident_manager
# business_user=secret, business_user
# api_user=secret, api_user

• The JS7 Controller is not accessed by users but exclusively by the JOC Cockpit via the JS7 - REST Web Service API.
  • Default authentication for the connection from the JOC Cockpit to the Controller is provided by symmetric passwords available with:
    • the JOC Cockpit Settings page with the settings controller_connection_joc_password and controller_connection_history_password,
    • the Controller's private.conf file which holds the password setting optionally as a hashed value.
  • It is recommended that certificate based authentication using HTTPS connections with mutual authentication is implemented, see JS7 - Controller HTTPS Connections.
• JS7 Agents are not accessed by users but exclusively by a JS7 Controller. Default authentication is not provided.

Secure Configuration

• Using the default root user account that ships with the JOC Cockpit is not recommended. The default user account is intended to enable initial login only.
• A fine-grained set of permissions is available that can be applied to any operation in the JOC Cockpit and in the JS7 REST Web Service API. Such permissions can freely be grouped to roles.
• LDAP Directory Services should be used whenever possible to establish role assignment for users based on membership in LDAP security groups.

LDAP Directory Service

Default Configuration

• LDAP Directory Service integration is not in place.
• Using the default configuration with local authentication for access to the JOC Cockpit is not recommended.

Secure Configuration

• LDAP Directory Services can be accessed for authentication and authorization:
  • users can connect by specifying their domain account.
  • membership in security groups can be optionally mapped to roles.
• The use of LDAP allows operation of a JOC Cockpit configuration that contains neither account data, passwords nor user role assignments. 
• This applies for any LDAP compliant product such as Microsoft Active Directory®, OpenLDAP etc.
• For details about LDAP support see the JS7 - LDAP Identity Service article.

Credentials Management

Database Credentials

Default Configuration

• Database credentials are specified during installation and are added to the following Hibernate configuration files:
  • JOC Cockpit: for access to the reporting database: JETTY_BASE/resources/joc/reporting.hibernate.cfg.xml
  • For details see the  JS7 - Database article.
• Default values are not provided by the installer.

Secure Configuration

• Do not use passwords.
  • Users frequently ask if JS7 can encrypt credentials. The answer is "no" as it makes no sense to handle a symmetric key that is in reach of the component that makes use of it. Encrypted passwords correspond to the "key under the mat". They do not provide additional security. However, they contribute perfectly to obfuscation.
  • There is one way only how to securely handle passwords: do not use them.
• Use Integrated Security
  • This authentication scheme is based on the fact that the account which a component is operated for has already been authenticated and therefore can access a database without specifying user/password credentials.
  • This feature is available for a number of DBMS such as:
    • Microsoft SQL Server®, see the JS7 - How to connect to an SQL Server database without using passwords article.
    • Oracle® including support for Oracle® Wallet, see the JS7 - How to make JOC Cockpit connect to an Oracle database using Wallet® article.

Job Credentials

Default Configuration

• The Windows Service for the JS7 Controller and Agent runs in the system account. 
  • The installer allows specification of a different account and the addition of credentials for that account. The installer does not store passwords entered during installation.
• By default jobs are executed in the context of the account that the JS7 Agent is operated with.

Secure Configuration

• It is considered a bad idea to run a JS7 Controller or Agent using a Unix root account or Windows Administrator account.
  • Certainly this makes life easy when it comes to switching to other user accounts or for accessing files.
  • However, you should not grant more permissions to a process than required.
• Use specific user accounts to run JS7 Controllers and Agents:
  • Do not use the system account (Windows) or root (Unix).
  • Create specific service accounts that are limited to the privileges that are required to execute jobs.
• Do not specify credentials for Windows Service accounts during installation:
  • The installer does not store such credentials but forwards them to the Windows Service interface. However, there is no guarantee that such credentials will be logged by some Windows mechanism.
  • Instead, use the Windows Service Panel to manually specify credentials for the service account.
• There are a number of options when it comes to running jobs for different user accounts:
  • In Unix environments:
    • Job scripts can switch to a different user context by use of sudo or su commands. sudo is the preferred option as this the standard Unix tool which allows secure configuration of the users that are allowed to execute certain commands (sudoers file). In addition sudo provides reporting capabilities about the (ab)use of commands.
  • In Windows environments:
    • You can use the Windows Credential Manager to safely store the credentials of the user account that a job should be executed for. The Agent will then read the credentials and will create a new process to run a job in the target user context. This is the preferred solution as it does not store credentials in the Agent or workflow configuration.
    • Find detailed information with the JS7 - Running Jobs as a different User article.
  • For all environments:
    • You can run a number of Agents in parallel using different user accounts.
• A credential store can be used for jobs that require credentials, e.g. to access a database: see the JS7 - Credential Store article for more information.
  • Credentials are not provided from parameters (that could be logged in clear text), instead an interface is provided that allows on demand access to the credential store. 
  • This feature is available for Shell jobs and for JVM jobs.

File Transfer Credentials

Such credentials are intended for use with the YADE file transfer utility, which is available from built-in job templates.

Default Configuration

• By default any accounts/passwords that are used for source connections, target connections and proxy connections are stored in clear text.
• See the YADE - Reference Documentation - Parameter Reference for more information.

Secure Configuration

• Use the YADE Credential Store to manage credentials centrally in a store which is referenced by YADE configuration items. See the How to set-up the Credential Store and YADE Parameter Reference - CredentialStoreFragment articles for more information.
• Should you use FTP connections then consider switching to using SFTP.
• SFTP connections can be used with private/public key files - there is no need to use passwords for such connections.

Further Resources

• JS7 - JOC Cockpit - Secure Operation