
Introduction

  • HTTP Basic Authentication with passwords is a basic means to identify client and server in HTTP connections. However, HTTP connections are not secure: passwords are forwarded without transport encryption and are therefore visible in the network. It is recommended to switch to HTTPS Server Authentication, which implements transport encryption.
  • Consider the communication scheme between JS7 components as explained in JS7 - System Architecture:
    • User browsers acting as HTTP clients establish connections to JOC Cockpit as an HTTP server.
    • JOC Cockpit acting as an HTTP client establishes connections to Controller instances acting as HTTP servers.
    • Controller instances acting as HTTP clients establish connections to Agents acting as HTTP servers.

Controller Configuration

Configuration File: controller.conf

Download: controller.conf

Controller configuration file: controller.conf
# Allow http connections
js7.web.server.auth.public = true

Explanation:

  • The configuration file is located in the sos-berlin.com/js7/controller/config folder.
  • This configuration item is required to enable HTTP connections to a Controller.

Configuration File: private.conf

Download: private.conf

Controller configuration file: private.conf
js7 {
    auth {
        users {
            # History account (used for release events)
            History {
                password="sha512:B793649879D61613FD3F711B68F7FF3DB19F2FE2D2C136E8523ABC87612219D5AECB4A09035AD88D544E227400A0A56F02BC990CF0D4CB348F8413DE00BCBF08"
            }
            # JOC account (needs UpdateItem permission for deployment)
            JOC {
                password="sha512:3662FD6BF84C6B8385FC15F66A137AB75C755147A81CC7AE64092BFE8A18723A7C049D459AB35C059B78FD6028BB61DCFC55801AE3894D2B52401643F17A07FE"
                permissions=[
                    UpdateItem
                ]
            }
        }
    }

    configuration {
        # truststore location for signatures
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }

    journal {
        # allow History account to release unused journals
        users-allowed-to-release-events=[
            History
        ]
    }
}

Explanation:

  • The configuration file is located in the sos-berlin.com/js7/controller/config/private folder.
  • If a Controller Cluster is used, the above configuration has to be deployed to both Controller instances.
  • Find below explanations about configuration items from the above example relevant to Server Authentication with passwords.

Agent Configuration

Configuration File: agent.conf

Download: agent.conf

Agent configuration file: agent.conf
# Allow http connections
js7.web.server.auth.public = true

Explanation:

  • The configuration file is located in the sos-berlin.com/js7/agent/config_<port> folder.
  • This configuration item is required to enable HTTP connections to an Agent.

Configuration File: private.conf

Download: private.conf

Agent configuration file: private.conf
js7 {    
    configuration {
        # Locations of certificates and public keys used for signature verification
        trusted-signature-keys {
            PGP=${js7.config-directory}"/private/trusted-pgp-keys"
            X509=${js7.config-directory}"/private/trusted-x509-keys"
        }
    }
    
    job {
        # Enable script execution from signed workflows
        execution {
            signed-script-injection-allowed = yes
        }
    }    
}

Explanation:

  • The configuration file is located in the sos-berlin.com/js7/agent/config_<port>/private folder.
  • The above configuration has to be deployed to all Agent instances.
  • The js7.configuration.trusted-signature-keys setting specifies directories that hold the PGP public keys and X.509 certificates an Agent requires to verify the signatures of deployed objects such as workflows.
    • If you do not use PGP public keys, disable the PGP setting. Otherwise warnings might occur if no PGP public keys are found in the indicated directory.
    • Likewise, disable the X509 setting if no X.509 certificates are available in the indicated directory.
  • The js7.job.execution setting allows job scripts that include shell code. If this setting is assigned the false value or is omitted, jobs are limited to executing existing shell scripts from the sos-berlin.com/js7/agent/config_<port>/executables folder. Some users of JS7 might consider it more secure to disallow shell commands in job scripts and to limit jobs to executing existing scripts located in this folder.
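
The following check is an added example, not part of the original page or of JS7: it reads a controller.conf, agent.conf or private.conf and reports the settings discussed above (HTTP allowed, inline job scripts allowed, password values that are not well-formed sha512: entries). The flatten and audit helpers and the sample text are constructed for illustration, and the parser assumes the one-setting-per-line layout shown on this page with no # or // inside quoted values.

```python
import re
TRUE = {"true", "yes", "on"}  # spellings HOCON reads as boolean true
SHA512 = re.compile(r"sha512:[0-9A-Fa-f]{128}")  # SHA-512 digest = 128 hex digits
PW_KEY = re.compile(r"js7\.auth\.users\.[^.]+\.password")

def flatten(text):
    """Flatten the HOCON layout used on this page into {dotted.key: value}."""
    path, out = [], {}
    for raw in text.splitlines():
        line = re.sub(r"\s*(#|//).*$", "", raw).strip()  # drop comments
        if m := re.fullmatch(r"([\w.-]+)\s*\{", line):  # "name {" opens a block
            path.append(m.group(1))
        elif line == "}" and path:  # "}" closes the innermost block
            path.pop()
        elif m := re.fullmatch(r"([\w.-]+)\s*[=:]\s*(.+)", line):
            out[".".join(path + [m.group(1)])] = m.group(2).strip('"')
    return out

def audit(text):
    """Return (key, note) pairs for the settings this page discusses."""
    found = []
    for key, value in flatten(text).items():
        if key == "js7.web.server.auth.public" and value.lower() in TRUE:
            found.append((key, "HTTP connections allowed, no transport encryption"))
        elif key == "js7.job.execution.signed-script-injection-allowed" and value.lower() in TRUE:
            found.append((key, "job scripts may include shell code"))
        elif PW_KEY.fullmatch(key) and not SHA512.fullmatch(value):
            found.append((key, "password is not sha512: followed by 128 hex digits"))
    return found

# Constructed sample, not a real configuration: JOC well-formed, History truncated.
SAMPLE = """
js7.web.server.auth.public = true
js7.job.execution.signed-script-injection-allowed = yes
js7 {
    auth {
        users {
            JOC {
                password="sha512:%s"
            }
            History {
                password="sha512:1234"
            }
        }
    }
}
""" % ("AB" * 64)
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```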



