Skip to end of metadata
Go to start of metadata

Introduction

  • The JS7 - Identity Services offer integration with HashiCorp® Vault authentication server.
  • The Vault Identity Service integration is available from JOC Cockpit:
    • This requires HashiCorp® Vault to be downloaded, installed and operated by the user. Vault is not a built-in Identity Service and does not ship with JS7.
    • JS7 implements a REST client for use with HashiCorp® Vault 1.7.0 and newer.

Identity Service Types

The following integration levels are available from Identity Service Types that can be used with Vault:

Identity ServiceIdentity Service Configuration ItemsJOC Cockpit Configuration
Service TypeBuilt-inUser Accounts/Passwords
stored with
User Accounts/Passwords
managed by
Roles/Permissions
stored with
Roles->User Accounts Mapping
managed with
Roles Mapping
VAULTnoVault ServerVault ServerJS7 DatabaseVault ServerMapping of Vault Policies to JOC Cockpit Roles
VAULT-JOCnoVault ServerVault ServerJS7 DatabaseJOC CockpitMapping of user accounts and roles with JOC Cockpit
VAULT-JOC-ACTIVEnoVault ServerVault Server / JOC CockpitJS7 DatabaseJOC CockpitMapping of user accounts and roles with JOC Cockpit


Explanation:

  • Service Type: VAULT
    • Management of user accounts and passwords is performed by the Vault Server.
    • In addition, an automated mapping of policies - assigned a user account in Vault - to JOC Cockpit roles takes place.
    • The JOC Cockpit does not know any user accounts, passwords and role assignments as this information is managed with Vault only.
  • Service Type: VAULT-JOC
    • Management of user accounts and passwords is performed by the Vault Server.
    • The assignment of roles to user accounts is performed with the JOC Cockpit and is stored with the JS7 database.
    • The JOC Cockpit knows user accounts and role assignments. The JOC Cockpit does not know passwords as this information is managed with Vault only
  • Service Type: VAULT-JOC-ACTIVE
    • Management of user accounts and passwords is performed by the JOC Cockpit. The JOC Cockpit forwards user accounts and passwords to the Vault Server. The JOC Cockpit stores users accounts (not: passwords) in the JS7 database.
    • The assignment of roles to user accounts is performed with the JOC Cockpit and is stored with the JS7 database.
    • The JOC Cockpit knows user accounts and role assignments. The JOC Cockpit temporarily knows passwords until this information is forwarded to Vault.

Vault Authentication Methods

JS7 supports the following authentication methods with Vault:

  • Username & Password
  • LDAP
    • It is not required to use Vault to connect to an LDAP Directory Service as there is a built-in JS7 - LDAP Identity Service for this purpose.
    • This authentication method can be used with the VAULT Identity Service Type only.

JS7 does not support cloud based authentication methods with Vault as such methods are typically used for engineering and administrative roles with cloud services that are not related to an application such as JS7.

Vault Server Configuration

Application Role

If the VAULT-JOC-ACTIVE Identity Service Type is used then an Application Role has to be created and an access token has to be generated with Vault that is added to the JOC Cockpit configuration of the Vault Identity Service.

Access tokens created for the Application Role have to include Vault permissions to manage user accounts if the Username & Password authentication method is used

Authentication Methods

Username & Password

  • The authentication method has to be added to Vault.
    • The path of the authentication method has to be added to the Identity Service configuration in the JOC Cockpit.
  • If the VAULT Identity Service Type is used then:
    • user accounts are managed exclusively by Vault,
    • policies have to be set up in Vault with names that exactly match the names of roles in the JOC Cockpit.
      • a user account will be assigned the roles matching policy names when performing a login to the JOC Cockpit.
      • it is not required to add specific permissions to policies with Vault.
  • If the VAULT-JOC Identity Service Type is used then:
    • user accounts are managed by Vault.
    • user accounts are added to the JOC Cockpit to allow assignment of roles:
      • user accounts in Vault and in the JOC Cockpit have to match as otherwise the user account is not assigned a role.
      • no passwords are managed by the JOC Cockpit.
  • If the VAULT-JOC-ACTIVE Identity Service Type is used then:
    • user accounts are managed by the JOC Cockpit and are stored with Vault.
    • user accounts are assigned roles with the JOC Cockpit.

LDAP

  • It is not necessary to use Vault to connect to an LDAP Directory Service as there is the built-in JS7 - LDAP Identity Service for this purpose.
  • The authentication method has to be added to Vault.
    • The path of the Authentication Method has to be added to the Identity Service configuration in JOC Cockpit.
  • The VAULT Identity Service Type has to be used, meaning that:
    • user accounts are managed with Vault.
    • user accounts are added to the JOC Cockpit to allow assignment of roles:
      • user accounts in Vault and in the JOC Cockpit have to match as otherwise the user account is not assigned a role.
      • no passwords are managed by the JOC Cockpit.

Tokens

When a user logs in to the JOC Cockpit then user credentials are forwarded to the Vault Server that authenticates the user and returns an access token.

  • Vault access tokens are created with the following restrictions:
    • time to live (TTL):
      • the access token will expire after the given period,
      • the Identity Service renews the access token 60s before expiration, this step is performed for an arbitrary number of renewals. This requires that the access token's TTL exceeds 60s and the Vault permission self for renewing a token by the token owner to be in place.
    • maximum time to live:
      • the access token's overall lifetime is limited, renewals cannot take place after the specified period.
  • If an access token cannot be renewed by the Identity Service then the user session is terminated and the user is forced to login and to specify credentials.
    • This happens in the event of the maximum TTL being exceeded or that the token has been revoked.
    • Vault administrators should check for reasonable values of the TTL, maybe not less than 300s, and the maximum TTL, maybe at least 15 minutes, as otherwise users would have to repeatedly login quite frequently.
  • The JOC Cockpit handles the idle timeout of user sessions independently of Vault, see JS7 - Identity Services.
    • If the idle timeout is exceeded then the user session is terminated.
    • The Identity Service tries to revoke the access token. This requires the Vault permission self to revoke a token by the token owner. 
  • The Identity Service does not make use of Vault child tokens.

Identity Service Configuration

The JOC Cockpit Manage Identity Services page from the user menu of an administrative account is provided for the configuration of Identity Services:

Add Identity Service

To add an Identity Service use the button Add Identity Service from the page shown above, listing the available Identity Services:


The remaining input fields for the popup window look like this:


Explanation:

  • The Identity Service Name is a unique identifier that can be freely chosen.
  • The Identity Service Type can be selected as available from the above matrix.
  • The Ordering specifies the sequence in which a login is performed with available Identity Services.
  • The Required attribute specifies if login with the respective Identity Service is required to be successful, for example if a number of Identity Services are triggered on login of a user account.
  • The Identity Service Authentication Scheme allows to select
    • single-factor authentication: user account and password are specified for login with the Identity Service.
    • two-factor authentication: in addition to user account and password a Client Authentication Certificate is required - see the JS7 - Certificate based Authentication article for more information.

Identity Service Settings

Having added a Vault Identity Service it is necessary to add settings for the Vault integration from the Identity Service's Manage Settings action menu item:


For use of the HashiCorp® Vault Identity Service:

  • the Vault product has to be installed and has to be accessible for JOC Cockpit and
  • the following settings have to be specified: 


Explanation:

  • Vault URL: the base URL for which the Vault REST API is available.
  • Vault Authentication Method Path: the path specifies the Vault Authentication Method to be used, see the Authentication Methods section above.
  • Vault Truststore Path:  Should the Vault Server be configured for HTTPS connections then the indicated truststore has to include an X.509 certificate specified for the Extended Key Usage of Server Authentication.
    • The truststore can include a self-signed certificate or a CA signed certificate. Typically the Root CA certificate is used as otherwise the complete certificate chain involved in signing the Server Authentication Certificate has to be available with the truststore.
    • If the Vault Server is operated for HTTPS connections and this setting is not specified then the JOC Cockpit will use the truststore that is configured with the JETTY_BASE/resources/joc/joc.properties configuration file. This includes use of settings for the truststore password and truststore type.
    • The path to the truststore is specified relative to the JETTY_BASE/resources/joc directory. If the truststore is located in this directory then only the file name is specified, typically with a .p12 extension. Other relative locations can be specified using, for example, ../../joc-truststore.p12 if the truststore is located in the JETTY_BASE directory. An absolute path cannot be specified and a path cannot be specified that lies before the JETTY_BASE directory in the file system hierarchy.
  • Vault Truststore Password: If the Vault Server is configured for HTTPS connections and the indicated truststore is protected by a password then the password has to be specified.
  • Vault Truststore Type: If the Vault Server is configured for HTTPS connections then the type of the truststore has to be specified being either PKCS12 or JKS (deprecated).
  • Vault Application Token: The application token setting is available only if the VAULT-JOC-ACTIVE Identity Service Type is used.
    • The JOC Cockpit requires this token in order to manage users with Vault. This token has to be created with Vault, see the Application Role section above. This token allows JOC Cockpit to access the Vault REST API to manage user accounts.
    • This token is not used for login of users.  

Logging

  • Log Files
  • Standard Log Files
    • Identity Services log output to the JETTY_BASE/logs/joc.log file. This includes reporting success or failure of authentication.
    • Successful and failed authentication attempts including the user accounts involved are logged to the JETTY_BASE/logs/audit.log file.
  • Debug Log Files
    • For problem analysis during setup of an Identity Service increase the log level as explained with JS7 - Log Levels and Debug Options.
    • The JETTY_BASE/logs/joc-debug.log file includes general debug output of JOC Cockpit.
    • The JETTY_BASE/logs/authentication-debug.log file includes debug output related to authentication and authorization.
    • The JETTY_BASE/logs/jetty.log file includes debug output of attempts to establish SSL connections.



  • No labels