Problem

After successfully performing JS7 - Initial Operation for the Agent from the  JS7 - Dashboard, users observe the Agent as being up and running.

However, when adding an order to a workflow for the Agent, the order enters the BLOCKED state (purple color) without entries being added to the JS7 - History. The error listed below can be found in the following log files:

  • controller.log (Controller)
  • agent.log (Agent).

For details see the JS7 - Log Files and Locations article.


2021-11-23T14:44:52,853 ERROR js7.controller.agent.AgentDriver - (my_agent) Agent rejected AttachSignedItem(Signed(Workflow:Simon~711c515f-b1f7-4e77-858f-0348a076d8aa {job1: Named(job1,Map(),None); end/*implicit*..., SignedString({"TYPE":"Workflow","path":"Simon","versionId":"711c515f-b1f7-4e77-858f-0348a076d8aa",...(length 307), Signature(MEUCIQDzqm7jTgv.../eAUGf43rIAcmk=)))): MessageSignedByUnknown: The message is signed with an unknown key

followed by

ERROR js7.controller.agent.AgentDriver - (my_agent) Agent rejected AttachOrder

Analysis

The JS7 Agent executes workflows. It stores information about execution results and JS7 - Order State Transitions in its journal and passes results to the Controller.

The Controller and Agent have to be equipped with a certificate to verify the signatures of any deployments - for details see the JS7 - Deployment of Scheduling Objects article. The check of a deployment's signature is performed by the Controller and by the Agent independently from the JOC Cockpit security level.

  • The above error messages indicate that no certificate is in place which could be used to verify the digital signature of a deployment.
  • The certificates for digital signing are included with the ./config/trusted-x509-certificates directory which is available with both the Controller and with the Agent.
  • By default JS7 Controllers and Agents ship with a certificate from the sos*.pem file that is available from:
    • the Controller's ./var/config/trusted-x509-certificates directory,
    • the Agent's ./var_<port>/config/trusted-x509-certificates directory.
  • After extracting the Controller or Agent from its installation .tar.gz or .zip archive users might have specified a different location for the ./var (Controller) or ./var_<port> (Agent) directories. As a result the Controller and Agent start script will populate the newly created configuration directory with the sub-folders ./config, ./logs, ./state and ./work. However, the ./config/trusted-x509-certificates directory will remain empty and therefore no certificate will be available to verify a deployment.

Solution

Users should copy the trusted certificate from the ./config/trusted-x509-certificates location of the original Controller or Agent .tar.gz or .zip archive to the:

  • ./var/config/trusted-x509-certificates (Controller)
  • ./var_<port>/config/trusted-x509-certificates (Agent)

directories. Then restart the Controller or Agent as appropriate.