The information in this article remains valid. However, starting with the following releases, HTTPS can be used for a Master-Agent connection without a proxy, as explained in the JobScheduler Universal Agent - HTTPS Agent and Master Authentication article:

FEATURE AVAILABILITY STARTING FROM RELEASE 1.10.5

FEATURE AVAILABILITY STARTING FROM RELEASE 1.11

Scope

Prerequisites

You will have to install one of the following software components for configuring your reverse proxy:

  • httpd
  • nginx

Get a TLS Certificate

A TLS certificate can be acquired by

  • buying a TLS certificate
  • creating a self-signed certificate

Configure a reverse proxy

JobScheduler Universal Agent itself does not provide configuration options to encrypt its communication with HTTPS. The recommended solution is to run a reverse proxy on the same host but under a different user.

The reverse proxy needs to be configured to

  • only accept HTTPS connections
  • use the above TLS certificate
  • proxy all HTTPS requests to localhost on the Agent port using HTTP

Sample Apache 2.2 configuration for HTTPS on Port 24445
<VirtualHost *:24445>
  # The server configuration also needs a matching "Listen 24445" directive.

  # Forward all requests to the Agent's HTTP port on the same host.
  ProxyPass / http://localhost:4445/
  ProxyPassReverse / http://localhost:4445/

  # Enable/Disable SSL for this virtual host.
  SSLEngine on

  # Accept TLS only and drop anonymous, MD5 and RC4 cipher suites.
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
  SSLCertificateFile /etc/pki/tls/certs/agent_host.crt
  SSLCertificateKeyFile /etc/pki/tls/private/agent_host.key

</VirtualHost>

This configuration goes in the file ssl.conf, which is usually stored under /etc/httpd/conf.d

Sample nginx configuration for HTTPS on Port 34445
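server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen       34445 ssl;

    ssl_certificate      /etc/pki/tls/certs/agent_host.crt;
    ssl_certificate_key  /etc/pki/tls/private/agent_host.key;

    # TLSv1.2 requires nginx 1.1.13+ built against OpenSSL 1.0.1+.
    ssl_protocols  TLSv1.2;
    # Strong suites only: no anonymous, MD5 or RC4 cipher suites.
    ssl_ciphers  HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers   on;

    # Forward all requests to the Agent's HTTP port on the same host.
    location / {
        proxy_pass http://localhost:4445/;
    }
}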

This configuration goes in the file nginx.conf, which is usually stored under /etc/nginx
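
As an added example (not part of the original article or of JobScheduler), the following Python sketch models how OpenSSL evaluates the cipher strings passed to SSLCipherSuite and ssl_ciphers. It shows why a string that starts with ALL keeps RC4, DES and anonymous suites enabled unless each class is removed with "!". The suite table, its order, the WEAK set and the sample strings are constructed assumptions covering only a few OpenSSL 1.0.x-era suite names.

```python
import re

# Constructed table: OpenSSL 1.0.x-era suite names with the selector tags that match them.
# The dict order stands in for OpenSSL's built-in order and is an assumption.
SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384": {"HIGH"},
    "AES256-SHA":                  {"HIGH", "RSA"},
    "AECDH-AES256-SHA":            {"HIGH", "aNULL"},
    "ADH-AES256-SHA":              {"HIGH", "aNULL", "ADH"},
    "RC4-SHA":                     {"MEDIUM", "RC4", "RSA"},
    "RC4-MD5":                     {"MEDIUM", "RC4", "RSA", "MD5"},
    "DES-CBC-SHA":                 {"LOW", "RSA"},
    "EXP-RC4-MD5":                 {"EXP", "EXPORT", "RC4", "RSA", "MD5"},
}
WEAK = {"LOW", "EXP", "RC4", "MD5", "aNULL"}   # tags this audit treats as unacceptable


def expand(cipher_string):
    """Apply OpenSSL cipher-string rules; return enabled suites in preference order."""
    active, killed = [], set()
    for token in filter(None, re.split(r"[:, ]+", cipher_string)):
        op = token[0] if token[0] in "!-+" else ""
        wanted = set(token[len(op):].split("+"))      # "RC4+RSA" means RC4 AND RSA
        hits = [n for n, tags in SUITES.items()
                if n not in killed and wanted <= tags | {"ALL", n}]
        if op == "!":                                 # "!" deletes permanently
            killed.update(hits)
        if op in ("!", "-"):                          # "-" deletes but allows re-adding
            active = [n for n in active if n not in hits]
        elif op == "+":                               # reorder only: enables nothing new
            active = ([n for n in active if n not in hits]
                      + [n for n in active if n in hits])
        else:                                         # plain token: append missing suites
            active += [n for n in hits if n not in active]
    return active


def weak_suites(cipher_string):
    """Enabled suites that carry at least one tag from WEAK."""
    return [n for n in expand(cipher_string) if SUITES[n] & WEAK]


LEGACY = "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW"   # sample legacy-style input
HARDENED = "HIGH:!aNULL:!MD5:!RC4"

if __name__ == "__main__":
    for label, s in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(label, "enabled:", expand(s), "weak:", weak_suites(s))
```

On a real host, `openssl ciphers -v '<string>'` lists what the installed OpenSSL build actually enables for a given string.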

Import the self-signed certificate into the Java Truststore of JobScheduler Master

This step is not required if the TLS certificate was bought from a trusted certificate authority.

  • Copy the certificate file (e.g. agent_host.crt) to your JobScheduler Master host
  • Locate the JVM that JobScheduler Master is using
    • If you are uncertain, search the scheduler.log file for jvm.dll (Windows) or LD_LIBRARY_PATH (Unix). This will list the path of your Java installation (JRE or JDK).
  • Run the Java keytool from that Java installation to import the certificate

Importing the self-signed certificate with the Java keytool
 <path_to_java_keytool>/keytool -importcert -keystore <path_to_java_for_scheduler>/lib/security/cacerts -alias agent_host -file <path_to_certificate>/agent_host.crt -storepass changeit
  • The Java keytool is usually located in the bin folder of the Java installation. Use the keytool from the Java installation that the JobScheduler Master is using.

Configure JobScheduler Master to use the reverse proxy

The proxy URL along with the HTTPS keyword is configured in the process class for the Agent:

Process class definition with HTTPS
<process_class  max_processes="20" remote_scheduler="https://agent_host:24445"/>
