ncce
| Table of Contents |
|---|
Scope
- The connection to JobScheduler Universal Agent can be secured by HTTPS.
- This article describes the steps required to set up secure HTTPS communication without the need of using a reverse proxy (for this use case see JobScheduler Universal Agent - connecting via HTTPS through a proxy).
...
Set up a secure connection to the Agent
In the following the placeholders SCHEDULER_HOME, SCHEDULER_DATA specify the directories where JobScheduler Master is installed and configured on the JobScheduler Master's server. The placeholders AGENT_HOME, AGENT_DATA specify the directories where JobScheduler Agent is installed and configured on the JobScheduler Agent's server.
SCHEDULER_HOMEis the installation path which is specified during the JobScheduler Master installation:- C:\Program Files\sos-berlin.com\jobscheduler\scheduler (default on Windows)
- /opt/sos-berlin.com/jjobscheduler/scheduler (default on Linux)
SCHEDULER_DATAis the JobScheduler Master's configuration directory which is specified during the JobScheduler Master installation:- C:\ProgramData\sos-berlin.com\joc (default on Windows)
- /home/<setup-user>/sos-berlin.com/joc (default on Linux)
AGENT_HOMEis the installation path which is specified during the JobScheduler Agent installation:- C:\Program Files\sos-berlin.com\jobscheduler\jobscheduler_agent (default on Windows)
- /opt/sos-berlin.com/jjobscheduler/jobscheduler_agent (default on Linux)
AGENT_DATAis the JobScheduler Agent's configuration directory which is specified during the JobScheduler Agent installation:- C:\ProgramData\sos-berlin.com\jobscheduler\jobscheduler_agent (default on Windows)
- /home/<setup-user>/sos-berlin.com/jobscheduler_agent (default on Linux)
Step 1: Create the Java Keystore
- Create On the JobScheduler Agent server create the Java Keystore using the Keytools from your Java JRE .or import a certificate that your received from your certificate authority:
- Generate the Java Keystore with the private key and certificate for the Agent and export the certificate to a second Keystore that is later on used by the Master or use the attached script keygen.sh to perform this task.
Example
Code Block language bash title Generate private key and export public certificate keytool -genkey -alias "agent-https" -dname "CN=apmacwin,O=SOS" -validity 1461 -keyalg RSA -keysize 2048 -keypass jobscheduler -keystore "AGENT_DATA/config/private/private-https.p12" -storepass jobscheduler -storetype PKCS12 keytool -exportcert -rfc -noprompt -file "agent-https.pem" -alias "agent-https" -keystore "AGENT_DATA/config/private/private-https.p12" -storepass jobscheduler -storetype PKCS12
- If not otherwise configured then JobScheduler Agent and Master by default use the password
jobschedulerfor the respective Keystore. - if you choose an individual password for the Agent Keystore then adjust the following properties in the
<agent_data>/config/private/private.confconfiguration file:- Explanations
jobscheduler.agent.webserver.https.keystore.fileis used for the path to the Keystorejobscheduler.agent.webserver.https.keystore.passwordis used for the Keystore passwordjobscheduler.agent.webserver.https.keystore.key-passwordis used for the password of your private HTTPS certificate
Example
Code Block language text title Sample private.conf file jobscheduler.agent.webserver.https.keystore { file = "C:/ProgramData/sos-berlin.com/jobscheduler/agent110/config/private/private-https.jks" # Backslashes are written twice (as in JSON notation): # file = "\\\\other-computer\\share\\my-keystore.jks" password = "secret" key-password = "secret" }
- Explanations
- For the Master the Keystore that contains the Agents' public trusted certificate is expected with the password
jobscheduler.
- Generate the Java Keystore with the private key and certificate for the Agent and export the certificate to a second Keystore that is later on used by the Master or use the attached script keygen.sh to perform this task.
- For On the JobScheduler Agent server store the Keystore with the private key in the directory
<agent_data>/config/private- File Default file name:
private-https.jks
- File Default file name:
- On the JobScheduler Master server store the Keystore Truststore with the trusted certificate of the Agent in the directory
<master_data>/config- File Default file name:
agent-https.jks Display feature availability StartingFromRelease 1.13.3 - The location, type and password of the Truststore can be specified
Code Block title Sample for specification of truststore with Agent certificates jobscheduler.master.agents.https.keystore { file = "/var/sos-berlin.com/jobscheduler/apmaccs_4444/config/agent-https.p12" # Backslashes are written twice (as in JSON notation): # file = "\\\\other-computer\\share\\my-keystore.jks" password = "jobscheduler" key-password = "jobscheduler" }
- The location, type and password of the Truststore can be specified
Example for import of a trusted certificate to the Master:
Code Block title Sample for import Agent certificate keytool -importcert -noprompt -file "agent-https.pem" -alias "agent-https-4445" -keystore "SCHEDULER_DATA/config/agent-https.p12" -storepass jobscheduler -trustcacerts -storetype PKCS12
- File Default file name:
Step 2: Set up authentication between Master and Agent
- Configure On the JobScheduler Master server configure the Master password in a file on the Master in the
<master_data>/config/privatedirectory:- File name:
private.conf The file should contain the following entry that specifies a plain text password
myjobscheduler4444that is used by the Master to authenticate against Agents:Code Block jobscheduler.master.credentials.password = "myjobscheduler4444"
- File name:
- Specify the Master password in a file on the respective Agent in the directory
<agent_data>/config/private- File name:
private.conf Specify the Master that will authenticate with the Agent by its JobScheduler ID and password. For example, for two Masters with JobScheduler ID
scheduler_4444andscheduler_5555this file would look like this assuming that the Master password ismyjobscheduler4444:Code Block jobscheduler.agent.auth.users { scheduler_4444 = "plain:myjobscheduler4444" scheduler_5555 = "sha512:9184ddcaa87eb2f95c32f12741035c1e55cef93f7834905f926c4bc419fbc5613e2e141d39fb05d0ec7c66c9bd9e4c8b95b74598e0107f863b7f2bd942a9aea0" }- For each entry the JobScheduler ID is used as key, the value (in double quotes) includes the hash algorithm followed by a colon and the hashed password.
- Using
plainfor the hash alogrithm requires a plain text password to be specified. Use of plain text passwords is not recommended as they could be visible to jobs running on that Agent. - Using
sha512for the hash alogithm requires a password that is hashed with the respective algorithm. A number of command line utilitiies to create a sha512 hash from a plain text password can easily be found.
- Using
- File name:
...
| Code Block | ||
|---|---|---|
| ||
<?xml version="1.0" encoding="ISO-8859-1"?> <process_class max_processes="30" remote_scheduler="https://my_agent:44445"/> |
...
Caveat
- For releases before
the problemDisplay feature availability StartingFromRelease 1.10.7
occurs. Consider to apply the workaround as specified from the issue.Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key JS-1675
...