...
- On the JobScheduler Agent server create the Java Keystore using the keytool from your Java JRE or import a certificate that you received from your certificate authority:
- Generate the Java Keystore with the private key and certificate for the Agent and export the certificate to a second Keystore that is later on used by the Master or use the attached script keygen.sh to perform this task.
Example for use of self-signed certificate
Example for use of self-signed certificate: generate Agent private key and export Agent public certificate

```bash
# generate Agent private key with alias name "agent-https" in a keystore (private-https.p12)
# use the fully qualified hostname (FQDN) and name of your organization for the distinguished name
keytool -genkey -alias "agent-https" -dname "CN=hostname,O=organization" -validity 1461 -keyalg RSA -keysize 2048 -keypass jobscheduler -keystore "AGENT_DATA/config/private/private-https.p12" -storepass jobscheduler -storetype PKCS12

# export the Agent public certificate to a file in PEM format (agent-https.crt)
keytool -exportcert -rfc -noprompt -file "agent-https.crt" -alias "agent-https" -keystore "AGENT_DATA/config/private/private-https.p12" -storepass jobscheduler -storetype PKCS12
```
Example for use of CA signed certificate
Example for use of CA signed certificate: export Agent private key and Agent public certificate

```bash
# should your Agent private key and certificate be provided with a .jks keystore (keypair.jks) then temporarily convert the keystore to pkcs12 (keystore.p12)
# for later use with openssl, assuming the alias name of the Agent private key is "agent-https"
# keytool -importkeystore -srckeystore keypair.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias agent-https

# assuming your Agent private key from a pkcs12 keystore (keystore.p12), store the Agent private key to a .key file in PEM format (agent-https.key)
openssl pkcs12 -in keystore.p12 -nocerts -out agent-https.key

# concatenate CA root certificate and CA intermediate certificates to a single CA Bundle certificate file (ca-bundle.crt)
cat RootCACertificate.crt > ca-bundle.crt
cat CACertificate.crt >> ca-bundle.crt

# Export Agent private key (agent-https.key), Agent certificate in PEM format (agent-https.crt) and CA Bundle in PEM format (ca-bundle.crt) to a new keystore
# assume the fully qualified hostname (FQDN) of the Agent to be agent.example.com
openssl pkcs12 -export -in agent-https.crt -inkey agent-https.key -chain -CAfile ca-bundle.crt -name agent.example.com -out agent-https.p12

# should you require use of a .jks keystore type then convert the pkcs12 keystore assuming the alias name of the Agent private key to be "agent-https"
# keytool -importkeystore -srckeystore agent-https.p12 -srcstoretype PKCS12 -destkeystore agent-https.jks -deststoretype JKS -srcalias agent-https
```
- If not otherwise configured then JobScheduler Agent and Master by default use the password jobscheduler for the respective Keystore.
  - If you choose an individual password for the Agent Keystore then adjust the following properties in the <agent_data>/config/private/private.conf configuration file:
    - Explanations
      - jobscheduler.agent.webserver.https.keystore.file is used for the path to the Keystore
      - jobscheduler.agent.webserver.https.keystore.password is used for the Keystore password
      - jobscheduler.agent.webserver.https.keystore.key-password is used for the password of your private HTTPS certificate
Example
Example for private.conf file with keystore specification

```text
jobscheduler.agent.webserver.https.keystore {
  file = "C:/ProgramData/sos-berlin.com/jobscheduler/agent110/config/private/private-https.jks"
  # Backslashes are written twice (as in JSON notation):
  # file = "\\\\other-computer\\share\\my-keystore.jks"
  password = "secret"
  key-password = "secret"
}
```
- For the Master the Keystore that contains the Agents' public certificate is expected with the password jobscheduler.
- On the JobScheduler Agent server store the Keystore with the private key in the directory <agent_data>/config/private
  - Default file name: private-https.jks
- On the JobScheduler Master server store the Truststore with the public certificate of the Agent in the directory <master_data>/config
  - Default file name: agent-https.jks
Starting from release 1.13.3 the location, type and password of the Master Truststore can be specified:
Example for specification of Master Truststore with Agent public certificates

```text
jobscheduler.master.agents.https.keystore {
  file = "/var/sos-berlin.com/jobscheduler/apmaccs_4444/config/agent-https.p12"
  # Backslashes are written twice (as in JSON notation):
  # file = "\\\\other-computer\\share\\my-keystore.jks"
  password = "secret"
  key-password = "secret"
}
```
Example for import of an Agent public certificate to a Master Truststore in pkcs12 format:
Example for import of Agent public certificate to a pkcs12 Master Truststore

```bash
# import Agent public certificate to a keystore (agent-https.p12) by specifying the Agent public certificate file (agent-https.crt) and alias name (agent-https)
# keytool -importcert expects an X.509 certificate file, not the private key file (agent-https.key)
keytool -importcert -noprompt -file "agent-https.crt" -alias "agent-https" -keystore "SCHEDULER_DATA/config/agent-https.p12" -storepass jobscheduler -storetype PKCS12 -trustcacerts
```
Example for import of an Agent public certificate to a Master Truststore in jks format (specifying the default values for location, type and password of the Truststore):
Example for import of Agent public certificate to a jks Master Truststore

```bash
# import Agent public certificate to a keystore (agent-https.jks) by specifying the Agent public certificate file (agent-https.crt) and alias name (agent-https)
# keytool -importcert expects an X.509 certificate file, not the private key file (agent-https.key)
keytool -importcert -noprompt -file "agent-https.crt" -alias "agent-https" -keystore "SCHEDULER_DATA/config/agent-https.jks" -storepass jobscheduler -trustcacerts
```
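The default password jobscheduler described above applies to the Agent Keystore and the Master Truststore unless the configuration overrides it. The following added example (not part of the original page or of JobScheduler) audits a configuration file for keystore passwords that are unset or still at that default. The function names, sample paths and sample passwords are assumptions, and only the multi-line block form and the dotted-key form of the settings are parsed.

```shell
#!/usr/bin/env bash
# Added example: flag keystore/truststore passwords left at the documented default.
DEFAULT_PW="jobscheduler"   # default Keystore password stated on this page

# audit_keystore_conf FILE   ("-" reads stdin)
# Prints one line per finding; exit status 1 if anything was flagged, else 0.
audit_keystore_conf() {
  awk -v def="$DEFAULT_PW" '
    /^[ \t]*#/                  { next }               # comment line
    /https\.keystore[ \t]*[{]/  { inblk = 1; next }    # block form opens
    inblk && /^[ \t]*[}]/       { inblk = 0; next }    # block form closes
    {
      dotted = ($0 ~ /https\.keystore\.(key-)?password[ \t]*=/)
      inner  = (inblk && $0 ~ /^[ \t]*(key-)?password[ \t]*=/)
      if (!dotted && !inner) next
      key = ($0 ~ /key-password[ \t]*=/) ? "key-password" : "password"
      if (match($0, /"[^"]*"/)) {
        v = substr($0, RSTART + 1, RLENGTH - 2)        # quoted value
      } else {                                         # bare (unquoted) value
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
      }
      seen[key] = 1
      if (v == def) { printf "DEFAULT %s (line %d)\n", key, NR; bad++ }
    }
    END {
      if (!seen["password"]) { print "UNSET password (default applies)"; bad++ }
      exit (bad > 0)
    }' "$1"
}

# Constructed sample inputs (not taken from a real installation).
sample_default_conf() { cat <<'EOF'
jobscheduler.agent.webserver.https.keystore {
  file = "/constructed/path/private-https.p12"
  # password = "ignored-comment"
  password = "jobscheduler"
  key-password = "jobscheduler"
}
EOF
}
sample_custom_conf() { cat <<'EOF'
jobscheduler.master.agents.https.keystore.file = "/constructed/path/agent-https.p12"
jobscheduler.master.agents.https.keystore.password = "constructed-Passw0rd"
jobscheduler.master.agents.https.keystore.key-password = "constructed-Passw0rd"
EOF
}
sample_unset_conf() { echo 'jobscheduler.agent.webserver.https.keystore.file = "/constructed/p.p12"'; }

sample_default_conf | audit_keystore_conf - || echo "sample_default_conf: findings above"
```

Run it against the real file with `audit_keystore_conf <agent_data>/config/private/private.conf`; a non-zero exit status means at least one password is unset or still the default.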
Step 2: Set up authentication between Master and Agent
...