The connection to the JobScheduler Universal Agent can be secured with HTTPS. For the required architecture, see JobScheduler Universal Agent - Secure HTTPS communication.

This article describes the steps required to set up secure HTTPS communication.

Prerequisites

  • You need httpd installed to configure HTTPS connections on your server
  • You need nginx installed to configure your reverse proxy

Get a TLS Certificate

A TLS certificate can be acquired by

  • buying a TLS certificate
  • creating a self-signed certificate

Configure a reverse proxy

The JobScheduler Universal Agent itself does not provide configuration options to encrypt its communication with HTTPS. The recommended solution is to run a reverse proxy on the same host but under a different user.

The reverse proxy needs to be configured to

  • only accept HTTPS connections
  • use the above TLS certificate
  • proxy all HTTPS requests to localhost on the Agent port using HTTP

Sample Apache 2.2 configuration for HTTPS on Port 24445
 <VirtualHost *:24445>
 
  # Forward decrypted requests to the Agent's HTTP port on the same host.
  # (Apache must also listen on this port: "Listen 24445".)
  ProxyPass / http://localhost:4445/
  ProxyPassReverse / http://localhost:4445/
 
  # Enable SSL/TLS for this virtual host.
  SSLEngine on
 
  SSLProtocol all -SSLv2 -SSLv3
  # Strong ciphers only: no anonymous, export, LOW, RC4, MD5 or 3DES suites.
  SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
  SSLCertificateFile /etc/pki/tls/certs/agent_host.crt
  SSLCertificateKeyFile /etc/pki/tls/private/agent_host.key
 
 </VirtualHost>

This is the configuration for the file ssl.conf, which is usually stored under /etc/httpd/conf.d

Sample nginx configuration for HTTPS on Port 34445
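server {
    # "ssl" on the listen directive: all connections on this port use TLS.
    listen       34445 ssl;
 
    ssl_certificate      /etc/pki/tls/certs/agent_host.crt;
    ssl_certificate_key  /etc/pki/tls/private/agent_host.key;
 
    # TLS 1.2 only; anonymous, export, LOW, RC4, MD5 and 3DES suites are excluded.
    ssl_protocols  TLSv1.2;
    ssl_ciphers  HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES;
    ssl_prefer_server_ciphers   on;
 
    # Forward decrypted requests to the Agent's HTTP port on the same host.
    location / {
        proxy_pass http://localhost:4445/;
    }
}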

This is the configuration for the file nginx.conf, which is usually stored under /etc/nginx
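
As an added example (not part of the original page or of JobScheduler), the following Python script audits an nginx server block against the three reverse-proxy requirements listed above and also flags weak protocol and cipher settings. The sample block is constructed, the weak-protocol and weak-cipher-class lists are this example's assumptions, and the cipher check is a heuristic reading of the OpenSSL cipher string that ignores token order.

```python
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # assumption of this example
WEAK_CLASSES = {"LOW", "EXP", "RC4", "SSLV2"}             # assumption of this example
LOOPBACK = re.compile(r"http://(localhost|127\.0\.0\.1|\[::1\])(:\d+)?(/|$)")

def directives(block):
    """Collect simple 'name args;' directives as {name: [args, ...]}."""
    found = {}
    for line in block.splitlines():
        m = re.match(r"([a-z_]+)\s+(.*?)\s*;$", line.split("#", 1)[0].strip())
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found

def weak_cipher_classes(cipher_string):
    """Weak classes added by ALL or a bare token and not removed by '!' or '-'."""
    added, removed = set(), set()
    for token in cipher_string.split(":"):
        names = set(token.lstrip("!-+").upper().replace("EXPORT", "EXP").split("+"))
        if token.startswith(("!", "-")):
            if len(names) == 1:              # '!A+B' removes only the intersection
                removed |= names
        elif not token.startswith("+"):      # '+X' only reorders, it adds nothing
            added |= WEAK_CLASSES if "ALL" in names else names & WEAK_CLASSES
    return sorted(added - removed)

def audit(block):
    """Check an nginx server block: HTTPS only, certificate set, loopback HTTP upstream."""
    d = directives(block)
    ssl_on = "on" in d.get("ssl", [])        # legacy 'ssl on;' form
    issues = ["listen %s accepts plain HTTP" % a for a in d.get("listen", [])
              if "ssl" not in a.split() and not ssl_on]
    if not (d.get("ssl_certificate") and d.get("ssl_certificate_key")):
        issues.append("certificate or key missing")
    issues += ["proxy_pass %s is not HTTP to loopback" % t
               for t in d.get("proxy_pass", []) if not LOOPBACK.match(t)]
    issues += ["protocol %s enabled" % p for a in d.get("ssl_protocols", [])
               for p in a.split() if p in WEAK_PROTOCOLS]
    issues += ["cipher class %s enabled" % c for a in d.get("ssl_ciphers", [])
               for c in weak_cipher_classes(a)]
    return issues

# Constructed sample: no 'ssl' on listen, no certificate, remote upstream, weak TLS.
SAMPLE = """listen 34445;
ssl_protocols TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
proxy_pass http://10.0.0.5:4445/;"""
print("\n".join(audit(SAMPLE)))
```

An empty result from audit() means none of these checks fired; it does not replace testing the running proxy.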

Import the self-signed certificate into the Java Truststore of JobScheduler Master

This step is not required if the TLS certificate was bought from a trusted certificate authority.

  • Copy the certificate file (e.g. agent_host.crt) to your JobScheduler Master host
  • Locate the JVM that JobScheduler Master is using
    • If you are uncertain, search the scheduler.log file for jvm.dll (Windows) or LD_LIBRARY_PATH (Unix). This will list the path of your Java installation (JRE or JDK).
  • Run the Java keytool from that Java installation to import the certificate
Importing the self-signed certificate with the Java keytool
 keytool -importcert -keystore <java_for_scheduler>/lib/security/cacerts -alias agent_host -file agent_host.crt -storepass changeit

See also: https://blogs.oracle.com/java-platform-group/entry/self_signed_certificates_for_a

Configure JobScheduler Master to use the reverse proxy

The proxy URL along with the HTTPS keyword is configured in the process class for the Agent:

Process class definition with HTTPS
<process_class  max_processes="20" remote_scheduler="https://agent_host:24445"/>