Scope
- The connection to JobScheduler Universal Agent can be secured by HTTPS
- This article describes the steps required to set up secure HTTPS communication without using a reverse proxy (for that use case see JobScheduler Universal Agent - connecting via HTTPS through a proxy)
- The article also describes how authentication between Master and Agent works
Prerequisites
The only prerequisite is to have the Java keytool installed in your Java JRE. It is highly probable that this is already installed with your JRE.
How to set up the Secure Agent
Step 1: Create Java Keystore (private and public keys)
- Create a Java Keystore using keytool from your Java JRE. You can use the following script to generate it: https://github.com/sos-berlin/scheduler-engine/blob/master/engine-agent/src/main/resources/com/sos/scheduler/engine/agent/test/generate-self-signed-ssl-certificate-test-keystore.sh
- Store the private key for the Agent under <agent_data>/config/private
  - Filename: private-https.jks
- Store the trusted certificate for the Master under <master_data>/config
  - Filename: agent-https.jks
Step 2: Set authentication between Master and Agent
- Set the Master password in a file on the Master under <master_data>/config/private
  - Filename: private.conf
  - The file looks like this:
    jobscheduler.master.credentials.password = "myjobscheduler4444"
- Specify the Master password in a file on the Agent under <agent_data>/config/private
  - Filename: private.conf
  - Specify the Master that will try to communicate with the Agent through the JobScheduler ID. For example, for a Master with ID "scheduler_4444" this file would look as follows:
    jobscheduler.agent.auth.users { scheduler_4444 = "plain:myjobscheduler4444" }
Step 3: Start the HTTPS Agent
- Start the Agent with the corresponding parameters:
  - Example (using port 44445 for HTTPS):
    <agent_data>/bin/jobscheduler_agent -https-port=44445
- The HTTP port is still always used, even when the Agent is started for communication over HTTPS. If no HTTP port is indicated when starting the Agent, the default port will be used.
- HTTPS has to be indicated when starting the Agent through the parameter -https-port
- The Agent gets a data directory for configuration and working files if one is indicated. In that case, it has to be indicated when starting the Agent through the parameter -data-directory
Step 4: Create a Process Class for remote execution using HTTPS
- Create a Process Class for a job chain or a job
- Set the Agent where the remote execution using HTTPS has to be carried out
  - Example:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <process_class max_processes="30" remote_scheduler="https://my_agent:44445"/>
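
The two private.conf files from Step 2 have to agree with each other, and both hold the password in clear text. The following script is an added example, not part of JobScheduler: it checks that the Agent's entry for a Master ID equals "plain:" plus the Master's password, and that neither file is accessible to group or others. The function names and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of JobScheduler: checks the two Step 2 files.

# Print the password from the Master's private.conf ($1).
master_password() {
    sed -n 's/^[[:space:]]*jobscheduler\.master\.credentials\.password[[:space:]]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" |
        head -n 1
}

# Print the secret stored for Master ID $2 in the Agent's private.conf ($1).
# Assumes the ID contains only letters, digits, "_" or "-".
agent_secret() {
    grep -Eo "(^|[{[:space:]])$2[[:space:]]*=[[:space:]]*\"[^\"]*\"" "$1" |
        head -n 1 | sed 's/^[^"]*"\(.*\)"$/\1/'
}

# Succeed if the Agent's entry for ID $3 is "plain:" + the Master's password.
credentials_match() {
    pw=$(master_password "$1")
    [ -n "$pw" ] && [ "$(agent_secret "$2" "$3")" = "plain:$pw" ]
}

# Succeed if $1 grants nothing to group or others (it holds a clear-text password).
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report on one Master/Agent pair: $1 Master conf, $2 Agent conf, $3 Master ID.
check_pair() {
    rc=0
    credentials_match "$1" "$2" "$3" || { echo "MISMATCH: $3 password differs"; rc=1; }
    for f in "$1" "$2"; do
        is_private "$f" || { echo "PERMS: $f accessible beyond owner"; rc=1; }
    done
    return $rc
}

# Constructed sample files using the values shown in Step 2.
demo() {
    d=$(mktemp -d)
    echo 'jobscheduler.master.credentials.password = "myjobscheduler4444"' > "$d/master.conf"
    echo 'jobscheduler.agent.auth.users { scheduler_4444 = "plain:myjobscheduler4444" }' > "$d/agent.conf"
    chmod 600 "$d/master.conf" "$d/agent.conf"
    check_pair "$d/master.conf" "$d/agent.conf" scheduler_4444; rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "OK: credentials consistent and files private"
```

On a real installation, call check_pair with <master_data>/config/private/private.conf, <agent_data>/config/private/private.conf and the Master's JobScheduler ID.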
Change Management References