Scope
- The connection to JobScheduler Universal Agent can be secured by HTTPS.
- This article describes the steps required to set up secure HTTPS communication without the need of using a reverse proxy (for this use case see JobScheduler Universal Agent - connecting via HTTPS through a proxy).
Prerequisites
The only prerequisite is to have the Java keytools installed with your Java JRE.
Set up a secure connection to the Agent
Step 1: Create the Java Keystore
- Create the Java Keystore using the Keytools from your Java JRE.
- Generate the Java Keystore with the private key and certificate for the Agent and export the certificate to a second Keystore that is later on used by the Master or use the attached script keygen.sh to perform this task.
- If not otherwise configured then JobScheduler Agent and Master by default use the password
jobschedulerfor the respective Keystore. - if you choose an individual password for the Agent Keystore then adjust the following properties in the
<agent_data>/config/private/private.confconfiguration file:- Explanations
jobscheduler.agent.webserver.https.keystore.fileis used for the path to the Keystorejobscheduler.agent.webserver.https.keystore.passwordis used for the Keystore passwordjobscheduler.agent.webserver.https.keystore.key-passwordis used for the password of your private HTTPS certificate
Example
Sample private.conf filejobscheduler.agent.webserver.https.keystore { file = "C:/ProgramData/sos-berlin.com/jobscheduler/agent110/config/private/private-https.jks" # Backslashes are written twice (as in JSON notation): # file = "\\\\other-computer\\share\\my-keystore.jks" password = "secret" key-password = "secret" }
- Explanations
- For the Master the Keystore that contains the Agents' public trusted certifacte is expected with the password
jobscheduler.
- For the Agent store the Keystore with the private key in the directory
<agent_data>/config/private- Filename:
private-https.jks
- Filename:
- For the Master store the Keystore with the trusted certificate of the Agent in
<master_data>/config- Filename:
agent-https.jks
- Filename:
Step 2: Set up authentication between Master and Agent
- Set Master password in a file on the Master under
<master_data>/config/private- Filename:
private.conf The file look like this:
jobscheduler.master.credentials.password = "myjobscheduler4444"
- Filename:
- Specify the Master password in a file on the Agent under
<agent_data>/config/private- Filename:
private.conf Specify the Master that will try to communicate with the Agent through the JobScheduler ID. For example, for a Master with ID "scheduler_4444" this file would look as follows:
jobscheduler.agent.auth.users { scheduler_4444 = "plain:myjobscheduler4444" }
- Filename:
Step 3: Start the HTTPS Agent
- Start the Agent with the corresponding parameters:
- Example (using port 44445 for HTTPS):
<agent_data>/bin/jobscheduler_agent -https-port=44445
- Example (using port 44445 for HTTPS):
- The HTTP port will still be always used, even though the Agent is started for communicating over HTTPS. If no HTTP port is indicated when starting the Agent, the default port will be used.
- HTTPS has to be indicated when starting agent through the parameter
-https-port - Agent gets a data directory for configuration and working files if indicated. In that case, has to be indicated when starting agent through the parameter -data-directory
Step 4: Create a Process Class for remote execution using HTTPS
- Create a Process Class for a job chain or a job.
- Add the Agent URL for remote execution using the HTTPS protocol.
- Assign the process class to the job chain or job.
- Example:
<?xml version="1.0" encoding="ISO-8859-1"?> <process_class max_processes="30" remote_scheduler="https://my_agent:44445"/>
Caveats
- For releases before FEATURE AVAILABILITY STARTING FROM RELEASE 1.10.7 the problem JS-1675 - Getting issue details... STATUS occurs. Consider to apply the workaround as specified from the issue.
Change Management References