The information in this article remains valid. However, starting from the following releases, HTTPS can be used for a Master-Agent connection without a proxy, as explained in the JobScheduler Universal Agent - HTTPS Agent and Master Authentication article:
FEATURE AVAILABILITY STARTING FROM RELEASE 1.10.5
FEATURE AVAILABILITY STARTING FROM RELEASE 1.11
Scope
- The connection to JobScheduler Universal Agent can be secured by HTTPS. For the required architecture see JobScheduler Universal Agent - Secure HTTPS communication.
- This article describes the steps required to set up secure HTTPS communication.
Prerequisites
You will have to install one of the following software components for configuring your reverse proxy:
- httpd
- nginx
Get a TLS Certificate
A TLS certificate can be acquired by
- buying a TLS certificate
- creating a self-signed certificate
Configure a reverse proxy
JobScheduler Universal Agent itself does not provide configuration options to encrypt its communication by HTTPS. The recommended solution is to run a reverse proxy on the same host but under a different user.
The reverse proxy needs to be configured to
- only accept HTTPS connections
- use the above TLS certificate
- proxy all HTTPS requests to localhost on the Agent port using HTTP
<VirtualHost *:24445>
    # Forward all requests to the Agent, which listens on plain HTTP on localhost
    ProxyPass / http://localhost:4445/
    ProxyPassReverse / http://localhost:4445/

    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # Accept TLS 1.2 and later only
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # Strong cipher suites only: no anonymous, MD5, RC4 or 3DES suites
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLCertificateFile /etc/pki/tls/certs/agent_host.crt
    SSLCertificateKeyFile /etc/pki/tls/private/agent_host.key
</VirtualHost>
This is the configuration for the file ssl.conf, which is usually stored under /etc/httpd/conf.d
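server {
    # TLS-only listener
    listen 34445 ssl;
    ssl_certificate /etc/pki/tls/certs/agent_host.crt;
    ssl_certificate_key /etc/pki/tls/private/agent_host.key;
    # Accept TLS 1.2 and later only
    ssl_protocols TLSv1.2 TLSv1.3;
    # Strong cipher suites only: no anonymous, MD5, RC4 or 3DES suites
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;
    ssl_prefer_server_ciphers on;
    location / {
        # Forward all requests to the Agent, which listens on plain HTTP on localhost
        proxy_pass http://localhost:4445/;
    }
}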
This is the configuration for the file nginx.conf, which is usually stored under /etc/nginx
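One way to check a proxy configuration for legacy TLS settings before deploying it, as an added example that is not part of the original article or the JobScheduler project. The function names, the policy lists and the simplified model of OpenSSL cipher-string evaluation are assumptions of the example, and the two sample fragments are constructed.

```python
import re

# Policy of this example (an assumption, not from the article): protocol
# versions and OpenSSL cipher classes a TLS 1.2+ proxy should not offer.
LEGACY_PROTOS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1"]
WEAK = ["aNULL", "EXPORT", "SSLv2", "RC4", "MEDIUM", "LOW"]
ALIAS = {"EXP": "EXPORT"}
# Broad keywords and the weak classes they pull in (simplified model)
BROAD = {"ALL": set(WEAK), "HIGH": {"aNULL"}}

def legacy_protocols(value):
    """Evaluate SSLProtocol / ssl_protocols; 'all' counts as every legacy version."""
    on = set()
    for tok in value.split():
        name = tok.lstrip("+-")
        names = set(LEGACY_PROTOS) if name.lower() == "all" else {name}
        on = on - names if tok.startswith("-") else on | names
    return [p for p in LEGACY_PROTOS if p in on]

def weak_classes(cipher_string):
    """Walk an OpenSSL cipher string left to right; return weak classes left enabled."""
    enabled, killed = set(), set()
    for tok in filter(None, re.split(r"[:, ]+", cipher_string)):
        op = tok[0] if tok[0] in "!-+" else ""
        names = {ALIAS.get(n, n) for n in tok[len(op):].split("+")}
        if op == "!" and len(names) == 1:
            killed |= names                  # '!' removes a class permanently
        elif op == "-" and len(names) == 1:
            enabled -= names                 # '-' removes, a later token may re-add
        elif op == "":                       # a leading '+' only reorders, so it is skipped
            if len(names) == 1:
                enabled |= BROAD.get(tok, set())
            enabled |= names & set(WEAK)     # 'A+B' selects suites that are in A and in B
    return [c for c in WEAK if c in enabled - killed]

def audit(config_text):
    """Collect findings for the TLS directives of an httpd or nginx config."""
    findings = {}
    for line in config_text.splitlines():
        key, _, value = line.split("#", 1)[0].strip().rstrip(";").partition(" ")
        if key.lower() in ("sslprotocol", "ssl_protocols"):
            findings["protocols"] = legacy_protocols(value)
        elif key.lower() in ("sslciphersuite", "ssl_ciphers"):
            findings["ciphers"] = weak_classes(value)
    return findings

# Constructed sample inputs: a legacy-style httpd fragment and a TLS 1.2+ nginx fragment
LEGACY_HTTPD = ("SSLProtocol all -SSLv2 -SSLv3\n"
                "SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW\n")
HARDENED_NGINX = "ssl_protocols TLSv1.2 TLSv1.3;\nssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;\n"
```

The result is a static reading of the configuration text. Running `openssl ciphers -v '<cipher string>'` on the proxy host shows which suites the installed OpenSSL actually expands the string to.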
Import the self-signed certificate into the Java Truststore of JobScheduler Master
This step is not required if the TLS certificate was bought from a trusted certificate authority.
- Copy the certificate file (e.g. agent_host.crt) to your JobScheduler Master host
- Locate the JVM that JobScheduler Master is using
  - If you are uncertain, search the scheduler.log file for jvm.dll (Windows) or LD_LIBRARY_PATH (Unix). This will list the path of your Java installation (JRE or JDK).
- Run the Java keytool from that Java installation to import the certificate
  <path_to_java_keytool>/keytool -importcert -keystore <path_to_java_for_scheduler>/lib/security/cacerts -alias agent_host -file <path_to_certificate>/agent_host.crt -storepass changeit
  - Java keytool is usually located in the bin folder of the Java installation. Look for it in the Java installation that you are using for the JobScheduler Master.
Configure JobScheduler Master to use the reverse proxy
The proxy URL along with the HTTPS keyword is configured in the process class for the Agent:
<process_class max_processes="20" remote_scheduler="https://agent_host:24445"/>
References
- JobScheduler Universal Agent - Secure HTTPS communication
- Common pitfalls when setting up HTTPS communication to an Agent