JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 10

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 11

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagebash
titleRunning an Agent Container for HTTP Connections
linenumberstrue
#!/bin/sh

docker run -dit --rm \
      --user="$(id -u $USER):$(id -g $USER)" \
      --hostname=js7-agent-2-0-primary \
      --network=js7 \
      --publish=1444516445:4445 \
      --env="RUN_JS_HTTP_PORT=1444516445" \
      --env="RUN_JS_JAVA_OPTIONS=-Xmx256m" \
      --mount="type=volume,src=js7-agent-2-0-primary-config,dst=/var/sos-berlin.com/js7/agent/var_4445/config" \
      --mount="type=volume,src=js7-agent-2-0-primary-logs,dst=/var/sos-berlin.com/js7/agent/var_4445/logs" \
      --mount="type=volume,src=js7-agent-2-0-primary-state,dst=/var/sos-berlin.com/js7/agent/var_4445/state" \
      --name js7-agent-2-0-0-primary \
      sosberlin/jobscheduler:agent-2-0-0

...

  • deployment of objects, e.g. workflows and jobs, is not subject to compliance requirements such as non-repudiation.
  • HTTP connections are used that expose unencrypted communication between Controller instances and Agent. Authentication is performed by hashed passwords.

...

The Agent by default is prepared for connections by Controllers Controller instances using the HTTP and the HTTPS protocols. 

...

Agent Keystore and Truststore

  • The Controller instance's private key has to be created for Server Authentication and Client Authentication extended key usages.
  • The Agent is provided
    • a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
    • a truststore that holds the certificate chain - consisting of Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller instance's certificate.
  • Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
    • Keystore
      • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-keystore.p12
      • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/https-keystore.p12
    • Truststore
      • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-truststore.p12
      • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/https-truststore.p12

...

  • The Agent's private.conf configuration file has to be added the following configuration items. For details see JS7 - Agent Configuration
    • Mutual Authentication
      • Code Block
        languagebash
        titleAgent Configuration for Mutual Authentication
        linenumberstrue
        js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary Controller instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=js7-controller-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=js7-controller-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
      • This setting specifies the distinguished names that are available from the subjects of Controller instance certificates. Consider that the common name (CN) attribute specifies the hostname of a Controller instance. The configuration authenticates a given Controller instance as the distinguished name is unique for a server certificate and therefore replaces use of passwords.
    • Keystore and truststore locations:
      • Code Block
        languagebash
        titleAgent Configuration for Keystore and Truststore Locations
        linenumberstrue
        js7 {
    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}
      • The above configuration items specify the locations of keystore and truststore.
      • Consider optional use of a key password and store password for keystores and of a store password for truststores.

...

Code Block
languagebash
titleRun Agent Container for HTTPS Connections
linenumberstrue
#!/bin/sh

docker run -dit --rm \
      ...
      --publish=1444316443:4443 \
      --env="RUN_JS_HTTPS_PORT=1444316443" \
      ...

Explanations:

  • --publish The Agent image is prepared to accept HTTPS requests on port 4443. If the Agent is not operated in a Docker network then an outside port of the Docker host has to be mapped to the inside HTTPS port 4443. The same port has to be assigned the RUN_JS_HTTPS_PORT environment variable.
  • --env=RUN_JS_HTTPS_PORT The port assigned this environment variable is the same as the outside HTTP port specified with the --publish option.

...

  • When using HTTPS connections then consider to drop the HTTP port of the Agent by omitting the following above settings:
    • --publish=1444516445:4445 This mapping should be dropped in order to prevent incoming traffic to the Agent's HTTP port.
    • --env=RUN_JS_HTTP_PORT Without this setting the Agent will not listen to its HTTP port.

...