Pulling the Agent Image

...

docker image pull sosberlin/js7:agent-2-0-0-SNAPSHOT

Running the Agent Container

After pulling the Agent image you can run the container with a number of options like this:

#!/bin/sh

docker run -dit --rm \
      --user="$(id -u $USER):$(id -g $USER)" \
      --hostname=js7-agent-primary \
      --network=js7 \
      --publish=16445:4445 \
      --env="RUN_JS_JAVA_OPTIONS=-Xmx256m" \
      --mount="type=volume,src=js7-agent-primary-config,dst=/var/sos-berlin.com/js7/agent/var_4445/config" \
      --mount="type=volume,src=js7-agent-primary-logs,dst=/var/sos-berlin.com/js7/agent/var_4445/logs" \
      --mount="type=volume,src=js7-agent-primary-state,dst=/var/sos-berlin.com/js7/agent/var_4445/state" \
      --name js7-agent-primary \
      sosberlin/js7:agent-2-0-0-SNAPSHOT

Explanations:

...

# example to map volumes to directories on the Docker host prior to running the Agent container
mkdir -p /home/sos/js7/js7-agent-primary/config /home/sos/js7/js7-agent-primary/logs /home/sos/js7/js7-agent-primary/state
docker volume create --driver local --opt o=bind --opt type=none --opt device="/home/sos/js7/js7-agent-primary/config" js7-agent-primary-config
docker volume create --driver local --opt o=bind --opt type=none --opt device="/home/sos/js7/js7-agent-primary/logs" js7-agent-primary-logs
docker volume create --driver local --opt o=bind --opt type=none --opt device="/home/sos/js7/js7-agent-primary/state" js7-agent-primary-state

Configuring the Agent

Consider that it is not required to configure an Agent - it runs out-of-the-box. Zero configuration includes that

...

• deployment of objects with digital signatures that can be used to restrict and to verify who deploys a given object such as a workflow.
• HTTPS connections that encrypt communication and that include mutual authentication by certificates without use of passwords.

Compliance: Use of Signing Certificates

Agents accept deployments for a number of objects such as workflows from a Controller only if such objects are digitally signed.

...

• If X.509 private keys are used for signing of objects then the Root CA Certificate or Intermediate CA Certificate that was used to sign the respective private key has to be in place with the Agent.
• If PGP private keys are used for signing of objects then the public key matching the signing key has to be in place with the Agent.
• The Agent expects certificates/public keys from the following locations:
  • X.509 Certificates
    • Location
      • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\trusted-x509-keys
      • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/trusted-x509-keys
    • The expected X.509 certificate format is PEM. Certificates can be added from any file names with the extension .pem.
    • Consider that instead of individual certificates per signing key the Root CA Certificate or Intermediate CA Certificate that was used to sign the private keys is sufficient.
  • PGP Public Keys
    • Location
      • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\trusted-pgp-keys
      • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/trusted-pgp-keys
    • PGP public keys are expected in ASCII armored format. They can be added from any file names with the extension .asc.
    • Consider that for each PGP private key that is used for signing the corresponding public key has to be available with the Agent.
  • By default the Agent ships with an X.509 certificate of SOS that matches the default signing key available with the JOC Cockpit root account.
• In order to add individual certificates/public keys add the respective files to the above location corresponding the key type. To revoke certificates/public keys accordingly remove the respective files from the above location matching the key type.
• The above locations for certificates/public keys can be accessed from the Docker volume specified with the --mount option for the Agent's container directory /var/sos-berlin.com/js7/agent/var_4445/config. The locations for X.509 certificates and PGP public keys are available from sub-directories.

Security: Use with HTTPS Connections

The Agent by default is prepared for connections by Controller instances using the HTTP and the HTTPS protocols. 

In order to activate HTTPS consider the following prerequisites.

Provide Keystore, Truststore and Configuration for Mutual Authentication

Connections to Agents are established from Controller instances. If the HTTPS protocol is used then in addition to securing the communication channel the Agent requires mutual authentication.

Agent Keystore and Truststore

• The Controller instance's private key has to be created for Server Authentication and Client Authentication extended key usages.
• The Agent is provided
  • a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
  • a truststore that holds the certificate chain - consisting of Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller instance's certificate.
• Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
  • Keystore
    • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-keystore.p12
    • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/https-keystore.p12
  • Truststore
    • Windows: C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-truststore.p12
    • Unix: /var/sos-berlin.com/js7/agent/var_4445/config/private/https-truststore.p12

Agent Configuration

• The Agent's private.conf configuration file has to be added the following configuration items. For details see JS7 - Agent Configuration FilesItems
  • Mutual Authentication

    • Code Block
      language bash title Agent Configuration for Mutual Authentication linenumbers true
      js7 { auth { # User accounts for https connections users { # Controller account for connections by primary/secondary Controller instance Controller { distinguished-names=[ "DNQ=SOS CA, CN=js7-controller-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE", "DNQ=SOS CA, CN=js7-controller-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" ] } } }

    • This setting specifies the distinguished names that are available from the subjects of Controller instance certificates. Consider that the common name (CN) attribute specifies the hostname of a Controller instance. The configuration authenticates a given Controller instance as the distinguished name is unique for a server certificate and therefore replaces use of passwords.
  • Keystore and truststore locations:

    • Code Block
      language bash title Agent Configuration for Keystore and Truststore Locations linenumbers true
      js7 { web { # Locations of keystore and truststore files for HTTPS connections https { keystore { # Default: ${js7.config-directory}"/private/https-keystore.p12" file=${js7.config-directory}"/private/https-keystore.p12" key-password=jobscheduler store-password=jobscheduler } truststores=[ { # Default: ${js7.config-directory}"/private/https-truststore.p12" file=${js7.config-directory}"/private/https-truststore.p12" store-password=jobscheduler } ] } } }

    • The above configuration items specify the locations of keystore and truststore.
    • Consider optional use of a key password and store password for keystores and of a store password for truststores.

Run the Agent Container for HTTPS Connections

The following additional arguments are required for HTTPS connections:

...