Table of Contents |
---|
Info | ||||||||
---|---|---|---|---|---|---|---|---|
The information from this article is valid, however, starting from the following releases HTTPS for a Master-Agent connection can be used without use of a proxy as explained with the JobScheduler Universal Agent - HTTPS Agent and Master Authentication article:
|
Scope
- The connection to JobScheduler Universal Agent can be secured by HTTPS. For the required Architecture see JobScheduler Universal Agent - Secure HTTPS communication.
- This
...
- article describes the steps required to set up secure HTTPS communication.
...
Prerequisites
You will have to install one of the following software components for configuring your reverse proxy:
httpd
nginx
Get a TLS Certificate
A TLS certificate can be acquired by
- buying a TLS certificate
- creating a self-signed certificate
Configure a reverse proxy
JobScheduler Universal Agent itself does not provide configuration options to encrypt it's communication by HTTPS. The recommended solution is to run a reverse proxy on the same host but under a different user.
...
- only accept HTTPS connections
- use the above TLS certificate
- proxy all HTTPS requests by to localhost on the Agent port using HTTP
...
Code Block | ||||
---|---|---|---|---|
| ||||
<VirtualHost *:24445> ProxyPass / http://localhost:4445/ ProxyPassReverse / http://localhost:4445/ # Enable/Disable SSL for this virtual host. SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/pki/tls/certs/agent_host.crt SSLCertificateKeyFile /etc/pki/tls/private/agent_host.key </VirtualHost> |
Info |
---|
This is the configurate for the file |
Code Block | ||
---|---|---|
| ||
server {
listen 34445;
ssl on;
ssl_certificate /etc/pki/tls/certs/agent_host.crt;
ssl_certificate_key /etc/pki/tls/private/agent_host.key;
ssl_protocols TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://localhost:4445/;
}
} |
Info |
---|
This is the configurate for the file |
Import the self-signed certificate into the
...
Java Truststore of JobScheduler Master
This step is not required if the TLS certificate was bought from a trusted certificate authority.
- Copy the certificate file (e.g. agent_host.crt) to your JobScheduler Master host
- Locate the jvm JVM that JobScheduler Master is using
- If you are uncertain, search the
scheduler.log
file for "jvm.dll
" (Windows) orLD_LIBRARY_PATH
(Unix). This will list the path of your Java installation (jvm JRE or jreJDK).
- If you are uncertain, search the
- Run the java Java keytool from that java Java installation to import the certificate
Code Block | ||||
---|---|---|---|---|
| ||||
<path_to_java_keytool>/keytool | keytool -importcert -keystore <java<path_to_java_for_scheduler>/lib/security/cacerts -alias agent_host -file <path_to_certificate>/agent_host.crt -storepass changeit |
Info |
---|
|
Configure JobScheduler Master to use the reverse
...
proxy
The proxy URL along with the https HTTPS keyword must be is configured in the process class for the Agent:
Code Block | ||||
---|---|---|---|---|
| ||||
<process_class max_processes="20" remote_scheduler="https://agent_host:24445"/> |
References
- JobScheduler Universal Agent - Secure HTTPS communication
- Common pitfalls when setting up HTTPS communication to an Agent