Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Info

The information from this article is valid, however, starting from the following releases HTTPS for a Master-Agent connection can be used without use of a proxy as explained with the JobScheduler Universal Agent - HTTPS Agent and Master Authentication article:

Display feature availability
StartingFromRelease1.10.5

Display feature availability
StartingFromRelease1.11

Scope

...

  • article describes the steps required to set up secure HTTPS communication.

...

Prerequisites

You will have to install one of the following software components for configuring your reverse proxy:

  • httpd
  • nginx

Get a TLS Certificate

A TLS certificate can be acquired by

  • buying a TLS certificate
  • creating a self-signed certificate

Configure a reverse proxy

JobScheduler Universal Agent itself does not provide configuration options to encrypt it's communication by HTTPS. The recommended solution is to run a reverse proxy on the same host but under a different user.

...

  • only accept HTTPS connections
  • use the above TLS certificate
  • proxy all HTTPS requests by to localhost on the Agent port using HTTP

...



Code Block
languagetext
titleSample Apache 2.2 configuration for HTTPS on Port 24445
 <VirtualHost *:24445>
 
  ProxyPass / http://localhost:4445/
  ProxyPassReverse / http://localhost:4445/
 
  # Enable/Disable SSL for this virtual host.
  SSLEngine on
 
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/pki/tls/certs/agent_host.crt
  SSLCertificateKeyFile /etc/pki/tls/private/agent_host.key
 
</VirtualHost>
Info

This is the configurate for the file ssl.conf that is usually stored usually under /etc/httpd/conf.d

Code Block
titleSample nginx configuration for HTTPS on Port 34445
server {
    listen       34445;
 
    ssl                  on;
    ssl_certificate      /etc/pki/tls/certs/agent_host.crt;
    ssl_certificate_key  /etc/pki/tls/private/agent_host.key;
 
    ssl_protocols  TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;
 
    location / {
        proxy_pass http://localhost:4445/;
    }
}
Info

This is the configurate for the file nginx.conf that is usually stored usually under /etc/nginx

Import the self-signed certificate into the

...

Java Truststore of JobScheduler Master

This step is not required if the TLS certificate was bought from a trusted certificate authority.

  • Copy the certificate file (e.g. agent_host.crt) to your JobScheduler Master host
  • Locate the jvm JVM that JobScheduler Master is using
    • If you are uncertain, search the scheduler.log file for "jvm.dll" (Windows) or LD_LIBRARY_PATH (Unix). This will list the path of your Java installation (jvm JRE or jreJDK).
  • Run the java Java keytool from that java Java installation to import the certificate

Code Block
languagetext
titleImporting the self signed certificate with the Java keytool
 <path_to_java_keytool>/keytool
 keytool -importcert -keystore <java<path_to_java_for_scheduler>/lib/security/cacerts -alias agent_host -file <path_to_certificate>/agent_host.crt -storepass changeit
Info
  • Java keytool is usually under the bin folder for Java. in that case you search for the Java that you are using for the JobScheduler Master.

Configure JobScheduler Master to use the reverse

...

proxy

The proxy URL along with the https HTTPS keyword must be is configured in the process class for the Agent:

Code Block
languagexml
titleProcess class definition with HTTPS
<process_class  max_processes="20" remote_scheduler="https://agent_host:24445"/>

References