Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

...

Problem

After successfully performing JS7 - Initial Operation for the Agent from the  JS7 - Dashboard users can , users observe the Agent as being up and running.

However, when adding an order to a workflow for the Agent then , the order enters the BLOCKED state (purple color) without entries being added to the JS7 - History. The error listed below error can be found in the following log files:

  • controller.log (Controller)
  • agent.log (Agent).

For details see see the JS7 - Log Files and Locations article.


Code Block
2021-11-23T14:44:52,853 ERROR js7.controller.agent.AgentDriver - (my_agent) Agent rejected AttachSignedItem(Signed(JobResource(JobResource:Default,HashMap(js7YadeConfigDir -> env('JS7_YADE_CONFIG_DIR')(Workflow:Simon~711c515f-b1f7-4e77-858f-0348a076d8aa {job1: Named(job1,Map(),None); end/*implicit*..., SignedString({"TYPE":"Workflow","path":"Simon","versionId":"711c515f-b1f7-4e77-858f-0348a076d8aa",...(length 307), Signature(MEUCIQDzqm7jTgv.../eAUGf43rIAcmk=)))): MessageSignedByUnknown: The message is signed with an unknown key

followed byor

Code Block
ERROR js7.controller.agent.AgentDriver - (my_agent) Agent rejected AttachOrder

Analysis

The Agent is the component in JS7 that executes workflows and that JS7 Agent executes workflows. It stores information about execution results and JS7 - Order State Transitions in its journal and passes results to the Controller.

The Controller and Agent have to be equipped with a certificate to verify the signatures of any deployments , - for details see see the JS7 - Deployment of Scheduling Objects article. The check of a deployment's signature is performed by the Controller and by the Agent independently from the JOC Cockpit security level.

  • The above error messages indicate that no certificate is in place that can which could be used to verify the digital signature of a deployment.
  • The certificates for digital signing are included with the ./config/trusted-x509-certificates directory that which is available with both the Controller and with the Agent.
  • By default JS7 Controllers and Agents ship with a certificate from the sos*.pem file that is available from:
    • the Controller's ./var/config/trusted-x509-certificates directory,
    • the Agent's ./var_<port><port>/config/trusted-x509-certificates directory.
  • After extracting the Controller or Agent from its installation .tar.gz or .zip archive users might have specified a different location for the ./var (Controller) or ./var_<port> (Agent) directories. As a result the Controller and Agent start script will populate the newly created configuration directory with the sub-folders ./config, ./logs, ./state and ./work. However, the ./config/trusted-x509-certificates directory will remain empty and therefore no certificate is will be available to verify a deployment.

Solution

Users should copy the trusted certificate from the ./config/trusted-x509-certificates location of the original Controller or Agent .tar.gz or .zip archive to the:

  • ./var/config/trusted-x509-certificates (Controller)
  • ./var_<port>/config/trusted-x509-certificates (Agent)

directories. Then restart the Controller or Agent respectivelyas appropriate.