Page History
Table of Contents |
---|
Introduction
This article explains configuration items available for Standalone Agents, Director Agents and Subagents in a JS7 - Agent Cluster.
- An Agent makes use of two configuration files:
- the
agent.conf
general configuration file which is found in the following locations:- Windows:
C:\ProgramData\sos-berlin.com\js7\agent\var\config\agent.conf
- Unix
/var/sos-berlin.com/js7/agent/var/config/agent.conf
- Windows:
- the
private.conf
security configuration file which is found in the following locations:- Windows:
C:\ProgramData\sos-berlin.com\js7\agent\var\config\private.conf
- Unix:
/var/sos-berlin.com/js7/agent/var/config/private/private.conf
- Windows:
- The configuration format makes use of Typesafe Config, see the JS7 - Configuration Format article.
- Restart the Agent instance to apply changes to any configuration files.
- the
- For HTTPS configuration refer to the JS7 - Configuration Templates article.
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
# Allow http connections without authentication js7.web.server.auth.public = true |
js7 | web | server | |||
---|---|---|---|---|---|
auth | public | true | false |
- This setting specifies public access to an Agent if incoming HTTP connections are to be used. If used with a value
true
then authentication is not applied. - Default:
true
...
- This setting applies to the use of an Agent with a Standalone Controller or with a Controller Cluster.
- Note that the
Controller
element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of Controller instances. - The
distinguished-names
element identifies the Controller instance's Client Authentication certificate. The certificate acts as a replacement for a password.- The Agent configuration specifies the distinguished names of the Controller instances that access the Agent by use of a Client Authentication certificate. For a Standalone Controller there is a single distinguished name, for a Controller Cluster each instance's distinguished name is specified.
- Except for whitespace between attributes the precise sequence and values as available from the certificate's subject have to match this property value.
- Note that the common name (CN) element in the distinguished name has to match the fully qualified domain name (FQDN) of a Controller instance's host.
The following command can be used to read the distinguished name from a certificate file:
Code Block title Example for OpenSSL command to read a certificate's distinguished name # read distinguished name from the a Controller instance's certificate file (.crt) openssl x509 -in centostestcontroller-secondaryprimary.crt -noout -nameopt RFC2253 -subject # output is returned with a prefix "subject= " or similar that is not part of the distinguished name # subject= DNQ=SOS CA,CN=directorcontroller-2-0-secondaryprimary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE
...
Code Block | ||||
---|---|---|---|---|
| ||||
js7 { auth { # User accounts for https connections users { # Controller ID for connections by primary/secondary Controller instance Controller { password="plain:secret" # password="sha512:bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2" } } } } |
Explanation:
- This setting applies to use of an Agent with a Standalone Controller or with a Controller Cluster.
- Note that the
Controller
element name is an example that has to be replaced by the Controller ID which is specified with the same value during installation of both cluster Controller instances. - This setting specifies the
password
indicated with the Controller instance'sjs7.auth.agents
configuration item. Passwords should be quoted.- The password can be specified as plain text preceded by
plain:
. - The password can be specified as a hashed value preceded by
sha512:
.
- The password can be specified as plain text preceded by
Director Agent Configuration
- There are a number of ways to create sha512 hash values from passwords.
- One possible solution includes using:
echo -n "secret" | openssl dgst -sha512
Director Agent Configuration
The following configuration applies to use of a Director Agent in a JS7 - Agent Cluster.
...
- This setting applies to use of the Subagent component within a Director Agent instance in a JS7 - Agent Cluster.
- Note that the
subagent-id
element name is an example that has to be replaced by the Subagent ID of the pairing Director Agent instance which is specified during configuration of the Agent Cluster. This is not the Agent Cluster ID. For theprivate.conf
file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa. - The
permissions
element should be used as indicated. - The
distinguished-names
element identifies the pairing Director Agent instance's Client Authentication certificate. The certificate acts as a replacement for a password.- Except for whitespace between attributes the precise sequence and values as available from the certificate's subject have to match this property value.
- Note that the common name (CN) element in the distinguished name has to match the fully qualified domain name (FQDN) of a Director Agent instance's host.
The following command can be used to read the distinguished name from a certificate file:
Code Block title Example for OpenSSL command to read a certificate's distinguished name # read distinguished name from the pairing Director Agent instance's certificate file (.crt) openssl x509 -in centostestdirector-secondary.crt -noout -nameopt RFC2253 -subject # output is returned with a prefix "subject= " or similar that is not part of the distinguished name # subject= DNQ=SOS CA,CN=director-2-0-secondary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE
...
Code Block | ||||
---|---|---|---|---|
| ||||
js7 { auth { # User accounts for https connections users { # Subagent ID of pairing Director Agent instance subagent-id { permissions = [ AgentDirector ] password="plain:secret" # password="sha512:bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2" } } } } |
Explanation:
- This setting applies to use of a Subagent within a Director Agent instance in an JS7 - Agent Cluster.
- Note that the
subagent-id
element name is an example that has to be replaced by the Subagent ID of the pairing Director Agent instance which is specified during configuration of the Agent Cluster. This is not the Agent Cluster ID. For theprivate.conf
file of a Primary Director Agent instance this setting holds the Subagent ID of the Secondary Director Agent instance and vice versa. - The
permissions
element should be used as indicated. - The
password
element specifies the password indicated with the pairing Director Agent instance'sjs7.auth.subagents
configuration item. Passwords should be quoted.- The password can be specified as plain text preceded by
plain:
. - The password can be specified as a hashed value preceded by
sha512:
.- There are a number of ways to create sha512 hash values from passwords.
- One possible solution includes using:
echo -n "secret" | openssl dgst -sha512
- The password can be specified as plain text preceded by
Anchor | ||||
---|---|---|---|---|
|
...
- This setting applies to connections from Director Agent instances to the current Subagent in a JS7 - Agent Cluster.
- Note that the
director-primary, director-secondary
element names are examples that have to be replaced by the Subagent ID of the respective Director Agent instance which is specified during configuration of the Agent Cluster. - The
permissions
element should be used as indicated. - The
distinguished-names
element identifies the Director Agent instance's Client Authentication certificate. The certificate acts as a replacement for a password.- Except for whitespace between attributes the precise sequence and values as available from the certificate's subject have to match this property value.
- Note that the common name (CN) element in the distinguished name has to match the fully qualified domain name (FQDN) of a Director Agent instance's host.
The following command can be used to read the distinguished name from a certificate file:
Code Block title Example for OpenSSL command to read a certificate's distinguished name # read distinguished name from the pairingboth Director Agent instance's certificate files (.crt) openssl x509 -in centostestdirector-secondaryprimary.crt -noout -nameopt RFC2253 -subject # output is returned with a prefix "subject= " or similar that is not part of the distinguished name # subject= DNQ=SOS CA,CN=director-2-0-secondaryprimary,OU=IT,O=SOS,L=Berlin,ST=Berlin,C=DE
...
Code Block | ||||
---|---|---|---|---|
| ||||
js7 { auth { # User accounts for https connections users { # Subagent ID of Primary Director Agent instance director-primary { permissions = [ AgentDirector ] password = "plain:secret-director-primary" # password = "sha512:308769d726e2b1e69530ac631d8ac8f26c67ae6bda1dfca41b523ac8ab7b9745a2e62750f183c9e3046e45106b402fef1ad5746365a0ccc24004776ed74a9160" } # Subagent ID of Secondary Director Agent instance director-secondary { permissions = [ AgentDirector ] password = "plain:secret-director-secondary" # password = "sha512:5419dfceee6a3081f4d3aee95a7e5cdddb078b6753db77bfbebba05e6b0140aeb11cfa59b56b07ac78389c0918652b57e3bc7aa333c94d74362d5ca7f7166888" } } } } |
...
- This setting applies to the connection from Director Agent instances to the current Subagent in an JS7 - Agent Cluster.
- Note that the
director-primary, director-secondary
element names are examples that have to be replaced by the Subagent ID of the respective Director Agent instance which is specified during configuration of the Agent Cluster. - The
permissions
element should be used as indicated. - The
password
element specifies the password indicated with the respective Director Agent instance'sjs7.auth.subagents
configuration item. Passwords should be quoted.- The password can be specified as plain text preceded by
plain:
. - The password can be specified as a hashed value preceded by
sha512:
.- There are a number of ways to create sha512 hash values from passwords.
- One possible solution includes using:
echo -n "secret-director-primary" | openssl dgst -sha512
- The password can be specified as plain text preceded by
Keystore and Truststore
Settings in this section apply to any of Standalone Agents, Director Agent instances and Subagents.
...
js7.job.execution: Job Script Termination
The following settings can be used for releases prior to 2.7.2:
js7 | job | execution | Default | |
---|---|---|---|---|
kill-with-sigterm-command | "/bin/kill", "$pid" | |||
kill-with-sigkill-command | "/bin/kill", "-KILL", "$pid" |
- The Agent can be instructed to terminate running jobs - see the JS7 - FAQ - Does JS7 reliably kill running jobsHow does JobScheduler terminate Jobs article.
- The following settings are in place to terminate running jobs by an Agent operated for a Unix OS:
- The setting
kill-with-sigterm-command
specifies the OS command executed by the Agent to forward a SIGTERM signal to the running job. - The setting
kill-with-sigkill-command
specifies the OS command executed by the Agent to forward a SIGKILL signal to the running job.
- The setting
- Both settings are specified as an array of arguments, i.e.
"/bin/kill", "-KILL", "$pid"
translates to the command:/bin/kill -KILL 99,
provided that99
is the Process ID of the running job. - This setting can be applied if the Agent is operated on an OS that makes use of a different syntax for the
kill
command.
...