The connection to JobScheduler Universal Agent can be secured by HTTPS. For the required architecture see JobScheduler Universal Agent - Secure HTTPS communication.
This article describes the steps required to set up secure HTTPS communication.
Prerequisites
- You would need to install httpd for configuring HTTPS connections on your server
- You would need to install nginx for configuring your reverse proxy
Get a TLS Certificate
A TLS certificate can be acquired by
- buying a TLS certificate
- creating a self-signed certificate
Configure a reverse proxy
JobScheduler Universal Agent itself does not provide configuration options to encrypt its communication by HTTPS. The recommended solution is to run a reverse proxy on the same host but under a different user.
The reverse proxy needs to be configured to
- only accept HTTPS connections
- use the above TLS certificate
- proxy all HTTPS requests to localhost on the Agent port using HTTP
    <VirtualHost *:24445>
        ProxyPass / http://localhost:4445/
        ProxyPassReverse / http://localhost:4445/
        # Enable/Disable SSL for this virtual host.
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/pki/tls/certs/agent_host.crt
        SSLCertificateKeyFile /etc/pki/tls/private/agent_host.key
    </VirtualHost>
This is the configuration for the file ssl.conf, which is usually stored under /etc/httpd/conf.d
    server {
        # The "ssl" parameter on listen replaces the obsolete "ssl on;" directive
        listen 34445 ssl;
        ssl_certificate /etc/pki/tls/certs/agent_host.crt;
        ssl_certificate_key /etc/pki/tls/private/agent_host.key;
        ssl_protocols TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass http://localhost:4445/;
        }
    }
This is the configuration for the file nginx.conf, which is usually stored under /etc/nginx
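A hardened variant of the Apache virtual host above, added here as an example and not part of the original article or the JobScheduler documentation. It assumes Apache 2.4.36 or later with mod_ssl, mod_proxy and mod_proxy_http loaded and built against OpenSSL 1.1.1 or later; ports and file paths are the ones used on this page.

```apache
# Added example (not from the original page).
# Assumption: a matching "Listen 24445" exists elsewhere in the httpd configuration.
<VirtualHost *:24445>
    # Accept HTTPS only on this virtual host
    SSLEngine on

    # Offer TLS 1.2 and TLS 1.3 only; SSLv3, TLS 1.0 and TLS 1.1 are disabled
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # TLS 1.2 suites: ECDHE key exchange (forward secrecy) with AEAD ciphers.
    # No RC4, no export-grade suites, no LOW or MEDIUM suites.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on

    # The private key should be readable only by the account that starts the
    # proxy, not by the account that runs the Agent.
    SSLCertificateFile    /etc/pki/tls/certs/agent_host.crt
    SSLCertificateKeyFile /etc/pki/tls/private/agent_host.key

    # Reverse proxy only: never act as a forward proxy
    ProxyRequests off
    ProxyPass        / http://localhost:4445/
    ProxyPassReverse / http://localhost:4445/
</VirtualHost>
```

With these settings the proxy no longer offers TLS 1.0/1.1, RC4, export or LOW suites, so the JVM of JobScheduler Master must support TLS 1.2 (assumed: Java 8 or later). In the nginx server block the same choice is written `ssl_protocols TLSv1.2 TLSv1.3;` with the same list in `ssl_ciphers`.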
Import the self-signed certificate into the Java Truststore of JobScheduler Master
This step is not required if the TLS certificate was bought from a trusted certificate authority.
- Copy the certificate file (e.g. agent_host.crt) to your JobScheduler Master host
- Locate the JVM that JobScheduler Master is using
  - If you are uncertain, search the scheduler.log file for jvm.dll (Windows) or LD_LIBRARY_PATH (Unix). This will list the path of your Java installation (JRE or JDK).
- Run the Java keytool from that Java installation to import the certificate

    keytool -importcert -keystore <java_for_scheduler>/lib/security/cacerts -alias agent_host -file agent_host.crt -storepass changeit

See also: https://blogs.oracle.com/java-platform-group/entry/self_signed_certificates_for_a
Configure JobScheduler Master to use the reverse proxy
The proxy URL along with the HTTPS keyword is configured in the process class for the Agent:
<process_class max_processes="20" remote_scheduler="https://agent_host:24445"/>