Introduction
After successfully performing JS7 - Initial Operation for the Agent from the JS7 - Dashboard users can observe the Agent being up and running.
However, when adding an order to a workflow for the Agent then the order enters the BLOCKED state (purple color) without entries being added to the JS7 - History. The below error can be found in the following log files:
controller.log
(Controller)agent.log
(Agent).
For details see JS7 - Log Files and Locations.
ERROR js7.controller.agent.AgentDriver - (my_agent) Agent rejected AttachSignedItem(Signed(JobResource(JobResource:Default,HashMap(js7YadeConfigDir -> env('JS7_YADE_CONFIG_DIR')
or
ERROR js7.controller.agent.AgentDriver - (my_agent) Agent rejected AttachOrder
Analysis
The Agent is the component in JS7 that executes workflows and that stores information about execution results and JS7 - Order State Transitions in its journal and passes results to the Controller.
The Controller and Agent have to be equipped with a certificate to verify the signatures of any deployments, for details see JS7 - Deployment. The check of a deployment's signature is performed by the Controller and by the Agent independently from the JOC Cockpit security level.
- The above error messages indicate that no certificate is in place that can be used to verify the digital signature of a deployment.
- The certificates for digital signing are included with the .
/config/trusted-x509-certificates
directory that is available with both the Controller and with the Agent. - By default JS7 Controllers and Agents ship with a certificate from the
sos*.pem
file that is available from- the Controller's .
/var/config/trusted-x509-certificates
directory, - the Agent's
./var_<port>/config/trusted-x509-certificates
directory.
- the Controller's .
After extracting the Controller or Agent from its installation .tar.gz or .zip archive users might have specified a different location for the
./var
(Controller) or./var_<port>
(Agent) directories. As a result the Controller and Agent start script will populate the newly created configuration directory with the sub-folders./config
, ./logs
,./state
and./work
. However, the./config/trusted-x509-certificates
directory will remain empty and therefore no certificate is available to verify a deployment.
Solution
Users should copy the trusted certificate from the ./config/trusted-x509-certificates
location of the original Controller or Agent .tar.gz or .zip archive to the
./var/config/trusted-x509-certificates
(Controller)./
var_<port>/config/trusted-x509-certificates
(Agent)
directories. Then restart the Controller or Agent respectively.