You can set up Agents in JAMS to use TLS 1.2 for a secure connection with the JAMS Scheduler. TLS uses X.509 certificates so that the authenticity of a server can be verified before a connection to it is trusted.
This article describes the steps for Windows Agents, Linux Agents, and high-availability environments.
Starting with JAMS 7.6, the JAMS Web Client no longer needs to be installed as part of this process. Ensure the JAMS Scheduler and Agent have both been upgraded to 7.6 or higher. If you are using a version prior to JAMS 7.6, install the JAMS Web Client and specify the URL for the REST API in the /SERVER fields rather than the JAMS Server name.
NOTE: The steps below are for environments where the JAMS Scheduler initiates the connection to the Agents (an outgoing connection from the Scheduler to the Agent).
Before You Begin
Ensure you have the following:
- The name of the machine where the Agent is installed.
- Credentials in JAMS that have access to add or update Agents.
Setting up the Certificate Authority
You can have JAMS generate a certificate authority (CA). The CA created by JAMS is self-signed and is used only to issue the other JAMS certificates described in this article. On Windows, the certificates are kept in the local machine certificate store. On Linux, JAMS AgentD has its own certificate storage.
Creating the Certificate Authority on the JAMS Server
Follow the steps below to create the CA, store it in the server certificate store, and make it the default on the JAMS Server.
- On the JAMS Server, go to: <JAMS Install Folder>\MVPSI\JAMS\Scheduler\.
- Right-click JAMSRegister.exe and select Run as administrator. A command prompt window is displayed.
- Run the command below.
CREATE ROOT CA /STOREKEY /MAKEDEFAULT
- Wait until you see a message displaying “New self-signed certificate”. The CA will be named “JAMS Local Self-Signed Root CA”.
Setting up a Default Executor Connector Certificate
- In JAMSRegister, run the command below.
CREATE EXEC CONNECTOR CERT /STORECERT /MAKEDEFAULT
- Wait until you see a message that displays “New certificate”.
You can now follow the steps in the sections below to set up a Windows Agent, Linux Agent, or a secondary server in a high-availability environment.
Setting up a Windows Agent
Because the command below includes /NOALLOWSSPI and /NOALLOWNONE, the Agent will accept only TLS connections once the certificate has been requested. No other connection to this Agent will succeed until the Executor Connector has been configured in the steps that follow.
NOTE: The commands below are not case-sensitive.
- On the Windows Agent, go to: <JAMS Install Folder>\MVPSI\JAMS\Agent\.
- Right-click JAMSRegister.exe and select Run as administrator.
- Update the AGENTNAME and SERVER options and run the command below. The AGENTNAME is optional. The machine name will be used by default if a value is not entered.
UPDATE AGENT LISTENER /REQCERT /SERVER="<Enter the name of the JAMS Server>" /NOALLOWSSPI /NOALLOWNONE /AGENTNAME=<Enter the name of the Agent>
- Wait until you see a message displaying “Requested Certificate”.
- On the JAMS Server, go to: <JAMS Install Folder>\MVPSI\JAMS\Scheduler\.
- Right-click JAMSRegister.exe and select Run as administrator.
- Update the AGENTNAME and SERVER options and run the command below.
ADD EXECUTOR CONNECTOR /USECERT /AGENTNAME=<Enter the name of the Agent> /SERVER="<Enter the name of the JAMS Server>" /NOALLOWNONE /NOALLOWSSPI
The options are:
- USECERT: Uses the default Executor Connector certificate set up for the server.
- AGENTNAME: The Agent Name listed in JAMS, if the Agent has already been created. It must match the Agent Name used in step 3, which is the machine name by default.
- SERVER: The name of the JAMS Server. If you are using a version prior to JAMS 7.6, enter the URL of the REST API instead, add /PROMPT to the command, and enter the password for the JAMS REST API when prompted.
- NOALLOWNONE: Disallows unauthenticated ("none") connections, so a secure connection using TLS is required.
- NOALLOWSSPI: Disables Windows integrated (SSPI/Active Directory) authentication, leaving the certificate as the only way to authenticate the connection.
- USER: If the Agent is in a different domain, or the user running JAMSRegister on a remote Agent does not have access to modify the specified Agent in JAMS, add /USER="<Enter a user in the JAMS Server Domain>" together with /PROMPT. This lets you authenticate with the JAMS Server as a user that can make the necessary changes to the Agent in JAMS.
- PROMPT: Prompts you for the JAMS Credentials used to access the JAMS Server as the user specified with USER. These may be your normal JAMS Credentials if you have access to the Server; the Credential must also be allowed to add or update Agents.
- Wait until you see a message displaying “Executor Connector ADDED”.
Verifying the Agent State in JAMS
After you complete the previous step, do the following to verify the Agent is online:
- Open the JAMS Client.
- Click Agents in the Shortcuts menu.
- On the Agents Definitions screen, double-click the Agent.
- On the Agent dialog, click the State tab.
- Verify the state is Online.
- If the Agent state is Unauthenticated, disable and re-enable the Agent in JAMS.
Setting up a Linux Agent
Before you set up the Linux Agent Listener, ensure the Agent has been defined in JAMS and its Agent Platform is set to Linux.
NOTE: The commands below are case-sensitive.
- On the JAMS Server, go to: <JAMS Install Folder>\MVPSI\JAMS\Scheduler\.
- Right-click JAMSRegister.exe and select Run as administrator.
- Update the AGENTNAME option and run the command below. This creates an Agent Listener certificate on the JAMS Server and exports it, together with its private key and the complete certificate chain, as a PEM file (the /NOSTORECERT option keeps it out of the server's certificate store). You will be prompted to enter a private key password; choose a strong one, because the file carries the Agent's private key.
CREATE AGENT LISTENER CERT /NOSTORECERT /FILENAME=agentcert.pem /PROMPT /AGENTNAME=<Enter the name of the Agent> /PEM /CHAIN
- Copy the .PEM file to the Linux machine over a secure channel (for example, scp) and delete the copy on the JAMS Server once the import below has succeeded.
- On the Agent machine, run the jams-register commands below as the same user that jams-agentd runs as, which is usually root.
- Run the command below to import the .PEM file.
jams-register -I agentcert.pem -q
- Enter the private key password that was used in step 3.
- Run the command below to configure the listener to use the thumbprint (-t thumbprint) and turn off the ability to connect without authentication (-d none).
jams-register -L -t <thumbprint> -d none
- Run the command below to restart JAMS agentd.
jams-agentd -F
- On the JAMS Server, ensure JAMSRegister is open.
- Update the AGENTNAME and SERVER options and run the command below.
ADD EXECUTOR CONNECTOR /USECERT /AGENTNAME=<Enter the name of the Agent> /SERVER="<Enter the name of the JAMS Server>" /NOALLOWNONE /NOALLOWSSPI /PLATFORM="Linux"
The options are:
- USECERT: Uses the default Executor Connector certificate set up for the server.
- AGENTNAME: The Agent Name listed in JAMS, if the Agent has already been created.
- SERVER: The name of the JAMS Server. If you are using a version prior to JAMS 7.6, enter the URL of the REST API instead, add /PROMPT to the command, and enter the password for the JAMS REST API when prompted.
- NOALLOWNONE: Disallows unauthenticated ("none") connections, so a secure connection using TLS is required.
- NOALLOWSSPI: Disables Windows integrated (SSPI/Active Directory) authentication, leaving the certificate as the only way to authenticate the connection.
- USER: If the Agent is in a different domain, or the user running JAMSRegister on a remote Agent does not have access to modify the specified Agent in JAMS, add /USER="<Enter a user in the JAMS Server Domain>" together with /PROMPT. This lets you authenticate with the JAMS Server as a user that can make the necessary changes to the Agent in JAMS.
- PROMPT: Prompts you for the certificate password. It is also used to prompt you for the JAMS Credentials used to access the JAMS Server as the user specified with USER. These may be your normal JAMS Credentials if you have access to the Server; the Credential must also be allowed to add or update Agents.
- PLATFORM: Defaults to Windows. For Linux Agents, you must enter Linux.
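The Linux steps above rely on a thumbprint for jams-register -L -t, and on the PEM file actually containing the full chain and an encrypted private key. Before copying agentcert.pem off the JAMS Server, it is worth checking all three. The PowerShell below is an added example written for this page, not JAMS code or part of the original article: it assumes the file name agentcert.pem from step 3, decodes the PEM with .NET rather than any JAMS tool, picks the leaf certificate as the one that issued nothing else in the file, and reports its thumbprint in the SHA-1 hex form Windows displays (assumed here to be the form jams-register -L -t accepts; compare it with whatever jams-register -I prints on import).

```powershell
# Added example (not JAMS code): inspect the PEM exported by
# CREATE AGENT LISTENER CERT ... /PEM /CHAIN before it is copied to the Linux Agent.
# Assumes the file name agentcert.pem from step 3 and that jams-register -L -t takes
# the thumbprint in the same SHA-1 hex form Windows shows.
function Test-JamsAgentPem {
    param([Parameter(Mandatory)][string]$PemPath)

    $pem  = Get-Content -Path $PemPath -Raw
    $x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

    # Decode every certificate block in the file (with /CHAIN there should be more than one).
    $blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----')
    if ($blocks.Count -eq 0) { throw "No certificate blocks found in $PemPath" }
    $certs = @(foreach ($b in $blocks) {
        $der = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
        New-Object -TypeName $x509 -ArgumentList (,$der)
    })

    # The Agent's own (leaf) certificate is the one that did not issue any other cert in the file.
    $leaf = @($certs | Where-Object {
        $c = $_
        -not ($certs | Where-Object { $_.Thumbprint -ne $c.Thumbprint -and $_.Issuer -eq $c.Subject })
    }) | Select-Object -First 1
    if (-not $leaf) { throw "Could not identify the leaf certificate in $PemPath" }

    # The chain should end at the self-signed JAMS CA created earlier in the article.
    $root = $certs | Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like '*JAMS Local Self-Signed Root CA*' }

    # The private key must be present (it was exported with /PROMPT) and must be encrypted.
    $key = [regex]::Match($pem, '-----BEGIN (ENCRYPTED PRIVATE KEY|RSA PRIVATE KEY|EC PRIVATE KEY|PRIVATE KEY)-----')
    $keyEncrypted = $key.Success -and (
        $key.Groups[1].Value -eq 'ENCRYPTED PRIVATE KEY' -or $pem -match 'Proc-Type:\s*4,ENCRYPTED')
    if ($key.Success -and -not $keyEncrypted) {
        Write-Warning "$PemPath contains an UNENCRYPTED private key; do not copy it as-is."
    }

    [pscustomobject]@{
        File                  = $PemPath
        CertificatesInFile    = $certs.Count
        LeafSubject           = $leaf.Subject
        LeafIssuer            = $leaf.Issuer
        LeafThumbprint        = $leaf.Thumbprint   # value for: jams-register -L -t <thumbprint> -d none
        LeafNotAfter          = $leaf.NotAfter
        ChainEndsAtJamsRootCA = [bool]$root
        PrivateKeyPresent     = $key.Success
        PrivateKeyEncrypted   = $keyEncrypted
    }
}

# Run on the JAMS Server, in the folder where JAMSRegister wrote the file.
Test-JamsAgentPem -PemPath .\agentcert.pem | Format-List
```

If CertificatesInFile is 1 or ChainEndsAtJamsRootCA is False, the export did not include the chain and the Linux Agent will not be able to validate the Executor Connector certificate; re-run the CREATE AGENT LISTENER CERT command with /CHAIN. If PrivateKeyEncrypted is False, the file is a bare private key and should be regenerated with /PROMPT rather than copied.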
Verifying the Agent State in JAMS
After you complete the previous step, do the following to verify the Agent is online:
- Open the JAMS Client.
- Click Agents in the Shortcuts menu.
- On the Agents Definitions screen, double-click the Agent.
- On the Agent dialog, click the State tab.
- Verify the state is Online.
- If the Agent state is Unauthenticated, disable and re-enable the Agent in JAMS.
Setting up Secure Communication to a Secondary Server in a High Availability Environment
Once the primary JAMS Server is set up for secure communication using TLS, complete the steps below to secure communication between an Agent and the secondary JAMS Server.
NOTE: The commands below are not case-sensitive.
- On the primary JAMS Server, go to: <JAMS Install Folder>\MVPSI\JAMS\Scheduler\.
- Right-click JAMSRegister.exe and select Run as administrator.
- Run the command below to get the Default Root CA Thumbprint and the Default Executor Connector Thumbprint, which are needed in the steps below.
LIST EXEC CONFIG
- Run the command below to export the CA. It will display the thumbprint of the certificate that is exported, which will match the Default Root CA Thumbprint from step 3.
EXPORT ROOT CA /FILENAME=root.pfx /PROMPT
- Enter a password to store the private key. This is referred to as the root key password and will be used in another step.
- Run the command below to export the executor connector certificate. Enter the Default Executor Connector Thumbprint from step 3.
EXPORT EXEC CERT /FILENAME=exec.pfx /PROMPT /THUMBPRINT=<Default Executor Connector Thumbprint>
- Enter a password to store the private key. This is the exec key password.
- Copy both files to the secondary JAMS Server over a secure channel. They contain the CA and Executor Connector private keys, protected only by the passwords you entered, so delete the copies on both servers once the import below has succeeded.
- On the secondary JAMS Server, go to: <JAMS Install Folder>\MVPSI\JAMS\Scheduler\.
- Right-click JAMSRegister.exe and select Run as administrator.
- Run the command below to import the certificate.
IMPORT ROOT CA /FILENAME=root.pfx /PROMPT /MAKEDEFAULT /STOREKEY
- Enter the root key password.
- Run the command below to import the executor certificate.
IMPORT EXEC CERT /FILENAME=exec.pfx /PROMPT /MAKEDEFAULT
- Enter the exec key password.
The TLS connection will be used when the secondary JAMS Server is the active server.
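The same check applies at several points in this article: on the JAMS Server after CREATE ROOT CA and CREATE EXEC CONNECTOR CERT, on a Windows Agent after UPDATE AGENT LISTENER /REQCERT, and on the secondary server after the imports above. The PowerShell below is an added example written for this page, not JAMS code or part of the original article. It reads the local machine certificate store directly, keys off the CA name the article gives (JAMS Local Self-Signed Root CA), and optionally takes the thumbprints that LIST EXEC CONFIG prints on the primary so you can confirm the secondary holds the same CA and Executor Connector certificate, each with its private key. It assumes those thumbprints are the SHA-1 values shown by the Windows certificate store; run it from an elevated PowerShell so private-key information is visible.

```powershell
# Added example (not JAMS code): report the JAMS CA and every certificate it has issued
# in the local machine store. Pass the thumbprints printed by LIST EXEC CONFIG on the
# primary to confirm the same certificates exist on the secondary (assumes SHA-1 hex
# thumbprints as shown by the Windows certificate store).
function Get-JamsCertificateReport {
    param(
        [string[]]$ExpectedThumbprint = @(),
        [int]$WarnIfExpiringWithinDays = 30
    )
    $caName = 'JAMS Local Self-Signed Root CA'   # CA name given in the article

    # Walk every store under LocalMachine rather than assuming Root or My, since the
    # CA and the issued certificates may live in different stores.
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Issuer -like "*$caName*" })

    if ($certs.Count -eq 0) {
        Write-Warning "No certificate issued by '$caName' found in Cert:\LocalMachine."
    }

    $report = foreach ($c in $certs) {
        $isCa     = ($c.Subject -eq $c.Issuer)          # self-signed: the root CA itself
        $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -le $WarnIfExpiringWithinDays) {
            Write-Warning "$($c.Subject) ($($c.Thumbprint)) expires in $daysLeft days."
        }
        $role = if ($isCa) { 'JAMS Root CA' } else { 'Issued by JAMS CA' }
        $expected = if ($ExpectedThumbprint.Count -eq 0) { 'n/a' } else { $ExpectedThumbprint -contains $c.Thumbprint }
        [pscustomobject]@{
            Role          = $role
            Store         = ($c.PSParentPath -split '::')[-1]   # e.g. LocalMachine\My
            Subject       = $c.Subject
            Thumbprint    = $c.Thumbprint
            HasPrivateKey = $c.HasPrivateKey   # must be True for certs this machine uses for TLS
            NotAfter      = $c.NotAfter
            DaysLeft      = $daysLeft
            Expected      = $expected
        }
    }

    # Anything LIST EXEC CONFIG reported on the primary but missing here means the
    # import did not land where JAMS will look for it.
    foreach ($t in $ExpectedThumbprint) {
        if ($certs.Thumbprint -notcontains $t) {
            Write-Warning "Expected thumbprint $t is not present in Cert:\LocalMachine."
        }
    }
    $report
}

# On the JAMS Server or a Windows Agent:
Get-JamsCertificateReport | Format-Table -AutoSize

# On the secondary server, with the two thumbprints from LIST EXEC CONFIG on the primary:
# Get-JamsCertificateReport -ExpectedThumbprint '<Default Root CA Thumbprint>', '<Default Executor Connector Thumbprint>' | Format-Table -AutoSize
```

On the secondary, both expected thumbprints should appear with HasPrivateKey True; the root CA needs its key because it was imported with /STOREKEY, and the Executor Connector certificate needs its key to complete the TLS handshake with Agents once the secondary becomes the active server. On a Windows Agent, the interesting line is the certificate issued by the JAMS CA for the Agent's listener, which must also report HasPrivateKey True.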
Related Article
Disabling JAMS Server to Agent Authentication Using JAMS Version 7