You can set up Agents in JAMS to use TLS 1.2 to have a secure connection with the JAMS Scheduler. TLS uses X.509 certificates to validate the authenticity of servers before connecting to them.
This article describes the steps for Windows Agents, Linux Agents, and high-availability environments.
NOTE: The steps below are for environments where the Agents use an outgoing connection from the JAMS Scheduler.
Before You Begin
Ensure you have the following:
- The name of the machine where the Agent is installed.
- Credentials in JAMS that have access to add or update Agents.
- The JAMS Web Client/REST API installed on the JAMS Server and its URL (http://<ipaddress>/JAMS). This lets you download the certificate directly from the Agent.
Setting up the Certificate Authority
You can have JAMS generate a certificate authority (CA). The CA created by JAMS is self-signed, but it is not used for anything except additional JAMS certificates. On Windows, the local machine certificate store is used to hold the certificates. On Linux, JAMS AgentD has its own storage for certificates.
Creating the Certificate Authority on the JAMS Server
Follow the steps below to create the CA, store it in the server certificate store, and make it the default on the JAMS Server.
- On the JAMS Server, go to: <JAMS Install Folder>\MVPSI\JAMS\Scheduler\.
- Right-click JAMSRegister.exe and select Run as administrator. A command prompt window is displayed.
- Run the command below.
CREATE ROOT CA /STOREKEY /MAKEDEFAULT
- Wait until you see a message displaying “New self-signed certificate”. The CA will be named “JAMS Local Self-Signed Root CA”.
Setting up a Default Executor Connector Certificate
- In JAMSRegister, run the command below.
CREATE EXEC CONNECTOR CERT /STORECERT /MAKEDEFAULT
- Wait until you see a message that displays “New certificate".
You can now follow the steps in the sections below to set up a Windows Agent, Linux Agent, or a secondary server in a high-availability environment.
Setting up a Windows Agent
After you request the certificate using the command below, the only way to communicate with this Agent will be by using TLS, due to running /NOALLOWSSPI and /NOALLOWNONE. No other connections to this Agent will succeed until the Executor Connector is configured.
NOTE: The commands below are not case-sensitive.
- On the Windows Agent, go to: <JAMS Install Folder>\MVPSI\JAMS\Agent\.
- Right-click JAMSRegister.exe and select Run as administrator.
- Update the AGENTNAME and SERVER options and run the command below. The AGENTNAME is optional. The machine name will be used by default if a value is not entered.
UPDATE AGENT LISTENER /REQCERT /SERVER="<Enter the REST URL>" /PROMPT /NOALLOWSSPI /NOALLOWNONE /AGENTNAME=<Enter the name of the Agent>
- Enter your user password for the JAMS REST API.
- Wait until you see a message displaying “Requested Certificate”.
- On the JAMS Server, go to: <JAMS Install Folder>\MVPSI\JAMS\Scheduler\.
- Right-click JAMSRegister.exe and select Run as administrator.
- Update the AGENTNAME and SERVER options and run the command below.
ADD EXECUTOR CONNECTOR /USECERT /AGENTNAME=<Enter the name of the Agent> /SERVER="<Enter the REST URL>" /PROMPT /NOALLOWNONE /NOALLOWSSPI
Options:
USECERT: Uses the default Executor Connector certificate set up for the server.
AGENTNAME: The Agent Name listed in JAMS, if the Agent has already been created. It must match the Agent Name used in step 3, which is the machine name by default.
SERVER: The URL of the JAMS REST API (http://<ipaddress>/JAMS).
PROMPT: Prompts you to enter your JAMS Credentials for accessing the JAMS REST API. These may be your normal JAMS Credentials, if you have access to the API. The Credential must also have access to add or update Agents.
NOALLOWNONE: Requires a secure connection using TLS.
NOALLOWSSPI: Disables Active Directory for authentication.
- Wait until you see a message displaying “Executor Connector ADDED”.
Verifying the Agent State in JAMS
After you complete the previous step, do the following to verify the Agent is online:
- Open the JAMS Client.
- Click Agents in the Shortcut menu.
- On the Agents Definitions screen, double-click the Agent.
- On the Agent dialog, click the State tab.
- Verify the state is Online.
- If the Agent state is Unauthenticated, disable and re-enable the Agent in JAMS.
Setting up a Linux Agent
Before you set up the Linux Agent Listener, ensure the Agent is set up in JAMS and the Agent Platform is set to Linux.
NOTE: The commands below are case-sensitive.
- On the JAMS Server, go to: <JAMS Install Folder>\MVPSI\JAMS\Scheduler\.
- Right-click JAMSRegister.exe and select Run as administrator.
- Update the AGENTNAME option and run the command below. This creates an Agent Listener certificate on Windows and exports it, with the private key, as a PEM file with the complete certificate chain. You will be prompted to enter a private key password.
CREATE AGENT LISTENER CERT /NOSTORECERT /FILENAME=agentcert.pem /PROMPT /AGENTNAME=<Enter the name of the Agent> /PEM /CHAIN
- Copy the .PEM file to the Linux machine.
- On the Agent machine, run the jams-register configuration commands as the same user that runs jams-agentd, which is usually root.
- Run the command below to import the .PEM file.
jams-register -I agentcert.pem -q
- Enter the private key password that was used in step 3.
- Run the command below to configure the listener to use the thumbprint (-t thumbprint) and turn off the ability to connect without authentication (-d none).
jams-register -L -t <thumbprint> -d none
- Run the command below to restart JAMS agentd.
jams-agentd -F
- On the JAMS Server, ensure JAMSRegister is open.
- Update the AGENTNAME and SERVER options and run the command below.
ADD EXECUTOR CONNECTOR /USECERT /AGENTNAME=<Enter the name of the Agent> /SERVER="<Enter the REST URL>" /PROMPT /NOALLOWNONE /NOALLOWSSPI /PLATFORM="Linux"
Options:
USECERT: Uses the default Executor Connector certificate set up for the server.
AGENTNAME: The Agent Name listed in JAMS, if the Agent has already been created.
SERVER: The URL of the JAMS REST API (http://<ipaddress>/JAMS).
PROMPT: Prompts you to enter your JAMS Credentials for accessing the JAMS REST API. These may be your normal JAMS Credentials, if you have access to the API. The Credential must also have access to add or update Agents.
NOALLOWNONE: Requires a secure connection using TLS.
NOALLOWSSPI: Disables Active Directory for authentication.
PLATFORM: By default, the PLATFORM value is set to Windows. For Linux Agents, you must enter Linux.
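A pre-flight check for the exported agentcert.pem before it is copied to the Linux machine, added here as an example and not part of JAMS or this article: it confirms the bundle holds one private key and a full certificate chain, and derives the thumbprint to pass to jams-register -t. It assumes the Agent (leaf) certificate is the first CERTIFICATE block and that the thumbprint is the Windows-style SHA-1 of the DER encoding; the sample bundle is constructed with dummy payloads, not real certificates.

```python
import base64
import hashlib
import re

# Constructed sample with the layout of the bundle exported by
# CREATE AGENT LISTENER CERT ... /PEM /CHAIN: one private key, then the
# Agent (leaf) certificate, then the issuing CA. The base64 payloads are
# dummy bytes ("key!", "leaf", "root"), not real certificates.
SAMPLE_BUNDLE = """-----BEGIN ENCRYPTED PRIVATE KEY-----
a2V5IQ==
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
bGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cm9vdA==
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block, in file order."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_BLOCK.findall(text)]


def thumbprint(der):
    """SHA-1 of the DER bytes in upper-case hex, the thumbprint format Windows
    displays (assumed here to be what jams-register -t expects)."""
    return hashlib.sha1(der).hexdigest().upper()


def check_bundle(text, min_chain_len=2):
    """Structural check only (signatures are not verified): one private key and
    at least min_chain_len certificates; the leaf is assumed to come first."""
    blocks = parse_pem(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    problems = []
    if len(keys) != 1:
        problems.append("expected one private key block, found %d" % len(keys))
    if len(certs) < min_chain_len:
        problems.append("expected at least %d certificates (leaf + CA), found %d"
                        % (min_chain_len, len(certs)))
    return {
        "chain_length": len(certs),
        "leaf_thumbprint": thumbprint(certs[0]) if certs else None,
        "problems": problems,
    }
```

Use the returned leaf_thumbprint as the value for the -t option in `jams-register -L -t <thumbprint> -d none`, and treat a non-empty problems list as a reason to re-run the export before copying the file.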
Verifying the Agent State in JAMS
After you complete the previous step, do the following to verify the Agent is online:
- Open the JAMS Client.
- Click Agents in the Shortcut menu.
- On the Agents Definitions screen, double-click the Agent.
- On the Agent dialog, click the State tab.
- Verify the state is Online.
- If the Agent state is Unauthenticated, disable and re-enable the Agent in JAMS.
Setting up Secure Communication to a Secondary Server in a High Availability Environment
Once the primary JAMS Server is set up for secure communication using TLS, complete the steps below to secure communication between an Agent and the secondary JAMS Server.
NOTE: The commands below are not case-sensitive.
- On the primary JAMS Server, go to: <JAMS Install Folder>\MVPSI\JAMS\Scheduler\.
- Right-click JAMSRegister.exe and select Run as administrator.
- Run the command below to get the Default Root CA Thumbprint and the Default Executor Connector Thumbprint, which are needed in the steps below.
LIST EXEC CONFIG
- Run the command below to export the CA. It will display the thumbprint of the certificate that is exported, which will match the Default Root CA Thumbprint from step 3.
EXPORT ROOT CA /FILENAME=root.pfx /PROMPT
- Enter a password to store the private key. This is referred to as the root key password and will be used in another step.
- Run the command below to export the executor connector certificate. Enter the Default Executor Connector Thumbprint from step 3.
EXPORT EXEC CERT /FILENAME=exec.pfx /PROMPT /THUMBPRINT=<Default Executor Connector Thumbprint>
- Enter a password to store the private key. This is the exec key password.
- Copy both files to the secondary JAMS Server.
- On the secondary JAMS Server, go to: <JAMS Install Folder>\MVPSI\JAMS\Scheduler\.
- Right-click JAMSRegister.exe and select Run as administrator.
- Run the command below to import the certificate.
IMPORT ROOT CA /FILENAME=root.pfx /PROMPT /MAKEDEFAULT /STOREKEY
- Enter the root key password.
- Run the command below to import the executor certificate.
IMPORT EXEC CERT /FILENAME=exec.pfx /PROMPT /MAKEDEFAULT
- Enter the exec key password.
The TLS connection will be used when the secondary JAMS Server is the active server.