CA Automic Workload Automation - Automation Engine
Issue/Introduction
When talking about TLS in Automic:
What are the differences between Agent-to-JCP and Agent-to-Agent connections?
What exactly is the difference between the files found in trustedCertFolder and agentSecurityFolder?
Which parameters in the Agent's and AE's configuration files are involved?
Environment
Automic v21 and higher
Resolution
In short:
Agent-to-JCP communication uses server authentication only: the Agent verifies the JCP's certificate, which is either CA-signed or self-signed.
Agent-to-Agent communication uses mutual TLS (server and client authentication) based on a root certificate generated by the JWP.
A detailed explanation can be found at the bottom of this article, below these 3 slides that explain the high-level concepts and mechanisms:
The long story:
Agent-to-JCP communication
Parameters and files:
JCP uses the following files and passwords, defined in the [TLS] section of ucsrv.ini:
keyStore: location of the keystore containing the server certificate, either CA-signed or self-signed
keyStorePassword: password to access the keystore
keyPassword: password to access the key
keyAlias: name of the key in the keystore
Agent, AWI (or other client)
Agent:
trustedCertFolder defines the folder that contains the trust certificate. This parameter can remain empty if an official CA signed the JCP certificate and the Agent's server has the CA root certificate in its system certificate store. The trust certificate is used during the Agent's first connection to the JCP.
agentSecurityFolder (usually .../bin/security/) contains the Agent's certificates.
The file <agent>.pem contains the Agent's private key. It is generated during the first connection, together with its password, which is stored in the keyPassword parameter.
AWI:
The parameter <connections trustedCertFolder="<certificate_folder>"> in uc4config.xml points to the trust certificate used to connect to the JCP when the JCP uses a self-signed certificate.
Agent-to-Agent
The files <agent>.cert and <agent>_ca.pem in agentSecurityFolder are used for mutual TLS to encrypt the communication between Agents during File Transfer. The JWP creates these internal certificates based on the AE's internally generated root certificate, found in <AE>/bin/ae-cert-management/.
The file <agent>.cert is the trust certificate.
The file <agent>_ca.pem contains the internal CA root certificate that signed <agent>.cert.
In some file transfers a file named <remote_agent>_ca.pem appears in the ../security/ folder of the Agent. This happens if the system has JWPs running on multiple AE nodes: each AE node then has its own root certificate in <AE>/bin/ae-cert-management. Agent1 can only trust Agent2 if Agent2's certificate was signed by an internal root certificate that Agent1 knows. So if Agent2's certificate was signed by the JWP of a different node than Agent1's own, the AE also sends Agent1 the internal root certificate that signed Agent2's <agent>.cert.
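The trust rule in the last paragraph, as an added example that is not Automic's code: a Go program using only the standard library plays the JWP issuing an Agent certificate from a node root, then checks whether a peer Agent's certificate is accepted with only the Agent's own root and again after the remote node's root (the <remote_agent>_ca.pem case) is added. The function names makeCert and trusts and the node and Agent labels are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for name: with signer == nil a self-signed root
// (the role of the JWP's root in ae-cert-management), otherwise an end-entity
// certificate signed by signer (the role of <agent>.cert). Returns cert and its key.
func makeCert(name string, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	parent, parentKey := tmpl, key // self-signed unless a signer is given
	if signer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		parent, parentKey = signer, signerKey
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	crt, _ := x509.ParseCertificate(der)
	return crt, key
}

// trusts reports whether a peer Agent's certificate chains to one of the roots
// this Agent holds: its own <agent>_ca.pem plus any <remote_agent>_ca.pem received.
func trusts(peer *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

The same check, run against the real files with a tool such as openssl verify using <agent>_ca.pem as the CA file, tells you whether a peer's <agent>.cert would be accepted before a File Transfer is attempted.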