Setting up Two Way SSL HTTPS communication with Autosys 24.1 + Scheduler and agent in a Dev environment

Article ID: 412750


Products

Autosys Workload Automation, Workload Automation Agent

Issue/Introduction

This document provides detailed steps to set up an AutoSys 24.1.0 or higher scheduler and agent with two-way SSL handshake HTTPS communication.

Environment

AutoSys 24.1.0 +

Resolution

This is a document to help set up Autosys 24.1+ Scheduler and Agent to use TWO-WAY SSL HTTPS certificates.
The Certificate generation tools are provided on the Autosys 24.1.0+ ISO.

Provide two systems for use in this example
1) Create a 24.1.0 + Scheduler machine
2) Create a 24.1.0 + Agent machine

Remote Agent machine initial setup
1) Download the Autosys 24.1.0+ ISO and transfer it to the Agent machine
2) Install the Agent setup to use TCP only first to validate the setup with the scheduler before moving to HTTPS
NOTE:
    1. In this example, we used the ./modules/Agent/setup.bin to install the agent
    2. Used an agent name of HTTPS_AGENT rather than the default WA_AGENT
3) Set up the Java environment for root and the user you SSH into the machine with
    export JAVA_HOME=/opt/CA/WorkloadAutomationAE/SystemAgent/HTTPS_AGENT/wla_jre
    export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:$JAVA_HOME/bin/
    echo "export JAVA_HOME=/opt/java/jdk" >> ~/.bashrc
    echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:$JAVA_HOME/bin/" >> ~/.bashrc
4) Create a Certificate directory
    mkdir /opt/CA/WorkloadAutomationAE/TLSCerts/
    mkdir /opt/CA/WorkloadAutomationAE/TLSCerts/Agent
5) Add the machine definition to the scheduler and run a test job to validate the Agent Scheduler setup.

Scheduler Setup for HTTPS
1) Set up the Java environment for the autosys user and root
    export JAVA_HOME=/opt/CA/WorkloadAutomationAE/jre
    export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:$JAVA_HOME/bin/
    echo "export JAVA_HOME=/opt/java/jdk" >> ~/.bashrc
    echo "export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:$JAVA_HOME/bin/" >> ~/.bashrc
4) Create a Certificate directory
    mkdir /opt/CA/WorkloadAutomationAE/TLSCerts/
    mkdir /opt/CA/WorkloadAutomationAE/TLSCerts/Agent
    mkdir /opt/CA/WorkloadAutomationAE/TLSCerts/Manager
NOTE: We will be installing a secondary HTTPS Agent on the scheduler.

5) Copy the TLSCertificates directory to the WorkloadAutomationAE directory
    cp -r /tmp/labforge/autosys/modules/TLSCertificates /opt/CA/WorkloadAutomationAE/TLSCertificates
6) Edit the /opt/CA/WorkloadAutomationAE/TLSCertificates/cert-config.properties for the manager setup

7) Make the following suggested changes
- set the generate root CA to true
GENERATE_ROOT_CA=true
- set the manager hostname
MGR_HOSTNAME=<Scheduler-Hostname>
- set the manager FQDN (use both internal and external DNS names)
MGR_FQDN=<Scheduler-Hostname>.<DOMAIN>.com
- Set the manager IP address
MGR_IP=127.0.0.1,<XXX.XXX.XXX.XXX>
- Set the agent host name 
(Note: this example first run will be used for the second HTTPS agent installed on the scheduler)
AGENT_HOSTNAME=<Scheduler-Hostname>
- Set the Agent FQDN ( This is for the local agent)
AGENT_FQDN=<Scheduler-Hostname>.<DOMAIN>.com
- Set the agent IP address
AGENT_IP=127.0.0.1,<XXX.XXX.XXX.XXX>

8) Save and exit
9) Run the manager certificate generation
(NOTE: all passwords are changeit)
java -jar ManagerCertificateGenerator.jar

10) Copy the manager certs to the final destination
    cp -p /opt/CA/WorkloadAutomationAE/TLSCertificates/manager-generated-certs-20251001-101448/*.* /opt/CA/WorkloadAutomationAE/TLSCerts/Manager
    (NOTE: the manager-generated-certs- folder name will differ, because its last two parts are date and time stamps)

11) Edit the /opt/CA/WorkloadAutomationAE/TLSCertificates/cert-config.properties for the local agent setup
- set the generate root CA to false
GENERATE_ROOT_CA=false
- set the existing root cert location
EXISTING_ROOT_CA_PATH=./manager-generated-certs-20251001-101448/internalRootCA.p12
(Note: the manager directory name will change based on the date and time created)
12) Run the agent certificate generator 
(NOTE: all passwords are changeit)
java -jar AgentCertificateGenerator.jar

13) Copy the agent Certs to the final destination
    cp -p /opt/CA/WorkloadAutomationAE/TLSCertificates/agent-generated-certs-20251001-102710/*.* /opt/CA/WorkloadAutomationAE/TLSCerts/Agent
    (NOTE: the agent-generated-certs- folder name will differ, because its last two parts are date and time stamps)
    
Install Secondary HTTPS agent on the primary scheduler.
1) Use the agent installer to install a TCP secondary agent on the primary scheduler
(NOTE: used an agent name of HTTPS_AGENT rather than the default WA_AGENT)
2) Add the agent to the Scheduler and validate that the agent can run jobs.

Set up the Scheduler to use SSL
1) Use autosys_secure to create the encrypted password for your keystore/certificates
(In this example, changeit was the password used. )

2) Edit the /opt/CA/WorkloadAutomationAE/autouser.<INSTANCE>/sslconfig.<INSTANCE>
Example:
/opt/CA/WorkloadAutomationAE/autouser.DEV/sslconfig.DEV

3) Update the root certificate path
RootCACertificatePath=/opt/CA/WorkloadAutomationAE/TLSCerts/Manager/internalRootCA.crt
4) Update the Server certificate path
ServerCertificatePath=/opt/CA/WorkloadAutomationAE/TLSCerts/Manager/manager-server.crt
5) Update the Server private Key path
ServerPrivateKeyPath=/opt/CA/WorkloadAutomationAE/TLSCerts/Manager/manager-server.key
6) Set the encrypted Server Private Passphrase created with autosys_secure
ServerPrivateKeyPassphrase=<Encrypted Password>
7) Leave the TLSCipherSuites empty
8) Set the ServerCertificateVerification to true
ServerCertificateVerification=true
9) Set the ClientCertificateVerification to true
ClientCertificateVerification=true
10) Set the ServerCertificateVerifyHostname to true
ServerCertificateVerifyHostname=true
11) Set the ClientCertificateVerifyHostname to true
ClientCertificateVerifyHostname=true
12) Set the client certificate path
ClientCertificatePath=/opt/CA/WorkloadAutomationAE/TLSCerts/Manager/manager-client.crt
13) Set the manager client's Private key
ClientPrivateKeyPath=/opt/CA/WorkloadAutomationAE/TLSCerts/Manager/manager-client.key
14) Set the encrypted Client Private Passphrase created with autosys_secure
ClientPrivateKeyPassphrase=<Encrypted Password>

15) Save and exit

16) Edit the $AUTOUSER/config.<instance> file to add the HTTPS listening ports
SchedAuxiliaryHTTPSListeningPort=11443 
AppSrvAuxiliaryHTTPSListeningPort=12443

17) Save and exit
18) Restart the Autosys services

19) Check the $AUTOUSER/out/as_server and event_demon logs for startup messages such as:
as_server log
[10/01/2025 11:56:30]      CAUAJM_I_10176 AutoSys Application Server operational on auxiliary agent HTTPS listener port 12443.
[10/01/2025 11:56:30]      CAUAJM_I_20366 AutoSys Application Server operational on agent listener port 49159.
[10/01/2025 11:56:30]      CAUAJM_I_20367 AutoSys Application Server operational on auxiliary agent listener port 7500.
[10/01/2025 11:56:31]      CAUAJM_I_10485 CA EEM security session initialized with server <<XXX.XXX.XXX.XXX>>.
event_demon log
[10/01/2025 11:56:45]      CAUAJM_I_10655 System is running in single server mode.  Event server:  AEDB.
[10/01/2025 11:56:48]      CAUAJM_I_10176 AutoSys Scheduler operational on auxiliary agent HTTPS listener port 11443.
[10/01/2025 11:56:48]      CAUAJM_I_20366 AutoSys Scheduler operational on agent listener port 49215.
[10/01/2025 11:56:48]      CAUAJM_I_20367 AutoSys Scheduler operational on auxiliary agent listener port 7507.

Change the Scheduler HTTPS agent to use HTTPS
1) Use the password utility to encrypt the cert and keystore password for the agent
(NOTE: In this case, we used changeit for all passwords) 
2) Edit the /opt/CA/WorkloadAutomationAE/SystemAgent/HTTPS_AGENT/agentparm.txt
3) Add the below sections:
#
# Communications
#
#communication.inputport=7521
communication.inputport=10444
communication.receiver.socket.main=https
communication.receiver.https.keystoretype=PKCS12
communication.receiver.https.keystorefilepath=/opt/CA/WorkloadAutomationAE/TLSCerts/Agent/agent-server.p12
communication.receiver.https.keystorepassword=<Encrypted Password>
communication.receiver.https.truststorefilepath=/opt/CA/WorkloadAutomationAE/TLSCerts/Agent/truststore.p12
communication.receiver.https.truststorepassword=<Encrypted Password>
communication.receiver.https.clientauthrequired=true
communication.receiver.https.hostnameverifier=true
communication.receiver.https.tls.protocols=TLSv1.3
communication.transmitter.https.keystoretype=PKCS12
communication.transmitter.https.keystorefilepath=/opt/CA/WorkloadAutomationAE/TLSCerts/Agent/agent-client.p12
communication.transmitter.https.keystorepassword=<Encrypted Password>
communication.transmitter.https.truststorefilepath=/opt/CA/WorkloadAutomationAE/TLSCerts/Agent/truststore.p12
communication.transmitter.https.truststorepassword=<Encrypted Password>
communication.transmitter.https.verify.peer.certificate=true
communication.transmitter.https.hostnameverifier=true
communication.transmitter.https.tls.protocols=TLSv1.3
4) Save and exit
5) Restart the agent

6) Update the Scheduler local agent machine definition
- Change the protocol from TCP to HTTPS
- update the Agent URI with the proper string
https://<Scheduler-Hostname>.<DOMAIN>.com:10444/
7) Check the receiver and transmitter logs for startup messages
receiver logs
10/01/2025 13:43:24.833-0400 5 TCP/IP Controller Plugin.Thread-7.CybHttpsReceiverListener.a[:160] - Starting HTTPs listener
10/01/2025 13:43:25.129-0400 5 TCP/IP Controller Plugin.Thread-7.CybHttpsReceiverListener.a[:231] - HTTPS server started on port 10444 with TLS protocols TLSv1.3 with HostNameVerifier true

Create SSL Certs for the remote agent
1) On the manager, edit the /opt/CA/WorkloadAutomationAE/TLSCertificates/cert-config.properties

2) Make the following suggested changes
- set the generate root CA to false (Should already be set)
GENERATE_ROOT_CA=false
- set the existing root cert location (Should already be set)
EXISTING_ROOT_CA_PATH=./manager-generated-certs-20251001-101448/internalRootCA.p12
(NOTE: the manager directory name will change based on the date and time created)
- set the Agent HOSTNAME ( This is for the Remote agent)
AGENT_HOSTNAME=<Agent-Hostname>
- set the Agent FQDN ( This is for the Remote agent)
AGENT_FQDN=<Agent-Hostname>.<DOMAIN>.com
- set the agent IP address
AGENT_IP=127.0.0.1,<XXX.XXX.XXX.XXX>


3) Save and exit
4) Tar the certificates and transfer them to the Remote agent machine

5) Extract the files into /opt/CA/WorkloadAutomationAE/TLSCerts/Agent
example:
/opt/CA/WorkloadAutomationAE/TLSCerts/Agent
[<user>@<Agent-Hostname> Agent]#
[<user>@<Agent-Hostname> Agent]# ls -la
total 36
drwxr-xr-x. 2 <user>    <Group>    176 Oct  1 14:42 .
drwxr-xr-x. 4 <user>    <Group>    117 Oct  1 14:41 ..
-rw-r--r--. 1 <user> <Group> 5092 Oct  1 14:25 agent-client.p12
-rw-r--r--. 1 <user> <Group> 1589 Oct  1 14:25 agent-server.crt
-rw-r--r--. 1 <user> <Group> 1704 Oct  1 14:25 agent-server.key
-rw-r--r--. 1 <user> <Group> 5092 Oct  1 14:25 agent-server.p12
-rw-r--r--. 1 <user> <Group> 1295 Oct  1 14:25 internalRootCA.crt
-rw-r--r--. 1 <user> <Group> 2776 Oct  1 14:25 internalRootCA.p12
-rw-r--r--. 1 <user> <Group> 1286 Oct  1 14:25 truststore.p12

6) Edit the /opt/CA/WorkloadAutomationAE/SystemAgent/HTTPS_AGENT/agentparm.txt

7) Update the following sections:
#
# Communications
#
#communication.inputport=7521
communication.inputport=10444
communication.receiver.socket.main=https
communication.receiver.https.keystoretype=PKCS12
communication.receiver.https.keystorefilepath=/opt/CA/WorkloadAutomationAE/TLSCerts/Agent/agent-server.p12
communication.receiver.https.keystorepassword=<Encrypted Password>
communication.receiver.https.truststorefilepath=/opt/CA/WorkloadAutomationAE/TLSCerts/Agent/truststore.p12
communication.receiver.https.truststorepassword=<Encrypted Password>
communication.receiver.https.clientauthrequired=true
communication.receiver.https.hostnameverifier=true
communication.receiver.https.tls.protocols=TLSv1.3
communication.transmitter.https.keystoretype=PKCS12
communication.transmitter.https.keystorefilepath=/opt/CA/WorkloadAutomationAE/TLSCerts/Agent/agent-client.p12
communication.transmitter.https.keystorepassword=<Encrypted Password>
communication.transmitter.https.truststorefilepath=/opt/CA/WorkloadAutomationAE/TLSCerts/Agent/truststore.p12
communication.transmitter.https.truststorepassword=<Encrypted Password>
communication.transmitter.https.verify.peer.certificate=true
communication.transmitter.https.hostnameverifier=true
communication.transmitter.https.tls.protocols=TLSv1.3
8) Save and exit
9) Restart the agent

10) Update the agent machine definition
- Change the protocol from TCP to HTTPS
- update the Agent URI with the proper string
https://<Agent-Hostname>.<DOMAIN>.com:10444/

11) Check the receiver and transmitter logs for startup messages
receiver logs
10/01/2025 14:54:05.301-0400 2 main.MainThread.CybReceiverScheduler.<init>[:106] - Creating the processor pools[2]
10/01/2025 14:54:05.519-0400 5 TCP/IP Controller Plugin.Thread-7.CybHttpsReceiverListener.a[:160] - Starting HTTPs listener
10/01/2025 14:54:05.991-0400 5 TCP/IP Controller Plugin.Thread-7.CybHttpsReceiverListener.a[:231] - HTTPS server started on port 10444 with TLS protocols TLSv1.3 with HostNameVerifier true
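
Added example (not part of the original article or vendor tooling): a shell check that agentparm.txt on the scheduler-local and remote agents, and sslconfig.<INSTANCE> on the scheduler, still carry the verification settings listed in the sections above. The function names, the expected-value lists and the drifted sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Expected values are copied from the
# article's agentparm.txt and sslconfig.<INSTANCE> listings.
AGENTPARM_EXPECT="communication.receiver.socket.main=https
communication.receiver.https.clientauthrequired=true
communication.receiver.https.hostnameverifier=true
communication.receiver.https.tls.protocols=TLSv1.3
communication.transmitter.https.verify.peer.certificate=true
communication.transmitter.https.hostnameverifier=true
communication.transmitter.https.tls.protocols=TLSv1.3"
SSLCONFIG_EXPECT="ServerCertificateVerification=true
ClientCertificateVerification=true
ServerCertificateVerifyHostname=true
ClientCertificateVerifyHostname=true"

# check_tls_settings FILE KEY=VALUE...
# Prints one finding per setting that is missing (or only present as a
# comment) or has a different value; returns 1 on any finding, else 0.
check_tls_settings() (
    file=$1; shift
    findings=$(for want in "$@"; do
        awk -v k="${want%%=*}" -v v="${want#*=}" '
            /^[ \t]*#/ || index($0, "=") == 0 { next }
            { name = $0; sub(/[=].*/, "", name); gsub(/[ \t]/, "", name) }
            name == k {
                seen = 1
                val = $0; sub(/^[^=]*=/, "", val)
                gsub(/^[ \t]+|[ \t\r]+$/, "", val)
                if (val != v) printf "MISMATCH %s=%s (expected %s)\n", k, val, v
            }
            END { if (!seen) printf "MISSING %s (expected %s)\n", k, v }
        ' "$file"
    done)
    [ -z "$findings" ] && exit 0
    printf '%s\n' "$findings"
    exit 1
)

# Constructed sample: an agentparm.txt in which client authentication was
# switched off and the transmitter peer check was commented out.
demo_drifted_agentparm() (
    sample=$(mktemp)
    printf '%s\n' "$AGENTPARM_EXPECT" |
        sed -e 's/clientauthrequired=true/clientauthrequired=false/' \
            -e 's/^\(.*verify\.peer\.certificate\)/#\1/' > "$sample"
    rc=0; check_tls_settings "$sample" $AGENTPARM_EXPECT || rc=$?
    rm -f "$sample"; exit "$rc"
)
demo_drifted_agentparm || true
```

Against a live install, pass the real file instead of the sample, for example `check_tls_settings /opt/CA/WorkloadAutomationAE/SystemAgent/HTTPS_AGENT/agentparm.txt $AGENTPARM_EXPECT`.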

The configuration is now complete
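
Added example (not part of the original article or vendor tooling): the ls -la output in the remote agent section shows agent-server.key and the .p12 keystores with mode 644, so any local account can read them. The script below lists key material readable by group or other and restricts it to the owner. It assumes *.key and *.p12 files hold private keys (except truststore.p12) and that the files are owned by the account that runs the agent or scheduler; the function names and the sample directory are constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: *.key and *.p12 files hold
# private keys, except truststore.p12, which the article uses as a trust store.

# list_exposed_keys DIR: print key files that group or other can read.
list_exposed_keys() {
    find "$1" -type f \( -name '*.key' -o -name '*.p12' \) \
        ! -name 'truststore.p12' \( -perm -040 -o -perm -004 \) | sort
}

# lock_down_keys DIR: restrict each exposed key file to its owner (mode 600)
# and return 0 only if nothing is left exposed afterwards.
# Assumption: the files are owned by the account that runs the agent or
# scheduler, so owner-only access does not break the service.
lock_down_keys() {
    list_exposed_keys "$1" | while IFS= read -r path; do
        chmod 600 "$path"
    done
    [ -z "$(list_exposed_keys "$1")" ]
}

# Constructed sample: recreate the article's Agent directory with the same
# file names and the 644 modes shown in its ls -la output.
make_sample_dir() {
    dir=$(mktemp -d)
    for f in agent-client.p12 agent-server.crt agent-server.key \
             agent-server.p12 internalRootCA.crt internalRootCA.p12 \
             truststore.p12; do
        : > "$dir/$f" && chmod 644 "$dir/$f"
    done
    printf '%s\n' "$dir"
}

sample=$(make_sample_dir)
echo "Readable by group/other before:"; list_exposed_keys "$sample"
lock_down_keys "$sample" && echo "After chmod 600: none exposed"
rm -rf "$sample"
```

On a real host, run `list_exposed_keys /opt/CA/WorkloadAutomationAE/TLSCerts` first and review the list before calling `lock_down_keys`.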

 
