IT Process Automation

  • 1.  SSL Ports

    Posted Apr 16, 2019 10:10 AM

    Having some small challenges with a configuration that has two Domain Orchestrators (behind an F5 load balancer) and one Agent on a Service Desk application server. The issue seems to be around the communication between the Agent and both nodes of the cluster.

    To clarify, we are using secure (SSL) communications and have configured PAM to use port 8443 for web (and web service) connections with a properly signed (wildcard) certificate. We can log into PAM from a browser (port 8443) and the connection is secure.

    We also understand that the communication between PAM components is over port 443 (simplified communications) using the self-signed certificates found in c2okeystore.

    In our configuration there seems to be a behavior inconsistency between the PAM Agent and the Orchestrators. It would be useful to better understand the correct values for the following parameters found in the domain.xml file (443 vs 8443) on the Orchestrators and Agent:

    • <C2ODomainSecurePort>
    • <C2ODomainURL>https://loadbalancerAddress:port
    • <CommsV2Port>
    • <NodeCommsV2Port>
    • <NodeCommsServerPort>
    • <SecurePort>

    Any insights you can provide will be much appreciated.



  • 2.  Re: SSL Ports

    Broadcom Employee
    Posted Apr 18, 2019 08:36 AM

    Port usage documentation can be found here:

    Ports Used by CA Process Automation - CA Process Automation - 04.3.02 - CA Technologies Documentation 
    Here are the values from an internal LAB setup against an NGINX load balancer:
    <C2ODomainSecurePort>8443</C2ODomainSecurePort>
    <NodeCommsV2Port>443</NodeCommsV2Port>
    <NodeCommsServerPort>443</NodeCommsServerPort>
    <SecurePort>8443</SecurePort>
    <C2ODomainURL>hostname:443/</C2ODomainURL>
    I hope this helps!
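
An added example (not CA's code) that checks a domain.xml against the lab values listed above: the web/UI port must appear in both C2ODomainSecurePort and SecurePort, the simplified-communications port in both NodeCommsV2Port and NodeCommsServerPort, and C2ODomainURL must carry that communications port. The grouping of the six parameters into those two ports is an assumption read off the posted values, not taken from the CA documentation, and the sample XML and hostname are constructed.

```python
# Added example (not CA's code): consistency check for the SSL/port values in a
# Process Automation domain.xml. Rule set is assumed from the lab values above:
#   web/UI port -> C2ODomainSecurePort, SecurePort           (8443)
#   comms port  -> NodeCommsV2Port, NodeCommsServerPort      (443)
#   C2ODomainURL must carry the comms port, since the Agent reaches the
#   Orchestrators through it.
import re
import xml.etree.ElementTree as ET

WEB_PORT_KEYS = ("C2ODomainSecurePort", "SecurePort")
COMMS_PORT_KEYS = ("NodeCommsV2Port", "NodeCommsServerPort")

def read_ports(xml_text):
    """Extract the five port-related elements as a dict (missing -> None)."""
    root = ET.fromstring(xml_text)
    values = {}
    for key in WEB_PORT_KEYS + COMMS_PORT_KEYS + ("C2ODomainURL",):
        el = root.find(".//" + key)
        values[key] = el.text.strip() if el is not None and el.text else None
    return values

def url_port(url):
    """Port embedded in a C2ODomainURL value (host:port/ or scheme://host:port/)."""
    m = re.search(r":(\d+)(?:/|$)", url or "")
    return m.group(1) if m else None

def check_ports(xml_text, web_port="8443", comms_port="443"):
    """Return mismatch descriptions; an empty list means the file is consistent."""
    v = read_ports(xml_text)
    findings = []
    for key in WEB_PORT_KEYS:
        if v[key] != web_port:
            findings.append(f"{key}={v[key]!r}, expected {web_port}")
    for key in COMMS_PORT_KEYS:
        if v[key] != comms_port:
            findings.append(f"{key}={v[key]!r}, expected {comms_port}")
    if url_port(v["C2ODomainURL"]) != comms_port:
        findings.append(f"C2ODomainURL={v['C2ODomainURL']!r} is not on port {comms_port}")
    return findings

# Constructed sample: NodeCommsServerPort and the domain URL point at the web port.
SAMPLE_BAD = """<Domain>
  <C2ODomainSecurePort>8443</C2ODomainSecurePort>
  <NodeCommsV2Port>443</NodeCommsV2Port>
  <NodeCommsServerPort>8443</NodeCommsServerPort>
  <SecurePort>8443</SecurePort>
  <C2ODomainURL>https://loadbalancer.example:8443/</C2ODomainURL>
</Domain>"""
```

Run `check_ports(open("domain.xml").read())` on each Orchestrator's and the Agent's copy; any non-empty result points at the parameter that disagrees with the lab layout.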



  • 3.  Re: SSL Ports

    Posted Apr 18, 2019 05:58 PM

    Hi Michael,

    Thanks for verifying that from your LAB setup. I suspect an issue with the F5 load balancer configuration. I'll have to spend more time with the network guru.
    Please correct me if my understanding is wrong:

    In simplified communications, the Agent maintains a connection with the Orchestrators (through the load balancer, port 443) to be informed when there is work to do. (I assume this as the Agent is not listening on any port and I see a network connection between the Agent and the load balancer. Viewed using Process Explorer.)
    Here is the issue I am seeing:

    • I log into one Orchestrator directly (without going through the load balancer).
    • I log into the other Orchestrator directly (without going through the load balancer).
    • I launch the Agent Console on the first Orchestrator and try to get the Status of the Agent.
      • It shows Active
    • I launch the Agent Console on the second Orchestrator and try to get the Status of the Agent.
      • It shows Inactive
    • I find that if I wait a while (~15 minutes) and try the second Orchestrator Agent Console to get the Status then it will show Active but the first Orchestrator will now show Inactive.
    I wonder if I should see two connections between the Agent and the load balancer, one for each Orchestrator.
    This also manifests itself with Process Operators assigned to the Agent sometimes failing with System Error "Message could not be posted to the node."
    Cheers,

    Lindsay