Agent security and communication

Agents use SSL-secured WebSocket and HTTPS protocols to communicate with the server.

Agent overview

Agents do the actual work of deployment, which removes the task from the server. Agents are an important part of scalability in HCL DevOps Deploy (Deploy).

Although an agent is typically thought of as a single process, technically an agent consists of a worker process and a monitor process. The worker process is a multithreaded process that runs the deployment work after it receives commands from the server. Work commands come from plug-in steps, which provide integration with many third-party tools. The monitor is a service that manages the worker process; for example, it handles starting and stopping, restarts, upgrades, and security. After an agent is installed, it can be managed from the Deploy web application.

Agent security

All processes, including packaging, configuration, and deploying, that the Deploy server requests run on hardware that is assigned to agents. For added security, agents do not listen on ports but instead open direct outbound connections to the server. After an installed agent starts, the agent opens a WebSocket connection to the Deploy server based on the installation information.

Agents on networks other than the one where the server is located might require a firewall rule to be opened before they can establish a connection. After communication is established, the agent is visible in the Deploy web application, where it can be configured. Active agents, regardless of operating system, can be upgraded from the web application.

Agent communication

Agents are installed as Web agents. Web agents use WebSocket connections and HTTPS for agent-server communication.

Web agents use WebSocket connections for tracking agent status and notifications, and HTTPS for everything else.

The following diagram shows the main default ports that are involved in communication between agents, agent relays, and the server.
[Diagram: the default ports that agents, agent relays, and servers use to communicate with each other]

Stateless server-agent communication provides significant benefits to performance, security, availability, and disaster recovery. Because each agent request is self-contained, a transaction consists of an independent message, which can be synchronized to auxiliary storage as it occurs. Either endpoint, server or agent, can be stopped and restarted without repercussion, other than lost time. If communications fail mid-transaction, no messages are lost. After they are reconnected, the server and agent automatically determine which messages got through and what work was completed. After an outage, the system synchronizes the endpoints and recovers affected processes. The results of work that an agent completes during the outage are communicated to the server.
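The recovery behaviour described above, as an added example that is not HCL's code: each work request is a self-contained message that the server journals before sending, the agent keeps an idempotency record of completed work, and after a reconnect the server resends every journaled request that has no recorded result. The agent answers resent requests from its record rather than redoing the work, so work finished during the outage reaches the server exactly once. The class names, message shape and the reconciliation rule are assumptions for illustration, and the outage is simulated in-process.

```python
"""Added example (not HCL's code): a toy model of stateless, journaled
server-agent messaging that recovers after a dropped connection.
All names, message shapes and the resync rule are illustrative assumptions."""

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    kind: str      # "work" (server -> agent) or "result" (agent -> server)
    payload: dict  # everything needed to act on the message; no session state

    def encode(self) -> bytes:
        return json.dumps({"id": self.msg_id, "kind": self.kind, "payload": self.payload}).encode()

    @staticmethod
    def decode(raw: bytes) -> "Message":
        d = json.loads(raw)
        return Message(d["id"], d["kind"], d["payload"])


class Link:
    """One direction of a connection; set up=False to simulate an outage."""

    def __init__(self) -> None:
        self.up = True
        self.inbox: list = []

    def send(self, raw: bytes) -> None:
        if not self.up:
            raise ConnectionError("link down")
        self.inbox.append(raw)

    def drain(self) -> list:
        delivered, self.inbox = self.inbox, []
        return delivered


class Server:
    def __init__(self) -> None:
        self.next_id = 1
        self.journal: dict = {}   # msg_id -> Message, written before sending (auxiliary storage)
        self.results: dict = {}   # msg_id -> result payload reported by the agent

    def dispatch(self, to_agent: Link, step: dict) -> int:
        msg = Message(self.next_id, "work", step)
        self.next_id += 1
        self.journal[msg.msg_id] = msg   # persist first, so a failed send loses nothing
        try:
            to_agent.send(msg.encode())
        except ConnectionError:
            pass                         # journaled; resync() resends it later
        return msg.msg_id

    def receive(self, raw: bytes) -> None:
        msg = Message.decode(raw)
        if msg.kind == "result":
            self.results[msg.msg_id] = msg.payload   # a duplicate result carries equal data

    def resync(self, to_agent: Link) -> list:
        """After a reconnect, resend every journaled request that has no recorded result."""
        pending = [m for i, m in self.journal.items() if i not in self.results]
        for m in pending:
            to_agent.send(m.encode())
        return [m.msg_id for m in pending]


class Agent:
    def __init__(self) -> None:
        self.completed: dict = {}   # msg_id -> result; the idempotency record
        self.executions = 0         # how many times real work actually ran

    def handle(self, raw: bytes, to_server: Link) -> None:
        msg = Message.decode(raw)
        if msg.msg_id not in self.completed:      # never redo work already done
            self.executions += 1
            self.completed[msg.msg_id] = {"status": "ok", "step": msg.payload["name"]}
        try:
            to_server.send(Message(msg.msg_id, "result", self.completed[msg.msg_id]).encode())
        except ConnectionError:
            pass                                  # result kept locally until the server resyncs


def pump(link: Link, handler) -> None:
    for raw in link.drain():
        handler(raw)


def simulate_outage() -> dict:
    """Two requests complete during an outage, a third is issued during it; all three recover."""
    server, agent = Server(), Agent()
    s2a, a2s = Link(), Link()                       # server->agent and agent->server
    server.dispatch(s2a, {"name": "deploy-app"})    # constructed sample steps
    server.dispatch(s2a, {"name": "restart-service"})
    s2a.up = a2s.up = False                         # outage: both directions cut
    pump(s2a, lambda raw: agent.handle(raw, a2s))   # agent still runs the already-received work
    server.dispatch(s2a, {"name": "smoke-test"})    # issued during the outage; journaled only
    s2a.up = a2s.up = True                          # reconnect
    resent = server.resync(s2a)
    pump(s2a, lambda raw: agent.handle(raw, a2s))   # 1 and 2 answered from record, 3 executed
    pump(a2s, server.receive)
    return {
        "resent": resent,
        "executions": agent.executions,
        "results": server.results,
        "outstanding_after": len(server.resync(a2s)),
    }


if __name__ == "__main__":
    print(json.dumps(simulate_outage(), indent=2))
```

The design point is that the server journals before it sends and the agent records before it replies, so a failure at any instant leaves at most a resend, never a lost or duplicated deployment step.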