Release Automation


 Nolio Agent Installer without bundled JRE?

Luke Randall posted Dec 09, 2021 12:35 PM

We use the Nolio Agent installer binaries/scripts to install Nolio Agents on servers, e.g. nolio_agent_windows_<version>.exe on Windows and nolio_agent_linux_x64_<version>.sh on Linux.

This installer has an embedded JRE which gets installed along with the agent. Following instructions which have previously been provided by Broadcom Support we have an install process where we do the following:

  1. Remove the embedded JRE from the agent by deleting the jre folder
  2. Create symlinks in the agent installation to point to a different JRE installation on the server; jre/bin/NolioAgent -> bin/java; jre/lib/ext -> lib/ext
  3. Restart the agent and it will then be running using this other JRE installed on the server

This process works fine for us and we have this in place for many agents which are installed in our environment so far.

We need to configure Nolio Agents in this way to comply with the requirements of our internal legacy Java vulnerability policy. The alternative JRE that we configure Nolio Agents to run with is kept up to date on servers by an automated patching process; this ensures that Java is never more than 3 months old and drives down vulnerabilities across the estate.

However, because of the way that we operate our Nolio service in Barclays, and because of access restrictions for the team that own the Nolio service, agent installation is performed self-service by Nolio users using a Chef cookbook. As such, the Nolio Agent installers are in a location for users to access, which means that they can also download the agent installer binaries/scripts and execute them on their servers. When users do this themselves they will get a Nolio Agent installed with the embedded JRE that ships with the product. In a lot of cases this is much older than the 3-month target for the Java vulnerability policy.

Therefore, what we are interested in is a binary/script for installing Nolio Agents on Linux and Windows which will install without the embedded JRE. If there is a way to pass a parameter to the installer to configure the Nolio agent to point at the other installed JRE location on the same host that would be nice, but we can also still do this post install JRE config using the Chef cookbook mechanism outlined above.

Is this something that is already available in the current Nolio Agent installer scripts/binaries? If not, is it something that can be provided?
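
A read-only check for the symlinked layout described in steps 1 to 3 of the post, added here as an example; it is not part of the original post or of Broadcom's tooling. It flags agents that self-service users installed with the bundled JRE still in place. The function name `check_agent_jre` and the agent path passed to it are assumptions, and `readlink -f` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example: audit one Nolio Agent directory for the external-JRE layout.
# Prints "external" and returns 0 when both links from step 2 resolve to
# existing targets outside the agent directory; otherwise prints
# "<reason>:<link>" and returns 1.
check_agent_jre() {
    agent_dir=$1   # assumption: caller supplies the agent install path
    # Resolve the agent directory itself so path comparisons are canonical.
    agent_real=$(cd "$agent_dir" 2>/dev/null && pwd -P) || {
        echo "no-agent-dir"; return 1; }
    for link in jre/bin/NolioAgent jre/lib/ext; do
        path="$agent_real/$link"
        if [ ! -L "$path" ]; then
            # Not a symlink: a bundled copy is still in place, or step 2
            # was never carried out.
            if [ -e "$path" ]; then
                echo "embedded:$link"
            else
                echo "missing:$link"
            fi
            return 1
        fi
        # A symlink whose target no longer exists (e.g. JRE was moved).
        if [ ! -e "$path" ]; then
            echo "dangling:$link"; return 1
        fi
        # A link that resolves back inside the agent tree does not point at
        # the separately patched JRE.
        target=$(readlink -f "$path")
        case "$target" in
            "$agent_real"/*) echo "internal:$link"; return 1 ;;
        esac
    done
    echo "external"
}
```

The non-zero return code lets a Chef `only_if`/`not_if` guard or a scheduled compliance job decide whether the post-install JRE step still needs to run on a host.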