How to disable CJOC authorization in PSE


  • Changes to Identity Management Provider have locked out access to CJOC
  • No access to CJOC


  • CloudBees Private SaaS Edition (PSE)


Authentication for CJOC can be removed, if needed, by editing the config.xml file. However, in PSE additional steps are needed to ensure that changes are saved and restart is handled correctly.


1) Connect to CJOC

PSE 1.2.0 and later

Run bees-pse run ssh-into-tenant TENANT_ID to get a shell into the CJOC or master container.

PSE <1.2.0

First, run bees-pse run list-applications to find out in which worker host the container is running. In the following example it would be worker-2 for CJOC:

$ bees-pse run list-applications
castle.jce : worker-2
elasticsearch.jce : worker-2
castle.jce : worker-3
cjoc.jce : worker-2
castle.jce : worker-1

Then ssh into the worker with

dna connect worker-2

At this point we can get a shell into the container.

sudo docker exec -ti $(sudo docker ps -f label=com.cloudbees.pse.tenant=TENANT_ID -q) bash

2) Disable Security

  • stop Jenkins (the easiest way to do this is to kill the servlet container.)
  • Go to $JENKINS_HOME in the file system and find config.xml file.
  • Open this file in the editor.
  • Look for the <useSecurity>true</useSecurity> element in this file.
  • Replace true with false
  • Remove the elements authorizationStrategy and securityRealm

3) Force a snapshot

4) Restart CJOC

  • Access Marathon and verify that snapshot job has completed in storage
  • Restart the CJOC worker in Marathon
Have more questions? Submit a request


Please sign in to leave a comment.