KBEC-00377 - Enabling HTTPS Secure Callbacks from an ISPW Server to the CloudBees CD (CloudBees Flow) Server for the EC-ISPW Plugin

This document describes how to copy the public key of a self-signed CA certificate from the CloudBees CD (CloudBees Flow) server and install it into a Compuware ISPW server so that ISPW can make secure HTTPS callbacks to the CloudBees CD (CloudBees Flow) server. The CloudBees CD (CloudBees Flow) server uses the EC-ISPW plugin to trigger ISPW operations by calling the REST interface of an ISPW server. Several of the available operations are asynchronous: the REST call returns as soon as the operation has started successfully, and the ISPW server makes a callback when the operation finishes.

By default, the CloudBees CD (CloudBees Flow) EC-ISPW plugin configures these web callbacks to call back to the setProperty REST interface of the CloudBees CD (CloudBees Flow) server. When a callback occurs, the ISPW server acts as a REST client to the CloudBees CD (CloudBees Flow) server, which means that it needs to supply credentials to log in to CloudBees CD (CloudBees Flow). So that these credentials travel securely across an untrusted network, the ISPW-to-CloudBees CD (CloudBees Flow) web requests are made via HTTPS to port 8443 (by default) of the CloudBees CD (CloudBees Flow) server.

By default, the CloudBees CD (CloudBees Flow) server uses a self-signed certificate for HTTPS on port 8443. So that the ISPW server can open the HTTPS connection to this port, it must have the CloudBees CD (CloudBees Flow) server self-signed certificate’s public key installed as a trusted certificate authority.

Checking the CloudBees CD (CloudBees Flow) Server Certificate

For this procedure, you will need the password for your CloudBees CD (CloudBees Flow) keystore. The default password is abcdef.

  1. Go to your CloudBees CD (CloudBees Flow) server’s configuration folder.

     • (Windows) By default, this folder is:

       C:\ProgramData\Electric Cloud\ElectricCommander\conf

     • (UNIX) By default, this folder is:

       /opt/electriccloud/electriccommander/conf

  2. Query the contents of the Java keystore file by entering one of the following commands, replacing passkey with your keystore password.

     • (Windows) Enter:

       "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -list -v -keystore keystore -storepass passkey

     • (UNIX) Enter:

       /opt/electriccloud/electriccommander/jre/bin/keytool -list -v -keystore keystore -storepass passkey

  3. Examine the output for lines similar to the following:

Alias name: jetty
Creation date: ??? ??, ????
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=???.??.??.??, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=???.??.??.??, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
  4. Confirm that the certificate chain length is 1 and that all entries on the Owner: and Issuer: lines match.

If either is not the case, then your CloudBees CD (CloudBees Flow) server is not configured in the standard way with a self-signed certificate. Instead, you must follow the certificate issuer chain to the public root certificate of your certificate authority and export or otherwise obtain it (unless it is a commercial certificate authority that the ISPW server already trusts).

  5. Confirm that:

     • The CN value from the Owner: line (shown as ???.??.??.?? above) is a valid IP address, hostname, or fully qualified domain name that the ISPW server can use to reach the CloudBees CD (CloudBees Flow) server.

       If this is not the case, you must either provide the CloudBees CD (CloudBees Flow) server with a new certificate (see http://docs.electric-cloud.com/eflow_doc/6_2/Install/Mobile/Advanced/Content/Install%20Guide/troubleshooting/5ecCertificates.htm) or modify your network setup to match the value.

     • The CN value from the Owner: line matches the CloudBees CD (CloudBees Flow) Administration server setting named Server IP address (which can be an IP address, a hostname, or a fully qualified domain name).

       If this is not the case, change the value of Server IP address to match. You can view or change this setting by opening the Automation Platform at https:///commander and clicking Administration > Server > Settings.
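As an added example that is not part of this article, the following POSIX shell script applies the checks of this section to saved keytool -list -v output: it reports whether the listing shows a single self-signed certificate whose CN matches the address the ISPW server will use, and otherwise names the remedy given above. The sample listings, the example host names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the KB article: applies the "Checking" steps to
# keytool -list -v output read from stdin, e.g.
#   keytool -list -v -keystore keystore -storepass <password> | check_self_signed <address>

# Print the CN component of an "Owner:" or "Issuer:" line.
dn_cn() {
  printf '%s\n' "$1" | sed -n 's/^[A-Za-z]*: *CN=\([^,]*\).*/\1/p'
}

# check_self_signed <expected-cn>   (keytool -list -v output on stdin)
check_self_signed() {
  expected_cn=$1
  listing=$(cat)
  chain=$(printf '%s\n' "$listing" | sed -n 's/^Certificate chain length: *//p' | head -n 1)
  owner=$(printf '%s\n' "$listing" | grep '^Owner:' | head -n 1)
  issuer=$(printf '%s\n' "$listing" | grep '^Issuer:' | head -n 1)
  ks_alias=$(printf '%s\n' "$listing" | sed -n 's/^Alias name: *//p' | head -n 1)
  if [ "$chain" != "1" ]; then
    echo "chain length is '${chain:-missing}', not 1: not the standard self-signed setup" >&2
    return 1
  fi
  if [ "${owner#Owner:}" != "${issuer#Issuer:}" ]; then
    echo "Owner and Issuer differ: install your CA's root certificate on the ISPW server instead" >&2
    return 1
  fi
  cn=$(dn_cn "$owner")
  if [ "$cn" != "$expected_cn" ]; then
    echo "CN '$cn' is not '$expected_cn': fix the certificate, network name or Server IP address setting" >&2
    return 1
  fi
  echo "OK: alias '$ks_alias' holds a self-signed certificate for CN=$cn"
}

# Constructed sample of a standard self-signed CloudBees CD listing (trimmed).
SAMPLE_SELF_SIGNED='Alias name: jetty
Certificate chain length: 1
Certificate[1]:
Owner: CN=123.45.67.89, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=123.45.67.89, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown'

# Constructed sample of a CA-issued certificate, which needs the CA root instead.
SAMPLE_CA_ISSUED='Alias name: jetty
Certificate chain length: 2
Owner: CN=flow.example.com, O=Example Corp, C=US
Issuer: CN=Example Internal CA, O=Example Corp, C=US'

printf '%s\n' "$SAMPLE_SELF_SIGNED" | check_self_signed 123.45.67.89
printf '%s\n' "$SAMPLE_CA_ISSUED" | check_self_signed flow.example.com || true
```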

Exporting the CloudBees CD (CloudBees Flow) Server Certificate Public Key from the Keystore

For this procedure, you will need the password for your CloudBees CD (CloudBees Flow) keystore again.

  1. Export the CloudBees CD (CloudBees Flow) server certificate by entering one of the following commands, again replacing passkey with your keystore password.

     • (Windows) Enter:

       "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -keystore keystore -storepass passkey -alias jetty -export -rfc -file electricflow.crt -v

     • (UNIX) Enter:

       /opt/electriccloud/electriccommander/jre/bin/keytool -keystore keystore -storepass passkey -alias jetty -export -rfc -file electricflow.crt -v

  2. Copy the electricflow.crt file to your ISPW server.

Setting up Compuware ISPW for Outbound HTTPS

Compuware’s ISPW makes its web callbacks via Compuware Enterprise Services (CES). For outbound HTTPS traffic, CES uses the Java keystore determined by the $JAVA_HOME path. $JAVA_HOME is defined with the other environment variables on the STDENV DD statement of the Job Control Language (JCL).

The keystore (cacerts) is in the $JAVA_HOME/lib/security directory, and the default password is changeit.

  1. On the ISPW server, set your path so you can run the keytool commands by entering:

    export PATH=$JAVA_HOME/bin:$PATH

  2. Import the certificate public key that you copied from the CloudBees CD (CloudBees Flow) server by entering:

    keytool -import -alias electricflow -file electricflow.crt -keystore cacerts -storepass changeit

For example, enter:

UVWXYZ0:/Z21F/usr/lpp/java/J8.0_64/lib/security: >keytool -import -alias electricflow -file electricflow.crt -keystore cacerts -storepass changeit

Output similar to the following appears:

Owner: CN=123.45.67.89, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=123.45.67.89, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 2111e237
Valid from: 10/10/17 6:52 PM until: 10/8/27 6:52 PM
Certificate fingerprints:
         MD5: 55:7D:E6:1C:1F:91:8A:CB:99:A8:C3:76:94:66:BB:E4
         SHA1: 71:D9:F9:AE:41:59:36:81:88:89:95:E4:F2:26:61:16:AC:4B:23:2A
         SHA256: C1:97:4E:A4:9E:FD:43:9A:EA:01:05:D7:9A:4E:71:67:C8:CE:23:A0:BC:18:30:B1:70:CB:FB:44:04:2A:F8:FF
         Signature algorithm name: SHA256withRSA
         Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: f6 45 fe 47 f7 cc 9f e7 81 b9 ce 6c 37 c7 d9 db .E.G.......l7...
0010: 6b dd 9b 62                                        k..b
]
]
Trust this certificate? [no]: yes
  3. When you are prompted whether to trust the certificate, reply with yes.
