KBEC-00084 - Configuring agents to allow connections from one CloudBees CD (CloudBees Flow) server only

Description

Enabling certificate verification between the CloudBees CD (CloudBees Flow) Server and Agent processes when communicating over SSL.

Solution

The following solution describes how to make the agent accept connections from hosts that present a certificate signed by a private certificate authority (CA) only.

Assuming the following directories are set up to point to wherever the CloudBees CD (CloudBees Flow) server is actually installed:


set PROGDIR=c:\Program Files\Electric Cloud\ElectricCommander
set DATADIR=c:\Documents and Settings\All Users\Application Data\Electric Cloud\ElectricCommander
set CADIR=%TEMP%\ssl-ca
PATH=%PROGDIR%\bin;%PROGDIR%\jre\bin;%PATH%

Create a certificate authority

Update the values in the root_ca_distinguished_name section in ssl-ca.conf to reflect the organization’s name.

  • Initialize the CA

    
cd %CADIR%
mkdir crl newcerts private
touch index
echo 01>serial
openssl req -nodes -config ssl-ca.conf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM
openssl x509 -in ca-cert.pem -out ca-cert.der -outform der

    If “touch” is not available, just create an empty index file. To do this from the Windows command prompt:

    
fsutil file createnew junk 0

Configure the server for certificate verification

  • Generate a new self-signed server certificate

    
cd %DATADIR%\server\conf
del keystore
keytool -genkey -keystore keystore -storepass

    This code prompts for a number of values that must be set to values appropriate for the organization.
    For example:

    
What is your first and last name?
  [Unknown]:  chronic3.electric-cloud.com       # This should be the server host
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:  Electric Cloud
What is the name of your City or Locality?
  [Unknown]:  Menlo Park
What is the name of your State or Province?
  [Unknown]:  CA
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=chronic3.electric-cloud.com, OU=Unknown, O=Electric Cloud, L=Menlo Park, ST=CA, C=US correct?
  [no]:  yes

Enter key password for 
        (RETURN if same as keystore password):

  • Sign the server certificate with the CA key

    
keytool -certreq -keystore keystore -storepass  >server.csr
cd %CADIR%
openssl ca -batch -config ssl-ca.conf -in "%PROGDIR%\server\conf\server.csr" -out "%PROGDIR%\server\conf\server.pem"
cd %PROGDIR%\server\conf
openssl x509 -in server.pem -out server.der -outform der

  • Import the CA certificate and signed server certificate into the keystore

    
keytool -import -keystore keystore -storepass  -file %CADIR%\ca-cert.der -trustcacerts -alias cacert
keytool -import -keystore keystore -storepass  -file server.der

  • Restart the server

Configure the agent for certificate verification

  • Add the private CA certificate to the trusted CA list for the agent

    
copy ca-cert.pem "%DATADIR%\conf\agent_trust.crt"

  • Enable certificate verification in the agent
    Edit %DATADIR%\conf\agent.conf to contain (update paths as necessary):

    
keyFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent.key
certFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent.crt
verifyPeer = true
caFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent_trust.crt
  • Restart the agent
Was this article helpful?
0 out of 0 found this helpful

Have more questions?

0 Comments

Please sign in to leave a comment.