Description
Enabling certificate verification between the CloudBees CD (CloudBees Flow) Server and Agent processes when communicating over SSL.
Solution
The following solution describes how to make the agent accept connections from hosts that present a certificate signed by a private certificate authority (CA) only.
Assuming the following directories are set up to point to wherever the CloudBees CD (CloudBees Flow) server is actually installed:
set PROGDIR=c:\Program Files\Electric Cloud\ElectricCommander
set DATADIR=c:\Documents and Settings\All Users\Application Data\Electric Cloud\ElectricCommander
set CADIR=%TEMP%\ssl-ca
PATH=%PROGDIR%\bin;%PROGDIR%\jre\bin;%PATH%
Create a certificate authority
- Copy ssl-ca.conf into %CADIR%
Update the values in the root_ca_distinguished_name section in ssl-ca.conf
to reflect the organization’s name.
-
Initialize the CA
cd %CADIR% mkdir crl newcerts private touch index echo 01>serial openssl req -nodes -config ssl-ca.conf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM openssl x509 -in ca-cert.pem -out ca-cert.der -outform der
If “touch” is not available, just create an empty index file. To do this from the Windows command prompt:
fsutil file createnew junk 0
Configure the server for certificate verification
-
Generate a new self-signed server certificate
cd %DATADIR%\server\conf del keystore keytool -genkey -keystore keystore -storepass
This code prompts for a number of values that must be set to values appropriate for the organization.
For example:What is your first and last name? [Unknown]: chronic3.electric-cloud.com # This should be the server host What is the name of your organizational unit? [Unknown]: What is the name of your organization? [Unknown]: Electric Cloud What is the name of your City or Locality? [Unknown]: Menlo Park What is the name of your State or Province? [Unknown]: CA What is the two-letter country code for this unit? [Unknown]: US Is CN=chronic3.electric-cloud.com, OU=Unknown, O=Electric Cloud, L=Menlo Park, ST=CA, C=US correct? [no]: yes Enter key password for (RETURN if same as keystore password):
-
Sign the server certificate with the CA key
keytool -certreq -keystore keystore -storepass >server.csr cd %CADIR% openssl ca -batch -config ssl-ca.conf -in "%PROGDIR%\server\conf\server.csr" -out "%PROGDIR%\server\conf\server.pem" cd %PROGDIR%\server\conf openssl x509 -in server.pem -out server.der -outform der
-
Import the CA certificate and signed server certificate into the keystore
keytool -import -keystore keystore -storepass -file %CADIR%\ca-cert.der -trustcacerts -alias cacert keytool -import -keystore keystore -storepass -file server.der
-
Restart the server
Configure the agent for certificate verification
-
Add the private CA certificate to the trusted CA list for the agent
copy ca-cert.pem "%DATADIR%\conf\agent_trust.crt"
-
Enable certificate verification in the agent
Edit%DATADIR%\conf\agent.conf
to contain (update paths as necessary):keyFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent.key certFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent.crt verifyPeer = true caFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent_trust.crt
- Restart the agent
0 Comments