KBEC-00217 - CloudBees CD (CloudBees Flow) server SSL configuration

Problem

This article describes how to replace the server certificate if it fails the security scan.

Description

There are three relevant configuration entries in the server/conf/commander.properties file:

COMMANDER_HTTPS_PORT=8443
COMMANDER_KEYSTORE=conf/keystore
COMMANDER_KEYSTORE_PASSWORD=abcdef▼

COMMANDER_HTTPS_PORT configures the SSL port.
COMMANDER_KEYSTORE is the location of the java keystore where the Commander HTTP server finds its host certificate
COMMANDER_KEYSTORE_PASSWORD is the password to the keystore

Solution

Follow these steps to generate and inject a self-signed certificate for 1 year.

1) Back up the keystore file.

2) Delete the original key.

atumarkin@ATUMARKIN /cygdrive/c/ProgramData/Electric Cloud/ElectricCommander/conf

$ "c:/Program Files/Electric Cloud/ElectricCommander/jre/bin/keytool" -delete -alias jetty -keystore keystore -keypass passkey
Enter keystore password: abcdef

3) Generate and inject a new certificate.

atumarkin@ATUMARKIN /cygdrive/c/ProgramData/Electric Cloud/ElectricCommander/conf

$ "c:/Program Files/Electric Cloud/ElectricCommander/jre/bin/keytool" -keystore keystore -alias jetty -genkey -keyalg RSA -sigalg MD5withRSA -validity 365
Enter keystore password: abcdef
What is your first and last name?
 [Unknown]: localhost
What is the name of your organizational unit?
 [Unknown]:
What is the name of your organization?
 [Unknown]:
What is the name of your City or Locality?
 [Unknown]:
What is the name of your State or Province?
 [Unknown]:
What is the two-letter country code for this unit?
 [Unknown]:
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct
?
 [no]: yes

Enter key password for
 (RETURN if same as keystore password):

4) Restart the server.

Your new certificate will look something like this:

atumarkin@ATUMARKIN /cygdrive/c/ProgramData/Electric Cloud/ElectricCommander/conf

$ "c:/Program Files/Electric Cloud/ElectricCommander/jre/bin/keytool" -list -v -keystore keystore -keypass passkey
Enter keystore password: abcdef

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: jetty
Creation date: Jan 31, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 4f28603f
Valid from: Tue Jan 31 13:42:23 PST 2012 until: Wed Jan 30 13:42:23 PST 2013
Certificate fingerprints:
 MD5: 38:50:CD:29:8C:16:3A:78:29:0F:45:56:E0:CA:42:D9
 SHA1: 9B:A3:E4:EA:A7:C0:3A:ED:BF:63:24:18:F0:08:78:22:59:85:BC:8A
 Signature algorithm name: MD5withRSA
 Version: 3


*******************************************
*******************************************

References

Background on configuring a java keystore: https://eclipse.dev/jetty/documentation/jetty-11/operations-guide/index.html#og-keystore
- Discusses how to generate and import a key into the keystore (self-signed)
Background on the java keytool and keystore: https://download.oracle.com/javase/1.5.0/docs/tooldocs/windows/keytool.html
- More information on how to generate a keyrequest, sign it with an external PKI, etc.