KBEC-00084 - Configuring agents to allow connections from one CloudBees CD (CloudBees Flow) server only

Article ID:360033194431

Description

How to enable certificate verification between the CloudBees CD (CloudBees Flow) server and agent processes when they communicate over SSL.

Solution

The following solution describes how to make the agent accept connections only from hosts that present a certificate signed by a private certificate authority (CA).

The steps below assume the following environment variables point to wherever the CloudBees CD (CloudBees Flow) server is actually installed:

set PROGDIR=c:\Program Files\Electric Cloud\ElectricCommander
set DATADIR=c:\Documents and Settings\All Users\Application Data\Electric Cloud\ElectricCommander
set CADIR=%TEMP%\ssl-ca
PATH=%PROGDIR%\bin;%PROGDIR%\jre\bin;%PATH%

Create a certificate authority

  • Save the following as ssl-ca.conf in %CADIR%:

# $Id: openssl.cnf,v 1.2 2004/01/22 19:27:32 jmates Exp $
#
# OpenSSL configuration file for custom Certificate Authority. Use a
# different openssl.cnf file to generate certificate signing requests;
# this one is for use only in Certificate Authority operations (csr ->
# cert, cert revocation, revocation list generation).
#
# Be sure to customize this file prior to use, e.g. the commonName and
# other options under the root_ca_distinguished_name section.

HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = .
# unused at present; the few certs issued here can be kept in the current dir
#certs          = $dir/certs
new_certs_dir   = $dir/newcerts
crl_dir         = $dir/crl
database        = $dir/index

certificate     = $dir/ca-cert.pem
serial          = $dir/serial
crl             = $dir/ca-crl.pem
private_key     = $dir/private/ca-key.pem
RANDFILE        = $dir/private/.rand

x509_extensions = usr_cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default
cert_opt        = ca_default

default_crl_days= 30
default_days    = 365
# sha1 signatures are deprecated and are refused by current OpenSSL releases
# at the default security level; use sha256.
default_md      = sha256
# MSIE may need following set to yes?
preserve        = no

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_anything

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 2048
default_keyfile         = ./private/ca-key.pem
# sha256 for the same reason as in CA_default above
default_md              = sha256

prompt                  = no
distinguished_name      = root_ca_distinguished_name

x509_extensions = v3_ca

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req

[ root_ca_distinguished_name ]
commonName = EC CA
countryName = US
stateOrProvinceName = California
localityName = Mountain View
0.organizationName = Electric Cloud
emailAddress = sandman@electric-cloud.com

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# Update or remove: this URL comes from the original template, not from your CA.
nsCaRevocationUrl               = https://www.sial.org/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

Update the values in the root_ca_distinguished_name section in ssl-ca.conf to reflect the organization’s name.

  • Initialize the CA

      cd %CADIR%
      mkdir crl newcerts private
      touch index
      echo 01>serial
      openssl req -nodes -config ssl-ca.conf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM
      openssl x509 -in ca-cert.pem -out ca-cert.der -outform der

    If "touch" is not available, just create an empty file named index. To do this from the Windows command prompt:

      fsutil file createnew index 0

Configure the server for certificate verification

  • Generate a new self-signed server certificate

      cd %DATADIR%\server\conf
      del keystore
      keytool -genkey -keyalg RSA -keystore keystore -storepass <keystore-password>

    Replace <keystore-password> with the keystore password; the same value is used in every keytool command below.
    -keyalg RSA is given explicitly because older keytool releases default to DSA, which current TLS stacks do not accept.
    This command prompts for a number of values that must be set to values appropriate for the organization.
    For example:

      What is your first and last name?
        [Unknown]:  chronic3.electric-cloud.com       # This should be the server host
      What is the name of your organizational unit?
        [Unknown]:
      What is the name of your organization?
        [Unknown]:  Electric Cloud
      What is the name of your City or Locality?
        [Unknown]:  Menlo Park
      What is the name of your State or Province?
        [Unknown]:  CA
      What is the two-letter country code for this unit?
        [Unknown]:  US
      Is CN=chronic3.electric-cloud.com, OU=Unknown, O=Electric Cloud, L=Menlo Park, ST=CA, C=US correct?
        [no]:  yes
    
      Enter key password for
              (RETURN if same as keystore password):
  • Sign the server certificate with the CA key

      keytool -certreq -keystore keystore -storepass <keystore-password> >server.csr
      cd %CADIR%
      openssl ca -batch -config ssl-ca.conf -in "%DATADIR%\server\conf\server.csr" -out "%DATADIR%\server\conf\server.pem"
      cd %DATADIR%\server\conf
      openssl x509 -in server.pem -out server.der -outform der

    The request and signed certificate live next to the keystore in %DATADIR%\server\conf, where the previous step created it.
  • Import the CA certificate and signed server certificate into the keystore

      keytool -import -keystore keystore -storepass <keystore-password> -file %CADIR%\ca-cert.der -trustcacerts -alias cacert
      keytool -import -keystore keystore -storepass <keystore-password> -file server.der
  • Restart the server

Configure the agent for certificate verification

  • Add the private CA certificate to the trusted CA list for the agent (if the agent runs on a different host, transfer ca-cert.pem to that host first)

      copy %CADIR%\ca-cert.pem "%DATADIR%\conf\agent_trust.crt"
  • Enable certificate verification in the agent
    Edit %DATADIR%\conf\agent.conf to contain (update paths as necessary):

      keyFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent.key
      certFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent.crt
      verifyPeer = true
      caFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent_trust.crt
  • Restart the agent
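A quick consistency check for the agent.conf settings above before the agent is restarted, written here as an added example (not CloudBees code): it parses the key = value lines, confirms verifyPeer is true and the three file paths exist, and flags a trust file that holds no PEM certificate (for example ca-cert.der copied instead of ca-cert.pem) or that holds a private key. The inputs built by demo() are constructed, PEM-shaped text, not real certificates.

```python
import os
import re
import tempfile

def parse_agent_conf(text):
    """Parse the 'key = value' lines of agent.conf; blanks and '#' comments are skipped."""
    pairs = (line.partition("=") for line in text.splitlines() if not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def check_agent_conf(conf_path):
    """Return a list of findings; an empty list means the agent will verify the server."""
    findings = []
    with open(conf_path, encoding="ascii", errors="replace") as fh:
        settings = parse_agent_conf(fh.read())
    if settings.get("verifyPeer", "").lower() != "true":
        findings.append("verifyPeer is not 'true': server certificates are not checked")
    for key in ("keyFile", "certFile", "caFile"):
        if not settings.get(key):
            findings.append(f"{key} is not set")
        elif not os.path.isfile(settings[key]):
            findings.append(f"{key} points to a missing file: {settings[key]}")
    ca = settings.get("caFile")
    if ca and os.path.isfile(ca):
        with open(ca, encoding="ascii", errors="replace") as fh:
            labels = re.findall(r"-----BEGIN ([A-Z ]+)-----", fh.read())  # PEM block labels
        if "CERTIFICATE" not in labels:
            findings.append("caFile holds no PEM certificate (ca-cert.der copied instead of ca-cert.pem?)")
        if any("PRIVATE KEY" in label for label in labels):
            findings.append("caFile holds a private key; only ca-cert.pem belongs in the trust file")
    return findings

def _write(directory, name, text):
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(text)
    return path

def demo():
    """Check a constructed good and a constructed bad agent.conf; returns both finding lists."""
    d = tempfile.mkdtemp()
    key = _write(d, "agent.key", "placeholder\n")  # contents are never inspected
    crt = _write(d, "agent.crt", "placeholder\n")
    # Constructed, PEM-shaped only: not a real certificate.
    trust = _write(d, "agent_trust.crt", "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
    good = _write(d, "good.conf", f"keyFile = {key}\ncertFile = {crt}\nverifyPeer = true\ncaFile = {trust}\n")
    # Bad: verifyPeer is missing and caFile points at the CA *key* instead of its certificate.
    leaked = _write(d, "ca-key.pem", "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")
    bad = _write(d, "bad.conf", f"keyFile = {key}\ncertFile = {crt}\ncaFile = {leaked}\n")
    return check_agent_conf(good), check_agent_conf(bad)
```

Run check_agent_conf() against the real %DATADIR%\conf\agent.conf path on the agent host; the check reads only PEM block labels, so it does not validate the chain itself (use openssl verify -CAfile agent_trust.crt server.pem for that).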