Description
Enabling certificate verification between the CloudBees CD (CloudBees Flow) Server and Agent processes when communicating over SSL.
Solution
The following solution describes how to make the agent accept connections from hosts that present a certificate signed by a private certificate authority (CA) only.
Assuming the following directories are set up to point to wherever the CloudBees CD (CloudBees Flow) server is actually installed:
set PROGDIR=c:\Program Files\Electric Cloud\ElectricCommander set DATADIR=c:\Documents and Settings\All Users\Application Data\Electric Cloud\ElectricCommander set CADIR=%TEMP%\ssl-ca PATH=%PROGDIR%\bin;%PROGDIR%\jre\bin;%PATH%
Create a certificate authority
-
Copy
ssl-ca.conf
into%CADIR%
:
# $Id: openssl.cnf,v 1.2 2004/01/22 19:27:32 jmates Exp $ # # OpenSSL configuration file for custom Certificate Authority. Use a # different openssl.cnf file to generate certificate signing requests; # this one is for use only in Certificate Authority operations (csr -> # cert, cert revocation, revocation list generation). # # Be sure to customize this file prior to use, e.g. the commonName and # other options under the root_ca_distinguished_name section. HOME = . RANDFILE = $ENV::HOME/.rnd [ ca ] default_ca = CA_default [ CA_default ] dir = . # unsed at present, and my limited certs can be kept in current dir #certs = $dir/certs new_certs_dir = $dir/newcerts crl_dir = $dir/crl database = $dir/index certificate = $dir/ca-cert.pem serial = $dir/serial crl = $dir/ca-crl.pem private_key = $dir/private/ca-key.pem RANDFILE = $dir/private/.rand x509_extensions = usr_cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default cert_opt = ca_default default_crl_days= 30 default_days = 365 # if need to be compatible with older software, use weaker md5 default_md = sha1 # MSIE may need following set to yes? preserve = no # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_anything # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 2048 default_keyfile = ./private/ca-key.pem default_md = sha1 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = v3_ca # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings # so use this option with caution! string_mask = nombstr # req_extensions = v3_req [ root_ca_distinguished_name ] commonName = EC CA countryName = US stateOrProvinceName = California localityName = Mountain View 0.organizationName = Electric Cloud emailAddress = sandman@electric-cloud.com [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always nsCaRevocationUrl = https://www.sial.org/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:true [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always
Update the values in the root_ca_distinguished_name section in ssl-ca.conf
to reflect the organization’s name.
-
Initialize the CA
cd %CADIR% mkdir crl newcerts private touch index echo 01>serial openssl req -nodes -config ssl-ca.conf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM openssl x509 -in ca-cert.pem -out ca-cert.der -outform der
If "touch" is not available, just create an empty index file. To do this from the Windows command prompt:
fsutil file createnew junk 0
Configure the server for certificate verification
-
Generate a new self-signed server certificate
cd %DATADIR%\server\conf del keystore keytool -genkey -keystore keystore -storepass
This code prompts for a number of values that must be set to values appropriate for the organization.
For example:What is your first and last name? [Unknown]: chronic3.electric-cloud.com # This should be the server host What is the name of your organizational unit? [Unknown]: What is the name of your organization? [Unknown]: Electric Cloud What is the name of your City or Locality? [Unknown]: Menlo Park What is the name of your State or Province? [Unknown]: CA What is the two-letter country code for this unit? [Unknown]: US Is CN=chronic3.electric-cloud.com, OU=Unknown, O=Electric Cloud, L=Menlo Park, ST=CA, C=US correct? [no]: yes Enter key password for (RETURN if same as keystore password):
-
Sign the server certificate with the CA key
keytool -certreq -keystore keystore -storepass >server.csr cd %CADIR% openssl ca -batch -config ssl-ca.conf -in "%PROGDIR%\server\conf\server.csr" -out "%PROGDIR%\server\conf\server.pem" cd %PROGDIR%\server\conf openssl x509 -in server.pem -out server.der -outform der
-
Import the CA certificate and signed server certificate into the keystore
keytool -import -keystore keystore -storepass -file %CADIR%\ca-cert.der -trustcacerts -alias cacert keytool -import -keystore keystore -storepass -file server.der
-
Restart the server
Configure the agent for certificate verification
-
Add the private CA certificate to the trusted CA list for the agent
copy ca-cert.pem "%DATADIR%\conf\agent_trust.crt"
-
Enable certificate verification in the agent
Edit%DATADIR%\conf\agent.conf
to contain (update paths as necessary):keyFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent.key certFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent.crt verifyPeer = true caFile = c:/Documents and Settings/All Users/Application Data/Electric Cloud/ElectricCommander/conf/agent_trust.crt
-
Restart the agent