You can set up authentication and encryption based on Transport Layer Security (TLS) for communication between eMake and agents on Linux platforms. Authentication is bidirectional and mandatory if configured by either side—in other words, both eMake and the agent must provide credentials to the other party in the connection. If either party fails to provide credentials, if the credentials are invalid, or if the credentials are not acceptable for any reason, the connection between eMake and the agent is ended.
Both the eMake and the agent’s side of the connection configures the following attributes:
-
A certificate that identifies the principal—eMake or agent
-
A private key for the principal
-
A certificate authority chain that is used to verify the peer’s certificate
-
The list of common names and organizational units permitted to connect to the principal
The principal’s certificate and private key are from a single combined user-supplied PEM file; the certificate authority chain is taken from a single CA bundle file in PEM format. You provide the list of accepted common names (CNs) and organizational units (OUs) via a command-line argument.
Configuring eMake for TLS
Following are the eMake
command line options for enabling TLS. If you use TLS for eMake, you must configure all agent machines as well. For details about configuring agent machines, see Configuring agents for TLS.
Command-Line Option | Description |
---|---|
--emake-ssl-cacert=< path_to_PEM_file > |
Path to the certificate authority bundle file. For example, |
--emake-ssl-keystore=< path_to_PEM_file > |
Path to the combined certificate and keystore file used to identify eMake to agents. For example, |
-emake-ssl-allow=< acl > |
List of common names or organizational units (or both) that eMake will accept in agent certificates and thus permitted to connect to the agents, where |
Configuring agents for TLS
Following are the settings that specify the TLS command-line arguments to runagent
. If you use TLS for agents, you must configure eMake as well. For details about configuring eMake, see Configuring eMake for TLS.
The list of TLS options may be specified during installation as the Security Options
input or later using the ecconfig -security
command. If the the options are specified with ecconfig
, the agent service must be restarted after the options are modified.
Option | Description |
---|---|
-emakesecurity ssl |
(Required) Indicates that the agents on this machine will use SSL. |
-sslcacert < path_to_PEM_file > |
Path to your certificate authority bundle file. This file contains root and intermediate certificates that are needed to complete the end-entity certificate chain. This file must be in PEM format. |
-sslkeystore < path_to_PEM_file > |
Path to your agent-side combined certificate and keystore file to be used to identify eMake to agents. This file must be in PEM format. |
-sslallow < acl > |
List of common names or organizational units (or both) that eMake will accept in agent certificates and thus permitted to connect to the agents, where |
Here is an example of using `ecconfig` to set up agent to eMake TLS communication.
sudo ecconfig -security "-emakesecurity ssl -sslcacert cacert.pem -sslkeystore server-combined.pem -sslallow cn=eric,ou=accelerator"
You can use ecconfig
without options to check the values. Once the options are modified, the agent service must be started.
On Linux:
sudo /etc/init.d/ecagent restart
On Windows, open the Services control panel, select the CloudBees Build Acceleration Agent service, and choose Restart.