This document describes how to copy the public key of a self-signed CA certificate from the CloudBees CD (CloudBees Flow) server and install it into a Compuware ISPW server so that ISPW can make secure HTTPS callbacks to the CloudBees CD (CloudBees Flow) server. The CloudBees CD (CloudBees Flow) server uses the EC-ISPW plugin to trigger ISPW operations by calling the REST interface of an ISPW server. Several of the available operations are asynchronous: The REST call returns as soon as the operation initiates successfully, and then the ISPW server makes a callback when the operation finishes.
By default, the CloudBees CD (CloudBees Flow) EC-ISPW plugin configures these web callbacks to call back to the setProperty REST interface of the CloudBees CD (CloudBees Flow) server. When a callback occurs, the ISPW server acts as a REST client to the CloudBees CD (CloudBees Flow) server, which means that it needs to supply credentials to log in to CloudBees CD (CloudBees Flow). So that these credentials travel securely across an untrusted network, the ISPW-to-CloudBees CD (CloudBees Flow) web requests are made via HTTPS to port 8443 (by default) of the CloudBees CD (CloudBees Flow) server.
By default, the CloudBees CD (CloudBees Flow) server uses a self-signed certificate for HTTPS on port 8443. So that the ISPW server can open the HTTPS connection to this port, it must have the CloudBees CD (CloudBees Flow) server self-signed certificate’s public key installed as a trusted certificate authority.
Checking the CloudBees CD (CloudBees Flow) Server Certificate
For this procedure, you will need the password for your CloudBees CD (CloudBees Flow) keystore. The default password is abcdef.
- Go to your CloudBees CD (CloudBees Flow) server’s configuration folder.
  - (Windows) By default, this folder is:
    C:\ProgramData\Electric Cloud\ElectricCommander\conf
  - (UNIX) By default, this folder is:
    /opt/electriccloud/electriccommander/conf
- Query the contents of the Java keystore file by entering one of the following commands.
  - (Windows) Enter:
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -list -v -keystore keystore -keypass passkey
  - (UNIX) Enter:
    /opt/electriccloud/electriccommander/jre/bin/keytool -list -v -keystore keystore -keypass passkey
- Examine the output for lines similar to the following:
    Alias name: jetty
    Creation date: ??? ??, ????
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=???.??.??.??, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=???.??.??.??, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
- Confirm that the certificate chain length is 1 and that all entries on the Owner: and Issuer: lines match.
  If both are not the case, then your CloudBees CD (CloudBees Flow) server is not configured in the standard way with a self-signed certificate. Instead, you must follow the certificate issuer chain to the public root certificate of your certificate authority and export or otherwise obtain it (unless it is a commercial certificate authority that is already trusted by the ISPW server).
- Confirm that:
  - The CN value from the Owner: line (shown as ???.??.??.?? above) is a valid IP address, hostname, or fully-qualified domain name that the ISPW server can use to reach the CloudBees CD (CloudBees Flow) server. If this is not the case, you must either provide the CloudBees CD (CloudBees Flow) server with a new certificate or modify your network setup to match the value.
  - The CN value from the Owner: line matches the CloudBees CD (CloudBees Flow) Administration server setting named Server IP address (which could be either an IP address, a hostname, or a fully-qualified domain name). If this is not the case, change the value of Server IP address to match. You can view or change this setting by opening the Automating Platform at https://yourCDServer/commander and clicking Administration > Server > Settings.
Exporting the CloudBees CD (CloudBees Flow) Server Certificate Public Key from the Keystore
For this procedure, you will need the password for your CloudBees CD (CloudBees Flow) keystore again.
- Export the CloudBees CD (CloudBees Flow) server certificate by entering one of the following commands.
  - (Windows) Enter:
    "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\keytool" -keystore keystore -keypass passkey -alias jetty -export -rfc -file electricflow.crt -v
  - (UNIX) Enter:
    /opt/electriccloud/electriccommander/jre/bin/keytool -keystore keystore -keypass passkey -alias jetty -export -rfc -file electricflow.crt -v
- Copy the electricflow.crt file to your ISPW server.
Setting up Compuware ISPW for Outbound HTTPS
Compuware’s ISPW makes its web callbacks via Compuware Enterprise Services (CES). For outbound HTTPS traffic, CES uses the Java keystore determined by the $JAVA_HOME path. $JAVA_HOME is defined with the other environment variables on the STDENV DD statement of the Job Control Language (JCL).
The keystore (cacerts) is in the $JAVA_HOME/lib/security directory, and the default password is changeit.
- On the ISPW server, set your path so you can run the keytool commands by entering:
    export PATH=$JAVA_HOME/bin:$PATH
- Import the certificate public key that you copied from the CloudBees CD (CloudBees Flow) server by entering:
    keytool -import -alias electricflow -file electricflow.crt -keystore cacerts -storepass changeit
  For example, enter:
    UVWXYZ0:/Z21F/usr/lpp/java/J8.0_64/lib/security: >keytool -import -alias electricflow -file electricflow.crt -keystore cacerts -storepass changeit
  Output similar to the following appears:
    Owner: CN=123.45.67.89, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=123.45.67.89, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: 2111e237
    Valid from: 10/10/17 6:52 PM until: 10/8/27 6:52 PM
    Certificate fingerprints:
         MD5: 55:7D:E6:1C:1F:91:8A:CB:99:A8:C3:76:94:66:BB:E4
         SHA1: 71:D9:F9:AE:41:59:36:81:88:89:95:E4:F2:26:61:16:AC:4B:23:2A
         SHA256: C1:97:4E:A4:9E:FD:43:9A:EA:01:05:D7:9A:4E:71:67:C8:CE:23:A0:BC:18:30:B1:70:CB:FB:44:04:2A:F8:FF
    Signature algorithm name: SHA256withRSA
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: f6 45 fe 47 f7 cc 9f e7 81 b9 ce 6c 37 c7 d9 db  .E.G.......l7...
    0010: 6b dd 9b 62                                        k..b
    ]
    ]
    Trust this certificate? [no]: yes
- When you are prompted whether to trust the certificate, reply with yes.