Tool Name | Description |
---|---|
A command-line tool used to manage the CloudBees Flow Certificate Authority (CA) and the certificates configured in CloudBees Flow Server and CloudBees Flow Agent installations. |
|
A command-line tool that can change configuration values for any locally installed CloudBees Flow server, web, agent, or repository service. |
|
A "wrapper" program that can be used to start another program from a CloudBees Flow job step—the "started" program will run as a daemon process. The CloudBees Flow agent uses the facilities of the underlying operating system to make sure the process runs in a separate process group on a UNIX-based system, or outside of the normal "Windows Job" grouping in a Windows system. In either case, the CloudBees Flow agent does not treat the process as one it should wait for or one it should try to "kill" if CloudBees Flow needs to abort the step. |
|
A driver script with built-in support for SSH. Every major operation can be overridden by defining a Perl function in the Proxy Customization field on the New Proxy Resource panel, available from the Resources page. |
|
When CloudBees Flow agents (on platforms other than Linux or Windows) run steps that create log files in a workspace the CloudBees Flow web server cannot access (through Linux or Windows agents), use ecremotefilecopy to recreate job logs so they are visible on those CloudBees Flow agents, which then enables the web server to retrieve and render those log files. |
|
A command-line tool that imports your CloudBees Flow database configuration information into your ZooKeeper server. |
|
A command-line tool that displays information on the running CloudBees Flow server cluster from ZooKeeper. |
eccert
A command-line tool used to manage the CloudBees Flow Certificate Authority (CA) and the certificates configured in CloudBees Flow Server and CloudBees Flow Agent installations.
Do not use eccert
as sudo
, which would change the ownership of the configuration files (such as the keystore file) to the root user. These files must be owned by the user who starts the CloudBees Flow services.
Commands
|
Add a server CA certificate to the agent’s keystore. |
|
Retrieve the contents of the current certificate revocation list. |
|
Initialize the agent keystore with a new public/private key pair. Generates the agent certificate signing request. If run on the server host, the certificate will automatically be signed by the server CA, and the CA certificate and the signed agent certificate are installed in the agent’s keystore. If run on a non-server host, the signing request is left in the agent directory. If CA Cert is provided, the CA certificate is installed in the agent’s keystore. |
Use the local server CA to sign the agent certificate. |
|
Connect to a remote CloudBees Flow server to sign the agent certificate. |
|
Replace any existing keystore. |
|
Use the specified name as the common name (CN) in the agent certificate subject. This is normally the fully qualified domain name used by clients to connect to the agent. |
|
Use the specified list of entries (comma or space separated) as the |
|
|
Initialize the server CA. Creates a new CA key and certificate. |
|
Initialize the server keystore. Creates and signs the server certificate. Installs the CA certificate and the signed server certificate into the server’s keystore. |
Replace any existing keystore. |
|
Use the specified name as the common name (CN) in the server certificate subject. This is normally the fully qualified domain name used by clients to connect to the server. |
|
Use the specified list of entries (comma or space separated) as the |
|
|
Display certificate information for agent and/or server keystores or the CA certificate index. If no options are specified, both the agent and server keystores are listed. |
List the contents of the agent keystore. |
|
List the contents of the server keystore. |
|
List the contents of the CA issued certificates index. |
|
Display additional details. |
|
|
Refresh the certificate revocation list from the CloudBees Flow server. |
|
Revoke a previously issued certificate by index. |
|
Sign the certificate signing request provided in file |
|
Install a previously signed certificate crt into the agent’s keystore. |
Examples
Example 1: Configure an agent to talk to any server (untrusted mode)
This example generates a new self-signed certificate for the agent and recreates the keystore with no trusted authorities.
$ eccert initAgent -force
Generating keys
Generating certificate request
cname=<myAgent.example.com
san=<dns:myAgent.example.com
Example 2: Configure an agent to accept connections only from a single remote CloudBees Flow server
This example generates a new certificate for the agent that is signed by the remove server’s certificate authority and installs the signed certificate and its associated trust chain in the agent’s keystore. After this point, the agent will only accept requests from the specified server and will be used as a trusted resource by the server.
$ ectool --server myserver login admin pw
$ eccert --server myserver initAgent -remote
Generating certificate request
cname=<myAgent.example.com
san=<dns:myAgent.example.com
Asking server 'myserver' to sign certificate
Importing 'CA:myserver.example.com' certificate
Importing 'jetty' certificate
Example 3: Configure a CloudBees Flow server with additional host names in the certificate
This example regenerates the CloudBees Flow Server Certificate, the specified common name, and alternate subject names to allow trusted connections with multiple external dns
names.
$ eccert initServer --force --cname "myServer.example.com" --altNames "myServer,server2.example.com"
Generating keys
Generating certificate request
cname=<myserver.example.com
san=<dns:myserver,dns:server2.example.com
Signing server certificate
Importing 'CA:myserver.example.com' certificate
Importing 'jetty' certificate
ecconfigure
A command-line tool for changing values in configuration files for any locally-installed CloudBees Flow server, web server, repository server, or agent. ecconfigure
is an easier way to configure CloudBees Flow settings than manually editing configuration files.
Agent Configuration Options
Option | Description |
---|---|
--agentAcceptQueueSize=max |
The maximum number of pending connections the agent will queue up. |
--agentArtifactCache=path |
The directory containing cached artifactVersions. |
--agentCaFile=path |
A single file containing multiple CA certificates. |
--agentCaPath=path |
A directory containing a file for every CA, where each file’s name is the CA subject name hash value. |
--agentCertFile=path |
Location of the certificate file used by the agent to support SSL connections from the server. |
--agentCrlFile=relativepath |
Relative path of the file containing the agent’s certificate revocation list for SSL. |
--agentDomainName=domain |
The domain name that the agent uses for fully-qualified names. |
--agentDuplicateDetectionListSize=size |
The size of the list of recently seen requests used in duplicate request detection. |
--agentEnableProxySettings=<1|0> |
Enable (1) or disable (0) the proxy server configuration. If enabling for the first time, --agentProxyHost and --agentProxyPort must be specified. |
--agentIdleConnectionTimeout=milliseconds |
Idle connection timeout, in milliseconds. |
--agentIdleOutboundConnectionTimeout=seconds |
Idle time after which an outbound connection is closed, in seconds. |
--agentIdlePostRunnerTimeout=seconds |
Idle time after which a PostRunner thread is terminated, in seconds. |
--agentIdleServerRequestWorkerTimeout=seconds |
Idle time after which a ServerRequestWorker thread is terminated, in seconds |
--agentIdleWorkerTimeout=seconds |
Idle time after which a Worker thread is terminated, in seconds. |
--agentInitMemory=percent |
Initial java heap size as a percentage of the total system memory. |
--agentInitMemoryMB=size |
Initial java heap size in MB. |
--agentKeyFile=path |
Location of the key file used by the agent to support SSL connections from the server. |
--agentKeystore=path |
Location of the keystore file used by the agent to support SSL connections from the server. |
--agentKeystorePassword=password |
Password used to access the agent’s keystore. |
--agentLoadProfile=<true|yes|1|false|no|0> |
Enable (1) or disable (0) loading the impersonated user’s profile for impersonation steps if on Windows. |
--agentLocalPort=port |
Port used by the Commander agent for http communication on the localhost network interface. |
--agentLogFile=path |
Path where the C++ agent log file should be written. |
--agentLogLevel=<TRACE|DEBUG|INFO|WARN|ERROR> |
Logging level used by the C++ portion of the agent. |
--agentLogMaxFiles=max |
Maximum number of log files the C++ agent will accrue. |
--agentLogMaxSize=max |
Maximum size of each log file from the C++ agent. The value may be suffixed with a unit (MB, KB, B). Without a unit, the value is interpreted as bytes. |
--agentMaxConnections=max |
Maximum number of network connections for the agent. |
--agentMaxConnectionsPerRoute=max |
Maximum number of network connections per route for the agent. |
--agentMaxHttpThreads=max |
Maximum number of threads for handling inbound requests. |
--agentMaxLoggedMessageLength=max |
Maximum message length, used when logging requests/ responses to/from the CloudBees Flow server. |
--agentMaxMemory=percent |
Maximum java heap size as a percentage of the total system memory. |
--agentMaxMemoryMB=size |
Maximum java heap size in MB. |
--agentNoProxyHosts=hosts |
Comma delimited list of hosts that should be reached directly, bypassing the proxy server. |
--agentOutboundConnectTimeout=milliseconds |
Timeout for the agent establishing outbound connections, in milliseconds. |
--agentOutboundRequestInitialRetryInterval=seconds |
Initial delay between retries for sending outbound requests to a server, in seconds. |
--agentOutboundRequestMaxRetryInterval=seconds |
Maximum delay between retries for sending outbound requests to a server, in seconds. |
--agentOutboundRequestTimeout=hours |
Timeout after which the agent gives up trying to send a request to a server, in hours. |
--agentPluginsDirectory=path |
The path used by the agent to get to the plugins directory of the CloudBees Flow server where its resource definition lies. |
--agentPort=port |
Port used by the Commander agent for https communication on any network interface. |
--agentProto=<http|https> |
Protocol used internally by the agent. |
--agentProtocol=<http|https> |
Protocol used by the agent. |
--agentProxyHost=host |
The IP address of the proxy server. |
--agentProxyPort=port |
The port of the proxy server. |
--agentServerConnectTimeout=seconds |
Socket connection timeout for outbound requests to a server, in seconds. |
--agentServerReadTimeout=seconds |
Socket read timeout for responses from a server, in seconds. |
--agentServerSessionsFile=relativepath |
Relative path to the persisted server sessions file. |
--agentTLSEnabledProtocol < protocols > |
Comma-delimited list of SSL/TLS protocols that will be allowed for agent connections using HTTPS. The possible values are any combination of The default security configurations are as follows:
We recommend removing the
|
--agentUnixShellPattern=pattern |
Windows-only: ordinarily, the agent creates script-files with CRLF line termination. But some shells on Windows require script files to be LF line-terminated, like Unix. This option sets a regular expression pattern for such shells. Defaults to a pattern that matches sh and |