Installation on Kubernetes (PREVIEW)
Introduction
Special-case installations
Installer options
Server topology best practices
Pre-installation checklist
Default installation directories
IntroductionExpress serverAdvanced serverExpress agentExpress Agent-onlyAdvanced Agent-onlyDevOps Insight Server
IntroductionExpress serverAdvanced serverExpress AgentExpress Agent-only (standalone)Advanced Agent-only (standalone)DevOps Insight server installation
IntroductionSilent install overviewSilent install argumentsLinux installation examplesWindows installation examplesLinux repository server installation exampleWindows repository server installation exampleWindows or Linux DevOps Insight server installation example
IntroductionUNIX agent interactive command-lineUNIX agent unattended
IntroductionPrerequisitesPermissionsInstalling via the web interfaceInstalling via the API
Moving the artifact repository in Linux
Moving the artifact repository in Windows
Connecting Flow to a Microsoft SQL server
Installing the MySQL JDBC driver
IntroductionUninstalling CloudBees Flow on Linux, Unix, or macOSUninstalling CloudBees Flow on WindowsUninstalling the CloudBees Flow DevOps Insight Server on LinuxUninstalling the CloudBees Flow DevOps Insight Server on Windows
Signing in to Flow
IntroductionThe Default Zone and Gateways to Remote ZonesApplying an Enterprise License KeyExternal Database ConfigurationConfiguring CloudBees Flow to Use an Alternate DatabaseConfiguring Server and Agent Services Autostart for Non-Root/Non-sudo Linux InstallationsUniversal Access to the Plugins DirectoryConfiguring Single Sign-OnEnvironment Proxy Server ConfigurationIncreasing File Descriptors on LinuxAdjusting Swappiness on LinuxSetting Variables on Windows Agent MachinesConfiguring Kibana to Work With DevOps Insight
IntroductionArchitecture of a CloudBees Flow ClusterResource, agent, and procedure considerationsSoftware for clusteringDependencies for clusteringConfiguring clusteringSeparating agents from flow serversPreparing your cluster resourcesInstalling and configuring a load balancerInstalling zooKeeperConfiguring a multi-zookeeper clusterInstalling Flow softwareConfiguring repository serversConfiguring machines to operate in clustered modeRunning a cluster in single-server modeAdding the configuration to zookeeperUploading configuration files to zookeeperGetting Information on the Flow server cluster from zookeeperAdding a node to an existing clusterConfiguring web server propertiesConfiguring repository server propertiesConfiguring Flow agentsConfiguring the cluster workspaceConfiguring Flow repositoriesAdding trusted agents to clustersVerifying Flow servicesAccessing Flow with clusteringHealth check for the Flow clusterAdditional Ways to improve a clusterInstalling the DevOps Insight server in cluster modeDisaster recovery
IntroductionCloudBees Flow server backupsRestoring a Flow ServerSwitching to an alternate databaseSwitching to the built-in databaseMaintaining DevOps Insight server dataApache web server or agent certificatesUsing chkconfigStarting and stopping servers and agents manuallyCollecting Flow logsWeb interface online help system
IntroductionCloudBees Flow ArchitectureRoadmap to CloudBees FlowPlugins and Cloudbees Field-Contributed SolutionsGuided Tutorials
IntroductionSigning in to CloudBees FlowHome PagePersonasAccess ControlMy Work DashboardObject List LayoutObject SchedulesPaginationSearching and FilteringHierarchy MenuProperty BrowserProjects in CloudBees FlowObject Tags
IntroductionApplications and ProcessesEnvironmentsCreating or Editing a Project in the Deploy Web UIParametersMaster ComponentsMaster Component ExamplesMaster Components List UIArtifact StagingRollbackManaging Application or Microservice DependenciesManual Steps and TasksProcess BranchingProperty Reference Use CaseSnapshotsInventory TrackingEnvironment InventoryMicroservice Deployment Using ContainersDeployment PackagesDeployment StrategiesDeployment ExamplesAutomated Environment DiscoveryEnvironment ReservationsFull-Stack Dependency ViewConfiguration Drift
IntroductionGuidelines for Modeling and Deploying Applications in CloudBees FlowExamples: Modeling and Deploying ApplicationsExample: Manual Step with Runtime ParametersAttaching Credentials to Application and Component ProcessesPlugin Process StepsAdding Process Steps
IntroductionModeling Dynamic EnvironmentsDeploying Applications with Provisioned Cloud ResourcesRetiring Dynamic EnvironmentsDynamic Environment Example with Amazon and ChefDeveloper Task: Creating Custom Plugins
IntroductionPipeline stages and gatesPipeline access controlPipeline tasksEntry and exit gatesPipeline conditionsPipeline start and end stages and stage skippingWait dependenciesEvent-based triggers Pipeline UI
IntroductionDefining gate approvalsPipeline objects and conditionsPipeline stage summaryCredentials in pipelinesRunning pipelinesViewing pipeline runsTroubleshooting pipelines
IntroductionExample: Creating a manual task in a pipelineExample: plugin pipeline tasksExample: integrating test automation in release pipelinesExample: leveraging test data management and service virtualization in release pipelines
IntroductionRelease ConceptsRelease Planning, Scheduling, and TrackingRelease and Environment Reservations CalendarVisibility and Status of Release PipelinesRelease DefinitionRelease DashboardPlanned Versus Actual ViewPath to Production ViewRelease SummaryRunning and Ending Releases
Data Retention
IntroductionPerformance consequences of change trackingEstimating database growthBest practices for change trackingConfiguring change trackingSearching the change historyViewing the change historyModifying what you see in the change historyReverting changes to a tracked object and its tracked contentsExporting a previous state of a tracked object and its tracked contents
Self-Service Catalogs
IntroductionSetting Email NotificationsSelecting and Editing Email Messages for Application or Microservice Processes
Plugin list
Introduction
Build-Test Automation
IntroductionScenario 1 - Creating a simple procedureScenario 2 - Creating a procedure that uses an SCMScenario 3 - Notification, scheduling, and reportingScenario 4 - Multi-agent build and test
IntroductionAutomation Platform Home PageCustomizing the Automation Platform UIConfiguring CloudBees FlowUsing Cloudbees Flow in Your EnvironmentCloudBees Flow Installed Tools
IntroductionAccess ControlDefining entriesPrivileges - create new or edit existing privilegesArtifactsArtifact detailsCreate new or edit existing artifactArtifact versionsArtifact version detailsEdit an existing artifact versionRepositoriesCreate new or edit existing repositoriesEmail configurationsCreate new or edit existing email configurationsEmail NotifiersProcedure DetailsCreate new or edit existing procedureCreate new or edit existing stepPublish Artifact Version stepRetrieve Artifact Version stepSend Email stepNew Extract Preflight Sources stepParameter - create new or edit existing parameterProjectsCreate new or edit existing projectProject DetailsRun ProcedureCreate new or edit existing scheduleCreate new or edit existing credentialProperty - create new or edit existing propertyNested Property SheetReportsCreate a new reportSearching and FilteringSearch ResultsSource Control ConfigurationsCreate new or edit existing configurationsUsersUsers and GroupsCreate new or edit existing local userUser DetailsEdit User SettingsGroupsCreate new or edit existing groupGroup DetailsDirectory ProvidersCreate new or edit existing directory providersSingle Sign-OnTest Directory ProviderWorkflowsWorkflow Definition - create new or edit exiting workflow definitionWorkflow Definition DetailsRun WorkflowWorkflow DetailsWorkflow LogTransition WorkflowWorkspacesWorkspace - create new or edit existing workspaceWorkspace fileDatabase ConfigurationDefect Tracking ConfigurationsDefect Tracking - create new or edit existing configurationDefect Tracking ReportsEvent LogHome PageJob ConfigurationShortcutsJobs Quick ViewNew ReportJobsJob Step DetailsLicensesView LicenseImport LicensePlugin ManagerResources/PoolsResource PoolsResource Pool - create new or edit existing poolResource Pool DetailsZonesGatewaysServerSettings - edit existing property settings
IntroductionAccess ControlArtifact ManagementAuthenticating Users for LDAP and Active DirectoryAuto-DiscoveryDefect TrackingElectricSentryJob Step Execution EnvironmentPreflight BuildsPropertiesPostprocessorsReportsWorkflow OverviewWorkspaces and Disk Space Management
IntroductionAdding a Link to a JobCalling a SubprocedureChecking the Outcome of Preceding StepsConditional ExecutionCustom Parameter LayoutsEmail NotificationsExecuting Tasks on All Resources in a PoolFactory ProceduresPostp ExtensionPublishing and Retrieving an ArtifactReserving a Resource for the Job Step DurationRunning Steps in ParallelStep Timeouts and Steps That Always RunStoring and Retrieving Properties in a JobWorking with Properties Stored in a Procedure
Using Special Characters in Object Names

Configuring Single Sign-On

8 minute read

Single sign-on (SSO) allows a user to sign on with one set of credentials and gain access to multiple applications and services. SSO increases security and provides a better user experience for customers, employees, and partners by reducing the number of required accounts and passwords and providing simpler access to all the applications and services they need.

You can integrate CloudBees Flow with enterprise SSO using either Kerberos or Security Assertion Markup Language 2.0 (SAML 2.0), so that users are not presented with the CloudBees Flow sign-in screen when they want to take action in CloudBees Flow. SSO improves the end user experience, so that users do not need to remember multiple credentials or sign in multiple times. SSO also improves overall enterprise security, because most SSO solutions support features such as multifactor authentication and stricter password policies.

SSO setup is recommended for occasional CloudBees Flow users (that is, users who do not regularly spend long periods of time in CloudBees Flow). These end users typically use CloudBees Flow to start or check progress of releases, pipelines, or deployments, approve gates or complete manual tasks, look at dashboards, and so on.

Configuring Single Sign-On Using Kerberos

Kerberos is a network authentication protocol that works on the basis of tickets to allow nodes communicating over a nonsecure network to prove their identity to one another in a secure manner. Kerberos provides mutual authentication—both the user and the server verify each other’s identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication. Kerberos uses UDP port 88 by default.

Kerberos Single Sign-On Prerequisites

Before you configure single sign-on with Kerberos, make sure that:

  • Kerberos software is installed and configured on the server and client nodes.

  • Your system administrator has set up one or more Kerberos Key Distribution Centers (KDCs), and that each KDC is accessible from every node in your environment.

  • Kerberos client software is installed on all hosts that are involved in Kerberos authentication.

    This software is required to communicate with the KDC server but is not included in CloudBees Flow. A valid Kerberos configuration (such as a krb5.conf file) that includes information for how to connect to the KDC, realm, and domain must be provided for the client.

    Note that Windows clients have Kerberos authentication built into the authentication process, so there is no need for additional software.

Example Data for Kerberos Configuration

Component Value

Active Directory domain

 
example.com

Kerberos realm

 
example.com

CloudBees Flow web server service

 
efwebserver.example.com

CloudBees Flow web server Service Principal Name

 
HTTP/efwebserver.example.com@example.com

CloudBees Flow web server service account

 
efweb-krbsvc

CloudBees Flow server service

 
efserver.example.com

CloudBees Flow server Service Principal Name

 
HTTP/efserver.example.com@example.com

CloudBees Flow server service account

 
efserver-krbsvc

End-user account

 
bob

Configuring Kerberos with Active Directory

Before setting up your CloudBees Flow servers and CloudBees Flow web servers with single sign-on, Kerberos principals that are required for authentication must be configured with Active Directory. Administrator privileges are needed for the following procedures.

Creating an End-User Account in the Active Directory Domain

To create this account:

  1. Log into the domain controller as administrator.

  2. Create an account with a username (for example, bob ) and a password.

    An organization typically already has its end user set up in Active Directory.

Creating Service Accounts in the Active Directory Domain

Service accounts are used to run the services for the CloudBees Flow server and the CloudBees Flow web server. See Example Data for Kerberos Configuration above. You can run both services under the same account.

To set up these service accounts:

  1. Login to the domain controller as administrator.

  2. Create a user with a username and a password.

    Select the User cannot change password and Password never expires check boxes.

Configuring Service Accounts for Kerberos Delegation

Kerberos delegation allows an application (in this case, CloudBees Flow services) to reuse the end-user credentials to access resources hosted on a different server. Delegation is not enabled by default in Active Directory. This means that service accounts for the CloudBees Flow web server and server services need to be set up and trusted for delegation.

To set up Kerberos delegation:

  1. Login to the domain controller as administrator.

  2. Open the Windows Active Directory Users and Computers tool.

  3. Find the service account that you created (for example, efweb-krbsvc ).

  4. Open user properties and navigate to the Delegation tab.

  5. Select the Trust this user for delegation to any service (Kerberos only) option.

  6. Repeat these steps for the other service account that you created (for example, efserver-krbsvc ).

Mapping the User Accounts to Service Principal Names

Kerberos service principals for the CloudBees Flow web server and CloudBees Flow server services need to be created and associated with the service user accounts in Active Directory. This operation can be performed either through the Windows Active Directory Users and Computers administrator tool or through the setspn utility.

Using Windows Active Directory Users and Computers

  1. Log into the domain controller as administrator.

  2. Open the Windows Active Directory Users and Computers tool.

  3. Find the user account that you created (for example, efweb-krbsvc ).

  4. Open user properties and navigate to the Attribute Editor.

    If the Attribute Editor does not appear in the UI, open View > Advanced Features and then enable it.

  5. Select the servicePrincipalName attribute.

  6. Enter the value HTTP/efwebserver.example.com@example.com, where efwebserver.example.com is the fully qualified domain name (FQDN) for the web server node.

    When a load balancer is used for the web server, this value should be the FQDN of the load balancer.

  7. Repeat these steps for the CloudBees Flow server to associate the user account efserver-krbsvc to the service principal HTTP/efserver.example.com@example.com.

Using the setspn Utility

The setspn utility lets you manipulate Service Principal Names (SPNs) in Active Directory.

  1. Associate the Service Principal Name for the web server to its service account by entering:

    C:\ setspn -s `HTTP/efwebserver.example.com@example.com` efweb-krbsvc

  2. Associate the Service Principal Name for the CloudBees Flow server to its service account by entering:

    C:\ setspn -s `HTTP/efserver.example.com@example.com` efserver-krbsvc

Generating a Keytab File for CloudBees Flow Services

Keytab files need to be generated for the CloudBees Flow server and CloudBees Flow web server services. A keytab file stores the encryption keys for the Kerberos Services Principals (for example, HTTP/ efwebserver.example.com@example.com for a web server). The service account’s password is used to encrypt the entries in this file.

You can also generate a keytab file by using the Automation Platform UI. For details, see Single Sign-On.

To generate keytab files for the CloudBees Flow server and CloudBees Flow web server services:

  1. Create a keytab file for the CloudBees Flow server that will store the credentials or encryption keys for its Service Principal Name ( HTTP/efserver.example.com@example.com ) that is associated with the service account ( efserver-krbsvc ).

    To create a keytab file, enter the following ktpass command on domain controller node with administrative privileges:

    C:\ ktpass -princ HTTP/efserver.example.com@example.com -mapuser EXAMPLE\efserver-krbsvc -pass password -setpass -setupn +dumpsalt -crypto all -ptype KRB5_NT_PRINCIPAL -out efserver.keytab

    The password must match the one used to create the service account for the CloudBees Flow server.

  2. Create a keytab file for the CloudBees Flow web server that will store the credentials or encryption keys for its Service Principal Name ( HTTP/efwebserver.example.com@example.com ) that is associated with the service account ( efweb-krbsvc ).

    To create a keytab file, enter the following ktpass command on the domain controller node with administrator privileges:

    C:\ ktpass -princ HTTP/efwebserver.example.com@example.com -mapuser EXAMPLE\efweb-krbsvc -pass password -setpass -setupn +dumpsalt -crypto all -ptype KRB5_NT_PRINCIPAL -out efwebserver.keytab

    The password must match the one used to create the service account for the CloudBees Flow web server.

Configuring Web Browsers for Single Sign-On

This section shows individual end users how to configure their web browsers for Kerberos. So that users can access server resources that require Kerberos authentication, their browser must be enabled to send Kerberos credentials. CloudBees Flow supports the following browsers:

  • Google Chrome

  • Microsoft Internet Explorer

  • Mozilla Firefox

Configuring Chrome for Kerberos

On Windows:

Chrome on Windows should use Internet Explorer settings. For instructions, see Internet Explorer .

Ensure that the registry on your machine is properly set up. The recommended way to configure a policy on Windows is by using a Group Policy Object (GPO). However, on machines that are joined to an Active Directory domain, policy settings might also be stored in the registry under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER in the following paths:

  • Software\Policies\Google\Chrome\AuthServerWhitelist = efwebserver.example.com

  • Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist = efwebserver.example.com

For details, see https://dev.chromium.org/administrators/policy-list-3#AuthServerWhitelist and https://dev.chromium.org/administrators/policy-list-3#AuthNegotiateDelegateWhitelist .

On MacOS:

To configure Chrome for Kerberos on macOS, complete the following steps. The example below is for a user named bob :

  1. Enter:

    /usr/bin/defaults write /Users/bob/Library/Preferences/com.google.Chrome.plist AuthNegotiateDelegateWhitelist "efwebserver.example.com"

  2. Enter:

    /usr/bin/defaults write /Users/bob/Library/Preferences/com.google.Chrome.plist AuthServerWhitelist "efwebserver.example.com"

  3. Log out of your user account.

  4. Log back in, and run kinit bob@example.com.

    This generates a Kerberos ticket on your computer.

  5. Confirm by running the klist command.

    The list of Kerberos tickets appears.

  6. Shut down and restart Chrome.

For more information about Chrome setup for Kerberos, see https://www.jamf.com/jamf-nation/discussions/10688/chrome-and-kerberos-single-sign-on .

Following are common problems with Kerberos setup on Chrome on macOS:

  • SSO sign-in no longer works.

    Follow the steps below:

    1. Sign out of your user account and sign back in.

    2. On macOS, enter kinit bob@example.com and generate a ticket for the krbtgt account again.

    3. Ensure that the Kerberos ticket is not expired on your local machine.

      On macOS, run the klist command and see the Kerberos ticket expiry information.

  • SSO does not work on Chrome.

    Follow the steps below:

    1. Ensure that registry entries are correct as stated above.

    2. Ensure that there are no spaces before or after the name of the registry entry AuthNegotiateDelegateWhitelist.

Configuring Internet Explorer for Kerberos

To configure internet Explorer for Kerberos:

  1. Navigate to Settings  Internet Options  Security and select Custom Level.

  2. Under User Authentication  Logon, select Automatic logon only in Intranet zone.

  3. Click OK.

  4. On the Security tab, select Local Intranet, and then Sites.

  5. On the Sites popup window, select all options (this is default).

  6. Select Advanced button and add the CloudBees Flow web server FQDN to your local intranet zone.

  7. Select Add, and then Close.

Configuring Firefox for Kerberos

To configure Firefox for Kerberos:

  1. Navigate to the configuration editor.

  2. Select I accept the risk!. The list of preferences appears.

  3. Double-click the network.negotiate-auth.delegation-uris preference: enter the value for the CloudBees Flow web server FQDN. For example, enter efwebserver.example.com. This preference lists the sites for which the browser may delegate user authorization to the server.

  4. Double-click the network.negotiate-auth.trusted-uris preference: enter host or domain names (delimited by commas).

    You can use a wildcard for domain names by prefixing them with a dot. For example, .example.com. For the CloudBees Flow web server FQDN, you can provide the efwebserver.example.com value for this preference.

  5. Select OK, and then close the browser window.

Configuring CloudBees Flow for Single Sign-On in Kerberos

After single sign-on using Kerberos is installed and configured, and service accounts and Service Principal Names are created in Active Directory, you must enable it in CloudBees Flow. For details, see Single Sign-On.

End-User Login Flow for Single Sign-On in Kerberos

For information about how end users will sign in to CloudBees Flow using single sign-on with Kerberos, see Signing in to CloudBees Flow.

Configuring Single Sign-On Using SAML 2.0

SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, named an Identity Provider (such as Okta or OneLogin) and a SAML consumer (in this case, the CloudBees Flow software), named a Service Provider. SAML 2.0 enables web-based, cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user.

SAML does not require configuration that is specific to CloudBees Flow. However, you must configure CloudBees Flow itself to enable SAML, and you should also be aware of how end users will interact with the CloudBees Flow sign-in page when SAML is enabled as mentioned below.

Configuring CloudBees Flow for Single Sign-On in SAML

After single sign-on using SAML is installed and configured, you must enable it in CloudBees Flow. For details, see Single Sign-On.

End-User Sign-In Flow for Single Sign-On in SAML

For information about how end users will sign in to CloudBees Flow using single sign-on in SAML, see Signing in to CloudBees Flow.

Universal Access to the Plugins Directory
Environment Proxy Server Configuration