Configure CloudBees CI (CloudBees Core) with Google’s Cloud Identity Secure LDAP

Article ID:360018132372
3 minute readKnowledge base


  • How do I setup CloudBees Core to work with Google’s Cloud Identity secure LDAP?



Add CloudBees Core as a LDAP Client in Cloud Identity

1 . Follow the steps on Google’s Cloud Identity Help site to add CloudBees Core as a client. Download the client certificate and private key. Record the access credentials.

Add the Client Certificate

2 . Convert the client certificate and private key to PKCS 12 format with openssl.

openssl pkcs12 -export -in <client-cert>.crt -inkey <private-key>.key -out <pkcs12>.p12

3 . Connect to your Kubernetes cluster that is hosting your CloudBees Core Operations Center. Follow your Kubernetes service provider instructions for authenticating and connecting to your cluster.

4 . Copy the resulting PKCS 12 file to the CloudBees Core Operations Center pod.

cp <pkcs12>.p12 <namespace>/<cloudbees-operation-center-pod>:/var/jenkins_home/.keystore/Google_2021_10_03_19352.p12


cp ~/Google_2021_10_03_19352/Google_2021_10_03_19352.p12 goog-sec-ldap/cloudbees-core-1-cjoc-0:/var/jenkins_home/.keystore/Google_2021_10_03_19352.p12

5 . Start a shell on the CloudBees Core Operations Center (CJOC) pod.

kubectl exec -it <cjoc-pod> -n <namespace> -- /bin/bash


kubectl exec -it cloudbees-core-1-cjoc-0 -n goog-sec-ldap -- /bin/bash

6 . Determine the JENKINS_HOME.


This is typically /var/jenkins_home.

7 . Change directory to JENKINS_HOME.


8 . Use keytool to create a new keystore and import your client cert and private key.

keytool -importkeystore -srckeystore <pkcs12>.p12 -srcstoretype PKCS12 -destkeystore keystore.jks


keytool -importkeystore -srckeystore Google_2021_10_03_19352.p12 -srcstoretype PKCS12 -destkeystore keystore.jks

Add the Cloud Identity LDAP Server Certificate

9 . In order to add the Cloud Identity server certificate, we need to add it to a custom keystore. If one already exists use that. Otherwise, create a new custom keystore.

cp $JAVA_HOME/jre/lib/security/cacerts $CUSTOM_KEYSTORE

10 . Use keytool to get the Cloud Identity LDAP server certificate and the add the contents to a file.

keytool -printcert -rfc -sslServer

11 . Copy your Cloud Identity LDAP server certificate to JENKINS_HOME.

12 . Import your certificate into the custom keystore.

$JAVA_HOME/bin/keytool -keystore $JENKINS_HOME/.keystore/cacerts \ -import -alias <an alias name> -file <LDAP server certificate>

Configure the CloudBees Core to Use the New Keystores

13 . You will now need to set CloudBees Core to use the new keystores. Exit the bash shell to return to your terminal.

14 . Using kubectl, add the following additional Java arguments by modifying the CJOC statefulset.

15 . List your statefulsets.

kubectl get statefulsets -n <namespace>


kubectl get statefulsets -n goog-sec-ldap
NAME                    AGE
cloudbees-core-1-cjoc   1h

16 . Now edit the CJOC statefulset.

kubectl edit statefulset <cjoc statefulset> -n <namespace>


kubectl edit statefulset cloudbees-core-1-cjoc -n goog-sec-ldap

17 . Under the JAVA_OPTS environment variable, add the following.$JENKINS_HOME/.keystore/cacerts<password><password>


- name: JAVA_OPTS
  value: -XshowSettings:vm

Restart the CloudBees Core Operations Center (CJOC) Pod

18 . Delete the cjoc pod to restart it.

kubectl delete pod <cjoc pod> -n=<namespace>


kubectl delete pod cloudbees-core-1-cjoc-0 -n=goog-sec-ldap

19 . Validate that the new cjoc pod is using the new Java options.

kubectl get pod <cjoc pod> -n=<namespace> -o yaml


kubectl get pod cloudbees-core-1-cjoc-0 -n=goog-sec-ldap -o yaml

Configure LDAP

20 . Log into CloudBees Core and go to Manage Jenkins.

21 . Go to Configure Global Security.

22 . Under Security Realm, select LDAP.

23 . Enter ldaps:// for the server.

24 . Under advanced configuration, enter the root DN.

24 . Add additional user or group values as required by your LDAP configuration.

25 . Add the access credentials to the Manager DN and password.

26 Test a LDAP user and save the configuration.

Tested product/plugin versions

  • CloudBees Core

  • LDAP Plugin 1.2.0

  • Google Cloud Identity Secure LDAP 11/8/2018 Release