Introduction
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionPre-installation requirementsInstallingVerifying Docker imagesUninstalling
IntroductionSystem requirementsVerifying Docker imagesInstalling operations centerInstalling client controllersVerifying build componentsVerifying WAR files
IntroductionHA (active/active) fundamentalsInstallation on modern cloud platforms (active/active)Installation on traditional platforms (active/active)HA (active/active) considerationsSpecific High Availability (active/passive) installation for CloudBees CI on traditional platforms
IntroductionWhat is FIPS and FIPS 140 compliance?Install CloudBees CI on modern cloud platforms in FIPS modeCAP plugin support in a FIPS 140-2 environmentConfigure the Apache™ Ant plugin for FIPS complianceConfigure the Pipeline Maven API plugin for FIPS complianceKnown FIPS incompatibilities with CloudBees CI on modern cloud platformsJenkins core: FIPS 140-2 compliant artifacts with caveatsJenkins core: Non-compliant classes and libraries
Introduction
IntroductionPipeline termsPipeline project typesCloudBees Pipeline benefits
IntroductionUsing Pipeline development utilitiesDetermining plugin compatibilityPipeline best practices
IntroductionPrerequisitesCreating your first PipelineSelecting agentsCreating Pipelines in SCMCreating Pipelines in Web UIUsing Pipeline as Code
IntroductionConfig Adv ScriptedConfig Build StageConfig Deploy StageConfig Optional Step ArgsConfig Test StageCreating JenkinsfileCustomizing ParametersHandling FailuresString InterpolationUsing Multiple AgentsWorking With The EnvReusing Configuration Files
IntroductionManaging artifactsTracing artifactsTriggering jobs with a simple webhookRestoring filesVisualizing PipelineInserting checkpointsSecuring PipelinesConfiguring Pipelines with user-scoped credentialsUsing Pipeline PoliciesSpecifying a matrix of one or more dimensionsConverting a Freestyle project to a Declarative PipelinePipeline builds and HA (active/active)
IntroductionRestarting aborted buildsLong-running buildsSkip next buildConsolidated Build View pluginCloudBees Quiet Start pluginCloudBees Template pluginCloudBees Workspace Caching
IntroductionTrigger a job with a notification event using Cross Team CollaborationEnable external notification events with external HTTP endpointsCluster-wide copy artifactsCluster-wide job triggers
IntroductionSetting up a Pipeline Template CatalogDefining Pipeline Template CatalogsSetting Up A Pipeline TemplateUsing parameters in template.yamlManaging multibranch Pipeline options in template.yamlManaging Pipeline Template Catalogs in bulkExample full Maven/Java app Jenkinsfile
IntroductionUsing Declarative Pipeline syntaxUsing Scripted Pipeline syntax
IntroductionBranch SourceBitbucketGitBranch Property StrategyExamples
CloudBees Docker Build and Publish pluginCloudBees Docker TraceabilityDocker Pipeline pluginCloudBees Docker Hub/Registry Notification plugin
Introduction
Introduction
IntroductionGetting startedNavigating the operations centerProvisioning managed controllers in multiple Kubernetes clustersProvisioning agents in a separate Kubernetes cluster from a managed controllerProvisioning a controller in a different namespace than the operations centerProvisioning a controller in a different OpenShift project than the operations centerManaging controllersManage controllers in specific Kubernetes namespacesMigrating an existing managed controller to High Availability (HA)Managing agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsChanging NFS storage locationQuiet startMove/Copy/PromoteCluster operationsInbound agentsUsing KanikoUsing Buildkit (docker buildx)Sidecar injector for self-signed certificates on KubernetesSidecar injector for self-signed certificates on OpenShiftUsing auto-scaling nodes on EKSUsing auto-scaling nodes on GKECloudBees Amazon Web Services Deploy EngineAmazon Web Services CLI PluginCloud Foundry CLI PluginIntegrate OpenShift CLIServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationCreate Multibranch Projects and Organization Folders with large repositoriesWikiText pluginController Lifecycle Notifications Plugin
IntroductionGetting startedNavigating the operations centerManaging client controllersMigrating from High Availability (active/passive) to High Availability (active/active) on CloudBees CI on traditional platformsManaging agentsShared agentsShared configurationShared cloud configurationTrigger restrictionsQuiet startMove/Copy/PromoteCluster operationsJava web start agentsServiceNow integrationCreating projects based on GitHub repository structureUsing GitHub App authenticationCreate Multibranch Projects and Organization Folders with large repositoriesWikiText plugin
Introduction
Trust model
Pod Security Admission
Centrally managing security for controllers
Cyberark Credential Provider Plugin
HashiCorp Vault Plugin
Enabling advanced use cases: cross controller triggers and bulk operations
Restricting access and delegating administration with Role-Based Access Control
Creating secure folders with Role-Based Access Control Auto Configurer
Restricting job triggers
Setting up operations center access controls
Setting up access controls on connected controllers
Testing the SSH connection to an agent
Configuring restricted credentials with the CloudBees Restricted Credentials plugin
Folders
Folders Plus
Injecting secrets into builds
Managing build agents with Nodes Plus plugin
Extended security settings
Enhanced credentials masking
Understanding Beekeeper security warnings
Preventing unauthorized interaction between builds
Security recommendations
Using single sign-on (SSO)
CloudBees CI integration with Microsoft Entra ID
operations center specific permissions
Authentication mapping
Example configurations
Delegating administration
Data collection for the CloudBees Analytics Plugin
External secrets management
Replacing an expired certificate
List of URLs that need access
Blocking access to URL patterns using the CloudBees Request Filter Plugin
Serving resources from Jenkins
Verifying Helm Charts Published with a Signature
Introduction
Introduction$JENKINS_HOME directoryBest practices for backup and restoreBack up $JENKINS_HOME manuallyRestore $JENKINS_HOME manuallyRestore credentialsConfigure backups using the CloudBees Backup pluginSchedule backups in the CloudBees Backup pluginRestore backups created with the CloudBees Backup pluginBackup and restore on KubernetesBackup and restore on AWSBackup and restore Kubernetes clusters using VeleroRun backups using cluster operations
IntroductionConfiguring multiple client controllers with the Jenkins CLI toolConfigure an alias for the Jenkins CLI toolConfiguring Jenkins CLI tool with non-TrustStore TLS certificates
CloudBees Inactive Items Plugin
Jenkins Health Advisor by CloudBees
CloudBees Pull Request Builder for GitHub plugin
Count and monitor user licenses with the CloudBees User Activity Monitoring plugin
CloudBees CI Catalog Plugin - Catalog tool
Introduction
CasC fundamentals
CasC requirements
CasC permissions
IntroductionGetting startedCreating a bundleConfiguring the operations center on modern platformsConfiguring the operations center on traditional platformsRetrieving bundles using SCMUpdating a bundleBundle update timing for the operations centerViewing the operations center update logCreating itemsConfiguring RBACDetermining plugin compatibilityTroubleshooting
IntroductionGetting startedCreating a bundleAdding controller bundles to the operations centerUpdating a bundleBundle update timing for controllersViewing the controller update logConfiguring bundle availabilitySetting up a managed controllerSetting up a client controllerCreating itemsConfiguring RBACDetermining plugin compatibilityAdvanced topicsTroubleshooting
Plugin management with CasC
CasC CLI commands
CasC HTTP API
Support policies

CAP plugin support in a FIPS 140-2 environment

9 minute read

When installing CloudBees CI on modern cloud platforms in FIPS-mode, only FIPS 140-2 compliant CloudBees Assurance Program (CAP) plugins are also installed. Non-CAP plugins cannot be installed on a FIPS 140-2 compliant instance of CloudBees CI.

The Beekeeper Upgrade Assistant is FIPS 140-2 compliant and should be used to manage and upgrade the plugins in your FIPS 140-2 compliant CloudBees CI instance.

While most CAP plugins are FIPS 140-2 compliant there are some CAP plugins that are supported with limitations or not supported at all.

Compliant CAP plugins with caveats

The following table lists the CAP plugins that are FIPS 140-2 compliant but have caveats. The plugins may contain code or libraries that are not FIPS 140-2 compliant.

For example, a plugin may contain a dependency on a library and that library contains code that is not FIPS 140-2 compliant. If the plugin calls the non-compliant parts of the library, then the plugin is not considered FIPS 140-2 compliant. However, if the plugin does not call the non-compliant parts of the library, the plugin itself is still considered FIPS 140-2 compliant. Any script or pipeline using the plugin classes or the libraries contained in the plugin must avoid those non-compliant parts.

Table 1. FIPS 140-2 compliant plugins with caveats
Plugin name Known incompatibilities

The plugin code does not add any compliance limitations, but it does provide access to other plugins and libraries that have known limitations:

This plugin uses the pmd-core library, which defines a JDBC connection URL including credentials. The JBDC driver must be configured to use TLS.

The Ant plugin can execute any task, including the Java Task, which can be configured with arbitrary parameters. The plugin’s code runs inside the Jenkins agent’s JVM and the plugin’s code is FIPS 140-2 compliant. Refer to Configure the Apache™ Ant plugin for FIPS compliance to learn how to configure Ant within an agent.

The Ant plugin typically executes Ant builds in build.xml. Therefore, any operation executed within an Ant task may not be FIPS compliant (for example, Mail Task can define a password and an insecure URL). Verify that the tasks executed inside any ant build are FIPS compliant.

The Apache HttpComponents Client 4.x API plugin provides a shared dependency on the httpcomponents-client, httpcomponents-core, and httpcomponents-asyncclient components of the Apache HttpComponents project.

For FIPS 140-2 compliance, artifacts built upon the Apache HttpComponents Client 4.x API plugin should only use TLS 1.2 or 1.3 and FIPS-approved cyphers. When the CloudBees CI environment is in FIPS mode, do not use http URLs when including credentials in requests.

The Apache HttpComponents Client 5.x API plugin provides a shared dependency on the httpclient5 and related lower-level libraries in httpcore5.

For FIPS 140-2 compliance, plugins using the Apache HttpComponents Client 5.x API should only use TLS 1.2 or 1.3 and FIPS-approved ciphers. When the CloudBees CI environment is in FIPS mode, do not use http URLs when including credentials in requests.

This plugin is compliant when it uses TLS to cypher communications:

  • In the UI, go to Manage Jenkins  System  Artifact Management for Builds to configure the following setting:

    • Define the Use Insecure HTTP as false so the plugin cannot use insecure HTTP connections with the useHTTP parameter.

    • Optionally, define a Custom Endpoint for the S3 bucket URL. That URL will use the protocol defined by the useHTTP parameter.

The plugin also provides access to the AWS Global Configuration and Apache HttpComponents Client 4.x API plugins, so the same caveats apply.

Additionally, the plugin provides access to the Javax WS RS API or the Apache Tika Core libraries, which can only be used if SSL/TLS is properly configured and the cyphering algorithm is compliant.

This plugin has a dependency on the AWS SDK for Java - Core (aws-java-sdk-core) library which is FIPS 140-2 compliant with a caveat for the following:

  • All the credentials, keys, IDs, etc. are loaded from the location in the properties files.

This plugin has also a dependency on Apache HttpComponents Client 4.x API which is also FIPS 140-2 compliant with caveats.

This plugin is only a wrapper, and the code is FIPS 140-2 compliant. It also specifies custom endpoints for EC2. Because this plugin defaults to HTTPS, custom endpoints may use plain HTTP connections. When using this plugin with a custom endpoint, be sure to use TLS for FIPS compliance.

The Amazon Web Services SDK::EC2 plugin also provides access to the Amazon Web Services SDK::Minimal plugin and the caveats from that plugin apply to this plugin in regard to credentials stored in files.

This plugin makes use of the AWS SDK for Java - Core (aws-java-sdk-core) library, which is compliant with caveats. The plugin can read credentials from a file in the local file system and override default locations with the AWS_CREDENTIAL_PROFILES_FILE. When using a local file to store credentials, make sure the contents of the file are FIPS 140-2 compliant.

This plugin can define a custom endpoint by specifying the AWS_DEFAULT_PROFILE. This endpoint must be protected by TLS to be FIPS 140-2 compliant.

This plugin includes the Hazelcast library, which is FIPS 140-2 compliant with caveats.

The default cyphering and encryption algorithms and the default JKS keystore in the library are FIPS 140-2 compliant. However, they can be replaced with properties files. Make sure the new values are FIPS 140-2 compliant.

To authenticate the Openshift instance, use TLS or SSL. The password must be a minimum 14 characters.

To make this plugin FIPS 140-2 compliant, verify that the useHttp property on the Artifact Management for Builds section of the System configuration page is set to false.

This plugin provides the Commons Lang v3.x to other Jenkins plugins. The generation of random numbers is not cryptographically secure and is not FIPS 140-2 compliant.

commons-text API plugin

This plugin provides Apache Commons Text v1.x to Jenkins plugins. The generation of random strings is not cryptographically secure and is not FIPS 140-2 compliant.

This plugin permits the inclusion of files that may contain secrets. Due to the user supplied nature of the managed configuration file, there is no guarantee that any secrets entered into the file will be FIPS 140-2 compliant. Be sure to either use credentials to store secrets or that the secret entered is FIPS 140-2 compliant.

The plugin permits the inclusion of credentials by using the credentials or ssh-credentials classes that would make the plugin FIPS 140-2 compliant.

This plugin can copy the artifact from the local disk and from a remote URL. If authentication is needed, credentials need to be included in the URL itself. If using the remote URL as the source of the artifacts, the URL must use TLS or not include any credential.

The code for this plugin is FIPS 140-2 compliant. However, it includes dependencies on the Elasticsearch Reporter Feeder plugin which needs TLS to be FIPS 140-2 compliant.

If the proxy in Jenkins is configured with credentials, the plugin needs to be protected by TLS to be FIPS 140-2 compliant. Additionally, do not configure the plugin to trust all certificates.

This plugin performs an HTTP request, including any credentials obtained from the Jenkins credential store. Therefore, it needs to be wrapped inside TLS to avoid credentials leakage and to be FIPS 140-2 compliant.

This plugin includes the Elasticsearch Reporter Configuration plugin. Therefore, the same limitations regarding TLS and trusting all certificates applies.

For authentication to an external service such as the GitLab server, use TLS. The password must be a minimum of 14 characters. Any additional external service (Jira, Hipchat, etc.) must use TLS.

For authentication to an external service such as the GitLab server, use TLS. The password must be a minimum of 14 characters.

Only the OAuth 2.0 implementation is FIPS 140-2 compliant, so always use this plugin with Oauth2 OIDC providers.

For authentication to an external service such as mail servers, use TLS or SSL. The password must be a minimum of 14 characters.

For authentication to an external service such as mail servers, use TLS or SSL. The password must be a minimum of 14 characters.

For authentication to an external URL, use TLS or SSL. The password must be a minimum of 14 characters.

It is possible to not configure a Kubernetes URL in this plugin. By doing so, the URL from the kubeconfig file is used.

When no URL is configured directly in the plugin, the URL from the config file (kubeconfig) must use TLS to be FIPS 140-2 compliant.

MapDB plugin provides a shared dependency on the MapDB library so that other plugins can cooperate when using this library. MapDB allows data serialization to a file, but the files are not secured by MapDB. Therefore, if this functionality is used in a security context, it is important to ensure a FIPS compliant security solution through other means.

For authentication, use TLS or SSL. The password must be a minimum of 14 characters.

Apache MINA SSHD is a Java library that supports SSH protocols on both the client and server sides. When in FIPS mode, only the JVM security provider should be employed. In addition, only FIPS-approved algorithms validated by NIST FIPS 140-2 can be used.

Specifically, for digital signature generation, only RSA and ECDSA algorithms shall be employed in accordance with sections 14.1.2 and 14.1.3 of the aforementioned guide.

Due to FIPS 186-5 specification which indicates DSA will no longer be approved for digital signature generation, but may be used to verify signatures generated prior to the implementation date of that standard.

This plugin contains the server side SCP (secure copy) command handler and the SCP client code. It has a dependency on Mina SSHD API::Core plugin which is FIPS 140-2 compliant with a caveat. Therefore, the same caveat applies to this plugin.

The plugin code is FIPS 140-2 compliant, however NodeJS must be version 6.0.0 or above and needs to start with --enable-fips / --force-fips.

For authentication to the remote elastic search instance, use TLS or SSL. The password must be a minimum of 14 characters.

The plugin configures a URL to download a .zip or tar.gz file containing the tool. The URL accepts the pattern http://user:passw@server:port/ which means credentials can be used without using TLS.

If credentials are used, the connection must be secured with TLS.

The code for this plugin runs inside the Jenkins agent’s JVM and is FIPS 140-2 compliant. However, the feature running Maven is only compliant if the JVM used by Maven is FIPS 140-2 compliant and all encryption used by Maven is also FIPS 140-2 compliant. To configure and use the Pipeline Maven API plugin, refer to Configure the Pipeline Maven API plugin for FIPS compliance.

This plugin’s code that runs inside the Jenkins agent’s JVM is FIPS 140-2 compliant. However, the feature running Maven is only compliant if the JVM used by Maven is FIPS 140-2 compliant and all encryption used by Maven is FIPS 140-2 compliant.

Because Maven is installed by the installer, when a private key is supplied by the user, it becomes out of scope for the CloudBees CI product.

When using an Amazon S3 compatible storage system (OpenStack Swift, EMC Atmos, etc.​), the AWS region must be FIPS 140-2 compliant. Amazon provides FIPS endpoints and only those should be used. If the default region is overriden, the endpoint must be FIPS 140-2 compliant and secured using TLS.

The plugin’s code is FIPS 140-2 compliant, but it includes the Apache Commons Net library. When using this library for authentication to an external service, use TLS or SSL. The password must be a minimum of 14 characters.

Some of the tools that this plugin confgures (such as Axivion Suite) can configure the server URL and the credentials. When CloudBees CI on modern cloud platforms is in FIPS mode, ensure that TLS URLs are used for this plugin.

Unsupported CAP plugins

While most of the CAP plugins are FIPS 140-2 compliant, the following CAP plugins are not:

None of the Blue Ocean plugins are supported when CloudBees CI on modern cloud platforms is in FIPS mode.
In August 2020, the Jenkins project voted to replace the term master with controller. We have taken a pragmatic approach to cleaning these up, ensuring the least amount of downstream impact as possible. CloudBees is committed to ensuring a culture and environment of inclusiveness and acceptance - this includes ensuring the changes are not just cosmetic ones, but pervasive. As this change happens, please note that the term master has been replaced through the latest versions of the CloudBees documentation with controller (as in managed controller, client controller, team controller) except when still used in the UI or in code.
Install CloudBees CI on modern cloud platforms in FIPS mode
Configure the Apache™ Ant plugin for FIPS compliance