
I am trying to connect Jenkins (version 2.121.2) running on AWS to an on-premise Atlassian Crowd Server (version 3.1.2) using the Jenkins Crowd 2 plugin. The Crowd server requires two-way SSL authentication.

Steps followed:

  1. Import the certificate chain of the Crowd server into the Java trust store located at $JAVA_HOME/jre/lib/security/cacerts, so Jenkins trusts the Crowd server.

  2. Create a keystore (JKS) with the private key and certificate for client authentication in Jenkins.

  3. Modify the Jenkins startup parameters (/etc/default/jenkins) to use the trust store and keystore. I have tried both variations below.

Variation 1:

JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true 
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts 
-Djavax.net.ssl.trustStorePassword=changeit 
-Djavax.net.ssl.keyStore=/var/lib/jenkins/identity.jks
-Djavax.net.ssl.keyStorePassword=changeit"

Variation 2:

# JVM Arguments
JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true 
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts 
-Djavax.net.ssl.trustStorePassword=changeit"


# Jenkins arguments
JENKINS_ARGS="--webroot=/var/cache/$NAME/war 
--httpPort=$HTTPS_PORT 
--httpsKeyStore=/var/lib/jenkins/identity.jks 
--httpsKeyStorePassword=changeit"

After filling in the details in the plugin configuration section in Jenkins and trying to establish a connection, I receive a handshake failure in the Jenkins log. Information from the log:

  1. The Server Hello passes and provides a list of CAs that it trusts, which shows the Atlassian Crowd server. During Jenkins startup, I can also see that it adds the certificate as trusted.

  2. But when Jenkins is responding to the verification from Crowd, it is not sending the client key/certificate from the keystore. An excerpt of the log can be seen below.

CN=cloud.company.com, OU=OUnit, O=Org, L=City, ST=State, C=Country
ServerHelloDone 
Warning: no suitable certificate found - continuing 
without client authentication
Certificate chain <Empty>

I am not sure if this is possible using the Crowd 2 plugin or if I am doing something wrong. I had a look at this issue, but there is no definitive answer on whether this is possible or not.

Any help/direction is greatly appreciated.
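As an added example (not from the question, the plugin or Jenkins itself), a small Python triage script for the two things worth checking in this situation: whether /etc/default/jenkins sets the client keystore as a JVM property (--httpsKeyStore configures Jenkins' own HTTPS listener, not outbound client authentication), and what a javax.net.debug=ssl log says about the CAs the server requested and whether an empty chain was sent. The config fragment and log excerpt are constructed samples modelled on the question.

```python
import re

# Constructed sample of /etc/default/jenkins, modelled on the question's "Variation 2".
DEFAULT_JENKINS_V2 = '''
JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit"
JENKINS_ARGS="--webroot=/var/cache/$NAME/war
--httpsKeyStore=/var/lib/jenkins/identity.jks
--httpsKeyStorePassword=changeit"
'''
# Constructed excerpt of a JDK 8 -Djavax.net.debug=ssl log showing the failure in the question.
SSL_LOG = '''*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=cloud.company.com, OU=OUnit, O=Org, L=City, ST=State, C=Country>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
'''

def parse_env(text):
    """Return {VAR: [args...]} for double-quoted assignments, joining wrapped lines."""
    pairs = re.findall(r'^\s*(\w+)="([^"]*)"', text, re.MULTILINE)
    return {name: value.split() for name, value in pairs}

def jvm_props(args):
    """Map -Dkey=value JVM flags to a dict."""
    return dict(a[2:].split("=", 1) for a in args if a.startswith("-D") and "=" in a)

def check_client_keystore(text):
    """Findings about where (if anywhere) the outbound client identity is configured."""
    env = parse_env(text)
    props = jvm_props(env.get("JAVA_ARGS", []))
    findings = []
    if "javax.net.ssl.keyStore" not in props:
        findings.append("JAVA_ARGS lacks javax.net.ssl.keyStore: outbound TLS has no client identity")
    if any(a.startswith("--httpsKeyStore=") for a in env.get("JENKINS_ARGS", [])):
        findings.append("--httpsKeyStore only serves Jenkins' own HTTPS listener, not client auth")
    return findings

def requested_cas(log):
    """CA subject DNs the server listed in its CertificateRequest message."""
    m = re.search(r"Cert Authorities:\n(.*?)\n\*\*\*", log, re.DOTALL)
    return re.findall(r"<(.+?)>", m.group(1)) if m else []

def client_cert_sent(log):
    """False when JSSE found no key matching the requested CAs and sent an empty chain."""
    return ("no suitable certificate found" not in log
            and not re.search(r"Certificate chain\s*<Empty>", log))
```

The issuer of the key in identity.jks must match one of the DNs returned by requested_cas, otherwise the JSSE key manager sends an empty chain exactly as in the log above.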

  • You haven't really posted the SSL debug log so it's hard to tell what's going on here. Plus I'm not an expert in jenkins or atlassian or their configurations. But the bottom line is that you have a client cert and a server cert. The client's truststore needs to be configured to trust the *server cert*. The server's trust store needs to be configured to trust the *client cert*. That means the atlassian side's truststore needs to include the CA that signed the *client cert*. – President James K. Polk Jul 29 '18 at 17:00
  • @JamesKPolk Forgot to mention, the crowd server is already configured to trust the client certificate. – tux Jul 29 '18 at 17:11
  • Are you sure it's configured correctly? – President James K. Polk Jul 29 '18 at 17:15
  • Yes, I verified it, by importing the certificate and private key into chrome and connecting to crowd endpoint. The connection works. I believe the problem is with jenkins configuration to use the keystore. – tux Jul 29 '18 at 17:28

1 Answer

So, the problem was due to the Crowd 2 Jenkins plugin. Version 2 of the plugin was released 3 months ago and I was using this. But, after downgrading the plugin to version 1.8, I was able to authenticate with the Crowd Server.
