This documentation relates to QuickBuild 13.0.x
Select here if you are using a different version

Protect QuickBuild using SSL

Added by Robin Shen, last edited by Robin Shen on Jan 01, 2023
QuickBuild Documentation

Enable https access to server

QuickBuild server by default runs on top of http protocol. Https can be enabled to encrypt passwords and data send to the server. Please follow below procedure to enable https access to QuickBuild server:

  1. Run keytool command to generate a keystore. Assume Sun JDK is installed at /path/to/jdk and you want to generate keystore to /path/to/keystore. The command will be: 
    /path/to/jdk/bin/keytool -keystore /path/to/keystore -alias QuickBuild -genkey -keyalg RSA -validity 365

    You will be prompted for some settings including the keystore password and private key password. Note when prompting for name, please use host name of QB server instead of name of the person in order to make the CN field of the DN match the server and allow the cert to pass hostname validation.

  2. Change to directory <QuickBuild server install dir>/bin and run command config.(bat|sh). In the displayed config window, enable https access, specify https port, and specify keytool path and passwords provided in step 1.

Once https is enabled, you may access QuickBuild web interface and RESTful API through https protocol. And QuickBuild agents can be configured to connect to QuickBuild server through https protocol by editing the file <agent install dir>/conf/node.properties and changing the serverUrl accordingly.

We suggest to enable http and https access to QuickBuild server at the same time. While browser and RESTful API access are forced to go through https protocol with proper firewall settings, all agents can still talk to server via http protocol, which will perform bettern than https protocol considering the short and frequent interactions between agents and server.

If connections between server and certain agents go through insecure networks, you will need to configure those agents to connect to server via https protocol, and further, you may configure those agents to run themselves on https protocol to protect incoming connections from server and other agents, as introduced in next section.

Enable https access to agents

Agent can be configured to run on top of https port so that other nodes in the grid are forced to connect to it securely. To do this:

  1. Run keytool command to generate a keystore. Assume Sun JDK is installed at /path/to/jdk and you want to generate keystore to /path/to/keystore. The command will be: 
    /path/to/jdk/bin/keytool -keystore /path/to/keystore -alias QuickBuild -genkey -keyalg RSA -validity 365

    You will be prompted for some settings including the keystore password and private key password. Note when prompting for name, please use host name of QB server instead of name of the person in order to make the CN field of the DN match the server and allow the cert to pass hostname validation.

  2. Change to directory <QuickBuild agent install dir>/bin and run command config.(bat|sh). In the displayed config window, enable https access, and specify keytool path and passwords provided in step 1.

Exclude SSL ciphers

Certain SSL ciphers can be excluded by editing file conf/ciphers.excluded of server (or agent if you are enabling SSL at agent side). QB server by default excludes below ciphers:

SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA

Exclude SSL protocols (since 6.0.25)

Certain SSL protocols can be excluded by editing file conf/protocols.excluded of server (or agent if you are enabling SSL at agent side). QB server by default excludes below protocols:

SSLv3

Import external certificate

Above steps generates self-signed certificate, if you have external certificate, you may follow John Szakmeister's excellent guide to configure QuickBuild using it:

  1. First, you need to get a cert into the right format. In our case, that meant we needed to bundle the key, the public cert, and the provider's intermediate cert.
    To do this, use openssl: 
    openssl pkcs12 -export -out certificate.pfx -inkey private.key -in public.crt -certfile cacert.crt

    Make sure to type in a password when prompted, otherwise keytool will die with a divide by zero error when you go to import it into a Java keystore.

  2. Then get the new cert into a keystore, run: 
    keytool -importkeystore -srckeystore certificate.pfx -srcstoretype PKCS12 \
    -srcalias 1 -destkeystore /path/to/keystore -destalias $ALIAS \
    -deststorepass "$PASSWORD" -destkeypass "$PASSWORD"

    Here, $ALIAS is the name to assign to the cert. For QuickBuild, it needs to be called QuickBuild. $PASSWORD is the same password assigned to the export, but only the destkeypass really requires that. You could assign a different deststorepass, if you like. Note: the srcalias is actually a 1. There is no alias in a pfx file, so it just uses an index number. We put only one combined certificate in there, so the alias for it becomes 1. Also, it's not necessary to put the passwords on the command line. keytool will prompt you for them if you leave them off. It is necessary that you at least provide one. Check your work with:

    keytool -list -keystore /path/to/keystore -storepass "$PASSWORD"

    You should see the cert listed as a PrivateKeyEntry. If it's listed as a trustedCertEntry, then you've failed to include the private key.

  3. At last, tell QuickBuild to use the keystore by running "bin/config.sh" (or bin/config.bat) on windows.

Labels:

Enter labels to add to this page:
Wait Image 
Looking for a label? Just start typing.