Authentication
For Jenkins to communicate with the z/OSMF server over HTTPS, the z/OSMF server certificate needs to be imported into the cacerts keystore of the JRE that Jenkins runs on. To do this, export the certificate from z/OSMF and then import it into Jenkins.
- Export the z/OSMF certificate by navigating to the z/OSMF server GUI in a web browser and clicking the lock icon to the left of the location bar.
- Alternatively, your System Programmer can provide you with the certificate.
- Open a terminal (command prompt) with administrative privileges (sudo on Mac) and navigate to the Jenkins jre/bin folder (on Windows, C:\Program Files (x86)\Jenkins\jre\bin).
- Use the keytool to import the certificate that was exported in the prior step.
For Windows, run:
keytool -keystore ..\lib\security\cacerts -import -alias yourCertAlias -file C:\Users\IBM_ADMIN\Downloads\DevOps\MYCERT.crt -storepass changeit
For Mac, run:
sudo keytool -keystore ../lib/security/cacerts -import -alias yourCertAlias -file /Users/ddgandhi/Documents/MYCERT.cer -storepass changeit
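Note: Use forward slashes in paths on Mac.
To verify the import, list the contents of the keystore:
keytool -list -v -keystore ../lib/security/cacerts
When prompted for a password, enter changeit (the default password of the cacerts keystore).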
If the certificate is added correctly, the above command will show the entry for the certificate that was imported.
Restart Jenkins by browsing to http://localhost:8080/restart
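A certificate saved from the browser is only as trustworthy as the connection it was saved over, so it is worth comparing its SHA-256 fingerprint with one obtained separately before importing it. The following is an added example, not part of the original page: it assumes the System Programmer has supplied the expected fingerprint out-of-band, and the function names are hypothetical.

```sh
# Added example (not from the original page); function names are hypothetical.
# Portable SHA-256 of stdin: sha256sum on Linux, shasum on macOS.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Print the SHA-256 fingerprint (lowercase hex, no colons) of the DER bytes.
# Accepts DER or PEM input; for PEM only the first certificate is read.
cert_sha256() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        awk '/-----END CERTIFICATE-----/{exit} f{print} /-----BEGIN CERTIFICATE-----/{f=1}' "$1" |
            tr -d ' \r\n' | base64 -d | sha256_hex
    else
        sha256_hex < "$1"
    fi
}

# Normalize "AB:CD:..." (keytool style) or "abcd..." to lowercase hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \r\n' | tr 'A-F' 'a-f'
}

# Return 0 only if the file's fingerprint equals the expected one.
verify_cert_fingerprint() {
    expected=$(normalize_fp "$2")
    [ "${#expected}" -eq 64 ] || return 2   # not a SHA-256 value
    [ "$(cert_sha256 "$1")" = "$expected" ]
}

# Import into the keystore only after the fingerprint check passes.
# usage: import_if_trusted CERT_FILE EXPECTED_FP KEYSTORE ALIAS
import_if_trusted() {
    if verify_cert_fingerprint "$1" "$2"; then
        keytool -importcert -noprompt -keystore "$3" -alias "$4" -file "$1"
    else
        echo "fingerprint mismatch for $1: not importing" >&2
        return 1
    fi
}
```

The expected value can be given in the colon-separated form that keytool -printcert -file prints or as plain hex; both are normalized before comparison.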
WebSphere Liberty has a different approach for managing certificates. It requires the certificate to be imported into the Liberty keystore.
Enable the ssl-1.0 feature in the Liberty server.xml file.
<featureManager>
<feature>ssl-1.0</feature>
</featureManager>
In the minimal SSL configuration, the default location for the keystore is:
${server.config.dir}/resources/security/key.jks
- Browse to this location and use keytool to import the certificate into the Liberty keystore.
keytool -importcert -file <location of your cert file> -keystore <location of your liberty keystore> -alias yourCertAlias -storepass yourLibertyKeystorePassword
- Add this to the server.xml file.
<keyStore id="defaultKeyStore" password="yourPassword" />
See "Liberty: SSL configuration attributes" for more on SSL and keystores in WebSphere Liberty.
See "Enabling SSL communication in Liberty" for the minimal SSL configuration in WebSphere Liberty.
Use the JavaSSL tool to resolve any errors.
Download the JavaSSL tool from the link below and follow the instructions.
https://erikzaadi.com/2011/09/09/connecting-jenkins-to-self-signed-certificated-servers
Steps are also included below.
java InstallCert yourServerOrIP
- Copy the jssecacerts file that was created in the JavaSSL folder into $JAVA_HOME/jre/lib/security.
- Copy the same file to your home directory and rename it to .keystore
- To test that it works, browse to the JavaSSL folder and run:
keytool -list -alias yourServerAlias
where yourServerAlias is the name you should have seen at the end of the InstallCert command's output.
When prompted for a password, enter changeit
To test that the connection works, run:
java SSLPoke yourServerOrIP
Restart Jenkins by browsing to http://localhost:8080/restart