5 Enhancing Security using HTTPS

With the introduction of this feature, HTTPS adds a layer of encryption that secures the connection between the server and its clients.

When accessing a website enabled with HTTPS, users can trust that their connection is secure, ensuring the confidentiality of their data. For Jenkins to operate over HTTPS, it requires an SSL certificate.

This certificate is converted into the Public-Key Cryptography Standards (PKCS) 12 industry standard format and then to JKS format, which Jenkins readily accepts. The JKS format certificate is then stored in the Jenkins path, enabling Jenkins to operate over HTTPS.

Prerequisites

The user needs to obtain an SSL certificate and a key from a certificate authority.

Uploading SSL Certificate

There are two methods to upload the SSL certificate for running Jenkins over HTTPS:
  • Upload the SSL certificate in DSR NOAM
  • Upload the SSL certificate in ATS
An SSL certificate can be obtained from a certificate authority. After obtaining the certificate, perform the following steps to upload the certificate:
  1. Log in to the DSR NOAM GUI.
  2. Navigate to Administration, then Access Control and Certificate Management.
  3. Upload the SSL certificate and key.

Configuring JKS.YAML Properties

Configure the following properties as listed below:

  • Certificate_uploaded_DSR: To select the model, enter either 1 or 0 for yes or no.
  • Certificate_uploaded_ATS: To select the model, enter either 1 or 0 for yes or no.
  • Dsrcertfilename: Provide the certificate file name located in the DSR NOAM /usr/TKLC/appworks/etc/ssl/ path. Mandatory if Certificate_uploaded_DSR is selected.
  • Dsrkeyfilename: Provide the key file name located in DSR NOAM /usr/TKLC/appworks/etc/ssl/ path. Mandatory if Certificate_uploaded_DSR is selected.
  • Atscertfilename: Provide the file name of the ATS certificate that has been uploaded. Mandatory if Certificate_uploaded_ATS is selected.
  • Atskeyfilename: Provide the file name of the ATS key that has been uploaded. Mandatory if Certificate_uploaded_ATS is selected.
  • Atscertstorepath: Provide the folder path where the SSL certificate and private key have been uploaded in ATS.
  • Dsrnoip: Provide the DSR NOAM IP address (if the certificate has been uploaded in DSR). Mandatory if Certificate_uploaded_DSR is selected.
  • Dsrusername: Provide the DSR NOAM CLI username (Default is "admusr"). Mandatory if Certificate_uploaded_DSR is selected.
  • Dsrpassword: Provide the DSR NOAM CLI password (Default is "Dukw1@m?"). The user can change the password, after which it will be encrypted again. Mandatory if Certificate_uploaded_DSR is selected.
  • httpsKeyStorePassword: Provide the password required for the certificate file (Default is "Welcome@123"). It will be stored in the encrypted form.

Figure 5-1 jks.yaml file



Running the JKS.PY File

Run the jks.py file by using the following command:
python jks.py

Note:

The user cannot select yes for both Certificate_uploaded_DSR and Certificate_uploaded_ATS at the same time.

Figure 5-2 python jks.py



Configuring HTTPS File

The files https_config, jks.yaml and jks.py are required for running Jenkins and must not be deleted under any circumstances.

  • httpPort: The current value of this parameter is -1, which should not be altered to run Jenkins through HTTPS.
  • httpsPort: The current value of this parameter is 8443, which should not be altered to run Jenkins through HTTPS.
  • httpsKeyStore: The current default value of this parameter is /var/lib/jenkins/jenkinsserver.jks and is advised not to be changed unless the .jks certificate file is relocated.
  • httpsKeyStorePassword: This parameter should remain the same as the password in the jks.yaml file, and it needs to be modified only in the jks.yaml file.
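
The constraints this section places on jks.yaml and https_config can be checked before jks.py is run. The following Python check is an added example, not the project's jks.py or its pre-validation logic; the dict layout standing in for the two files, the validate function, the bare-file-name check, and treating Atscertstorepath as required are assumptions.

```python
# Added example, not the project's jks.py. Key names are the ones this page lists;
# the dict layout standing in for jks.yaml and https_config is an assumption.
DOC_DEFAULTS = {"Dsrpassword": "Dukw1@m?", "httpsKeyStorePassword": "Welcome@123"}
DSR_REQUIRED = ("Dsrcertfilename", "Dsrkeyfilename", "Dsrnoip", "Dsrusername", "Dsrpassword")
# Atscertstorepath is treated as required here; the page does not mark it mandatory.
ATS_REQUIRED = ("Atscertfilename", "Atskeyfilename", "Atscertstorepath")
FLAGS = ("Certificate_uploaded_DSR", "Certificate_uploaded_ATS")
FILE_KEYS = ("Dsrcertfilename", "Dsrkeyfilename", "Atscertfilename", "Atskeyfilename")


def validate(jks, https):
    """Return (errors, warnings) for jks.yaml and https_config mappings."""
    errors, warnings = [], []
    selected = {}
    for name in FLAGS:
        value = str(jks.get(name, "")).strip()
        if value not in ("0", "1"):
            errors.append(f"{name} must be 0 or 1")
        selected[name] = value == "1"
    dsr, ats = selected[FLAGS[0]], selected[FLAGS[1]]
    if dsr and ats:  # the Note in this section: both models cannot be selected
        errors.append("select only one of " + " / ".join(FLAGS))
    required = (DSR_REQUIRED if dsr else ()) + (ATS_REQUIRED if ats else ())
    for key in required:
        if not str(jks.get(key, "")).strip():
            errors.append(f"{key} is mandatory for the selected model")
    for key in FILE_KEYS:
        # Added hardening check (assumption): a file name, never a path.
        name = str(jks.get(key, ""))
        if "/" in name or "\\" in name or name in (".", ".."):
            errors.append(f"{key} must be a bare file name")
    for key, default in DOC_DEFAULTS.items():
        if key in required + ("httpsKeyStorePassword",) and jks.get(key) == default:
            warnings.append(f"{key} is still the documented default")
    for key, expected in (("httpPort", "-1"), ("httpsPort", "8443")):
        if str(https.get(key)).strip() != expected:
            errors.append(f"{key} must stay {expected}")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    sample = {"Certificate_uploaded_DSR": 1, "Certificate_uploaded_ATS": 1,
              "httpsKeyStorePassword": "Welcome@123"}
    errs, warns = validate(sample, {"httpPort": 8080, "httpsPort": 8443})
    print("\n".join(["ERROR: " + e for e in errs] + ["WARN: " + w for w in warns]))
```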

Results after Running JKS.PY File

Running python jks.py generates output in 6 stages:
  • Prevalidation checks
  • Checking the availability of ATS certificate and key files
  • Checking the availability of Jenkinsserver.jks file
  • Conversion to JKS format
  • Warning for PKCS 12 format
  • Restart of Jenkins

Prevalidation Checks

The console displays PRE-VALIDATION CHECK SUCCESSFUL!!! when the parameters in the model selection within the jks.yaml are in the correct format.

Figure 5-3 Prevalidation



Checking the availability of ATS certificate and key files

The result specifically focuses on the certificate uploaded in the ATS model. The script checks whether the ATS uploaded certificate and key files exist in the ATS uploaded folder path provided in the jks.yaml file.

Figure 5-4 ATS certificate



Checking the availability of Jenkinsserver.jks file

The script confirms the availability of the jenkinsserver.jks file and removes it from the Jenkins home path to place the newly created jks file.

Figure 5-5 Jenkinsserver.jks



Conversion to JKS format

The script generates a confirmation message indicating the creation of the jks format file:

Figure 5-6 JKS format conversion



Note:

The console displays a warning message during the conversion to jks format, as PKCS 12 is the recommended industry standard. It can be ignored, as jks format is required for Jenkins to run over HTTPS.

Figure 5-7 Warning



Restart of Jenkins

Restarting Jenkins results in displaying the Jenkins home path.

Figure 5-8 Restart of jenkins



Conclusion

By configuring the SSL certificate, Jenkins can operate over HTTPS, ensuring secure communication between the client and the Jenkins web interface. The Jenkins server is securely accessible through the HTTPS port using the following URL: https://<ATS IP>:8443.

Figure 5-9 HTTPS Enabled Log in Screen

