Subversion Plugin HTTPS Kerberos authentication

Similar documents
HP Operations Orchestration Software

TIBCO Spotfire Connecting to a Kerberized Data Source

Using Two-Factor Authentication to Connect to a Kerberos-enabled Informatica Domain

Single Sign On (SSO) with Polarion 17.3

Kerberos and Active Directory symmetric cryptography in practice COSC412

Configuring Kerberos based SSO in Weblogic Application server Environment

Pentaho, Linux, and Microsoft Active Directory Authentication with Kerberos

SAS Grid Manager and Kerberos Authentication

Document Type: Best Practice

How to Connect to a Microsoft SQL Server Database that Uses Kerberos Authentication in Informatica 9.6.x

SAS Event Stream Processing 4.3: Security

ENTRUST CONNECTOR Installation and Configuration Guide Version April 21, 2017

HP Operations Orchestration Software

ZENworks 11 Support Pack 4 User Source and Authentication Reference. October 2016

SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES

Comodo Certificate Manager

KillTest *KIJGT 3WCNKV[ $GVVGT 5GTXKEG Q&A NZZV ]]] QORRZKYZ IUS =K ULLKX LXKK [VJGZK YKX\OIK LUX UTK _KGX

Continuous Integration, Continuous Deployment and Continuous Testing by HP Codar using ALM and Jenkins

BLUEPRINT TEAM REPOSITORY. For Requirements Center & Requirements Center Test Definition

Installation and Configuration Guide Simba Technologies Inc.

StreamServe Persuasion SP4 StreamStudio

SAS Viya 3.3 Administration: Authentication

Pyramid 2018 Kerberos Guide Guidelines and best practices for how deploy Pyramid 2018 with Kerberos

Deployment Scenario: WebSphere Portal Mashup integration and page builder

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

Kerberos and NFS4 on Linux. isginf Workshop

HDP Security Audit 3. Managing Auditing. Date of Publish:

Enabling Microsoft Outlook Calendar Notifications for Meetings Scheduled from the Cisco Unified MeetingPlace End-User Web Interface

Using Shared Accounts in Kerberized Hadoop Clusters with SAS : How Can I Do That?

RSA Identity Governance and Lifecycle Collector Data Sheet for Zendesk

Novell Kerberos Login Method for NMASTM

Installation and Configuration Guide Simba Technologies Inc.

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide

SPNegoLoginModule configuration for multi-forest scenarios with SUN JDK

SAS Viya 3.4 Administration: Authentication

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Active Directory Attacks and Detection

SAS 9.4 on Microsoft Windows: Unleashing Kerberos on Apache Hadoop

OpenAM Single Sign-On

Understanding the Local KDC

Entrust Connector (econnector) Venafi Trust Protection Platform

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Quintiles JReview Customer Access Guide. Version Number: 11. Document Version:

Configuring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications

OpenAM Single Sign-On

Registration and Renewal procedure for Belfius Certificate

Quick Start Guide. CollabNet Subversion Connector to HP Quality Center

Import Data Connection from an SAP Universe

Installing and Configuring Cisco Unified Real-Time Monitoring Tool

Cloudera ODBC Driver for Impala

Configuring Kerberos

Installation and Configuration Guide Simba Technologies Inc.

Windows AD Single Sign On

Important Notice Cloudera, Inc. All rights reserved.

Exam Name: IBM Certified System Administrator - WebSphere Application Server Network Deployment V7.0

MIT Kerberos & Red Hat

Kerberos MIT protocol

HP Operations Orchestration Software

Teradata ODBC Driver for Presto. Installation and Configuration Guide

Information Security CS 526

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Network Security Essentials

Cisco Unified Serviceability

Client 2. Authentication 5

FUSION REGISTRY COMMUNITY EDITION SETUP GUIDE VERSION 9. Setup Guide. This guide explains how to install and configure the Fusion Registry.

US FEDERAL: Enabling Kerberos for Smartcard Authentication to Apache.

Automation Anywhere Enterprise 10 LTS

Polarion Enterprise Setup 17.2

Installer Apache Manually Windows Server Bit

Cloudera ODBC Driver for Apache Hive

Installing the DITA CMS Eclipse Client

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

Installation and Configuration Guide Simba Technologies Inc.

IBM Security Access Manager Version December Release information

Spring Security Kerberos - Reference Documentation

Managing External Identity Sources

OneView Installation

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2017 R1 Update Rollup 1

Installing AX Server with PostgreSQL (multi-server)

INUVIKA TECHNICAL GUIDE

Import Data Connection to an SAP ERP System

System Requirements. PREEvision. System requirements and deployment scenarios Version 7.0 English

Import Data Connection to an SAP BW System

Coveo Platform 7.0. Oracle UCM Connector Guide

Setting Up Identity Management

Securing the Oracle BDA - 1

Installing. Version for use with SAP NetWeaver AS for ABAP

Cloudera ODBC Driver for Apache Hive Version

Installing the DITA CMS Eclipse Client

Qualys Cloud Platform (VM, PC) v8.x Release Notes

Version Installation Guide. 1 Bocada Installation Guide

Kerberos. Pehr Söderman Natsak08/DD2495 CSC KTH 2008

DoD Common Access Card Authentication. Feature Description

TEAMWORK SYSTEM. version user guide

MULTI FACTOR AUTHENTICATION USING THE NETOP PORTAL. 31 January 2017

Create Import Data Connection to SAP BPC MS

C examcollection.premium.58q

Migrating vrealize Automation 6.2 to 7.2

Live Data Connection to SAP Universes

Oracle Data Integrator 12c: Integration and Administration

Transcription:

Subversion Plugin HTTPS Kerberos authentication Introduction Prerequisites Configure the Oracle JRE with Java Cryptography Extension (JCE) Server certificates Prepare and test the domain account Linux Windows - domain member Windows - standalone Setup of the Java Kerberos configuration file Linux and Windows standalone client: Windows domain client: Configure the master/slave Configure your Jenkins job Troubleshooting Some hints Introduction If the Subversion SCM of your build needs access to a repository on a Web server which is configured to accept only a Kerberos authentication. Typically servers in a company network using the domain accounts to grant the access to the hosted resources. This setup was tested with a MS Active Directory 2008 R2 but should also work with other Directory servers. As Web front-end an Apache 2.4 with mod_auth_kerb 5.4 on Linux was used. The Jenkins slaves were running on Windows 10 and Linux - the required configuration you ll find below. For Windows two different setups are explained: a slave which is member of a domain and a standalone slave without domain membership. The second configuration is about the same as for Linux. Prerequisites A working Jenkins instance - has been tested on Linux RHEL 7 and Open SUSE 42 with Jenkins 2.32.3 Subversion plugin 2.7.2 has been tested Oracle JRE 1.8 with JCE installed - details below Kerberos V5 installation and configuration on the master or slave were the jobs with Subversion will run - only MIT Kerberos has been tested on Linux, for Windows no dedicated setup is required A domain account that has access to your Subversion server/repository For testing a native Subversion 1.8 client is recommended Configure the Oracle JRE with Java Cryptography Extension (JCE) Oracles Java runtime does not include encryption algorithms required by Kerberos due to U.S. export regulations. You must download the JCE extension and install it manually. Follow the instructions in the package which are the same for Linux and Windows. The same applies to the JRE/JDK from IBM and the Open JDK, downloads are available. Server certificates For HTTPS communication the Apache server is using a certificate. Make sure that the Certificate Authority (CA) of the server certificates is trusted by Java. As an alternative add the CA in the Subversion servers, parameter: ssl-authority-files. Prepare and test the domain account Important: The password for the domain account should never expire/changed, otherwise a keytab must be re-created. Linux That the domain account is not compromised because the credentials are saved in clear text somewhere in the file system Kerberos is using a keytab file. In this file the domain credentials are stored encrypted. The keytab can be created by your domain administrator. When you have the password for the account you also can create the keytab by yourself. Here is the procedure:

$ ktutil ktutil: addent -password -p JenkinsAccount@DOMAIN.ORG -e RC4-HMAC -k 1 Password for JenkinsAccount@DOMAIN.ORG: xxxxxx ktutil: wkt JenkinsAccount.keytab ktutil: q Let s have a look to the content of the keytab: $ klist -kte JenkinsAccount.keytab Keytab name: FILE: JenkinsAccount.keytab KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 1 03/18/2017 18:38:28 JenkinsAccount@DOMAIN.ORG (arcfour-hmac) Use the keytab file to test the authentication, run the following command: $ kinit -kt JenkinsAccount.keytab JenkinsAccount@DOMAIN.ORG When the run was successful (no output) let s have a look to the created TGT: $ klist Ticket cache: DIR::/run/user/1000/krb5cc/tkt Default principal: JenkinsAccount@DOMAIN.ORG Valid starting Expires Service principal 03/19/2017 15:59:30 03/20/2017 01:59:30 krbtgt/domain.org@domain.org renew until 03/20/2017 15:59:30 Test the access to the Subversion repository with a native Subversion client. If no TGT is available run: $ kinit -kt JenkinsAccount.keytab JenkinsAccount@DOMAIN.ORG Try to get the repository info: $ svn info https://svn.organization.org/repos/helloworld/trunk Path: trunk URL: https://svn.organization.org/repos/helloworld/trunk Relative URL: ^/trunk Repository Root: https://svn.organization.org/repos/helloworld Repository UUID: bd8deff7-301f-404f-b90d-11f05c129706 Revision: 309 Node Kind: directory Last Changed Author: JenkinsAccount@DOMAIN.ORG Last Changed Rev: 309 Last Changed Date: 2016-11-13 18:52:10 +0100 (Sun, 13 Nov 2016)

Windows - domain member For the slave on a domain computer just try to login to the build machine. Run a svn info to check the access to the repository and that the certificate is accepted. TGT accessibility By default, Windows does not allow the session key of a TGT to be accessed. Please add the following registry key on the client side, so that the session key for TGT is accessible and Java can use it to acquire additional service tickets. When this is not compliant with the security regulation of your company configure the build client in the same way like the standalone client. For Windows XP and Windows 2000, the registry key and value should be: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos Value Name: allowtgtsessionkey Value Type: REG_DWORD Value: 0x01 For Windows 2003 and Windows Vista, the registry key and value should be: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Paramet ers Value Name: allowtgtsessionkey Value Type: REG_DWORD Value: 0x01 Windows - standalone The keytab should be created by the domain admin. Run the following commands to test the validity of the file. Both programs are part of the Java Runtime, do not use the klist program of Windows. > klist -kt C:\Jenkins\etc\JenkinsAccount.keytab Key tab: C:\Jenkins\etc\JenkinsAccount.keytab, 1 entry found. [1] Service principal: JenkinsAccount@DOMAIN.ORG KVNO: 1 > kinit -t C:\Jenkins\etc\JenkinsAccount.keytab JenkinsAccount@DOMAIN.ORG New ticket is stored in cache file C:\Users\Jenkins\krb5cc_Jenkins Setup of the Java Kerberos configuration file Java needs some settings that Kerberos authentication works and they are placed in a file, e.g. JenkinsAccount.conf and this is the content. Linux and Windows standalone client:

com.sun.security.jgss.krb5.initiate { com.sun.security.auth.module.krb5loginmodule required usekeytab=true keytab="/home/jenkins/etc/jenkinsaccount.keytab" principal="jenkinsaccount@domain.org" debug=false ; }; You must replace the path for the keytab file and the name for the principal. On Windows use a path like this: C:/Jenkins/etc/JenkinsAccount.keytab. Additional parameters should be not required. Windows domain client: com.sun.security.jgss.krb5.initiate { com.sun.security.auth.module.krb5loginmodule required renewtgt=true donotprompt=true refreshkrb5config=true useticketcache=true debug=false ; }; Configure the master/slave The following parameters must be added to the JRE configuration: -Djava.security.krb5.conf=/where-ever/krb5.conf -Dsun.security.krb5.debug=false -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=/home/jenkins/etc/JenkinsAccount.conf On Linux the first parameter is only required when the file is in another location than the default of your system. For Windows it must be specified all the time. The debug parameter is optional, set to true for troubleshooting. Replace the path of the last parameter by your file name. For the Jenkins master these parameters must be added to the Jenkins configuration. For a slave add them to the JVM Options under Advanced in the node configuration page. Restart the master/slave. Configure your Jenkins job Under Source Code Management -> Subversion add just the URL of your repository and leave the credential empty. Note for master: when you move the text pointer out of the text field, you will immediately see a red error message, in case your configuration does not work. Note for slave: the authentication test every time will return an error. It looks like that this test is initiated on the master and not on the slave. Just run a job on the slave and check the log.

Troubleshooting First make sure that the Kerberos authentication is woking with a native Subversion client. The client needs no special configuration. On Linux use only a client which is part of the distribution. Third party clients normally do not support Kerberos, e.g. CollabNet Linux packages. You may try turning on debugging - use the debug parameter in the Java configuration file and sun.security.krb5.debug. Disable both after the issue is solved - the log files will grow rapidly. For a job running on the master check the Jenkins log file. For jobs running on a slave check the log of the slave and of the job. Some hints This setup works only when all jobs on the master or on a slave are using the same domain account for Subversion access. When different accounts are required it should be applicable to configure a slave for each domain account, even on the same computer. On a master this is not possible. This setup has not been tested on a Jenkins master running on Windows. This setup has not been tested with VisualSVN.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback