Tags: ssl, jenkins, openssl, atlassian-crowd

Jenkins 2 and Atlassian Crowd (crowd2 Plugin) Integration with two-way SSL


I am trying to connect Jenkins (version 2.121.2) running on AWS to an on-premise Atlassian Crowd Server (version 3.1.2) using Jenkins' Crowd 2 Plugin. The Crowd server requires two-way SSL authentication.

Steps followed:

  1. Import the certificate chain of the Crowd server into the Java trust store located at $JAVA_HOME/jre/lib/security/cacerts, so Jenkins trusts the Crowd server.

  2. Create a keystore (JKS) with the private key and certificate for client authentication in Jenkins.

  3. Modify the Jenkins startup parameters (/etc/default/jenkins) to use the trust store and keystore. I have tried both variations below.

Variation 1:

JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true 
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts 
-Djavax.net.ssl.trustStorePassword=changeit 
-Djavax.net.ssl.keyStore=/var/lib/jenkins/identity.jks
-Djavax.net.ssl.keyStorePassword=changeit"

Variation 2:

# JVM Arguments
JAVA_ARGS="-Djavax.net.debug=ssl -Djava.awt.headless=true 
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts 
-Djavax.net.ssl.trustStorePassword=changeit"


# Jenkins arguments
JENKINS_ARGS="--webroot=/var/cache/$NAME/war 
--httpPort=$HTTPS_PORT 
--httpsKeyStore=/var/lib/jenkins/identity.jks 
--httpsKeyStorePassword=changeit"

After filling in the details in the plugin configuration section in Jenkins and trying to establish a connection, I receive a handshake failure in the Jenkins log. Information from the log:

  1. The Server Hello passes and provides a list of CAs that it trusts, which shows the Atlassian Crowd server. During Jenkins startup, I can also see that it adds the certificate as trusted.

  2. But when Jenkins is responding to the verification from Crowd, it is not sending the client key/certificate from the keystore. An excerpt of the log can be seen below.

CN=cloud.company.com, OU=OUnit, O=Org, L=City, ST=State, C=Country
ServerHelloDone 
Warning: no suitable certificate found - continuing 
without client authentication
Certificate chain <Empty>

I am not sure if this is possible using the Crowd2 Plugin or if I am doing something wrong. I had a look at this issue, but there is no definitive answer on whether this is possible or not.

Any help/direction is greatly appreciated.
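A small diagnostic for the kind of handshake log quoted in the question, added here as an example; it is not part of the original post, the Crowd2 plugin, or Jenkins. It parses a -Djavax.net.debug=ssl excerpt (SAMPLE_LOG is constructed to resemble Java 8's format, where the server's CertificateRequest lists accepted CA names in angle brackets under "Cert Authorities:") to confirm that the server actually asked for a client certificate, collect the CAs it accepts, and check whether the issuer DN of the certificate in the client keystore (read off the keystore with keytool -list -v and passed in as a string) is among them. Two caveats worth having in mind when reading the result: of the two startup variations, only JAVA_ARGS with -Djavax.net.ssl.keyStore hands a client identity to the JVM's default SSLContext, since Jenkins' own --httpsKeyStore option configures its inbound HTTPS listener and does nothing for outbound connections; and a plugin that builds its own SSLContext will not pick up the javax.net.ssl.* properties at all, so the "no suitable certificate found" warning can appear even with a correct keystore.

```python
"""Diagnose a javax.net.debug=ssl handshake excerpt for missing client authentication.

Added example: not code from the original question, from Jenkins or from the Crowd2 plugin.
"""
import re
from typing import List, Optional, Tuple

# Constructed excerpt mimicking Java 8 -Djavax.net.debug=ssl output for a server
# that requires a client certificate. Not a real capture; DNs are placeholders.
SAMPLE_LOG = """\
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=cloud.company.com, OU=OUnit, O=Org, L=City, ST=State, C=Country>
<CN=Example Internal CA, O=Org, C=Country>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
"""


def normalize_dn(dn: str) -> str:
    """Canonicalise an X.500 DN for comparison: drop the angle brackets the JSSE
    debug output adds, trim whitespace around ',' and '=', lower-case the
    attribute types (CN, OU, ...) and keep the attribute values as written."""
    dn = dn.strip().strip("<>")
    parts = []
    for rdn in re.split(r"\s*,\s*", dn):
        if not rdn:
            continue
        if "=" in rdn:
            attr, value = rdn.split("=", 1)
            parts.append(f"{attr.strip().lower()}={value.strip()}")
        else:
            parts.append(rdn.strip())
    return ",".join(parts)


def parse_handshake(log: str) -> dict:
    """Pull out the handshake facts that matter for client authentication."""
    result = {
        "client_cert_requested": False,  # did the server send CertificateRequest?
        "accepted_cas": [],              # normalised DNs from "Cert Authorities:"
        "no_suitable_cert": False,       # JSSE could not pick a key entry
        "client_chain_empty": None,      # did the client send an empty chain?
    }
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        stripped = line.lstrip("* ").strip()  # "*** CertificateRequest" -> "CertificateRequest"
        if stripped.startswith("CertificateRequest"):
            result["client_cert_requested"] = True
            section = "request"
        elif stripped.startswith("Certificate chain"):
            section = "chain"
            # Page-style one-liner "Certificate chain <Empty>" is handled here,
            # the multi-line Java 8 form by the <Empty> branch below.
            result["client_chain_empty"] = "<Empty>" in line
        elif line.startswith("***"):
            section = None
        elif stripped.startswith("Warning: no suitable certificate found"):
            result["no_suitable_cert"] = True
        elif section == "request" and "=" in stripped:
            # Header lines in this section ("Cert Types:", "Cert Authorities:")
            # contain no '=', so anything with '=' is a CA distinguished name.
            result["accepted_cas"].append(normalize_dn(stripped))
        elif section == "chain" and stripped == "<Empty>":
            result["client_chain_empty"] = True
    return result


def diagnose(log: str, client_cert_issuer: Optional[str]) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings. client_cert_issuer is the issuer DN of
    the PrivateKeyEntry in the client keystore, or None if not known."""
    hs = parse_handshake(log)
    findings = []
    if not hs["client_cert_requested"]:
        findings.append(("NO_CERT_REQUEST",
                         "server sent no CertificateRequest; it is not asking for two-way TLS"))
        return findings
    if hs["no_suitable_cert"]:
        findings.append(("NO_SUITABLE_CERT",
                         "JSSE found no key entry usable for client auth in the configured keystore"))
    if hs["client_chain_empty"]:
        findings.append(("EMPTY_CLIENT_CHAIN", "client answered the request with an empty chain"))
    if client_cert_issuer is not None:
        if normalize_dn(client_cert_issuer) in hs["accepted_cas"]:
            findings.append(("ISSUER_ACCEPTED",
                             "issuer is in the server's CA list; check the keystore holds a "
                             "PrivateKeyEntry and that -Djavax.net.ssl.keyStore reaches the JVM "
                             "and the SSLContext the plugin actually uses"))
        else:
            findings.append(("ISSUER_NOT_ACCEPTED",
                             "issuer is not in the server's CA list; the server would reject it"))
    return findings


if __name__ == "__main__":
    issuer = "CN=cloud.company.com, OU=OUnit, O=Org, L=City, ST=State, C=Country"  # placeholder
    for code, explanation in diagnose(SAMPLE_LOG, issuer):
        print(f"{code}: {explanation}")
```

Run it against the real Jenkins log (with -Djavax.net.debug=ssl still enabled) and the issuer shown by keytool for the identity.jks entry; ISSUER_ACCEPTED together with NO_SUITABLE_CERT points at the keystore not being consulted by the component making the connection rather than at the certificate itself.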


Solution

  • So, the problem was due to the Crowd 2 Jenkins Plugin. Version 2 of the plugin was released 3 months ago and I was using it. But after downgrading the plugin to version 1.8, I was able to authenticate with the Crowd Server.