Jenkins Slave using JNLP requires security request

We are using Jenkins to manage the automated GUI in different virtual machines. OS is Win7 / 64 and other Windows flavors. Virtual machines connect to Jenkins Master using the JNLP method. Switching to other connections is not possible because jobs must be run by GUI programs.

Due to increased security requirements, Java now issues a dialog to confirm Jenkins Remoting Agent execution. This obviously ruins the automatic test execution. This dialog is displayed once every 24 hours. Increasing this time period to a year would also solve our problem.

The details above mention different aspects, for example Application-linked file (JNLP) is not digitally signed


We have tried different Java versions (7u67, Java 8u11 and 8u20) and different security settings.

Jenkins is the latest stable version 1.565.1 (tried an updated and a recently installed version). We also tried the latest Jenkins 1.576 on a fresh install.

Is this problem solvable on our side or only on Jenkins's side? Any ideas for solving this problem?

+3




1 answer


The solution to this problem is to use a set of deployment rules. The main difficulty lies in creating and storing certificates in the right place.

These are the steps to solve the above problem:

  • Install Java SDK (v7)

  • Create a self-signed CA, valid for 50 years:

    "C:\Program Files\Java\jre7\bin\keytool.exe" -genkeypair -alias selfsigned -keyalg RSA -keypass changeit -keystore identity.jks -storepass changeit -startdate "2000/01/01 00:00:00" -validity 18262 -keysize 2048
    
          

  • To retrieve the certificate from the keystore, use the following command:

    "C:\Program Files\Java\jre7\bin\keytool.exe" -exportcert -alias selfsigned -file Our_CA.cer -keystore identity.jks -storepass changeit
    
          

  • Create a ruleset.xml file as an ANSI file (for example, using Notepad++):

    <ruleset version="1.0+">
      <rule>
        <id location="http://url.to.web.server" />
        <action permission="run" />
      </rule>
      <rule>
        <id />
        <!-- The last rule is the default policy and the id should be blank. -->
        <action permission="default" />
      </rule>
    </ruleset>

  • Convert the ruleset.xml file to a jar file:

    "C:\Program Files\Java\jdk1.7.0_67\bin\jar.exe" -cvf DeploymentRuleSet.jar ruleset.xml
    
          

  • Sign the jar DeploymentRuleSet.jar:

    "C:\Program Files\Java\jdk1.7.0_67\bin\jarsigner.exe" -keystore "identity.jks" -signedjar "DeploymentRuleSet.jar" DeploymentRuleSet.jar selfsigned

    Verify the jar:

    "C:\Program Files\Java\jdk1.7.0_67\bin\jarsigner.exe" -verify -keystore "identity.jks" -verbose -certs DeploymentRuleSet.jar




Switch to the computer where the JNLP application should run:

  • Copy the signed DeploymentRuleSet.jar to C:\Windows\Sun\Java\Deployment

    The folder must be created on Win7 / 32.

  • Clean up C:\Users\<user name>\AppData\LocalLow\Sun and C:\Jenkins-Slave\

    Delete the entire folder C:\Users\<user name>\AppData\LocalLow\Sun (and Oracle).

    Delete all files in C:\Jenkins-Slave\ except for the StartJenkinsSlave package.

  • Run Configure Java, enable Security tab

    Check the View Active Deployment Rule Set link. The link must show the content of ruleset.xml.

  • Import Self Signed Certificate as Trusted Certificate and Subscriber Certificate

    On the Security tab, launch Certificate Management and import the previously exported Our_CA.cer certificate file two times. Import it as a trusted certificate and as a Signer CA certificate.

    Certificate Management -> Certificate Type: Trusted Certificate / Geschützte Zertifikate, Import AND Certificate Type: CA Signature / CA Signaturegeber, Import

+2
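
The following check is an added example, not part of the original answer and not Jenkins or Oracle tooling. It audits a DeploymentRuleSet.jar before it is copied to the agents: ruleset.xml must sit at the jar root, the jar must carry a signature block, and `run` rules should not match more than intended. The function names, the wording of the findings and the plain-HTTP check are assumptions of this example; the sample ruleset is the one from the answer.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the ruleset.xml from the answer, unchanged.
SAMPLE_RULESET = b"""<ruleset version="1.0+">
  <rule><id location="http://url.to.web.server" /><action permission="run" /></rule>
  <rule><id /><action permission="default" /></rule>
</ruleset>"""

def build_jar(ruleset_xml, name="ruleset.xml"):
    """In-memory stand-in for the `jar -cvf` step (produces an unsigned jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(name, ruleset_xml)
    return buf.getvalue()

def audit_ruleset_jar(jar_bytes):
    """Return a list of findings for a DeploymentRuleSet.jar given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "ruleset.xml" not in names:
            return ["ruleset.xml is not at the root of the jar"]
        # Presence check only; `jarsigner -verify` validates the signature itself.
        if not any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                   for n in names):
            findings.append("no signature block in META-INF; jar is unsigned")
        root = ET.fromstring(jar.read("ruleset.xml"))
    rules = root.findall("rule")
    for pos, rule in enumerate(rules, start=1):
        ident, action = rule.find("id"), rule.find("action")
        if ident is None or action is None:
            findings.append(f"rule {pos}: missing <id> or <action>")
            continue
        location = ident.get("location")
        pinned = ident.find("certificate") is not None
        # A blank <id> (no title, location or certificate) matches every application.
        catch_all = location is None and ident.get("title") is None and not pinned
        if catch_all and pos != len(rules):
            findings.append(f"rule {pos}: blank <id> matches everything; later rules never apply")
        if action.get("permission") == "run":
            if catch_all:
                findings.append(f"rule {pos}: 'run' with blank <id> allows every application")
            elif location and urlsplit(location).scheme == "http" and not pinned:
                findings.append(f"rule {pos}: 'run' for plain-HTTP location without <certificate> pin")
    return findings

if __name__ == "__main__":
    for finding in audit_ruleset_jar(build_jar(SAMPLE_RULESET)):
        print(finding)
```

To audit a real file, pass `open("DeploymentRuleSet.jar", "rb").read()` to `audit_ruleset_jar`; a signed jar with an HTTPS or certificate-pinned `run` rule returns an empty list.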








