Jenkins not reading startup config, problems with https and jenkins - jenkins

I am trying to get Jenkins to use https I have created my JKS file and I have amended the /etc/default/jenkins file. I have set http_port=-1 and have changed the last line in the file to someting similar to :-
JENKINS_ARGS=” — httpPort=-1 — httpsPort=8443 — httpsKeyStore=/path/to/jenkins.jks — httpsKeyStorePassword=chosen_pass — httpsListenAddress=0.0.0.0"
Replacing the path to jenkinks with the relevant path and password with correct password.
When I restart jenkins it just defaults to port 8080 on http. It seems to ignore the modifications to this file.
Is anyone able to help??

Related

How can I tell what options are in use on a running Mosquitto Service

How can I tell if the settings files associated with a Mosquitto instance, have been properly applied?
I want to add a configuration file to the conf.d folder to override some settings in the default file, but I do not know how to check they have been applied correctly once the Broker is running.
i.e. change persistence to false (without editing the standard file).
Test it.
You can run mosquitto with verbose output enabled, which will generally give you feedback on what options were set, but don't just believe that.
To do that, stop running Mosquitto as a service (how you do this depends on you setup) and manually run it from the shell with the -v option. Be sure to point it at the correct configuration file with the -c option.
That's not enough to be sure that it's actually working properly. To do that you need to test it.
Options have consequences or we wouldn't use them.
If you configure Mosquitto to listen on a specific port, test it by trying to connect to that port.
If you configure Mosquitto to require secure connections on a port, test it by trying to connect to the port unsecured (this shouldn't work) and secured (this should work).
You should be able to devise relatively simple tests for any options you can set in the configuration file. If you care if it's actually working, don't just take it on faith; test it.
For extra credit you can bundle the tests up into a script so that you can run an entire test suite easily in the future and test your Mosquitto installation anytime you make changes to it.
Having duplicate configuration options with different values is a REALLY bad idea.
The behaviour of mosquitto is not defined in this case, which value should be honoured, the first found, the last? When using the conf.d directory, what order will the files be loaded in?
Also will you always remember that you have changed the value in a conf.d file in the future when you go looking?
If you want to change one of the defaults in the /etc/mosquitto/mosquitto.conf file then edit that file. (Any sensible package management system will notice the file has been changed and ask what to do at the point of upgrade)
The conf.d/ directory is intended for adding extra listeners.
Also be aware that there really isn't a default configuration file, you must always specify a configuration file with the -c command line option. The file at /etc/mosquitto/mosquitto.conf just happens to be the config file that is passed when mosquitto is started as a service when installed using most Linux package managers. (The default Fedora install doesn't even setup the /etc/mosquitto/conf.d directory)

jenkins not reading config file

I am trying to get Jenkins to use https I have created my JKS file and I have amended the /etc/default/jenkins file. I have set http_port=-1 and have changed the last line in the file to someting similar to :-
JENKINS_ARGS=” — httpPort=-1 — httpsPort=8443 — httpsKeyStore=/path/to/jenkins.jks — httpsKeyStorePassword=chosen_pass — httpsListenAddress=0.0.0.0"
replacing the path to jenkinks with the relevant path and password with correct password.
When I restart jenkins it just defaults to port 8080 on http. It seems to ignore the modifications to this field
Has anyone see this before. Am I editing the correct file?? I am on Ubuntu 18.

How to install WebLogic AdminServer and NodeManager as windows service?

I am trying to install Weblogic adminserver as windows service but getting "Input too long" error while executing the install script.
I have struggled a lot in this issue and finally got the way to register AdminServer and Nodemanager as windows service for Weblogic. Below are the steps and issues faced with the progress:
To register weblogic AdminServer as windows server first need to create a script which will contain values like oracle home, java home etc. Below is the script I have used to install the service:
`
echo off
SETLOCAL
set MW_HOME=C:\Oracle\Middleware\Oracle_Home
set DOMAIN_NAME=osb_domain
set USERDOMAIN_HOME=C:\Oracle\Middleware\Oracle_Home\user_projects\domains\osb_domain
set SERVER_NAME=AdminServer
set WL_HOME=C:\Oracle\Middleware\Oracle_Home\wlserver
set PRODUCTION_MODE=true
set JAVA_OPTIONS=-Dweblogic.Stdout="%USERDOMAIN_HOME%\stdout.txt" -Dweblogic.Stderr="%USERDOMAIN_HOME%\stderr.txt"
set WLS_USER=weblogic
set WLS_PW=Password123
set MEM_ARGS=-Xms1024m -Xmx1024m
call "C:\Oracle\Middleware\Oracle_Home\user_projects\domains\osb_domain\bin\setDomainEnv.cmd"
call "C:\Oracle\Middleware\Oracle_Home\wlserver\server\bin\installSvc.cmd"
ENDLOCAL
`
By running this script I was not even able to install the windows service as it was throwing " Input is too long" error and the reason is windows char limitations. You might get confused by classpath and will try to resolve classpath but
the issue is with JAVA_OPTIONS values which is set by SetDomainEnv.txt is creating this issue.
I have modified the script like below and shorten the JAVA_OPTIONS values by calling SetDomainEnv.txt command just before setting JAVA_OPTIONS in the script.
This has overridden the lengthy value of JAVA_OPTIONS. Now I have succesfully installed the AdminServer as windows service.
`
echo off
SETLOCAL
set MW_HOME=C:\Oracle\Middleware\Oracle_Home
set DOMAIN_NAME=osb_domain
set USERDOMAIN_HOME=C:\Oracle\Middleware\Oracle_Home\user_projects\domains\osb_domain
set SERVER_NAME=AdminServer
set WL_HOME=C:\Oracle\Middleware\Oracle_Home\wlserver
set PRODUCTION_MODE=true
call "C:\Oracle\Middleware\Oracle_Home\user_projects\domains\osb_domain\bin\setDomainEnv.cmd"
set JAVA_OPTIONS=-Dweblogic.Stdout="%USERDOMAIN_HOME%\stdout.txt" -Dweblogic.Stderr="%USERDOMAIN_HOME%\stderr.txt"
set WLS_USER=weblogic
set WLS_PW=Password123
set MEM_ARGS=-Xms1024m -Xmx1024m
call "C:\Oracle\Middleware\Oracle_Home\wlserver\server\bin\installSvc.cmd"
ENDLOCAL `
Even the service is successfully installed, when I was starting it the service is stopped immediately and wasn't printing any logs as it was not connecting to AdminServer.
After a bit analysis I found that JAVA_OPTIONS values which I have overridden in my script is very much needed to invoke AdminServer.
I have run SetDomainEnv.txt in cmd prompt and copied thre JAVA_OPTIONS values.
As the service is already installed, I just copied the correct JAVA_OPTIONS values CMDLINE param in the windows service registry manually.
Server subsystem failed. Reason: A MultiException has 6 exceptions.
Server installed as Windows NT service with incorrect password for user weblogic. The password may have been changed since the server was installed as a Windows NT Service. Contact the Windows NT system administrator.
Note: No extra spaces or character is inserted in CMDLINE param.
Now everything is in place which is actually required to start the admin server. But when I start the service it is throwing some authentication error along with others in the adminserver.log file.
after a lot of analysis I found that is is not authentoication issue, the problem was with boot.properties file. boot. properties file was not read properly.
This answer is continuation of below one:
after a lot of analysis I found that is is not authentoication issue, the problem was with boot.properties file. boot. properties file was not read properly.
Now I would give some background- If the fusion middleware is installed as development mode the boot.properties files is created automatically inside Oracle_HOME\user_projects\domains\domainname\servers\AdminServer\security and if you look at this prop file you will find the password and username in encrypted mode.
If the fusion Middleware is installed as production Mode then everytime it will ask for password and username. to avoid this perform below steps:
manually create file under Oracle_HOME\user_projects\domains\domainname\servers\AdminServer\security\boot.properties like mention below:
username=weblogic
password=Password
Note: No spaces should be added and take care of file extension.
Now start weblogic from domain\bin\startWeblogic.cmd. This will encrypt you boot.properties file. check boot.proprties file if encrypted you are good to go.
Finally start the windows service whic is installed following above process. It should work fine.
=======================
About Node manager use installNodeMgrSvc from domain\bin. Again if you get input is too long error, you must shorten JAVA_OPTIONS and then carefully edit CMDLINE param in the windows registry.

jetty 9: setting up the most basic SSL / https

NOTE: If you want to see the behaviour of this demo app, just go to www.collaborativepowernowinternational.us. Here, select the testssl.PersonController, and you may create a person. Then go and edit the person, where the SSL channel is designated, which will give a redirect loop.
It seems like with Jetty 9 more configuration items went into the start.ini file, I have version 9.05.
In order to test the most basic SSL/https, I am uncommenting the following lines in start.ini:
#===========================================================
# SSL Context
# Create the keystore and trust store for use by
# HTTPS and SPDY
#-----------------------------------------------------------
jetty.keystore=etc/keystore
jetty.keystore.password=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
jetty.keymanager.password=OBF:1u2u1wml1z7s1z7a1wnl1u2g
jetty.truststore=etc/keystore
jetty.truststore.password=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
jetty.secure.port=8443
etc/jetty-ssl.xml
#===========================================================
# HTTPS Connector
# Must be used with jetty-ssl.xml
#-----------------------------------------------------------
jetty.https.port=8443
etc/jetty-https.xml
No other Jetty configuration changes. I then built the most basic Grails app (has a Person class) where I set certain controller actions to secure, which works fine on my development machine using an older built in Jetty version (that Grails includes). This is done simply by including spring-security-core and then adding the following lines to a configuration file:
grails.plugins.springsecurity.secureChannel.definition = [
'/person/list': 'REQUIRES_INSECURE_CHANNEL',
'/person/delete/**': 'REQUIRES_SECURE_CHANNEL',
'/person/edit/**': 'REQUIRES_SECURE_CHANNEL',
'/person/show': 'REQUIRES_INSECURE_CHANNEL'
]
grails.plugins.springsecurity.portMapper.httpPort=80
grails.plugins.springsecurity.portMapper.httpsPort=443
When I access the person/edit action I get a redirect loop in the browser (using deployed WAR file to Jetty 9 on dedicated CentOs 6 machine). This is using the provided keystore that comes with Jetty 9, just uncommenting the lines in start.ini to use it.
The main Jetty SSL configuration page I'm reading is here. What isn't clear to me is, is updating the start.ini file enough? If not, how exactly does one add the lines in jetty-https.xml described in this previous link, i.e. the lines:
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Set name="KeyStorePath"><Property name="jetty.home" default="." />/etc/keystore</Set>
<Set name="KeyStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
<Set name="KeyManagerPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
<Set name="TrustStorePath"><Property name="jetty.home" default="." />/etc/keystore</Set>
<Set name="TrustStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
</New>
Not sure how to add them, but they also seem a duplicate of the start.ini file lines above.
Can you please help help me get the most basic Jetty SSL running? Thanks much.
If not familiar with Grails, one can simply download it, then create a domain class -- there is a command line option for this. Then give it fields String firstName, String lastName. Then there are commands to generate a controller and views for it -- this is all totally automatic. Then one adds the plugin, spring-security-core. In chapter 16/17 of this doc and as I have shown, when lists which controller actions are secure, such as person/edit.
You actually have enough here for just the Jetty portion of this to be working using the default trial keystore we ship in Jetty 9.0.6 distribution.
Simply the blurb you have above is enough to make SSL work within Jetty. I downloaded the 9.0.6 distribution and uncommented those lines and it works. Well, I had to go into the start.d/demo.ini file and remove the last two lines with etc/jetty-ssl.xml and etc/jetty-https.xml because they would get run twice...but I digress.
If you start up Jetty you can navigate to https://localhost:8443 and it will complain about being an untrusted certificate and then load up the jetty distribution page.
Based on that I would say this is likely some sort of grails configuration issue that I sadly don't know the answer too, sorry.
Starting Jetty 9.1, things have changed, and you have to follow the instructions in here for things to look correct, per Jetty developers. Moreover, you are not supposed to change/delete/edit anything in ${jetty.home}'s directories. Here's what you need to do for a self-signed certificate based SSL/HTTPS on Jetty 9.1+:
(a) set up your environment variable $JETTY_HOME to point to where you installed your jetty tar bundle, say /opt/jetty/.
(b) Create a new directory, /tmp/myJettyApp, point it to $JETTY_BASE in your environment.
(c) cd to $JETTY_BASE
(d) Follow instructions in here:
/home/sonny $ cd $JETTY_BASE
/tmp/myJettyApp/ $ java -jar $JETTY_HOME/start.jar --add-to-startd=https,http2
(e) Set your port if you'd like:
/home/sonny $ cd $JETTY_BASE;
/tmp/myJettyApp/ $ java -jar $JETTY_HOME/start.jar jetty.ssl.port=8444
(f) And now, run jetty:
/tmp/myJettyApp/ $ java -jar $JETTY_HOME/start.jar
you will see that HTTPS is running at port 8444. Now, if you want to make jetty listen in the traditional HTTPS port, you have to use sudo to run:
/tmp/myJettyApp/ $ java -jar $JETTY_HOME/start.jar jetty.ssl.port=443
/tmp/myJettyApp/ $ sudo java -jar $JETTY_HOME/start.jar
Note that this already does the self-signed certs etc. automagically.
Now, if you want to generate your own self-signed certificate (say, because you want to modify the validity to an arbitrary large or small value, depending on your needs), follow the instructions in here, generate a new self-signed cert using keytool and then place it in $JETTY_BASE/etc/ and modify the $JETTY_BASE/start.d/ssl.ini for jetty.sslContext.keyStorePassword and jetty.sslContext.keyManagerPassword respectively. BTW, for the last two ssl.ini passwords, you can use the obfuscated plain text password you used when you ran keytool or use the plain text ones. If you want to obfuscate them, run {jetty.home} $ java -cp lib/jetty-util-9.3.6.v20151106.jar org.eclipse.jetty.util.security.Password "MyInterestingAndAwesomePassword"
Hope this helps someone.

knownhosts for Ant scp and sshexec tasks

My question is similar to the one asked here:
Ant scp task failure
BUILD FAILED com.jcraft.jsch.JSchException: reject HostKey: ....
My question is why are the keys not found in my knownhosts file?
No matter what kind of known_hosts file I have, the host key is rejected. Connecting via ssh works perfectly fine, and adds the relevant entries, but maybe jsch is unable to read known_hosts files generated by OpenSSH?
The Ant docs mention that the knownhosts file needs to be in SSH2 format, not SSH1. Ironically, the SSH2 format known_hosts file from OpenSSH is supposed to be ~/.ssh/known_hosts2, but the default value for knownhosts is ~/.ssh/known_hosts.
The known hosts files created by SSH2 are in ~/.ssh2/knownhosts/, so it's probably safe to count that out for the expected format. So far I've been unable to get OpenSSH to create a known_hosts2 file, and the man pages aren't much help there either. So what do the docs actually mean that the file needs to be in SSH2 format?
I've tried dsa and rsa keys, and neither work (both work with OpenSSH).
I've searched for two days and the only answers I've found are 'set trust="true'. Yes, that gets the task working, but not without turning a blind eye to security.
Here's a format I found that works with more recent versions of jch:
[xx.xx.xx.xx]:22 ssh-rsa .......
In older versions it was like:
xx.xx.xx.xx ssh-rsa ......
i.e. no square brackets and no port number. (Not sure if the port number is necessary if you're using port 22, but I tested it with a server with a non-default port assigned for SSH. And, in case it's not obvious, xx.xx.xx.xx should be the IP address of the server, or hostname or whatever.)
I found this format by getting the JCraft/jsch library to generate the known_hosts file for me. If you visit www.jcraft.com you can download a zip of the jsch source code, and some examples. Either build the source to make a jar, or download the ready-made jar as well. I unzipped the zip download and then plopped the jar file in that same directory.
There's an examples folder containing KnownHosts.java. You need to compile that file and then run it - it will ask you for your known_hosts file (just create an empty file in the default location first (~/.ssh/known_hosts) and select that. It will then ask you for details to connect to a server... Enter those, for example sshusername#xx.xx.xx.xx, and the program will try to connect and then fill the known_hosts file for you.
For convenience for blundering Windows users like me who can never remember how to do stuff from the command line, here's what you need to compile and run that KnownHosts.java file:
First, navigate to the directory (having unzipped it and put the jar file inside, as I described above).
Then run:
javac -cp jsch-0.1.49.jar examples/KnownHosts.java
to compile KnownHosts.java. And then:
java -cp "examples;jsch-0.1.49.jar" KnownHosts
to run it. Follow through the instructions above and you should have a working known_hosts file.
One final note: the KnownHosts program assumes a port of 22. I edited it to allow me to enter something like sshusername#xx.xx.xx.xx:8888 so I could specify a server with a custom port and have it work as described above. In the source of KnownHosts.java I looked for a line like:
Session session=jsch.getSession(user, host, 22);
and replaced it with:
int port = 22;
final int colonIndex = host.indexOf(':');
if (colonIndex > -1) {
final String[] split = host.split(":");
host = split[0];
port = Integer.parseInt(split[1]);
}
Session session=jsch.getSession(user, host, port);
and then compiled and ran as above.
The sshexec ant task is looking for the file 'known_hosts' by default to ${user.home}/.ssh/known_hosts
Verify the value of 'user.home' system property. Probably it points to unsuspected place.
Or provide the 'knownhosts' value explicitly in the ant task's property.
There are two parameters you might be interested in:
trust: If set to true will trust unknown hosts. The default is set to false.
knownhosts: Set to the location of your known hosts file.
The first will allow you to set the tasks to not check whether or not it's a known host. The second will allow you to specify the file that contains the known hosts. This way, you could specify it as ${user.home}/.ssh/known_hosts2and override the default.
By the way, a good way to do this is to use properties for these values, and then use a property file to override those properties:
[...]
<property name="build.properties" value="build.properties"/>
<property file="${build.properties}"/>
<!-- Can be overridden via 'build.properies' file -->
<property name="knownhosts.file" value="${user.home}/.ssh/knownhosts"/>
<property name="remote.host" value="foo-system"/>
[...]
<scp file="${copy.this.file}"
todir="${user}#{host}:${remote.dir}"
knownhosts="${knownhosts.file}"/>
[...]

Resources