To enable SSL communication between Build Forge and agents, you need to do the following:
To implement and test SSL quickly you can copy the .PEM files from the Build Forge installation. The files are in <bfinstall>/keystore.
The best practice for SSL is to use a separate certificate for each agent:
ssl_key_location buildForgeKey.pem ssl_key_password password ssl_cert_location buildForgeCert.pem ssl_ca_location buildForgeCA.pem ssl_protocol TLSv1 ssl_cipher_group ALL
The password is for the buildForgeKey.pem keystore. If you want to encrypt it, see Encrypting passwords in buildforge.conf and bfagent.conf.
ssl_client_authentication trueThis setting requires that the engine certificate be added in the agent's certificate authority keystore, buildForgeCA.pem.
ssl_cipher_override cipher_list
The console uses Server definitions to connect to agents.
For each Server definition that is connected to an SSL-enabled agent, do the following:
The following checklist describes common issues when enabling SSL:
<bfinstall>/keystore/buildForgeCA.pem
BFDEBUG_SECURITY=1
cd <bfinstall>/rc ./buildforge startOutput from the engine goes to the engine log file in <bfinstall>/log.
activity_log bfagent.logIn this example, the agent writes output to bfagent.log. You can specify a different filename.
An engine produces the following output when it connects successfully to an agent.
SSL_ca_file: ./keystore/buildForgeCA.pem SSL_cert_file: ./keystore/buildForgeCert.pem SSL_key_file: ./keystore/buildForgeKey.pem SSL_verify_mode: 0x01 SSL_version: TLSv1 SSL_cipher_list: ALL SSL_use_cert: 1 Making as SSL connection using socket IO::Socket::INET=GLOB(0x1e8f0f4). SSL connection to agent. DEBUG: .../IO/Socket/SSL.pm:1387: new ctx 80662848 DEBUG: .../IO/Socket/SSL.pm:880: dont start handshake: IO::Socket::SSL=GLOB(0x1e8f0f4) DEBUG: .../IO/Socket/SSL.pm:284: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:327: Net::SSLeay::connect -> 1 DEBUG: .../IO/Socket/SSL.pm:382: ssl handshake done Socket is of type: ref(IO::Socket::SSL=GLOB(0x1e8f0f4)) ReadyLine: 202 HELLO TLS - BuildForge Agent v_VERSION_ . Storing Agent Version [999.999.999.999-999-9999] for [08974C8E-6C3B-1014-972D-D9B2901D9F42] cmd ping username pbirk encpass c1713f4a31af3f1300f7b2414a24559c4d6097e07310cf9c412e go Sending agent request...
An agent running normally produces the following output when it establishes an SSL connection.
[2256] main.c : 409: === NEW AGENT === [2256] io.c : 264: In start_SSL [2256] io.c : 89: Key location: buildForgeKey.pem [2256] bfpwdlocloader.c: 134: Looking for password locator: ssl_key_password_locator [2256] bfpwdlocloader.c: 244: Looking for password for prop ssl_key_password from bfagent.conf. [2256] bfcryptloader.c : 202: Loading password encryption module. [2256] bfcryptloader.c : 276: Password encryption property password_encrypt_module is not configured. [2256] bfcryptloader.c : 539: Password decoded. [2256] io.c : 98: Cert location: buildForgeCert.pem [2256] bfpwdlocloader.c: 134: Looking for password locator: ssl_cert_password_locator [2256] bfpwdlocloader.c: 244: Looking for password for prop ssl_cert_password from bfagent.conf. [2256] io.c : 153: Setting key password in default userdata. [2256] io.c : 160: Getting private key from PEM. [2256] io.c : 166: Checking private key from PEM. [2256] io.c : 172: Getting CA store information. [2256] bfpwdlocloader.c: 134: Looking for password locator: ssl_ca_password_locator [2256] bfpwdlocloader.c: 244: Looking for password for prop ssl_ca_password from bfagent.conf. [2256] io.c : 178: CA location: buildForgeCert.pem [2256] io.c : 184: Checking the CA store. [2256] io.c : 230: Returning from init_CTX. [2256] io.c : 281: Calling SSL_new [2256] io.c : 294: Calling SSL_accept. [2256] io.c : 346: Cipher chosen: AES256-SHA [2256] io.c : 367: ssl_state = SS_CERTIFIED
If the keystore password configured on the agent side is wrong, it shows up in both engine and agent output.
Engine output (excerpt):
SSL_use_cert: 1 Making as SSL connection using socket IO::Socket::INET=GLOB(0x1e8f0f4). SSL connection to agent. DEBUG: .../IO/Socket/SSL.pm:1387: new ctx 80662848 DEBUG: .../IO/Socket/SSL.pm:880: dont start handshake: IO::Socket::SSL=GLOB(0x1e8f0f4) DEBUG: .../IO/Socket/SSL.pm:284: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:327: Net::SSLeay::connect -> -1 DEBUG: .../IO/Socket/SSL.pm:1135: SSL connect attempt failed with unknown error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number DEBUG: .../IO/Socket/SSL.pm:333: fatal SSL error: SSL connect attempt failed with unknown error error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number DEBUG: .../IO/Socket/SSL.pm:1422: free ctx 80662848 open=80662848 80566656 DEBUG: .../IO/Socket/SSL.pm:1425: OK free ctx 80662848
Agent output (excerpt):
[ 5272] io.c : 98: Cert location: buildForgeCert.pem [ 5272] bfpwdlocloader.c: 134: Looking for password locator: ssl_cert_passwor d_locator [ 5272] bfpwdlocloader.c: 244: Looking for password for prop ssl_cert_password from bfagent.conf. [ 5272] io.c : 153: Setting key password in default userdata. [ 5272] io.c : 160: Getting private key from PEM. [ 5272] io.c : 218: Failure reason: SSLErrorBadPKeyFile [ 5272] io.c : 221: OpenSSL error string: error:00000000:lib(0):func(0):reason(0) [ 5272] io.c : 281: Calling SSL_new [ 5272] platform.c :2693: platform_release_credentials [ 5272] main.c : 412: --- EXITING ---
This list includes some of the other error codes you may encounter and their causes: