Type: Bug
Resolution: Won't Fix
Priority: Major
OS: Redhat 6.9+Jenkins+IBM J9 JRE 1.8
The Jenkins configuration is as below:
/etc/sysconfig/jenkins
JENKINS_HOME="/var/lib/jenkins"
JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dhttps.protocols=TLSv1.2"
JENKINS_HTTPS_PORT="8443"
JENKINS_HTTPS_KEYSTORE="/var/lib/jenkins/keystore/jenkins_ibmjre8.jks"
JENKINS_HTTPS_KEYSTORE_PASSWORD="tivoli4u"
JENKINS_ARGS="--httpsKeyManagerType=IbmX509"
The certificate for Jenkins:
keytool -list -keystore "/var/lib/jenkins/keystore/jenkins_ibmjre8.jks" -storepass tivoli4u
Keystore type: jks
Keystore provider: IBMJCE
Your keystore contains 5 entries
cn=ibm internal intermediate ca, o=international business machines corporation, c=us, Aug 9, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): F0:46:B4:00:B8:52:24:6E:A2:94:6B:17:CE:83:23:49:54:9A:3A:49
caintermediatecert, Aug 8, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): F0:46:B4:00:B8:52:24:6E:A2:94:6B:17:CE:83:23:49:54:9A:3A:49
myjenkinsreq, Aug 9, 2018, keyEntry,
Certificate fingerprint (SHA1): C2:8C:5D:46:0E:A7:D7:A3:15:40:8B:5E:F3:69:43:5B:CE:F9:53:B2
cn=ibm internal root ca, o=international business machines corporation, c=us, Aug 9, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 66:7C:48:44:D0:B6:0B:EF:1A:F7:ED:D5:2D:C3:55:76:B0:1A:02:73
carootcert, Aug 8, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 66:7C:48:44:D0:B6:0B:EF:1A:F7:ED:D5:2D:C3:55:76:B0:1A:02:73
The certificate for IBM J9 JRE 1.8:
keytool -list -keystore /var/ibm-java8/jre/lib/security/cacerts|grep my_jenkins_host
Enter keystore password: changeit
my_jenkins_host, Aug 10, 2018, trustedCertEntry,
Previously I used Jenkins+Oracle JRE 1.8, and it worked with TLSv1.2, but when I ran the Jenkins jobs from UCD, it showed that the Java version was not compatible. So I switched Java to IBM J9 JRE 1.8, and generated and imported the certificate into the Jenkins keystore and the Java keystore. Jenkins can be started with the argument "--httpsKeyManagerType=IbmX509", but SSL (TLSv1.2) is not working, so the HTTPS URL cannot be accessed.
Below is some error information from Jenkins server command:
openssl s_client -connect my_jenkins_host:8443
CONNECTED(00000003)
140241296922440:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
java -jar jenkins-cli.jar -s https://my_jenkins_host:8443 build df_test -s -v --username me_admin --password tivoli4u
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2033)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:100)
at hudson.cli.CLI.plainHttpConnection(CLI.java:652)
at hudson.cli.CLI._main(CLI.java:612)
at hudson.cli.CLI.main(CLI.java:426)
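
A triage helper for the `openssl s_client` transcript above, as an added example that is not part of the original report: it uses the transcript's byte counters and status lines to place where the handshake stopped. The function name `triage_s_client` and the stage labels are hypothetical; the sample is the reporter's output with the `---` separators restored.

```python
import re

# Constructed sample: the s_client transcript from the report above, with the
# "---" separators restored.
SAMPLE = """\
CONNECTED(00000003)
140241296922440:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
"""

TLS_RECORD_HEADER = 5  # content type (1) + version (2) + length (2)
TLS_ALERT_BODY = 2     # alert level (1) + alert description (1)


def triage_s_client(text):
    """Summarise an `openssl s_client` transcript (hypothetical helper)."""
    alert = re.search(r":(?:sslv3|tlsv1) alert ([a-z ]+):", text)
    io = re.search(r"read (\d+) bytes and written (\d+) bytes", text)
    cipher = re.search(r"Cipher is (\S+)", text)
    result = {
        "connected": "CONNECTED(" in text,
        "alert": alert.group(1) if alert else None,
        "peer_cert": "Server certificate" in text,
        "bytes_read": int(io.group(1)) if io else None,
        "cipher": cipher.group(1) if cipher else None,
    }
    alert_only = result["bytes_read"] == TLS_RECORD_HEADER + TLS_ALERT_BODY
    if not result["connected"]:
        result["stage"] = "tcp_connect_failed"
    elif result["alert"] and alert_only and not result["peer_cert"]:
        # The server's entire reply was one alert record: it refused the
        # ClientHello and never sent a ServerHello or its certificate.
        result["stage"] = "server_rejected_client_hello"
    elif result["cipher"] not in (None, "(NONE)"):
        result["stage"] = "handshake_completed"
    else:
        result["stage"] = "handshake_failed_other"
    return result
```

For the transcript in this report the helper returns the stage `server_rejected_client_hello`: the 7 bytes read are a single alert record, so the failure happened on the server side before any certificate was presented.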