
Add to TROUBLESHOOTING how to backup/restore current keys

    • saml-1.1.2

      Hi,

      I tried to find a way to save the current keys used for SAML auth, but it was unsuccessful.

      I can back up the metadata (directly from the plugin configuration link).

      Is there a way to back up the current keys that the SAML plugin uses?

      For example, we redeployed the Jenkins master completely from scratch; is there a way to use the same metadata without reconfiguring the IdP? It would be nice to add this info to: https://github.com/jenkinsci/saml-plugin/blob/master/doc/TROUBLESHOOTING.md

      Thank you!

          [JENKINS-54247] Add to TROUBLESHOOTING how to backup/restore current keys

          Ivan Fernandez Calvo added a comment:

          If you configured the encryption settings, you only have to copy the key store and the config files (you should maintain the secrets also). The default key store is "JENKINS_HOME/saml-jenkins-keystore.jks"; the configuration is in "JENKINS_HOME/saml-jenkins-keystore.xml". Some data is encrypted, so it is not meant to be managed manually, and it is only valid for a Jenkins with the same JENKINS_HOME/secrets.

          Andrei Stepanov added a comment:

          Hi, thank you for the answer.

          In our Jenkins, the "Encryption Configuration" checkbox is not set.

          Does this mean that the Jenkins master doesn't have a personal private key to talk to the IdP?

          Could you please just say in steps what I need to back up, and how to restore?

          We do not use the "Encryption Configuration" checkbox in the SAML plugin configuration.

          Ivan Fernandez Calvo added a comment:

          > Does this mean that Jenkins master doesn't have personal private key to talk to idP?

          The plugin creates a key pair automatically and stores it in "JENKINS_HOME/saml-jenkins-keystore.jks", then stores the related data in "JENKINS_HOME/saml-jenkins-keystore.xml". You can grab the public key from "JENKINS_HOME/saml-sp-metadata.xml".

          > Could you please just in steps say what I need to back up, and how to restore?

          You need the following files to restore the SAML configuration:

          • JENKINS_HOME/config.xml
          • JENKINS_HOME/saml-jenkins-keystore.jks
          • JENKINS_HOME/saml-jenkins-keystore.xml
          • JENKINS_HOME/saml-ipd-metadata.xml
          • JENKINS_HOME/saml-sp-metadata.xml
          • Also, you need the same secret.key; if not, the configuration is impossible to decrypt

          In any case, you usually make a backup of your full JENKINS_HOME to make your Jenkins instance work properly (not only the SAML plugin). I recommend you take a look at this CloudBees KB: https://support.cloudbees.com/hc/en-us/articles/216241937-Migration-Guide-CloudBees-Jenkins-Platform-and-CloudBees-Jenkins-Team-
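
One way to script the backup and restore of the files listed in the comment above, as an added example that is not part of the original thread or of the plugin's documentation. File names are copied as written in that comment; the function names, the `SAML_FILES` variable and the archive layout are assumptions, and the `secrets` directory is included because the first comment ties the encrypted data to JENKINS_HOME/secrets.

```shell
#!/bin/sh
# Added example. File names are taken as written in the comment above;
# override SAML_FILES if the names on your instance differ.
SAML_FILES="${SAML_FILES:-config.xml saml-jenkins-keystore.jks \
saml-jenkins-keystore.xml saml-ipd-metadata.xml saml-sp-metadata.xml \
secret.key secrets}"

# saml_backup JENKINS_HOME ARCHIVE
# Refuses to produce a partial backup: without the keystore or the secrets
# the restored configuration cannot be decrypted.
saml_backup() {
    home=$1; archive=$2
    for f in $SAML_FILES; do
        [ -e "$home/$f" ] || { echo "missing: $home/$f" >&2; return 1; }
    done
    # The archive contains the SP private key and the Jenkins secrets,
    # so it is created readable by its owner only.
    ( umask 077 && tar -czf "$archive" -C "$home" $SAML_FILES ) || return 1
    # Checksum stored beside the archive so corruption is caught on restore.
    ( cd "$(dirname "$archive")" &&
      sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# saml_restore ARCHIVE JENKINS_HOME
# Run with Jenkins stopped; verifies the checksum before extracting.
saml_restore() {
    archive=$1; home=$2
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) ||
        { echo "checksum mismatch: $archive" >&2; return 1; }
    mkdir -p "$home" && tar -xzpf "$archive" -C "$home"
}

# Usage (paths are placeholders):
#   saml_backup  /var/lib/jenkins /secure/backup/saml.tgz
#   saml_restore /secure/backup/saml.tgz /var/lib/jenkins
```

Store the archive with the same care as the keystore itself, since anyone who obtains it holds both the SP private key and the secrets needed to decrypt the configuration.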

          Andrei Stepanov added a comment:

          Okay, thank you. I think this ticket can be closed.

            ifernandezcalvo Ivan Fernandez Calvo
            astepano Andrei Stepanov