How to install and configure a secure Jenkins server


In this article we will see how to install Jenkins from the Linux package repository and configure it with an SSL certificate for secure HTTPS communication.

Test Environment

Fedora 35 workstation


Procedure

Step1: Configure the Jenkins repository

As a first step we need to add the Jenkins repository and then import the Jenkins GPG key into the rpm key database.

[admin@jenkinscontrol ~]$ sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo
[admin@jenkinscontrol ~]$ sudo rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key
[admin@jenkinscontrol ~]$ cat /etc/yum.repos.d/jenkins.repo 
[jenkins]
name=Jenkins-stable
baseurl=http://pkg.jenkins.io/redhat-stable
gpgcheck=1

Step2: Install JDK dependency for Jenkins

Jenkins is an open source build automation server that is purely based on Java. We need to have JDK 8 or 11 installed on the system where we want to run the Jenkins server. Let's install the openjdk package as shown below if it's not installed already.

[admin@jenkinscontrol ~]$ sudo dnf install java-11-openjdk
[admin@jenkinscontrol ~]$ java --version
openjdk 11.0.12 2021-07-20
OpenJDK Runtime Environment 18.9 (build 11.0.12+7)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7, mixed mode, sharing)

Step3: Install Jenkins

Now that we have the Jenkins repository configured and the JDK dependency installed, let's install the jenkins package from the configured repository as shown below and reload the systemd daemon to generate the jenkins.service systemd unit for managing Jenkins with systemctl.

[admin@jenkinscontrol ~]$ sudo dnf install jenkins
[admin@jenkinscontrol ~]$ sudo systemctl daemon-reload

Step4: Start, Enable and Check Jenkins Service

Let's start and enable the jenkins service and verify that it started without any issues as shown below.

[admin@jenkinscontrol ~]$ sudo systemctl start jenkins.service 
[admin@jenkinscontrol ~]$ sudo systemctl enable jenkins.service 
[admin@jenkinscontrol ~]$ sudo systemctl status jenkins.service

Step5: Login to Jenkins

We can now access Jenkins on port 8080 as shown below. In my case fedser35 is my hostname; you can change it to whatever hostname is configured for your system.

URL – http://jenkinscontrol:8080/ (Please change FQDN as per your hostname)

For the first login we need to retrieve the admin password as shown below and use it to access the Jenkins portal. Thereafter it asks you to configure a new administrator user with a password and suggests plugins to install as per your requirements. Once that is done we have our Jenkins server up and running, but it is currently not secure, as we are communicating with it over the non-secure HTTP port 8080.

[admin@jenkinscontrol ~]$ sudo cat /var/lib/jenkins/secrets/initialAdminPassword
358ceb073fb24e26a4221311390656e5

Step6: Generate SSL certificate and convert into jks keystore

In order to secure our Jenkins server we need to generate an SSL certificate and a keystore, which can then be referenced in the Jenkins SSL configuration for secure HTTPS communication.

First, let's install the openssl package if it's not present already, as we will use openssl to generate a self-signed certificate and a keystore.

[admin@jenkinscontrol ssl]$ sudo dnf install openssl

Now, let's generate the SSL public and private key as shown below.

[admin@jenkinscontrol ssl]$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Generating a RSA private key
..................+++++
.............+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AA
State or Province Name (full name) []:MM
Locality Name (eg, city) [Default City]:MM
Organization Name (eg, company) [Default Company Ltd]:stack
Organizational Unit Name (eg, section) []:stack
Common Name (eg, your name or your server's hostname) []:fedser35
Email Address []:

Now let's package the certificate.pem and key.pem files into a .p12 keystore.

[admin@jenkinscontrol ssl]$ openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12

Let’s import the .p12 file into the .jks keystore using keytool as shown below.

[admin@jenkinscontrol ssl]$ keytool -importkeystore -srckeystore ./certificate.p12 -srcstoretype pkcs12 -destkeystore jenkinsserver.jks -deststoretype JKS
[admin@jenkinscontrol ssl]$ ls -ltr
total 16
-rw-------. 1 admin admin 1704 Mar 17 15:11 key.pem
-rw-r--r--. 1 admin admin 1326 Mar 17 15:11 certificate.pem
-rw-------. 1 admin admin 2541 Mar 17 15:12 certificate.p12
-rw-r--r--. 1 admin admin 2285 Mar 17 15:14 jenkinsserver.jks

Copy the generated .jks file into the /var/lib/jenkins directory and change its ownership to jenkins:jenkins.

[admin@jenkinscontrol ssl]$ sudo cp jenkinsserver.jks /var/lib/jenkins/
[admin@fedser35 ssl]$ sudo chown jenkins:jenkins /var/lib/jenkins/jenkinsserver.jks

Step7: Configure Jenkins for SSL communication

Now we need to configure our Jenkins service for SSL, which consists of the HTTPS port to listen on, the HTTPS keystore to use and the corresponding password for the keystore. We can update the jenkins.service file as shown below with the HTTPS configuration details.

[admin@jenkinscontrol system]$ cat /usr/lib/systemd/system/jenkins.service | grep -i "jenkins_https"
Environment="JENKINS_HTTPS_PORT=8443"
Environment="JENKINS_HTTPS_KEYSTORE=/var/lib/jenkins/jenkinsserver.jks"
Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=admin@1234"
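
The settings from Step 7 can be checked before the restart. The script below is an added example, not part of the original article or the Jenkins package: it reads the Environment= lines and flags a keystore path that does not exist, a keystore readable by other users, a plain HTTP listener that is still enabled, and a keystore password held in the unit environment. It assumes the packaged unit's JENKINS_PORT variable, where -1 disables the HTTP listener; the function names and finding labels are made up for this example.

```sh
#!/bin/sh
# Added example: audit the JENKINS_* settings from Step 7 before restarting.
# Pass the unit file plus any drop-ins, in the order systemd reads them.

# Value of the last Environment="NAME=value" line (later files override earlier ones).
unit_env() {  # unit_env NAME FILE...
  _name=$1; shift
  cat -- "$@" | sed -n "s/^Environment=\"${_name}=\(.*\)\"[[:space:]]*\$/\1/p" | tail -n 1
}

finding() { printf '%s\n' "$1"; _count=$((_count + 1)); }

# Prints one finding per line; exit status is 0 only when there are none.
audit_jenkins_tls() {  # audit_jenkins_tls FILE...
  _count=0
  _ks=$(unit_env JENKINS_HTTPS_KEYSTORE "$@")
  _http=$(unit_env JENKINS_PORT "$@")
  [ -n "$(unit_env JENKINS_HTTPS_PORT "$@")" ] || finding "https-port-unset"
  if [ ! -f "$_ks" ]; then
    # A mistyped directory lands here: the keystore path must resolve to a file.
    finding "keystore-missing:$_ks"
  else
    # Characters 5 and 8 of the `ls -l` mode string are the group/other read bits.
    case $(ls -ld -- "$_ks" | cut -c5,8) in
      *r*) finding "keystore-readable-by-others:$_ks" ;;
    esac
  fi
  # Plain HTTP keeps listening next to HTTPS unless JENKINS_PORT is -1
  # (an unset value is treated as the default 8080).
  [ "${_http:-8080}" = "-1" ] || finding "plain-http-enabled:${_http:-8080}"
  # systemd exposes Environment= values to unprivileged users (systemctl show).
  [ -z "$(unit_env JENKINS_HTTPS_KEYSTORE_PASSWORD "$@")" ] ||
    finding "password-in-unit-environment"
  [ "$_count" -eq 0 ]
}

# Constructed sample: mistyped keystore directory, HTTP left on, inline password.
demo=$(mktemp -d)
cat > "$demo/jenkins.service" <<EOF
Environment="JENKINS_PORT=8080"
Environment="JENKINS_HTTPS_PORT=8443"
Environment="JENKINS_HTTPS_KEYSTORE=$demo/jeknins/jenkinsserver.jks"
Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=constructed-placeholder"
EOF
audit_jenkins_tls "$demo/jenkins.service" || echo "fix the findings above, then restart"
rm -rf "$demo"
```

On the server, pass /usr/lib/systemd/system/jenkins.service followed by any drop-in files that override it.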

Step8: Restart the Jenkins service

It's time to reload the daemon and restart the jenkins service for the changes to take effect.

[admin@jenkinscontrol system]$ sudo systemctl daemon-reload
[admin@jenkinscontrol ssl]$ sudo systemctl restart jenkins.service 

Step9: Validate Jenkins service on HTTPS

We can now access Jenkins on the HTTPS port. Although we have configured our Jenkins service with a self-signed certificate, you can carry out this configuration with a valid certificate signed by a certificate authority to avoid the SSL trust exception that a browser shows for a self-signed certificate.

URL – https://jenkinscontrol:8443/ (Please change FQDN as per your hostname)

Hope you enjoyed reading this article. Thank you.