It's all about the answers!

Ask a question

Is there a way for the RTCscm (com.ibm.team.build.internal.hjplugin.RTCScm) checkout code running on a jenkins node to be made aware of a locally stored certificate to avoid a hand-shake error when connecting with the RTC repository?


Tammy Parker (36) | asked Sep 01 '18, 7:05 p.m.

ENV:
Have Team Concert Plugin 1.2.0.2
RTC Buildtoolkit 5.0.1 / 5.0.2
JDK 8
Jenkins version 2.73.3 running on linux as the master with several build/slave nodes
RTC repo, xxx.xxx.xxx is version 5.0.2

After switching over to a new RTC repository server that has a self-signed certificate, we are getting a handshake_failure error when running the RTCscm

(com.ibm.team.build.internal.hjplugin.RTCScm) checkout code used in a Jenkins project pipeline build :

From the Jenkins Log:
Sep 01, 2018 3:01:40 PM FINER com.ibm.team.build.internal.hjplugin.RTCScm

Create build result failure RTC : checkout failure: CRJAZ0099E An HTTP error occurred when this URL was being accessed: https://xxx.xxx.xxx:9443/ccm/versionCompatibility?

clientVersion=5.0.1. Error details: Received fatal alert: handshake_failure.
hudson.AbortException: RTC : checkout failure: CRJAZ0099E An HTTP error occurred when this URL was being accessed: https://xxx.xxx.xxx:9443/ccm/versionCompatibility?

clientVersion=5.0.1. Error details: Received fatal alert: handshake_failure.
    at com.ibm.team.build.internal.hjplugin.RTCAcceptTask.invoke(RTCAcceptTask.java:250)
    at com.ibm.team.build.internal.hjplugin.RTCAcceptTask.invoke(RTCAcceptTask.java:34)
    at hudson.FilePath$FileCallableWrapper.call(FilePath.java:2750)
    at hudson.remoting.UserRequest.perform(UserRequest.java:208)
    at hudson.remoting.UserRequest.perform(UserRequest.java:54)
    at hudson.remoting.Request$2.run(Request.java:360)
    at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
    at java.util.concurrent.FutureTask.run(FutureTask.java:277)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.lang.Thread.run(Thread.java:785)
    at ......remote call to severus(Native Method)
    at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1654)
    at hudson.remoting.UserResponse.retrieve(UserRequest.java:311)
    at hudson.remoting.Channel.call(Channel.java:905)
    at hudson.FilePath.act(FilePath.java:987)
    at hudson.FilePath.act(FilePath.java:976)
    at com.ibm.team.build.internal.hjplugin.RTCScm.checkout(RTCScm.java:2211)
    at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:113)
    at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:85)
    at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:75)
    at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:47)
    at hudson.security.ACL.impersonate(ACL.java:260)
    at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:44)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

NOTE:  We get the same error if we also try to use RTC Buildtoolkit 5.0.2

Using the command from the linux build node/slave:  openssl s_client -connect xxx.xxx.xxx:9443/ccm/versionCompatibility?clientVersion=5.0.1 -showcerts
we saw that the certificate was not being recognized:
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 5B89FE4E43849C3E027249034596C1EF5DF9AD8D4A64A3ABC09F91F56B170507
    Session-ID-ctx:
    Master-Key: 1E7FFFDE962FC2CF005979F0B7690AED195CD285FF67004B72BB4ADB025B840E4AB13877C5F69D3BD81792F9985E4C6D
    Key-Arg   : None
    Start Time: 1535770153
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)

but when we added the certificate from the RTC repository to the ssl certs directory, it worked with the following command:
openssl s_client -CApath /etc/ssl/certs -connect xxx.xxx.xxx:9443/ccm/versionCompatibility?clientVersion=5.0.1 -showcerts
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 5B8B18D27193DB0D09DAFCF04EA2F88D5B2C65E8BCBEA67FE5B30473C406A4E5
    Session-ID-ctx:
    Master-Key: ACE2371E9F167D5C2FDC5DF6EAE246ED37B469C560F39465412B2722C0E7A6C1C12B052790363AFE8E79B69A4E2B3BCB
    Key-Arg   : None
    Start Time: 1535842478
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)




So, we were surmising that we if could add the signed certificate somewhere such that the RTC buildtoolkit could use it that we might be able to get past the checkout error
as well...
Does anyone know where it would be placed?  We have a .keystore file on the build system -- would it go in there ?  If so, that file has a password associated with it --
how would I make it available for the checkout to work ??

One answer



permanent link
Tammy Parker (36) | answered Sep 02 '18, 2:44 a.m.
edited Sep 02 '18, 2:46 a.m.

An update since this posting --

I had been hopeful after finding this article
https://support.cloudbees.com/hc/en-us/articles/203821254-How-to-install-a-new-SSL-certificate-

I followed the instructions to create a .keystore and to add the certificate from the repo ( a pem file )

I made the change first on the slave/node/build machine and restarted jenkins on it, and ran the build with no luck ( same error ) so then
I also made the change on the jenkins master and restarted the jenkins service on it, and ran the build, again with no luck ( same error ).

I don't know how/if we can get past this error.  Hopefully if we get a trusted CA certificate on the repo, the error will go away...   Any ideas out there ?

Your answer


Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.