Buildforge JAVA API with SSL


hagai izenberg (2611) | asked Mar 04 '10, 5:01 a.m.
Hi,
I'm using the Java API to run a project in buildforge and having problems connecting with SSL.
When working without SSL, this connection code works great:

APIClientConnection conn = new APIClientConnection("server");

It also works great when I use the default port:

APIClientConnection conn = new APIClientConnection("server", 3966);

When trying to work with the SSL port, and initializing SSL like this:

System.setProperty("javax.net.ssl.keyStore", "c:\\buildForgeKeyStore.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "111111");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
System.setProperty("javax.net.ssl.trustStore", "c:\\buildForgeTrustStore.p12");
System.setProperty("javax.net.ssl.trustStorePassword", "111111");
System.setProperty("javax.net.ssl.trustStoreType", "PKCS12");

APIClientConnection conn = new APIClientConnection("server", 49150);

I'm getting this exception:

Exception in thread "main" java.io.IOException: Unexpected EOF
at com.buildforge.services.client.api.APIClientBuffer.fill(APIClientBuffer.java:121)
at com.buildforge.services.client.api.APIClientConnection.call(APIClientConnection.java:584)
at com.buildforge.services.client.api.APIClientConnection.setVersion(APIClientConnection.java:929)
at com.buildforge.services.client.api.APIClientConnection.<init>(APIClientConnection.java:262)
at com.buildforge.services.client.api.APIClientConnection.<init>(APIClientConnection.java:248)
at com.buildforge.services.client.api.APIClientConnection.<init>(APIClientConnection.java:240)
at com.buildforge.services.client.api.APIClientConnection.<init>(APIClientConnection.java:332)
at com.buildforge.services.client.api.APIClientConnection.<init>(APIClientConnection.java:310)
at il.co.bll.techinfra.bf.buildForge.main(buildForge.java:36)

I've also tried obtaining the SSL certificate from the browser (working with the admin console), and I've also tried using an invalid password or files, but I'm always getting the same error.
Is there a way to set the connection to use SSL?

Thanks.

11 answers



Peter Birk (501145) | answered Mar 05 '10, 4:54 p.m.
JAZZ DEVELOPER
Here are some instructions for setting up SSL for Java API clients with Build Forge 7.1.x. Let me know if you have any questions about these instructions. The intent is to get the Java API quickly using SSL. Obviously, it's always good to use unique SSL certificates on the client, rather than copying them over from the server. But this is a quick way to get it working.

Using bfclient.conf to configure SSL connections for an API client (Perl or Java)

To make an SSL connection with an API client program, you will need to set up bfclient.conf, which contains the SSL configuration properties needed to make an SSL connection. To simplify this process, follow the steps below and run your client in the client directory mentioned below.


1. Create a client directory where you are going to run the script from.
Windows example: c:\client
Unix example: /temp/client

2. Copy bfclient.conf to the client directory.
Windows: copy c:\BuildForge\bfclient.conf c:\client
Unix: cp /opt/BuildForge/Platform/bfclient.conf /temp/client

3. Create a keystore subdirectory in the client directory.
Windows: mkdir c:\client\keystore
Unix: mkdir /temp/client/keystore

4. Copy the keystores from the BuildForge install into the client keystore directory.
Windows: copy \BuildForge\keystore\*.pem \client\keystore.
Unix: cp /opt/BuildForge/Platform/*.pem /temp/client/keystore

5. For Perl, set the following OS environment variable so that bfclient.conf location is found.
Windows: set com.buildforge.client.config=c:\client\bfclient.conf
Unix: export com.buildforge.client.config=/temp/client/bfclient.conf

6. For Java, set the following System property on the Java command line when running your script. Also, you must use SecureAPIClientConnection instead of APIClientConnection in your code to make an SSL connection using bfclient.conf.
Windows: -Dcom.buildforge.client.config=c:\client\bfclient.conf
Unix: -Dcom.buildforge.client.config=/temp/client/bfclient.conf

7. Edit bfclient.conf and check the following properties:
bf_services_preferred_protocol=ssl (make sure it's ssl instead of tcp)
bf_services_ssl_port=49150 (make sure 49150 is your Services Layer SSL port)
bf_keystore_location=./keystore/buildForgeKey.pem (several of these, change to fully qualified path if not running script in client directory)

8. If you want to be sure that your script is using the bfclient.conf correctly, set the following debug property in your environment. When you run your script, you should see a lot more output about the SSL connection properties.
Windows: set BFDEBUG_SECURITY=1
Unix: export BFDEBUG_SECURITY=1

Note: If you choose to run your script in another directory, you have to update bfclient.conf and change the keystore locations to have absolute paths to the PEM files.

hagai izenberg (2611) | answered Mar 09 '10, 5:22 a.m.
Thanks,
It seems to be working with two exceptions:
1) I had to copy both the .pem and .p12 files to make it work
2) using the BFDEBUG_SECURITY debug option didn't bring any special messages; why is that?

i have 2 more questions regarding this issue:
1) is there a way to shut-down the non-ssl port in buildforge, so that no one will be able to work against buildforge without ssl.
2) is there a way to use the LDAP user that is running the script as the build-forge user, without having to pass the password of-course?

Best regards,
Hagai.

Peter Birk (501145) | answered Mar 09 '10, 8:53 a.m.
JAZZ DEVELOPER
> Thanks,
> It seems to be working with two exceptions:
> 1) I had to copy both the .pem and .p12 files to make it work
> 2) using the BFDEBUG_SECURITY debug option didn't bring any special messages; why is that?

1) It depends on the type of client you have. If you have a Java API client, you should have only needed the .p12 files. For a Perl API client, you should only need the .pem files. If you need both, I'm not sure why, other than satisfying a reference.
2) BFDEBUG_SECURITY is only effective for the Perl API client. If you want to see debug for the API client, you need to reference logging.properties via -Djava.util.logging.config.file=logging.properties (wherever it exists). This should produce logging output. You can also trace JSSE by adding -Djavax.net.debug=true to your launching script.

> I have 2 more questions regarding this issue:
> 1) is there a way to shut down the non-SSL port in buildforge, so that no one will be able to work against buildforge without SSL?
> 2) is there a way to use the LDAP user that is running the script as the build-forge user, without having to pass the password, of course?

1) You can disable the Services Layer TCP port during installation. It has a checkbox next to the port which lets you deselect it. There's probably a way to disable the port after installation, but I would have to check around.
2) There is currently no way to authenticate to the Build Forge Services Layer API without userid/password. We do support password encryption in bfclient.conf which allows you to encrypt the password stored there. You can also specify the password in your code via the authUser API. If we were to support some mechanism to pass a token instead of user/pass it would likely be Kerberos or Certificates. Let me know if you need some other mechanism, but userid w/o password is not secure.

Regards,
Pete

hagai izenberg (2611) | answered Mar 09 '10, 9:11 a.m.
Thanks,
Can we use an LDAP user&password when making a client connection?

Peter Birk (501145) | answered Mar 09 '10, 9:18 a.m.
JAZZ DEVELOPER
> Thanks,
> Can we use an LDAP user&password when making a client connection?

Yes. You can use the same user/pass (DB or LDAP) that you are able to login to the BF console with. It goes through basically the same flow. If you have multiple LDAP servers, you must specify the domain or it will try using the "default" LDAP domain.

Regards,
Pete

hagai izenberg (2611) | answered Mar 14 '10, 5:15 a.m.
Thanks, it works perfectly, got a few more questions from our security team:

1) regarding the buildforge users - how are the users & password saved in the buildforge database? are they encrypted, and if so using what algorithm? and where is the encryption key saved?
2) about the connection between buildforge and its agents - can we make it use SSL?
3) did you have a chance to find out if there's a way to disable the Services Layer TCP after installation?

Thanks again, your support is much appreciated.

Peter Birk (501145) | answered Mar 14 '10, 11:53 a.m.
JAZZ DEVELOPER
> Thanks, it works perfectly, got a few more questions from our security team:
>
> 1) regarding the buildforge users - how are the users & password saved in the buildforge database? are they encrypted, and if so using what algorithm? and where is the encryption key saved?
> 2) about the connection between buildforge and its agents - can we make it use SSL?
> 3) did you have a chance to find out if there's a way to disable the Services Layer TCP after installation?
>
> Thanks again, your support is much appreciated.



1) If you enable password encryption at the console (Administration -> Security), then passwords will get encrypted with 128-bit AES encryption. See the Build Forge installation documentation for more details. If you do not enable password encryption, then all passwords get stored with an encoding algorithm for obfuscation purposes.

2) Yes, you must use a 7.1.x or later console and agent. With this combination, you can use SSL between engine and agent. You can still use 7.0.2 agents with a 7.1 engine, but just cannot use SSL to those agents. You can have some agents using SSL while others are configured for TCP.

3) If you comment out the #services_tcp_port=3966 property in buildforge.conf, it will cause the port to stay closed. You should do this in two places:
Directory of C:\BuildForge7113.053\Apache\tomcat\webapps\rbf-services\WEB-INF\classes\buildforge.conf
and
C:\BuildForge7113.053\buildforge.conf
After remarking them out with a # and starting the server up, a netstat -a will show 3966 is not started while 49150 is started.

Hope that helps.

Regards,
Pete

hagai izenberg (2611) | answered May 16 '10, 7:24 a.m.
Hi,
I changed the following line to a comment

#services_tcp_port 3966

on both:
D:\Program Files\ibm\Build Forge\Apache\tomcat\webapps\rbf-services\WEB-INF\classes\buildforge.conf
D:\Program Files\ibm\Build Forge\buildforge.conf

But after restarting the server, it still listens on port 3966.
Any suggestions?

Thanks.

Peter Birk (501145) | answered May 17 '10, 12:17 p.m.
JAZZ DEVELOPER
> Hi,
> I changed the following line to a comment
>
> #services_tcp_port 3966
>
> on both:
> D:\Program Files\ibm\Build Forge\Apache\tomcat\webapps\rbf-services\WEB-INF\classes\buildforge.conf
> D:\Program Files\ibm\Build Forge\buildforge.conf
>
> But after restarting the server, it still listens on port 3966.
> Any suggestions?
>
> Thanks.


You do need to change buildforge.conf files as you did, but what really assigns the port is the web.xml for rbf-services. Open the file tomcat/webapps/rbf-services/WEB-INF/web.xml and look for the following stanza:

<servlet>
    <servlet-name>ServicesBootstrap</servlet-name>
    <servlet-class>com.buildforge.services.server.web.BootstrapServlet</servlet-class>
    <init-param>
        <param-name>port</param-name>
        <param-value>3966</param-value>
    </init-param>
    <init-param>
        <param-name>sslPort</param-name>
        <param-value>49150</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
</servlet>

You can change the port and sslPort to whatever you want it to be. However, make sure buildforge.conf matches the values you choose.

Regards,
Pete
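As an added example (not code from this thread or from Build Forge itself), the following Python script audits the two files Pete names: it reads the ServicesBootstrap init-params from web.xml and the services_tcp_port line from buildforge.conf, and reports when the plaintext port has been commented out in buildforge.conf but is still bound by web.xml, which is why the server kept listening on 3966 above. The web.xml and buildforge.conf excerpts are constructed from the values quoted in this thread, and the namespace handling is an assumption about how real web.xml files are declared.

```python
import re, xml.etree.ElementTree as ET
# Constructed sample inputs built from the values quoted in this thread (not real files).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>ServicesBootstrap</servlet-name>
    <servlet-class>com.buildforge.services.server.web.BootstrapServlet</servlet-class>
    <init-param><param-name>port</param-name><param-value>3966</param-value></init-param>
    <init-param><param-name>sslPort</param-name><param-value>49150</param-value></init-param>
    <load-on-startup>0</load-on-startup>
  </servlet>
</web-app>"""
BUILDFORGE_CONF = """# constructed buildforge.conf excerpt: TCP port commented out, as in the thread
#services_tcp_port 3966
"""
def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix like {http://...}

def bootstrap_ports(web_xml_text):
    """Return the init-params of the ServicesBootstrap servlet as {name: value}."""
    root = ET.fromstring(web_xml_text)
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        name = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-name"), "")
        if name.strip() != "ServicesBootstrap":
            continue
        params = {}
        for p in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(x.tag): (x.text or "").strip() for x in p}
            params[kv.get("param-name")] = kv.get("param-value")
        return params
    return {}

def conf_value(conf_text, key):
    """Value of an active 'key=value' or 'key value' line; None if absent or commented out with #."""
    m = re.search(r"^\s*" + re.escape(key) + r"[\s=]+(\S+)", conf_text, re.M)
    return m.group(1) if m else None

def audit(web_xml_text, conf_text):
    """List inconsistencies that leave the plaintext Services Layer port listening."""
    params = bootstrap_ports(web_xml_text)
    tcp_conf = conf_value(conf_text, "services_tcp_port")
    findings = []
    if params.get("port") and tcp_conf is None:
        findings.append(f"web.xml still sets port={params['port']} although services_tcp_port is commented out or absent in buildforge.conf")
    elif tcp_conf is not None and params.get("port") != tcp_conf:
        findings.append(f"port mismatch: web.xml={params.get('port')} buildforge.conf={tcp_conf}")
    if not params.get("sslPort"):
        findings.append("web.xml defines no sslPort for ServicesBootstrap")
    return findings
```

Run `audit()` against the real file contents after editing; an empty list means web.xml and buildforge.conf agree, and a netstat as Pete describes remains the final check that 3966 is no longer bound.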

hagai izenberg (2611) | answered May 20 '10, 6:33 a.m.
What you're saying is that I can only change the port number or is there a way to disable it?
