Setup Rundeck with SSL

In this blog post I describe the steps needed to configure Rundeck to use SSL. I go through requesting a certificate from a Microsoft CA and exporting it, together with the CA certificate, to a Linux Rundeck server; then importing the certificates into Java keystores; and finally the configuration changes needed to get Rundeck serving HTTPS.

STEP 1. Request a certificate
Open mmc.exe > Add/Remove Snap-in > Certificates > Local computer.

STEP 2. Click Next

STEP 3. Configure the CN (common name) and Subject Alternative names.

STEP 4. Mark private key as exportable

STEP 5. Select Enroll

STEP 6. Export the certificate

STEP 7. Export private key

STEP 8. Export the certificate and private key in PKCS #12 format

STEP 9. Set private key password

STEP 10. Export the Certificate Authority's certificate.
This certificate will be placed in the trusted CA Java keystore. Do not export the CA's private key; export only the CA certificate, in DER format.

STEP 10. SFTP the certificate to your Linux Rundeck Server
I placed the rundeck.pfx file in /etc/rundeck/ssl
Also place the ca.cer file in /etc/rundeck/ssl

STEP 11. Create a keystore for the rundeck.pfx certificate
Create a Java keystore to hold the new Rundeck certificate. The -genkey below generates a placeholder key pair under the alias "rundeck" only so that the keystore file exists; the real key and certificate are imported from the PKCS #12 file in STEP 13.

keytool -keystore /etc/rundeck/ssl/keystore -alias rundeck -genkey -keyalg RSA -keypass password -storepass password

STEP 12. Retrieve the alias from the PKCS #12 file
Note the alias name (the "Alias name:" line in the output); you will need it for the next step.

keytool -v -list -storetype pkcs12 -keystore /etc/rundeck/ssl/rundeck.pfx


STEP 13. Import the Certificate and Private Key into the Java keystore
Use the alias id from the previous command as the source alias and destination alias.

keytool -importkeystore -deststorepass password -destkeypass password -destkeystore /etc/rundeck/ssl/keystore -srckeystore /etc/rundeck/ssl/rundeck.pfx -srcstoretype PKCS12 -srcstorepass password -srcalias le-webserver-e8683358-23d9-4477-a6c8-21cc2c400c10 -alias le-webserver-e8683358-23d9-4477-a6c8-21cc2c400c10

STEP 14. Create a keystore for the ca.cer certificate authority

keytool -keystore /etc/rundeck/ssl/ca -alias rundeck -genkey -keyalg RSA -keypass password -storepass password

STEP 15. Add the CA cert to the CA keystore

keytool -import -alias ca -file /etc/rundeck/ssl/lab-ca-der.cer -keystore /etc/rundeck/ssl/ca -storepass password
Trust this certificate? [no]:  yes
Certificate was added to keystore
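The keytool sequence in STEPS 12 to 15 can be scripted so that the auto-generated PKCS #12 alias is read from the listing instead of being copied by hand, and so that the keystore passwords never appear on the command line. The script below is an added example and is not part of the original post: it assumes keytool is on PATH, that rundeck.pfx and ca.cer sit in /etc/rundeck/ssl as above, and that the PKCS #12 and keystore passwords are supplied in the environment variables PFX_PASS and STORE_PASS (keytool's :env modifier reads them from there, which keeps them out of shell history and ps output). The function names and the RUN_IMPORT guard are my own.

```shell
#!/bin/sh
# Added example (not from the original post): automates STEP 12 to 15.
# Assumptions: keytool is on PATH, the PKCS#12 export and the DER CA
# certificate are already in $SSL_DIR, and the passwords are supplied in
# the environment variables PFX_PASS and STORE_PASS so keytool reads them
# through its ":env" modifier instead of the command line.

SSL_DIR="${SSL_DIR:-/etc/rundeck/ssl}"
PFX="${PFX:-$SSL_DIR/rundeck.pfx}"
CA_CER="${CA_CER:-$SSL_DIR/ca.cer}"
KEYSTORE="$SSL_DIR/keystore"
TRUSTSTORE="$SSL_DIR/ca"

# STEP 12: pull the alias name(s) out of a `keytool -v -list` listing read
# from stdin; prints one alias per line.
pkcs12_aliases() {
    sed -n 's/^Alias name: //p'
}

# A Windows PKCS#12 export carries one auto-generated alias (the long
# "le-webserver-..." string in the post). Insist on exactly one so the
# wrong entry is never imported silently.
pick_alias() {
    aliases=$(cat)
    n=$(printf '%s\n' "$aliases" | grep -c . || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one alias in $PFX, found $n" >&2
        return 1
    fi
    printf '%s\n' "$aliases"
}

# STEP 13: copy the key+certificate entry into the Rundeck keystore.
# -importkeystore creates the destination file when it does not exist, so
# the placeholder -genkey keystore from STEP 11 is not required here.
import_pfx() {
    alias=$(keytool -v -list -storetype pkcs12 -keystore "$PFX" \
                -storepass:env PFX_PASS | pkcs12_aliases | pick_alias) || return 1
    keytool -importkeystore -noprompt \
        -srckeystore "$PFX" -srcstoretype PKCS12 -srcstorepass:env PFX_PASS \
        -srcalias "$alias" -destalias "$alias" \
        -destkeystore "$KEYSTORE" -deststoretype JKS \
        -deststorepass:env STORE_PASS -destkeypass:env STORE_PASS
}

# STEP 15: add the CA certificate to the separate trust keystore;
# -noprompt answers the "Trust this certificate?" question.
import_ca() {
    keytool -importcert -noprompt -alias ca -file "$CA_CER" \
        -keystore "$TRUSTSTORE" -storepass:env STORE_PASS
}

# Show what ended up in each store so the result can be checked.
list_stores() {
    keytool -list -keystore "$KEYSTORE" -storepass:env STORE_PASS
    keytool -list -keystore "$TRUSTSTORE" -storepass:env STORE_PASS
}

# Only touch the real keystores when explicitly asked, e.g.
#   PFX_PASS=... STORE_PASS=... RUN_IMPORT=1 sh rundeck-ssl-import.sh
if [ "${RUN_IMPORT:-0}" = 1 ]; then
    export PFX_PASS STORE_PASS
    umask 077                       # new files readable by owner only
    import_pfx && import_ca && chown rundeck:rundeck "$KEYSTORE" "$TRUSTSTORE" && list_stores
fi
```

The parsing functions can be exercised on their own by piping a saved keytool listing into them; the import only runs with RUN_IMPORT=1. Because -importkeystore and -importcert both create their target keystore on demand, the throwaway -genkey keystores from STEP 11 and STEP 14 are unnecessary when this script is used.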

STEP 16. Review of previous steps
At this point we should have:
a. Requested and received a certificate from the Microsoft CA
b. Exported the CA's certificate
c. Created a Java keystore for our Rundeck certificate
d. Created a Java keystore for our CA certificate

STEP 17. Configure Rundeck /etc/rundeck/etc/
Configure the path to the certificate keystore and CA keystore you created earlier


STEP 18. Configure /etc/rundeck/profile
Add the following options to the Rundeck JVM.

export RDECK_JVM="
        -Drundeck.ssl.config=/etc/rundeck/ssl/ \

STEP 19. Configure /etc/rundeck/
Update the property below with https and 4443


STEP 20. Configure /etc/rundeck/
Configure the appropriate port 4443 and update the url https

framework.server.port = 4443
framework.server.url =

At this point you should be able to browse to https://rundeck:4443 and make a secure connection.
For troubleshooting, look at /var/log/rundeck/service.log.


Configure Rundeck to use Active Directory Authentication

This guide was written using the Rundeck 2.4.2 RPM installed on CentOS 6.5. I go over the steps needed to set up Active Directory authentication in Rundeck.

STEP 1. Create Active Directory group

In Active Directory create a new group named “rundeckusers.” Then add your users to that AD group.

STEP 2. Create jaas-activedirectory.conf file

touch /etc/rundeck/jaas-activedirectory.conf
chown rundeck:rundeck /etc/rundeck/jaas-activedirectory.conf

Enter the following configuration settings into your jaas-activedirectory.conf file. You will need to configure the username and password of the account that binds to Active Directory. You will also need to configure the userBaseDn, the OU under which recursive searches for users are performed, and the roleBaseDn, the OU that contains your Rundeck AD user group (“rundeckusers” from STEP 1).

activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required

STEP 3. Modify /etc/rundeck/profile

You’ll need to configure or modify two lines: add the path to the jaas-activedirectory.conf file and the login module name, “activedirectory.” The login module name is the same as the name used in the jaas-activedirectory.conf file.

export RDECK_JVM=" \"

STEP 4. Create file /etc/rundeck/rundeckusers.aclpolicy
Add the ACL policy below for the admin in Rundeck. The group field should be the Active Directory user group “rundeckusers.” All users in that AD group will have admin access in Rundeck.

touch /etc/rundeck/rundeckusers.aclpolicy
chown rundeck:rundeck /etc/rundeck/rundeckusers.aclpolicy

description: Admin project level access control. Applies to resources within a specific project.
context:
  project: '.*' # all projects
for:
  resource:
    - equals:
        kind: job
      allow: [create] # allow create jobs
    - equals:
        kind: node
      allow: [read,create,update,refresh] # allow refresh node sources
    - equals:
        kind: event
      allow: [read,create] # allow read/create events
  adhoc:
    - allow: [read,run,runAs,kill,killAs] # allow running/killing adhoc jobs
  job:
    - allow: [create,read,update,delete,run,runAs,kill,killAs] # allow create/read/write/delete/run/kill of all jobs
  node:
    - allow: [read,run] # allow read/run for nodes
by:
  group: [rundeckusers]

---

description: Admin Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [create] # allow create of projects
    - equals:
        kind: system
      allow: [read] # allow read of system info
    - equals:
        kind: user
      allow: [admin] # allow modify user profiles
  project:
    - match:
        name: '.*'
      allow: [read,import,export,configure,delete] # allow full access of all projects or use 'admin'
  storage:
    - allow: [read,create,update,delete] # allow access for /ssh-key/* storage content
by:
  group: [rundeckusers]

STEP 5. Configure Secure LDAP
Import the CA certificate that was used to set up Secure LDAP on the Active Directory domain controller. To secure the LDAP connection between the Rundeck server and the AD domain controller, it is recommended to import and trust the CA used on the domain controller in the JVM's trust store, then configure the jaas-activedirectory.conf file to use ldaps.

keytool -import -alias -file /root/CA.pem -keystore /usr/lib/jvm/java-1.7.0-openjdk- -storepass changeit
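Before adding the domain controller's CA to the JVM trust store, it is worth confirming that the certificate the DC actually presents on port 636 chains to that CA, and locating cacerts from the java binary the service runs rather than typing the versioned OpenJDK path. The script below is an added example and is not part of the original post; it assumes openssl and keytool are on PATH, that the CA is at /root/CA.pem as above, that the domain controller host name is passed in DC (dc01.example.test is a constructed placeholder), and that the trust store password is the OpenJDK default changeit unless TRUSTSTORE_PASS overrides it. The alias ad-lab-ca and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify the DC's LDAPS chain
# against the CA file before trusting it, then import the CA into the
# truststore of the JVM that runs Rundeck. Assumptions: openssl and keytool
# are on PATH; DC and CA_PEM are set by the caller; TRUSTSTORE_PASS defaults
# to the OpenJDK default.

DC="${DC:-dc01.example.test}"          # constructed placeholder host name
CA_PEM="${CA_PEM:-/root/CA.pem}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"
export TRUSTSTORE_PASS

# Derive the JVM home from the resolved path of the java binary.
jvm_home() {
    printf '%s\n' "${1%/bin/java}"
}

# cacerts is under lib/security for a JRE 7/8 or a JDK 9+ home, and under
# jre/lib/security for a JDK 7/8 home; try both.
jvm_cacerts() {
    home=$(jvm_home "$1")
    for c in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts"; do
        if [ -f "$c" ]; then printf '%s\n' "$c"; return 0; fi
    done
    echo "no cacerts under $home" >&2
    return 1
}

# Read `openssl s_client` output on stdin; succeed only when the server
# chain verified cleanly against the supplied CA file.
verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Connect to LDAPS (636) on the DC and verify its certificate against CA_PEM.
check_ldaps() {
    openssl s_client -connect "$DC:636" -servername "$DC" -CAfile "$CA_PEM" \
        </dev/null 2>/dev/null | verify_ok
}

# Import the CA into the JVM's default trust store, which is the store the
# post imports into for the ldaps:// connection.
import_ca_into_jvm() {
    cacerts=$(jvm_cacerts "$(readlink -f "$(command -v java)")") || return 1
    keytool -importcert -noprompt -trustcacerts -alias ad-lab-ca \
        -file "$CA_PEM" -keystore "$cacerts" -storepass:env TRUSTSTORE_PASS
}

# Only modify the trust store when explicitly asked:
#   DC=dc01.example.test RUN_IMPORT=1 sh ldaps-trust.sh
if [ "${RUN_IMPORT:-0}" = 1 ]; then
    if check_ldaps; then
        echo "LDAPS chain for $DC verifies against $CA_PEM"
        import_ca_into_jvm
    else
        echo "refusing to import: certificate from $DC does not chain to $CA_PEM" >&2
        exit 1
    fi
fi
```

Refusing the import when the chain does not verify catches the common case of the DC serving a certificate from a different (or renewed) CA than the one you were handed. Note that a JDK package upgrade can replace cacerts, so the import may need to be repeated afterwards.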

Copy VM between two ESXi servers, without shared storage

The VMware ovftool can be used to copy a VM between two ESXi servers that are not connected via shared storage. This comes in handy in a home lab environment. In the example below I am copying the VM “WIN10” to another ESXi host on my home network.

[root@mysql04p ~] ovftool -ds=datastore1 vi://root@ vi://root@

Enter login information for source vi://
Username: root
Password: ********
Opening VI source: vi://root@
Enter login information for target vi://
Username: root
Password: ********
Opening VI target: vi://root@
Deploying to VI: vi://root@
Transfer Completed
Completed successfully
[root@mysql04p ~]

In my home lab I’m not running a full VMware vSphere cluster. The free version of ESXi does not offer the clone feature. When testing various applications I often run into the requirement to clone VMs on the same ESXi host. This can easily be accomplished with ovftool. Below I clone the VM “KVM01” to “KVM01v2.”

[root@mysql04p ~] ovftool -ds=datastore1 --name=KVM01v2 --diskMode=thin vi://root@ vi://root@

Enter login information for source vi://
Username: root
Password: ********
Opening VI source: vi://root@
Enter login information for target vi://
Username: root
Password: ********
Opening VI target: vi://root@
Deploying to VI: vi://root@