Setup Rundeck with SSL

In this blog post I will describe the steps needed to configure Rundeck to use SSL. I go through requesting a certificate from a Microsoft CA and exporting it to a Linux Rundeck server, then importing the certificates into a Java keystore, and finally the configuration needed to get Rundeck working with SSL.

STEP 1. Request a certificate
Open mmc.exe > Add/Remove Snap-in > Certificates > Local Computer

STEP 2. Click Next

STEP 3. Configure the CN (common name) and Subject Alternative names.

STEP 4. Mark private key as exportable

STEP 5. Select Enroll

STEP 6. Export the certificate

STEP 7. Export private key

STEP 8. Export the certificate and private key in PKCS #12 format

STEP 9. Set private key password

STEP 10. Export the Certificate Authority's certificate.
This certificate will be placed in the trusted CA Java keystore. Do not export the private key for the CA; export the CA certificate in DER format.

STEP 10. SFTP the certificate to your Linux Rundeck Server
I placed the rundeck.pfx file in /etc/rundeck/ssl
Also place the ca.cer file in /etc/rundeck/ssl

STEP 11. Create a keystore for the rundeck.pfx certificate
Create a Java keystore to hold the new Rundeck certificate.

keytool -keystore /etc/rundeck/ssl/keystore -alias rundeck -genkey -keyalg RSA -keypass password -storepass password

STEP 12. Retrieve the alias from the PKCS #12 file
Save the alias ID; you will need it in the next step.

keytool -v -list -storetype pkcs12 -keystore /etc/rundeck/ssl/rundeck.pfx


STEP 13. Import the Certificate and Private Key into the Java keystore
Use the alias ID from the previous command as both the source alias and the destination alias.

keytool -importkeystore -deststorepass password -destkeypass password -destkeystore /etc/rundeck/ssl/keystore -srckeystore /etc/rundeck/ssl/rundeck.pfx -srcstoretype PKCS12 -srcstorepass password -srcalias le-webserver-e8683358-23d9-4477-a6c8-21cc2c400c10 -alias le-webserver-e8683358-23d9-4477-a6c8-21cc2c400c10

STEP 14. Create a keystore for the ca.cer certificate authority

keytool -keystore /etc/rundeck/ssl/ca -alias rundeck -genkey -keyalg RSA -keypass password -storepass password

STEP 15. Add the CA cert to the CA keystore

keytool -import -alias ca -file /etc/rundeck/ssl/lab-ca-der.cer -keystore /etc/rundeck/ssl/ca -storepass password
Trust this certificate? [no]:  yes
Certificate was added to keystore

STEP 16. Review of previous steps
a. Requested and received a certificate from the Microsoft CA
b. Exported the CA's certificate
c. Created a Java keystore for our Rundeck certificate
d. Created a Java keystore for our CA certificate

STEP 17. Configure Rundeck /etc/rundeck/etc/ssl.properties
Configure the paths to the certificate keystore and the CA keystore you created earlier.

keystore=/etc/rundeck/ssl/keystore
keystore.password=password
key.password=password
truststore=/etc/rundeck/ssl/ca
truststore.password=password

STEP 18. Configure /etc/rundeck/profile
Add the following options to the Rundeck JVM

export RDECK_JVM="
        -Drundeck.ssl.config=/etc/rundeck/ssl/ssl.properties \
        -Dserver.https.port=${RDECK_HTTPS_PORT}"

STEP 19. Configure /etc/rundeck/rundeck-config.properties
Update the property below to use https and port 4443

grails.serverURL=https://rundeck.lab.net:4443

STEP 20. Configure /etc/rundeck/framework.properties
Set the port to 4443 and update the URL to use https

framework.server.port = 4443
framework.server.url = https://rundeck.lab.net:4443

At this point you should be able to hit https://rundeck:4443 and make a secure connection.
For troubleshooting, look at /var/log/rundeck/service.log.
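
Because ssl.properties keeps the keystore passwords in clear text and /etc/rundeck/ssl holds the private key, it is worth auditing those files once the steps above are done. The script below is an added example, not part of the original post; the function names and the policy it enforces (no world-readable secrets, no world-writable stores, no leftover .pfx next to the keystore) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the files from STEPs 10-17.
# Assumed policy: files holding the private key or its passwords must not be
# readable by "other"; no audited file may be writable by "other".

# prop FILE KEY: print the value of KEY from a Java .properties file
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# has_perm FILE MODE: true if all permission bits in MODE are set on FILE
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# check_file FILE SECRET(yes|no): print findings, return 1 if there are any
check_file() {
    if [ ! -f "$1" ]; then echo "MISSING $1"; return 1; fi
    rc=0
    if has_perm "$1" 002; then echo "WORLD-WRITABLE $1"; rc=1; fi
    if [ "$2" = yes ] && has_perm "$1" 004; then echo "WORLD-READABLE $1"; rc=1; fi
    return "$rc"
}

# audit_ssl_props FILE: audit ssl.properties and the stores it points to;
# returns the number of failed checks (0 = clean)
audit_ssl_props() {
    props=$1; bad=0
    ks=$(prop "$props" keystore 2>/dev/null)
    ts=$(prop "$props" truststore 2>/dev/null)
    check_file "$props" yes || bad=$((bad + 1))
    check_file "${ks:-<keystore unset>}" yes || bad=$((bad + 1))
    check_file "${ts:-<truststore unset>}" no || bad=$((bad + 1))
    # The PKCS #12 export copied over earlier still contains the private key.
    for p in "$(dirname "${ks:-/nonexistent/x}")"/*.pfx; do
        if [ -f "$p" ]; then echo "LEFTOVER-PKCS12 $p"; bad=$((bad + 1)); fi
    done
    return "$bad"
}

# Usage (after sourcing this file):
#   audit_ssl_props /etc/rundeck/ssl/ssl.properties
```

A MISSING finding for the keystore or truststore also catches a path in ssl.properties that does not match where the stores were actually created.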


3 thoughts on “Setup Rundeck with SSL”

  1. I think all you would have to do is import the self-signed certificate into your keystore and when prompted to trust the certificate select yes. Then configure your ssl.properties to point at the same keystore for both the truststore and keystore=
