Friday, August 31, 2012

Run Jenkins on Tomcat with SSL

At work I recently got the task of getting Jenkins up and running on Tomcat and set it up in such a way that requests were exclusively served via SSL. Since it took a bit of googling to get this done I decided to document the instructions should anyone need to do the same. Here they are:

  • Download and install the latest version of Tomcat.  
  • Download the latest Jenkins WAR file and extract it to [Tomcat home]/webapps/ROOT.
    • Note: this is assuming the only web application you will be running on Tomcat is Jenkins.  If you are planning to use Tomcat to run multiple web applications you will need to create server.xml host configurations for each one.
  • If you haven't already, download and install the latest version of Java
  • If you are not planning to run SSL, all you should have to do at this point is start Tomcat (via [Tomcat home]/bin/Tomcat7w.exe or the service menu on Windows, or [Tomcat home]/bin/ on Linux/Unix)
  • To get SSL working you will need an SSL certificate.  You can get an official certificate through Verisign or Thawty.  In this example we will be using a free self-signed certificate, generated with the keytool that comes with Java.
  • Run: [Java home]/bin/keytool genkey -alias tomcat -keyalg RSA -keystore [tomcat home]/.keystore -validity [desired number days the certificate should be valid for]
    E.g.: "C:\Program Files\Java\jdk1.7.0_05\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore C:\Tomcat\.keystore -validity 365
  • Provide a password for the keystore and answer questions about your organization.  When asked for key password just hit enter.  This should create one certificate in the keystore located at  C:\Tomcat\.keystore.
  • Edit [Tomcat home]/conf/server.xml and html-uncomment the following text:
  • <!--     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" />
  • Furthermore add to it the following two attributes:  keystoreFile="C:\Tomcat\.keystore" keystorePass="YourPassword"  (inputing values that match your setup) and change the port value to 443.
  • To redirect all http traffic to https change the line:
  • <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    over to:
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
  • That's it.  You should now be able to start Tomcat (seet bullet #4) and view Jenkins on http://localhost (which should autoredirect you to https://localhost) or use your actual hostname.