Active Directory plugin warning: TLS is not correctly configured

Andreas Goeb

Jan 29, 2019, 5:17:12 PM
to jenkins...@googlegroups.com
Dear fellow Jenkins users,

I came across an issue today that I just cannot figure out myself. I hope this is the correct place to ask for help.

*Problem:*

After some connection issues with Active Directory and following reconfiguration, Jenkins now shows the warning "TLS is not correctly configured on Active Directory plugin.Please, change to a more secured option;"

*Environment:*

When the issue occurred for the first time this morning, I was using Jenkins 2.150.2 with Active Directory plugin 2.11 and the following settings

- StartTLS: true
- TRUST_ALL_CERTIFICATES

*What I did so far:*

I thought the reason for the warning might be the TRUST_ALL_CERTIFICATES option, so I tried to disable it. However, it is not shown in the Global Security settings anymore, nor is it contained in the settings.xml file. So, I followed the plugin's documentation wiki page and performed the following steps for proper TLS/LDAPS configuration:

- set the hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps=true system property
- change the domain controller port in the plugin’s settings to 3269
- copy the JVM’s "cacerts" trust store and import the server certificate into the copy
- set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties to point to the copy
- configure a custom logger for ActiveDirectorySecurityRealm and log level FINER

The log now shows successful LDAPS connections over port 3269, and users can log in. However, the warning about insecure TLS configuration is still shown.

Does any of you know what the reason for the warning may be and which configuration I might still have to change?

Thanks a lot,
Andreas
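
Added example, not part of the post above or of the plugin's documentation: the trust store steps from the list, written as a POSIX shell script. The paths passed in, the `ad-ldaps` alias and the `changeit` password are assumptions.

```shell
#!/bin/sh
# Added example: trust store setup for LDAPS, following the steps in the post.
# Assumed, not from the thread: the paths passed in, the alias "ad-ldaps",
# and "changeit" as the trust store password.

# Copy the JVM's cacerts and import the server certificate into the copy.
# $1 = JVM cacerts file, $2 = path for the copy, $3 = certificate file
build_truststore() {
    src=$1; dst=$2; cert=$3; pass=${4:-changeit}
    cp "$src" "$dst" || return 1
    keytool -importcert -noprompt -alias ad-ldaps \
        -file "$cert" -keystore "$dst" -storepass "$pass" || return 1
    # Confirm the entry is really in the copy before Jenkins is pointed at it.
    keytool -list -alias ad-ldaps -keystore "$dst" -storepass "$pass" >/dev/null
}

# Print the JVM options from the post for a given trust store copy.
# Fails if the file is missing or unreadable, so a typo in the path is caught
# here rather than as a certificate error at login time.
jenkins_ldaps_opts() {
    store=$1; pass=${2:-changeit}
    if [ ! -r "$store" ]; then
        echo "trust store not readable: $store" >&2
        return 1
    fi
    printf '%s %s %s\n' \
        "-Dhudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps=true" \
        "-Djavax.net.ssl.trustStore=$store" \
        "-Djavax.net.ssl.trustStorePassword=$pass"
}

# Usage: sh ldaps-truststore.sh <jvm-cacerts> <copy> <server-cert>
if [ "$#" -eq 3 ]; then
    build_truststore "$1" "$2" "$3" && jenkins_ldaps_opts "$2"
fi
```

The domain controller port (3269 in the post) is still set in the plugin's settings, not by this script.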

wfoll...@cloudbees.com

Feb 8, 2019, 3:58:03 AM
to Jenkins Users
Hello Andreas,

Thank you for the report on such an issue. I created https://issues.jenkins-ci.org/browse/JENKINS-56047 for you. Normally, for a bug or weird behavior, you can just create a ticket in the JENKINS project.

We will try to provide a correction ASAP.

Wadeck

Brian Ray

Mar 24, 2019, 12:36:57 PM
to Jenkins Users
Regarding the TRUST_ALL_CERTIFICATES option disappearing from the Global Security settings: If your master is on Windows you might have run into JENKINS-56224. We did so on a recent upgrade from AD ~2.10 to AD 2.12. Though the underlying setting was still present in the settings file.