how to configure jnlp slaves with https and form based authentication


Vach, Matthias

Sep 6, 2011, 5:01:45 AM
to jenkins...@googlegroups.com
Hi all,
we do have a problem with our Jenkins landscape.
 
Here is our landscape setup:
--- Master ---
- Jenkins master configured on tomcat6/linux.
- The security realm is “Delegate to servlet container”
- Anonymous does not have any permission configured in “Matrix-based security”
- All HTTP(8080) requests are forwarded to HTTPS(8443) inside tomcat.
- Tomcat is configured to use client cert authentication with fallback to form based authentication
- The Jenkins URL is configured to: https://veldivalidate.wdf.sap.corp:8443/hudson/
 
--- Slave ---
- Jenkins slave running on Windows
- The slave is installed using JNLP and converted to a Windows Service
- The slave's runtime JDK contains the required CA certificate to communicate via https with the master
 
Now to the problem:
The slave needs to use form based authentication over https to connect to the Master but that communication fails if we install the service.
We install the JNLP client by triggering the “Launch agent from browser on slave”-Button via Hudson Web-UI.
That slave can be used as long as we don’t convert it to a Windows Service. As soon as we do the conversion, the slave fails to connect to the master.
 
The jenkins-slave.xml contains
----------------------------------------------
<executable>C:\Program Files\Java\jdk1.6.0_27\jre\bin\java.exe</executable>
  <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://veldivalidate.wdf.sap.corp:8443/hudson/computer/veldivals002w/slave-agent.jnlp -jnlpCredentials usr:pw -auth usr:pw</arguments>
----------------------------------------------
 
The jenkins-slave-err.log contains
----------------------------------------------
java.io.IOException: Failed to load https://veldivalidate.wdf.sap.corp:8443/hudson/computer/veldivals002w/slave-agent.jnlp: 500 Internal Server Error
        at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
        at hudson.remoting.Launcher.run(Launcher.java:190)
        at hudson.remoting.Launcher.main(Launcher.java:166)
Waiting 10 seconds before retry
----------------------------------------------
 
Thanks for any help
Regards Matthias
 

Vach, Matthias

Sep 7, 2011, 5:21:33 AM
to jenkins...@googlegroups.com

Does no one have any idea?

Mykola Nikishov

Sep 7, 2011, 7:22:18 AM
to jenkins...@googlegroups.com
On 09/07/2011 12:21 PM, Vach, Matthias wrote:
>
> Does no one have any idea?
>
> The jenkins-slave-err.log contains
> ----------------------------------------------
> java.io.IOException: Failed to load https://veldivalidate.wdf.sap.corp:8443/hudson/computer/veldivals002w/slave-agent.jnlp: 500 Internal Server Error
>         at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
>         at hudson.remoting.Launcher.run(Launcher.java:190)
>         at hudson.remoting.Launcher.main(Launcher.java:166)
> Waiting 10 seconds before retry
> ----------------------------------------------
>
500 while trying to get JNLP file from the master and only when running as a service.

But I don't see any logs from the master, only slave ones.

Vach, Matthias

Sep 7, 2011, 7:39:28 AM
to jenkins...@googlegroups.com

which server log should contain information about the 500? Catalina.out?

which log level can I increase on server to get more details?

Mykola Nikishov

Sep 7, 2011, 9:06:53 AM
to jenkins...@googlegroups.com
On 09/07/2011 02:39 PM, Vach, Matthias wrote:
>
> which server log should contain information about the 500? Catalina.out?
>
Yes, catalina.out should contain a stacktrace for 500.

>
> which log level can I increase on server to get more details?
>
In this case you don't have to increase log verbosity, 500 is serious
enough to be logged.

Vach, Matthias

Sep 19, 2011, 10:07:21 AM
to jenkins...@googlegroups.com
Hi,
sorry for the late response.
I didn't have time during the last two weeks to take care of the issue.


In the Tomcat log I do find the following exception occurring every 10 seconds, which is exactly the slave polling interval:
----
SEVERE: Servlet.service() for servlet Stapler threw exception
hudson.security.AccessDeniedException2: anonymous is missing the Read permission
----

In fact anonymous is missing any permissions because I need to enforce client cert login.

How can I set the user which is used for the jnlp client connect?
My jenkins-slave.xml looks like:

<service>
<id>jenkinsslave-c__tmp</id>
<name>Jenkins Slave</name>
<description>This service runs a slave for Jenkins continuous integration system.</description>
<executable>C:\Program Files (x86)\Java\jdk1.6.0_21\jre\bin\java.exe</executable>
<arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://veldivalidate.wdf.sap.corp:8443/hudson/computer/d044133/slave-agent.jnlp -jnlpCredentials user:pw -auth user:pw</arguments>
<logmode>rotate</logmode>
</service>


Best Regards Matthias
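
The log check described in the message above, as an added example that is not part of the original thread: it extracts the principal each `AccessDeniedException2` was raised for and tests whether the denials for `anonymous` recur at the slave's 10-second retry interval, which shows the agent's requests reaching Jenkins without an authenticated user. The timestamps, the `builder` entry and the Tomcat header lines (assumed to be in Tomcat 6's default java.util.logging layout) are constructed sample data.

```python
import re
from datetime import datetime

# Constructed sample; only the SEVERE line and the "anonymous" exception
# line are taken from the thread. Header-line layout is an assumption.
SAMPLE_CATALINA_OUT = """\
Sep 19, 2011 10:07:01 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet Stapler threw exception
hudson.security.AccessDeniedException2: anonymous is missing the Read permission
Sep 19, 2011 10:07:11 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet Stapler threw exception
hudson.security.AccessDeniedException2: anonymous is missing the Read permission
Sep 19, 2011 10:07:15 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet Stapler threw exception
hudson.security.AccessDeniedException2: builder is missing the Configure permission
Sep 19, 2011 10:07:21 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet Stapler threw exception
hudson.security.AccessDeniedException2: anonymous is missing the Read permission
"""

STAMP = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) ")
DENIED = re.compile(r"AccessDeniedException2: (\S+) is missing the (\S+) permission")


def denials(log_text):
    """Yield (timestamp, principal, permission) for each access denial."""
    stamp = None
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if m:  # header line: remember its timestamp for the record that follows
            stamp = datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p")
            continue
        m = DENIED.search(line)
        if m and stamp is not None:
            yield stamp, m.group(1), m.group(2)


def retry_pattern(log_text, principal="anonymous", retry_seconds=10, tolerance=1):
    """Return (denial count, True if every gap matches the retry interval)."""
    times = [t for t, who, _ in denials(log_text) if who == principal]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    periodic = bool(gaps) and all(abs(g - retry_seconds) <= tolerance for g in gaps)
    return len(times), periodic


if __name__ == "__main__":
    count, periodic = retry_pattern(SAMPLE_CATALINA_OUT)
    print(f"anonymous denials: {count}, at the 10 s retry interval: {periodic}")
```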



Vach, Matthias

Sep 20, 2011, 6:13:36 AM
to jenkins...@googlegroups.com
Hi again,
does someone have an idea how to set the user which is used for the jnlp client connect?
Or is that a bug?