SAP-archive / devops-cm-client

Simple command line interface to handle basic change management related actions via ODATA requests.
Apache License 2.0

SSL handshake in Jenkins #28

Closed mar-hol closed 5 years ago

mar-hol commented 5 years ago

Running the devops-cm-client in jenkins, we're facing connection issues with SSL handshake.

When running a trial command in jenkins, we can't establish the connection:

```
+ mkdir -p /var/apphome/xxxxx/.jenkins/workspace/CI_Fiori_ABAPBackend_master_Transportauftrag/tmp
+ cp -R /var/apphome/<...>/dist.cli/ /var/apphome/xxxxx/.jenkins/workspace/CI_Fiori_ABAPBackend_master_Transportauftrag/tmp/dist.cli/
+ /var/apphome/xxxxx/.jenkins/workspace/CI_Fiori_ABAPBackend_master_Transportauftrag/tmp/dist.cli/bin/cmclient -t SOLMAN -e https://xxxxxx/sap/opu/odata/sap/AI_CRM_GW_CM_CI_SRV/ -u xxxx -p [xxxxx] is-change-in-development -cID xxxxxxx879
```

```
Exception in thread "main" org.apache.olingo.client.api.http.HttpClientException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.apache.olingo.client.core.communication.request.AbstractODataRequest.doExecute(AbstractODataRequest.java:303)
	at org.apache.olingo.client.core.communication.request.retrieve.ODataEntityRequestImpl.execute(ODataEntityRequestImpl.java:57)
	at org.apache.olingo.client.core.communication.request.retrieve.ODataEntityRequestImpl.execute(ODataEntityRequestImpl.java:37)
	at sap.ai.st.cm.plugins.ciintegration.odataclient.CMODataSolmanClient.getChange(CMODataSolmanClient.java:101)
	at sap.prd.cmintegration.cli.GetChangeStatus.execute(GetChangeStatus.java:60)
	at sap.prd.cmintegration.cli.GetChangeStatus.main(GetChangeStatus.java:91)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at sap.prd.cmintegration.cli.Commands.main(Commands.java:312)
	at sap.prd.cmintegration.cli.ExitWrapper.main(ExitWrapper.java:15)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

Running the same command directly with users cli, the connection works. We export the variables before the call through JAVA_OPTS:

```
export 'JAVA_OPTS= -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Djavax.net.ssl.trustStore=/var/apphome/xxxx/conf/keystore/trustStore.jks -Djavax.net.ssl.trustStorePassword=…'
```

Question: What does the devops_cm_client expect? Is it possible to adapt the call in a way to directly set the truststore or set the loglevel to debug?

Thanks

radsoulbeard commented 5 years ago

Hello, thanks for your questions. To provide general Java options via JAVA_OPTS is the common way. If you need special JVM options for the cmclient, you can set the environment variable CMCLIENT_OPTS. Have you checked your environment in Jenkins if you pass the same JAVA_OPTS? And if you are able to use Jenkins Pipelines, we recommend using our Jenkins library https://github.com/SAP/jenkins-library where we have already implemented the steps and you just need to configure them.

Best regards !

mar-hol commented 5 years ago

Hi,

thanks for the feedback. I'll check again our response with our jenkins-admins.

We're aware of project Piper, but currently our jenkins does not have the required version. (But it will be updated soon and then use the jenkins-pipelines delivered by piper.)

Best regards

mar-hol commented 5 years ago

Hello,

thanks for the hint with the CMCLIENT_OPTS environment variable. Using CMCLIENT_OPTS in our Jenkins, we're able to pass the environment-specific parameters (e.g. truststore-location, ...).

Best regards!

noellowry commented 4 years ago

@mar-hol wondering how you solved this? I face the same issue in my piper pipeline. I have tried to add certs to image but it still fails. Would be great to see how someone might have already solved the issue :)

mar-hol commented 4 years ago

@noellowry we had the issue with the trust store when calling the devops-client directly in jenkins (not using piper). Setting the env. variable CMCLIENT_OPTS to the trust store, we were able to call the SolMan system, e.g. to check if a change is in development.
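
The fix described in this thread, as an added example that is not part of the thread and not code from the devops-cm-client project: a shell helper for a Jenkins "Execute shell" step that validates the trust store before building `CMCLIENT_OPTS`, and can switch on JSSE handshake tracing. `TRUSTSTORE_PASSWORD` and `CMCLIENT_SSL_DEBUG` are hypothetical variable names, and the example assumes the launcher word-splits `CMCLIENT_OPTS`.

```shell
#!/bin/sh
# Added example; TRUSTSTORE_PASSWORD and CMCLIENT_SSL_DEBUG are hypothetical names.

# Print the JVM options to export as CMCLIENT_OPTS.
# Returns non-zero (and prints nothing on stdout) if the trust store is unusable.
build_cmclient_opts() {
    ts=$1
    if [ -z "$ts" ]; then
        echo "trust store path not set" >&2
        return 2
    fi
    case $ts in
        *" "*)
            # Assumption: CMCLIENT_OPTS is word-split by the launcher script,
            # so a path containing spaces would be torn into separate arguments.
            echo "trust store path contains spaces: $ts" >&2
            return 1 ;;
    esac
    if [ ! -r "$ts" ] || [ ! -s "$ts" ]; then
        # The JVM does not report a wrong trust store path as "file not found";
        # it only surfaces later as a failed TLS handshake.
        echo "trust store not readable or empty: $ts" >&2
        return 1
    fi
    opts="-Djavax.net.ssl.trustStore=$ts"
    if [ -n "${TRUSTSTORE_PASSWORD:-}" ]; then
        # Note: a -D option is visible in the process list of the build node.
        opts="$opts -Djavax.net.ssl.trustStorePassword=$TRUSTSTORE_PASSWORD"
    fi
    if [ "${CMCLIENT_SSL_DEBUG:-0}" = "1" ]; then
        # JSSE handshake tracing; shows which certificate chain was rejected.
        opts="$opts -Djavax.net.debug=ssl:handshake"
    fi
    printf '%s\n' "$opts"
}

# Usage in the build step (paths are placeholders):
#   set +x   # Jenkins traces commands ("+ ..."); keep the password out of the log
#   CMCLIENT_OPTS=$(build_cmclient_opts /path/to/trustStore.jks) || exit 1
#   export CMCLIENT_OPTS
#   dist.cli/bin/cmclient -t SOLMAN -e <endpoint> ... is-change-in-development -cID <id>
```

Because the Jenkins job may run with a different environment than an interactive login shell, building the options inside the job itself avoids depending on variables exported elsewhere.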