This document describes how to configure Rundeck for SSL/HTTPS support, and assumes you are using the rundeck-launcher standalone launcher.
Before beginning, do a first-run of the launcher, as it will create the base directory for Rundeck and generate configuration files.
-
cd $RDECK_BASE; java -jar rundeck-launcher-1.0.0.jarThis will start the server and generate necessary config files. Press control-c to shut down the server.
-
Generate a keystore for use as the server cert and client truststore. specify passwords for key and keystore:
keytool -keystore etc/keystore -alias rundeck -genkey -keyalg RSA -keypass password -storepass passwordBe sure to specify the correct hostname of the server as the response to the question "What is your first and last name?". Answer "yes" to the final question.
You can pass all the answers to the tool on the command-line by using a HERE document. Replace the first line "Venkman.local" with the hostname for your server, and use any other organizational values you like:
keytool -keystore etc/keystore -alias rundeck -genkey -keyalg RSA -keypass admin -storepass admin <<! Venkman.local devops My org my city my state US yes ! -
CLI tools that communicate to the Rundeck server need to trust the SSL certificate provided by the server. They are preconfigured to look for a truststore at the location:
$RDECK_BASE/etc/truststore. Copy the keystore as the truststore for CLI tools:$ cp etc/keystore etc/truststore -
Modify the ssl.properties file to specify the location of the keystore and the appropriate passwords:
$ vi server/config/ssl.properties -
Configure client properties. Modify the file
$RDECK_BASE/etc/framework.propertiesand change these properties:framework.server.urlframework.rundeck.urlframework.server.port
Set them to the appropriate https protocol, and change the port to 4443, or to the value of your
-Dserver.https.portruntime configuration property. -
Launch the rundeck launcher and tell it where to read the ssl.properties
$ java -Drundeck.ssl.config=$RDECK_BASE/server/config/ssl.properties rundeck-launcher-1.0.0.jarYou can change port by adding
-Dserver.https.port:$ java -Drundeck.ssl.config=$RDECK_BASE/server/config/ssl.properties -Dserver.https.port=1234 rundeck-launcher-1.0.0.jar
If successful, you will see a line indicating the SSl connector has started:
Started SslSocketConnector@0.0.0.0:4443
Passwords do not have to be stored in the ssl.config. If they are not set, then the server will prompt on the console for a user to enter the passwords.
If you want the server to start without prompting then you need to set the passwords in the config file.
The passwords stored in ssl.properties can be obfuscated so they are not in plaintext:
Run the jetty "Password" utility:
$ java -cp server/lib/jetty-6.1.21.jar:server/lib/jetty-util-6.1.21.jar org.mortbay.jetty.security.Password <password>
This will produce two lines, one starting with "OBF:"
Use the entire OBF: output as the password in the ssl.properties file, eg:
key.password=OBF:1lk2j1lkj321lj13lj
Some common error messages and causes:
; java.io.IOException: Keystore was tampered with, or password was incorrect
: A password specified in the file was incorrect.
;2010-12-02 10:07:29.958::WARN: failed SslSocketConnector@0.0.0.0:4443: java.io.FileNotFoundException: /Users/greg/rundeck/etc/keystore (No such file or directory)
: The keystore/truststore file specified in ssl.properties doesn't exist
You can export the PEM formatted server certificate for use by HTTPS clients (web browsers or e.g. curl).
Export pem cacert for use by e.g. curl:
keytool -export -keystore etc/keystore -rfc -alias rundeck > rundeck.server.pem