Jenkins HTTPS keystore without displaying a password

Hi,

Is there a way to set up HTTPS support in Jenkins without displaying the keystore password in the process list?

I’m running Jenkins installed via RPM on Rocky Linux 9. HTTPS support is configured in the unit file which includes:
Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=mypassword"

As soon as I start Jenkins, --httpsKeyStorePassword=mypassword is displayed in the ps auxww list, which looks like an oversight :(.

You can start Jenkins with the --config option. You will need to put all Jenkins command line args into this file (Java properties format); afaik you can’t mix and have some directly and some in the config file.

httpsPort=8443
httpsKeyStore=/path/to/keystore
httpsKeyStorePassword=mypassword

java -Dfile.encoding=UTF-8 -jar jenkins.war --config=/path/to/config

Thanks @mawinter69. I tried and improved on your suggestion.

You can mix command line arguments and config file (works at least on my end). I ended up with the following systemd unit file:

[Service]
Environment="JENKINS_PORT=-1"
AmbientCapabilities=CAP_NET_BIND_SERVICE
Environment="JENKINS_HTTPS_PORT=443"
Environment="JENKINS_HTTPS_KEYSTORE=/srv/jenkins/keystore.jks"
Environment="JENKINS_OPTS=--config=/srv/jenkins/startup.properties"

This hides the keystore password from the process list:

[]# ps aux |grep jenkins
jenkins    72137 14.3  9.6 9407764 1550936 ?     Ssl  18:43   3:19 /usr/bin/java -Djava.awt.headless=true -jar /usr/share/java/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=-1 --httpsPort=443 --httpsKeyStore=/srv/jenkins/keystore.jks --config=/srv/jenkins/startup.properties

Interestingly enough, Initial Settings talks about sensitive parameters, specifically about --httpsKeystorePassword, and recommends using --paramsFromStdIn, but Jenkins’ own systemd starter doesn’t follow that.

I have created an improvement ticket for that → JENKINS-72585. Please vote!
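A check for the outcome discussed in this thread, as an added example that is not part of any post: it tests whether a Jenkins command line still carries --httpsKeyStorePassword= and whether the file passed to --config is closed to group and other users. The function names and sample command lines are constructed, and the owner-only permission requirement is an assumption about how the properties file should be protected, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Jenkins launch for a keystore
# password exposed in argv, and check the --config file's permissions.

# Return 0 if a command line carries the password as an argument.
cmdline_leaks_password() {
    case " $1 " in
        *" --httpsKeyStorePassword="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if the file exists and grants nothing to group or other
# (assumption: the properties file should be readable by its owner only).
props_file_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group + other permission bits
    [ "$perms" = "------" ]
}

# Print the PID of every live process whose argv exposes the password.
# /proc/<pid>/cmdline is NUL-separated, so NULs are turned into spaces first.
scan_proc() {
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        args=$(tr '\000' ' ' 2>/dev/null < "$f") || continue
        if cmdline_leaks_password "$args"; then
            pid=${f#/proc/}
            echo "${pid%/cmdline}"
        fi
    done
}

# Constructed sample command lines modelled on the two setups in the thread.
LEAKY='/usr/bin/java -jar /usr/share/java/jenkins.war --httpsPort=443 --httpsKeyStorePassword=mypassword'
SAFE='/usr/bin/java -jar /usr/share/java/jenkins.war --httpsPort=443 --httpsKeyStore=/srv/jenkins/keystore.jks --config=/srv/jenkins/startup.properties'

for c in "$LEAKY" "$SAFE"; do
    if cmdline_leaks_password "$c"; then
        echo "EXPOSED: password visible in argv"
    else
        echo "ok: no password argument"
    fi
done
```

On a live host, scan_proc lists the PIDs that still expose the password, and props_file_private can be pointed at the properties file named in JENKINS_OPTS.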

Hello Markus Winter/all. I am running Jenkins 2.452.2 on RHEL-9.4 with openjdk version "21.0.3", trying to hide the keystore password; unfortunately I can’t start the service. It throws the error “Failed to start jenkins.service: Unit jenkins.service has a bad unit file setting.” No issues starting the service without --config=/path/to/startup.properties. What versions (Jenkins/Java) are you using? What does the startup file look like? Thank you.

@OmShree if you want somebody to help you, you need to provide your full unit file. Most probably you made some kind of syntax error in a file. Also, keep in mind that I have provided only those unit file options which are related to the question. It’s not a full file.

Thank you Vilius, the issue is resolved; syntax error in the startup file.