I'm using Jenkins with DC/OS (Mesos) and the service doesn't have a standard login but instead uses Mesos/Zookeeper for authentication. I'm can access JENKINS_HOME and have the config files for each user. I see the config.xml and also see the secret.key. I found this code:
https://github.com/abrindeyev/jenkins-helpers/blob/master/bin/get_api_token.rb
whose purpose is to decode the Jenkins API Token from the config. However, when I run this I get the following error:
/root/decrypt_api.rb:28:in `final': wrong final block length (OpenSSL::Cipher::CipherError)
from /root/decrypt_api.rb:28:in `decrypt'
from /root/decrypt_api.rb:35:in `<main>'
Here's an example Token and Key (from a Docker Jenkins test container):
Cipher in config.xml:
<jenkins.security.ApiTokenProperty>
<apiToken>{AQAAABAAAAAwrkIhJkGOx+QkqgJ/Ep8NhecxeWcqAs78RI9v5kr8y1FSCJBA4YFHrneQGxmetsj3/xSywFRXItIbtuCufWR6ng==}</apiToken>
</jenkins.security.ApiTokenProperty>
Secret Key:
bdafc86eae946c35ca57d3af02a82b733741d59e1eca44e0a3f7ef0b8f25f8e6
How can I decode the Token with the cipher and the key?
You can decode Jenkins token by going to Script Console in your master node (or go to /script), then run the following command:
println(hudson.util.Secret.decrypt("{XXX=}"))
Note: Replace {XXX=} with your token string.
To decrypt it without using Jenkins, checkout these scripts:
tweksteen/jenkins-decrypt, menski/jenkins-decrypt.py.
Related:
Extract passphrase from Jenkins' credentials.xml
What password encryption Jenkins is using?
How to decrypt Jenkins passwords from credentials.xml?
go to
http://jenkins-host/script
hashed_pw='your-sercret-hash-S0SKVKUuFfUfrY3UhhUC3J'
passwd = hudson.util.Secret.decrypt(hashed_pw)
println(passwd)
it should decrypt your token
Related
I am attempting to use a certificate with JMeter and can see that it appears to be loaded fine from the logs.
INFO o.a.j.u.SSLManager: JmeterKeyStore Location: certificate.jks type jks
INFO o.a.j.u.SSLManager: KeyStore created OK
INFO o.a.j.u.SSLManager: Total of 1 aliases loaded OK from keystore
Yet, when I send the Http Request, the results from the server just keep stating 'Client Certificate Not Provided'.
Below are the parameters I've used on the command line.
-D javax.net.ssl.keyStoreType=jks
-D javax.net.ssl.keyStore=certificate.jks
-D javax.net.ssl.keyStorePassword=password123
All the examples I can find simply state that if I configure the Jmeter element 'KeyStore Configuration' with the alias, it should send the certificate with the requests. It does not seem to be doing so. For the record, I have also tried to use the p12 cert and set the type to pkcs12 with the same results.
What am I missing?
In fact given you have only one certificate you don't need the Keystore Configuration at all, just remove it from the test plan and your setup should start working normally
Most probably your Keystore Configuration is not correct, for instance the "variable name holding certificate alias" is not set or doesn't match the record in the keystore
Check its value using Debug Sampler and make sure that certificate with this alias exists in the keystore. You can see a working sample in How to Use Multiple Certificates When Load Testing Secure Websites article
I am trying to verify a HS256 JWT Token generated with locally ran KeyCloak Authentication Provider on https://jwt.io.
The KeyCloack instance is running on my local machine inside a docker container. I have applied almost the same steps as described in this answer (which on contrary applies the RS algorithm instead, and works as described): https://stackoverflow.com/a/55002225/1534753
My validation procedure is very simple:
1.) Request the token (with Postman) from my local docker KeyCloak instance with:
POST requesting http://localhost:8080/auth/realms/dev/protocol/openid-connect/token
2.) Copy the token contents inside the jwt.io's "Encoded" section
3.) I verify that the header and payload are as expected and correct
4.) I copy the client secret from my KeyCloak instance admin dashboard, you can see the reference on the image below:
5.) I paste the secret into the "VERIFY SIGNATURE" section on jwt.io and the "Encoded" token section changes, hence resulting with an invalid signature and a invalid (i.e. different) token.
My core question is what am I missing here? Why does the token change when I apply the expected secret!? Am I applying the right secret, the one from the client? If I understand JWT infrastructre and standard correctly then It should stay the same if the secret (with the expected algorithm applied) is valid. My reasoning is that something with JWT creation on KeyCloak is specific. I have not touched the HS256 algorithm provider on KeyCloak, everything is used as default with the docker installation guide on using KeyCloak. The settings related to the token and algorithm are setup to use HS256, and the algorithm is specified as expected in the JWT's header section correctly which can be verified after the encoded token is pasted into the jwt.io's page.
I need this to work as I am trying to apply the same JWT validation process inside a .NET Core web API application. I have encountered this whole issue in there, i.e. inside the System.IdentityModel.Tokens.JWT and the JwtSecurityTokenHandle.ValidateSignature method which results with an invalid signature and finally resulting in an exception.
On side note, I am accessing the token with Postman and its Authorize feature the configuration can be seen on the image below:
One more side note is I have a user "John" which belongs to my "Demo" realm. I use him to request an access token from KeyCloak.
To get the secret used for signing/verifying HS256 tokens, try using the following SQL:
SELECT value FROM component_config CC INNER JOIN component C ON(CC.component_id = C.id) WHERE C.realm_id = '<realm-id-here>' and provider_id = 'hmac-generated' AND CC.name = 'secret';
If you use the resulting secret to verify the tokens, the signature should match. I’m not sure if this secret is available through the UI, probably not.
Source: https://keycloak.discourse.group/t/invalid-signature-with-hs256-token/3228/3
you can try using Keycloak Gatekeeper.
If you want to verify that token in that way you need to change the Client Authenticator to "Signed JWT with client secret", otherwise you can use this "Gatekeeper" option. Here you can read more about it.
I am using saltstack state script to create a jar from BitBucket and upload the jar to Artifactory. When uploading to Artifactory I see an authorization error. I am not sure if this is the right approach to achieve the upload to Artifactory.
I tried using CURL to achieve upload. I need to provide -u myUser:myPassword along the CURL command for it to work. I cannot provide the credentials in my salt state scripts. I am looking for a better option to achieve the upload without using login credentials. How to upload artifacts to artifactory using saltstack?
curl -X PUT -T /tmp/Batch.jar http://artifactory/artifactory/Batch.jar
Error:
stdout:
{
\"errors\" : [ {
\"status\" : 401,
\"message\" : \"Unauthorized\"
} ]
}
I've run into this sort of thing a couple of times. The easiest solution is to write a small salt execution module to do this work. This way you can store the artifactory credentials as pillar data and use the normal python requests or salt http helpers to make the web requests.
Looks like salt stack provides a module for artifactory alread: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.artifactory.html
It may not do exactly what you're looking for, but you could definitely extend it: https://github.com/saltstack/salt/blob/develop/salt/modules/artifactory.py
The saltstack docs for writing execution modules can be here:
https://docs.saltstack.com/en/latest/ref/modules/
According to Artifactory documentation, the REST API supports these forms of authentication:
Basic authentication using your username and password
[Simplest] Basic authentication using your username and API Key.
Using a dedicated header (X-JFrog-Art-Api) with your API Key.
Using an access token instead of a password for basic authentication.
[Recommended] Using an access token as a bearer token in an authorization header
(Authorization: Bearer) with your access token.
You will have to choose one of the above.
I'm writing a script to configure .npmrc file with JFrog Artifactory credentials. Artifactory/NPM requires the configured password to be base64 encoded, i.e. (with the password "test"):
//mycompany.jfrog.io/mycompany/api/npm/npm-repo/:_password=dGVzdAo=
However, a base64 encoded string does not match what Artifactory provides for the password in the Set Me Up dialog. In fact, base64 decoding the string that Artifactory provides in this dialog yields a different string that is not the account's password. How is the password string provided by Artifactory generated?
You can use the Artifactory npm auth REST API to retrieve the setting for the .npmrc.
For example:
$ curl -uadmin:<CREDENTIAL> http://<ARTIFACTORY_SERVER_DOMAIN>:8081/artifactory/api/npm/auth
Will return the following response
_auth = YWRtaW46e0RFU2VkZX1uOFRaaXh1Y0t3bHN4c2RCTVIwNjF3PT0=
email = myemail#email.com
always-auth = true
For more info see the npm repositories documentation.
You can try using the encrypted password generated by Artifactory, or your API key for authentication purposes, as mentioned here
I have been looking for a way to base64 encode in Windows.
PowerShell script:
$Text = ‘Password’
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
echo $EncodedText
This will return the following response:
UABhAHMAcwB3AG8AcgBkAA==
I have a common use case to implement a web service (WCF) and a web client which is consuming this web service. Both Client and Service are sending and receiving Signed and Encrypted messages (Message Level Security).
I can have multiple clients those are using my service, hence multiple client certificate need to be installed on Server where Service project is running.
I have installed 2 Certificates (Service Certificate and Client Certificate) in local machine store under personal and trusted root certification authorities.
makecert -sr LocalMachine -ss My -a sha1 -n "CN=WCFServer" -len 2048 -sky exchange -pe
makecert -sr LocalMachine -ss My -a sha1 -n "CN=WCFClient" -len 2048 -sky exchange -pe
Although Certificate give me error of "integrity of licence can not be guaranteed" but now i dont care about this issue.
Web Client need to Sign the request message through its own Private Key and Encrypt message through Service Certificate Public key.
Service receive the request and verify the signature of message through client Public Key and Decrypt the contents through own Private Key
Than process the request and create a response object.
Now Service must sign the response by own private key and encrypt the message through client public key.
Now client get Signed and Encrpted response. Now it verify the response through Service Public Key and Decrypt the message by its own private key.
This is whole Szenerio . I have installed both(Client and Service) X.509 Certificates on my local development machine. I am using wsHttpBinding and communication is working fine.
I am using [ServiceContract(ProtectionLevel=ProtectionLevel.EncryptAndSign)] for ServuceContract and [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign, IsOneWay = false)] for OperationContract.
I have following question:
do i need to Sign and Encrypt/Decrypt Request or Response message in my Code (once in client and once in service code) or Configurations in web.config on Service Project and Client project are enough to do all this stuff?
I go through following code project and its working fine.
http://www.codeproject.com/Articles/36683/simple-steps-to-enable-X-certificates-on-WCF
My Source code (Visual Studio Project) Including both certificates is available on Bitbucket for download here
Can any one tell me, do i need to do all this stuff in code or its done through my current configurations.
Thanks in advance.
i got following answer from MSDN forum.
do i need to Sign and Encrypt/Decrypt Request or Response message in my Code (once in client and once in service code) or Configurations in web.config on Service Project and Client project are enough to do all this stuff?
If we have configured the service to use the certificate authentication in the config file, then as you said all the response and request message will be Encrypted/Decrypted by the client certficate's private key/ public key and service certificate's private key/ public key. So in my mind it is enough to do all the stuff in the configure file.
For more information, please try to refer to the following articles:
Certificate authentication:
https://msdn.microsoft.com/en-us/library/ff648360.aspx .
Message and Transport Security:
https://msdn.microsoft.com/en-us/library/ff648863.aspx .
i have few more questions which may be any one can answer me.
I have multiple clients (external web applications ) which will access my service. do each client need to create their own certificate? client will deliver us certificate without private key which need to be install on Service Host server? is this a correct way?
Each client certificate need to be configured in web.config ?
I need to export my service certificate without private key and send to clients. clients must install and configure certificate on their application server? is this correct?
here i got another ver good answer (step by step guide) from MSDN Team.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/a9d85e9f-6d35-425c-ac6d-b3cd883760e4/wcf-message-level-security-using-certificate-x509-message-signed-and-encrypted?forum=wcf&prof=required