Skip to main content
Skip table of contents

Configuring MettleCI Workbench to use 'secrets' to improve security of HTTPS connections

The process of configuring MettleCI Workbench to use HTTPS requires you to record HTTPS connection configuration, including the password to the MettleCI Java KeyStore and TrustStore (which are often the same store), in plain text in the config.yml file. Access to the config.yml file is protected by your environment’s file system security by providing access permission only to the owning user account (typically mciworkb) and root. Despite this, the presence of plain text credentials may contravene an organisation's security restrictions, and so in these instances you can add a further layer of security by configuring MettleCI Workbench to use secrets (as described) to secure SSL certificate-related passwords when it is configured to communicate with Git over HTTPS.

Note that the approach described here adds a layer of security by introducing a layer of indirection which, ultimately, does not make the passwords more secure as any operating system user account that has access to config.yml almost certainly has access to the secrets directory in which the sensitive data is stored. Indeed, the user account executing the MettleCI Workbench service must have access or the service will fail to start.

Configuration

To use secrets start by creating a secrets directory as described in Configuring MettleCI Workbench to communicate with Git over HTTPS, or use the one that was created by the MettleCI Workbench installation wizard.

Next, place your password to the MettleCI Java KeyStore in a plaintext file in that directory, being careful not to use a filename already in use.

Next, alter your MettleCI config.yml file to introduce a reference to the Java KeyStore using a value which uses a special indirection format: ${file:UTF-8:/opt/dm/mci/.secrets/ssh-keystore-password}

Here’s an example using an applicationConnector, but an adminConnector will also work the same way. Change confg.yml

From this

To this

CODE 
---
mettleHome: "/opt/dm/mci"
server:
  applicationConnectors:
    - type: https
      port: 8443
      keyStoreType: "PKCS12"
      keyStorePath: "/opt/dm/mci/workbenchEntrustSigned.p12"
      keyStorePassword: "mySecretPassword"
      trustStoreType: "PKCS12"
      trustStorePath: "/opt/dm/mci/workbenchEntrustSigned.p12"
      trustStorePassword: "mySecretPassword"

(where "mySecretPassword" is the actual password value (in plaintext)

CODE 
---
mettleHome: "/opt/dm/mci"
server:
  applicationConnectors:
    - type: https
      port: 8443
      keyStoreType: "PKCS12"
      keyStorePath: "/opt/dm/mci/workbenchEntrustSigned.p12"
      keyStorePassword: ${file:UTF-8:/opt/dm/mci/.secrets/ssh-keystore-password}
      trustStoreType: "PKCS12"
      trustStorePath: "/opt/dm/mci/workbenchEntrustSigned.p12"
      trustStorePassword: ${file:UTF-8:/opt/dm/mci/.secrets/ssh-keystore-password}

where “ssh-keystore-password" is the name of the file containing the plaintext password.

Some notes and cautions

  • The above example uses the default install directory.

  • The secrets directory is the same directory the MettleCI Workbench installation wizard created (for use with Git) which is a subdirectory of the install directory.

  • Although it may seem that double quotes around the ${} filename would theoretically work, leave the string unquoted (as shown here) or it may fail and produce entries in the mci.log such as the following failure to decrypt error.

CODE 
ERROR [2022-12-12 13:42:54,985] io.dropwizard.cli.ServerCommand: Unable to start server, shutting down
! java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException:
Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
<SNIP>
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close