SSL via Java API

[vbedrosova]

Hello, SourceGear Vault team!

I am the one responsible for TeamCity CI tool Vault integration.

We have a plugin which communicates with Vault server using Java API (ServerOperations, etc.) for retrieving history and sources in scope of TeamCity build process.

One of our users is trying to configure the plugin to connect to Vault 5.0.4 (18845) server using https (please see the corresponding thread at http://devnet.jetbrains.net/message/5286308#5286308).

In fact our plugin code runs following:
ServerOperations.client.LoginOptions.URL = "https://...";
ServerOperations.client.LoginOptions.Repository = "repo_name";
ServerOperations.client.LoginOptions.User = "username";
ServerOperations.client.LoginOptions.Password = "password";
ServerOperations.Login();

And that results in "server cannot be contacted or uses a protocol that is not supported by this client" error.

Any help on using https and Java API will by very much appreciated!

[jclausius]

Victory,

A couple of thoughts off the top of my head:

a) Does the user know if there are any problems with the SSL Certificate? Non-trusted authorization? Expired certificate? Perhaps something about the certificate itself may lead you to the problem.

b) Perhaps using the SSL port in the connect string may help ex:-

Code: Select all

https://development.healthcaresynergy.com:443/VaultService

c) Have you tried this internally against a test vault server running https? Assuming you have an SSL cert you can assign to a machine, you should be able to configure a test environment relatively quickly.

HTH

[dmurty]

Jeff,

a) There does not seem to be anything wrong with the certificate. If I use IE 8 on the same machine as TeamCity I am able to connect to the site without any problems using https. The ssl certificate is issued by Go Daddy Secure Certification Authority and is valid until 7/21/2013.

b) I tried to have the VCS root connect using https://development.healthcaresynergy.c ... ultService but got the same error message.

c) I assume this would be for the TeamCity developers to try.

Damien

[jclausius]

Addressing c)... Yes, but there is one thing you should try first. .NET is going to store SSL certificate values in one place, and the libraries used to convert this to Java are going to use a different spot. One way around this is to import the SSL certificate in Java's keystore.

This post Using SSL with the Eclipse Plugin or Java CLC has instructions for importing the certificate.

If that does work for you, please post back to the TeamCity site so their developers also know of a possible solution.

[dmurty]

Hi Jeff,

I followed the instructions to the best of my ability. Not a strong Java person. I was able to run keytool to import the certificate but TeamCity still does not allow me to connect to vault using https. The instructions said something about running the command as root but I was not able to figure out what that meant. That could be part of the problem.

[jclausius]

It could this has to be done under the same credentials that TeamCity would be running under. I don't have any experience with TeamCity integration. Perhaps their support staff could use this info to develop some kind of solution.

[dmurty]

I did do this under the same account that teamcity is running. I will check with the TeamCity support people to see what we can do to resolve this.

Thank you,
Damien

[dmurty]

After adding the certificate to the java keystore and rebooting the machine. TeamCity is now able to connect to Vault using https.

Thanks for your help.

Damien

[jclausius]

After adding the certificate to the java keystore and rebooting the machine. TeamCity is now able to connect to Vault using https.

Thanks for your help.

Damien

NP. Was it simply a matter of running "keytool" and then rebooting?

[dmurty]

Yes,

Just had to run the keytool and then reboot.

Thanks,

Damien

[vbedrosova]

Jeff,

Thanks a lot for your help!

Is running Java keytool and then rebooting the machine mandatory for all TeamCity Vault plugin users?
Or in some cases certificate can be picked up by Vault Java API somehow without this procedure?

[vbedrosova]

* I mean all TeamCity Vault plugin users interested in using https connections

[jclausius]

Is running Java keytool and then rebooting the machine mandatory for all TeamCity Vault plugin users? Or in some cases certificate can be picked up by Vault Java API somehow without this procedure?

Victory,

The keytool is definitely req'd (see the post above). Why it took a reboot in order for that to work? To be honest, I don't really know. Perhaps the information created from keytool is only available when a JVM starts, and all that was needed was a restart of the TeamCity process. It's hard to say w/ out working with that setup.

[vbedrosova]

Ok, then I'll investigate this aspect.

[jclausius]

Good luck in your research.