Regarding the TRUST_ALL_CERTIFICATES option disappearing from the Global Security settings: If your master is on Windows you might have run into JENKINS-56224 <https://issues.jenkins-ci.org/browse/JENKINS-56224>. We did so on a recent upgrade to from AD ~2.10 to AD 2.12. Though the underlying setting was still present in the settings file.
On Tuesday, January 29, 2019 at 2:17:12 PM UTC-8, Andreas Goeb wrote: > > Dear fellow Jenkins users, > > I came across an issue today that I just cannot figure out myself. I hope > this is the correct place to ask for help. > > *Problem:* > > After some connection issues with Active Directory and following > reconfiguration, Jenkins now shows the warning „TLS is not correctly > configured on Active Directory plugin.Please, change to a more secured > option;" > > *Environment:* > > When the issue occurred for the first time this morning, I was using > Jenkins 2.150.2 with Active Directory plugin 2.11 and the following > settings > > - StartTLS: true > - TRUST_ALL_CERTIFICATES > > *What I did so far:* > > I thought the reason for the warning might be the TRUST_ALL_CERTIFICATES > option, so I tried to disable it. However, it is not shown in the Global > Security settings anymore, nor is it contained in the settings.xml file. > So, I followed the plugin's documentation wiki page and performed the > following steps for proper TLS/LDAPS configuration: > > - set the > hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps=true > system property > - change the domain controller port in the plugin’s settings to 3269 > - copy the JVM’s „cacerts" trust store and import the server certificate > into the copy > - set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword > system properties to point to the copy > - configure a custom logger for ActiveDirectorySecurityRealm and log level > FINER > > The log now shows successful LDAPS connections over port 3269, and users > can log in. However, the warning about insecure TLS configuration is still > shown. > > Does any of you know what the reason for the warning may be and which > configuration I might still have to change? > > Thanks a lot, > Andreas -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/b270a75b-a06d-417d-a9c3-ac9e32d3f626%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
