Fortanix Data Security Manager Jenkins Plugin Library


1.0 Introduction

Jenkins is a widely used Continuous Integration (CI) and Continuous Delivery (CD) tool. For many Jenkins projects, the server needs access to secrets, such as database passwords or SSH keys. However, Jenkins cannot adequately protect these secrets; therefore, they should be stored in Fortanix Data Security Manager (DSM). A Jenkins plugin establishes a connection to Fortanix DSM and enables the retrieval of secrets from this platform.

This article describes the installation of Jenkins, the deployment of the Jenkins plugin, and a demonstration of the solution.

2.0 Prerequisites

This plugin has been tested on servers with the following specifications:

  • Operating System: Ubuntu 24.04 or later

  • RAM: 2GB

  • Hard Drive: 25GB

  • A good and stable internet connection is required.

3.0 Installation

This section describes the steps to begin installing Jenkins and then deploying the Jenkins plugin. These instructions for installation are sourced from Debian Jenkins Packages.

3.1 Install Jenkins

Perform the following steps:

  1. Log in to the shell and execute the following commands to add the Jenkins package repository and its GPG key:

    curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key | sudo tee /usr/share/keyrings/jenkins-keyring.asc > /dev/null
    echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/" | sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null
  2. Run the following command to update the Jenkins package list:

    sudo apt-get update
  3. Run the following command to install the required dependencies:

    sudo apt-get install fontconfig openjdk-11-jre
  4. Run the following command to install Jenkins:

    sudo apt-get install jenkins
  5. Run the following command to start Jenkins:

    sudo systemctl start jenkins 
  6. Enter the URL: http://<JENKINS_SERVER>:8080/ in a web browser.

  7. Enter the password available in the /var/lib/jenkins/secrets/initialAdminPassword file in the Administration password field to unlock Jenkins.

For further configuration, refer to How to Install Jenkins on Ubuntu 20.04 | DigitalOcean documentation.

3.2 Download the HPI File

You must download the Hemera Photo-Object Image (HPI) file from https://github.com/fortanix/dsm-secrets-jenkins-plugin/releases to install the Jenkins plugin.

It is recommended to build the plugin with OpenJDK 11 on a 64-bit.

To build the plugin from source, run the following command to generate the binary:

    mvn clean package

The output of this command is an hpi file.

3.3 Install Jenkins Plugin

Perform the following steps to deploy the Jenkins plugin within Jenkins:

  1. Log in to Jenkins with valid credentials.

  2. Navigate to Manage Jenkins → Manage Plugins.

    Figure 1: Manage Jenkins

    Figure 2: Manage plugins

  3. Select the Advanced settings tab and click Browse… under the Deploy Plugin section to select the plugin. After selecting the plugin, click Deploy.

    Figure 3: Browse button

4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 4: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 5: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

4.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 6: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

4.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to use it while creating the Jenkins project.

4.6 Creating a Security Object

Perform the following steps to import a new exportable RSA key in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

    Figure 7: Adding security object

  2. On the Add new Security Object page, do the following:

    1. Security Object name: Enter the name for your security object.

    2. Group: Select the group as created in Section 4.3: Creating a Group.

    3. Select the IMPORT radio button.

    4. In the Choose a type section, select the RSA key type.

    5. In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw, and click UPLOAD A FILE to upload the key file.

    6. In the Key operations permitted section, select the required operations to define the actions that can be performed with the cryptographic keys, such as encryption, decryption, signing, and verifying.

      NOTE

      Ensure that the Export permission is selected.

  3. Click IMPORT to create the new security object.

  4. Copy the name of the security object to later map it in the Jenkins project.

The new security object is added to the Fortanix DSM successfully.

5.0 Jenkins Plugin Demo

The following sections describe the steps to demonstrate the Jenkins plugin.

5.1 Create Jenkins Project

Perform the following steps:

  1. Log in to the Jenkins user interface (UI).

  2. From the left navigation panel, click + New Item to create a new Jenkins project.

    Figure 8: New item button

  3. In the new Jenkins project, from the left navigation panel, navigate to Configure → Source Code Management.

  4. In the Build Environment section, select the Fortanix DSM Secrets check box.

  5. To add a new Fortanix DSM credential, click Add and then select Jenkins from the drop down menu.

    Figure 9: Add Jenkins

  6. In the Jenkins Credentials Provider: Jenkins form, enter the following details to configure the credentials:

    1. Domain: Enter the domain that this credential belongs to. By default, Global credentials (unrestricted) is selected.

    2. Kind: Select the Fortanix DSM Client Credentials option from the drop down menu.

    3. Scope: Defines where this credential will be used. By default, Global (Jenkins, node, items, all child items, etc) is selected.

    4. API Endpoint: Enter the Fortanix DSM URL. For example, https://eu.smartkey.io.

    5. API Key: Paste the API key copied in Section 4.5: Copying the API Key.

    6. ID: Enter a unique ID for this credential. Some characters, such as spaces, are not allowed in the ID field. If the ID field is not set, Jenkins creates a UUID instead.

    7. Description: Enter a description for this credential.

  7. Click Add.

    Figure 10: Jenkins credential provider form

  8. In the Secret section, enter the following:

    1. Path: Define the path as the name of the security object in Fortanix DSM.

    2. Environment Variable: The name of the environment variable, as available in Jenkins.

    3. Click Add a secret to map the secret in Jenkins.

      Figure 11: Add a Secret

  9. To demonstrate that the value of the secret is retrieved from Fortanix DSM, in the Build Steps section, click Add build step and select the Execute shell option from the drop-down menu.

    Figure 12: Execute Shell

  10. In the Execute shell form, enter the value of the environment variable defined above.

  11. Click Save to complete the project configuration.

    Figure 13: Save the Execute Shell

  12. In the Jenkins project left navigation panel, click Build Now to initiate the build.

    Figure 14: Build Now Button

  13. The build result is shown at the bottom right corner. To view the build results, click any of the builds.

    Figure 15: List of Builds

  14. In the Build information, click Console Output.

    Figure 16: Console Output

    The password is displayed in the console output.

    Figure 17: Password
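
The demo above displays the secret in the console output, which Jenkins keeps with the build. As an added example (not part of the Fortanix plugin or its documentation), the following Execute shell script confirms that the secret was injected by reporting only its length and a truncated SHA-256 digest; `secret_summary`, `DSM_SECRET`, and `CONSTRUCTED_DEMO` are hypothetical names.

```shell
#!/bin/sh
# Added example: confirm that a DSM-injected secret reached the build
# without writing its value to the Jenkins console output.

# secret_summary NAME
# Prints "NAME: set, length=<n>, sha256=<first 12 hex digits>" for the
# environment variable NAME. Returns 1 if it is unset or empty and 2 if
# NAME is not a valid variable name. The value itself is never printed.
secret_summary() {
    name=$1
    # Allow only plain variable names, because the name is passed to eval.
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "invalid variable name" >&2
            return 2 ;;
    esac
    eval "value=\${$name-}"
    if [ -z "$value" ]; then
        echo "$name: not set or empty" >&2
        return 1
    fi
    # printf avoids the trailing newline that echo would add to the digest input.
    digest=$(printf '%s' "$value" | sha256sum | cut -c1-12)
    echo "$name: set, length=${#value}, sha256=$digest"
    unset value
}

# In the Execute shell build step, fail the build if the secret is missing.
# DSM_SECRET is a hypothetical name; use the one from the Environment
# Variable field:
#   secret_summary DSM_SECRET || exit 1

# Constructed sample value so the script also runs outside Jenkins.
CONSTRUCTED_DEMO='constructed-sample-value'
secret_summary CONSTRUCTED_DEMO
```

For short or guessable secrets, remove the digest from the output and keep only the presence check, because a digest in the build log can be tested against candidate values offline.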

5.2 Additional Information

The following sub-sections provide further information on the Jenkins plugin.

5.2.1 Managing Credentials

Navigate to Manage Jenkins → Manage Credentials to update or delete the previously created credentials for Fortanix DSM.

Figure 18: Manage Credentials

Select the required operation to be performed on the credential from the drop down menu.

Figure 19: Drop Down Menu Options

5.2.2 Supported Security Objects

The Jenkins plugin supports working with Secrets and symmetric keys that are marked as exportable. Other security objects may also be compatible.

5.2.3 Credential Scope

While creating credentials in the Jenkins project, you have two scope options: Global and System.

Figure 20: Scope Options