PAM360 Plugin for Jenkins
Jenkins is a leading Java-based open source automation tool that is widely used in DevOps environments to build and test software projects continuously. SDLC tasks related to building, testing, and delivering or deploying software can be created as automation schedules in Jenkins, named as 'jobs.' Execution of these 'jobs' more often than not require user credentials and similar sensitive information like privileged passwords, API keys, and access tokens to interface with other systems and services. In most DevOps environments, such credentials are stored within plain text files in the Jenkins server, which can lead to a horde of security and management issues.
The PAM360 plugin developed for secrets management in Jenkins helps improve security in organizations' DevOps pipeline. The plugin once enabled in Jenkins, ensures that required credentials are retrieved from PAM360's vault every time when a job is run, instead of being embedded in plain text within script files. Upon secure retrieval, the credentials can then be used in environment variables, such as connecting to a remote server for build activation. The plugin also saves the user from the arduous job of having to manually update the password in the script file every time there's an update. Often, there are instances when a user is unable to run a job since they're locked out of the target application or server owing to an outdated password in the script file. Now with the credentials stored in PAM360, they're regularly rotated and also updated in the respective remote device, which ensures that only latest passwords are retrieved from the vault while running jobs. Currently, the plugin can be used for secrets management at a job level, i.e. for freestyle project jobs.
Read further to learn in detail on how to use the PAM360 plugin for secrets management in Jenkins:
- Enabling Jenkins Integration in PAM360
- Installing and Enabling the PAM360 Plugin in Jenkins
- Retrieving Passwords from PAM360 for Jenkins' Freestyle Project Jobs
- List of Available PAM360 Attributes
1. Enabling Jenkins Integration in PAM360
- Log into PAM360 and navigate to Admin >> Integration >> CI/CD Platform Integration >> Jenkins.
- AUTH Token: Click on 'Generate' to populate an AUTH Token automatically. This will be required later while configuring the plugin in Jenkins' console. Once set up, all incoming connections from Jenkins will be validated by PAM360 using this AUTH token.
- Username: Here, enter the username of an active PAM360 user whose account will be used automatically by Jenkins to securely retrieve the required passwords from PAM360's vault.
- Click Enable.
Note: Since Jenkins may have multiple instances, Host Name check will be disabled for the Jenkins requests.
2. Installing and Enabling the PAM360 Plugin in Jenkins
The following actions to be carried in Jenkins' console require a user role with the privilege to manage plugins in the tool.
2.1 Installing the Plugin
- First, download the plugin here.
Ensure the below SHA256 value upon downloading the file:
SHA256 Checksum: - Open Jenkins' console and navigate to Manage Jenkins >> Manage Plugins >> Advanced.
- Under Upload Plugin section, upload the plugin file.
- Additionally, Jenkins also requires the SSL certificate of your PAM360 installation while establishing a connection. So the SSL certificate has to be added to Jenkins' keystore.
Add the SSL certificate using the below command:
keytool -import -trustcacerts -keystore <<PATH_TO_JENKINS_JAVA_KEYSTORE>> -alias <<ALIAS_NAME>> -import <<PATH_TO_PAM360_SSL_CERTIFICATE>>
- Upon installation, restart the Jenkins server to apply the changes.
2.2 Enabling the Plugin
- Navigate to Manage Jenkins >> Configure System.
- In the UI that loads, scroll down to locate the PAM360 plugin section.
- PAM360 URL: Enter the URL to your PAM360 instance, in the format https://<hostname>:<portnumber>
- PAM360 AUTH Token: Here, copy and paste the AUTH Token generated earlier in PAM360's interface. Please note that the AUTH Token entries in both PAM360 and Jenkins should always match for successfully plugin configuration and password retrieval.
- Save the changes to enable and start using the PAM360 plugin in Jenkins.
3. Retrieving Passwords from PAM360 for Jenkins' Freestyle Project Jobs
At present, the plugin can be used to retrieve required credentials from PAM360 for Jenkins' freestyle project jobs. This requires adding various PAM360 attributes such as resource name, account name, and password while configuring the job. Upon this attribute configuration at job level, the value of these PAM360 attributes will be available as 'Environmental Variables' during job execution. When Jenkins connects to PAM360 to retrieve a specific password, the environmental variables will be how the former identifies the required values in the latter. Below is a step-wise explanation of the actions involved:
- Once you create a specific freestyle project job, you can find an option to use the PAM360 plugin for that job under its 'Build Environment' section.
- Enable the check box beside Manage credentials with PAM360 Plugin and click Add an Account.
- In the Resource Name and Account Name fields, specify the respective names of the resource and its account that you want Jenkins to fetch from PAM360.
- The next step is creating variable-attribute pairs, using which Jenkins will retrieve the required values from PAM360. To create a pair, first refer to the list of available PAM360 attributes given below and specify the required attribute in the PAM360 Attribute field. Then add a desired name for the Environment Variable, for which the value of the corresponding PAM360 attribute will be automatically assigned.
- Click Add a variable/attribute pair to include all the required PAM360 attributes in a similar fashion and then save the configuration. The plugin is now ready for use in Jenkins.
4. List of Available PAM360 Attributes
- RESOURCE_NAME
- RESOURCE_DESCRIPTION
- OPERATINGSYSTEM
- DNSNAME
- DEPARTMENT
- LOCATION
- RESOURCE_URL
- ACCOUNTNAME
- NOTES
- PASSWORD
- Resource-level and account-level additional fields, excluding file-based additional fields.