SSL For RunDeck – From .pfx to https

Introduction

This article describes how to configure SSL for a RunDeck server. When looking for an automation tool, there are some features that are critical and must-haves. One of them is Active Directory integration. We need to be able to assign permissions with Active Directory groups, which is easy to configure and enhances security. Another critical feature of an automation tool is a way to encrypt its traffic. As RunDeck uses SSH for executing commands on nodes, it already has a big advantage over other protocols.

SSH is a secure protocol used as the primary means of connecting to Linux servers remotely. When you connect, you will be dropped into a shell session, which is a text-based interface where you can interact with your server. For the duration of your SSH session, any commands that you type into your local terminal are sent through an encrypted tunnel and executed on your server. Clients generally authenticate either using passwords (less secure and not recommended) or SSH keys, which are very secure.

But the RunDeck URL also needs to be protected, otherwise attackers could easily sniff your network and extract usernames, passwords, job options and more. This procedure describes the steps that need to be taken in order to configure SSL for your RunDeck server. I decided to create my own version of the official documentation, one that applies specifically to MS .pfx certificates.

SSL

How to configure SSL for RunDeck?

  1. Generate a .pfx server certificate with your private root CA
  2. Copy the generated server certificate <servername>.pfx to /etc/rundeck/ssl
  3. Create a keystore to hold the server certificate <servername>.pfx
  4. Retrieve the alias from the <servername>.pfx file
  5. Import the certificate and private key into the Java keystore
  6. Create a keystore for the CA certificate
  7. Add the CA certificate to the CA keystore
  8. Edit /etc/rundeck/ssl/ssl.properties and update all properties with their current values:
  9. Edit /etc/rundeck/profile and uncomment:
  10. Edit /etc/rundeck/rundeck-config.properties
  11. Edit /etc/rundeck/framework.properties
  12. Make sure port 4443 is opened in the firewall:
  13. Restart the rundeckd daemon
  14. Tail the RunDeck logs to make sure everything works fine:
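The keystore part of the procedure (retrieve the alias from the .pfx, import certificate and key into the Java keystore, build a separate keystore for the CA certificate) as a script, added here as an example and not taken from the article or from the RunDeck project. It assumes the JDK `keytool` is on PATH and that the paths follow the article; the `ca.crt` file name and all passwords are placeholders.

```shell
#!/bin/sh
# Added example: the keytool steps of the RunDeck SSL procedure, with the
# checks an admin wants between them. /etc/rundeck/ssl follows the article;
# ca.crt and the passwords are placeholders to replace before running.
set -eu

SSL_DIR=/etc/rundeck/ssl
PFX="$SSL_DIR/servername.pfx"        # <servername>.pfx copied in the earlier step
CA_CERT="$SSL_DIR/ca.crt"            # assumed name: your private root CA certificate
PFX_PASS="${PFX_PASS:-changeit}"     # placeholder: export password of the .pfx
STORE_PASS="${STORE_PASS:-changeit}" # placeholder: password for the new keystores

# Read "Alias name: ..." from `keytool -list -v` output on stdin. A .pfx
# exported from Windows usually carries a GUID-like alias, so read it
# instead of guessing; such exports normally hold exactly one entry.
pfx_alias() {
  sed -n 's/^Alias name: //p' | head -n 1
}

# Does the listing on stdin contain a private key, not only a certificate?
# Prints yes/no so it can be used in a test.
has_private_key() {
  if grep -q '^Entry type: PrivateKeyEntry'; then echo yes; else echo no; fi
}

# Import certificate and private key into the RunDeck keystore (JKS).
import_pfx() {
  src_alias=$(keytool -list -v -keystore "$PFX" -storetype PKCS12 \
                -storepass "$PFX_PASS" | pfx_alias)
  keytool -importkeystore -srckeystore "$PFX" -srcstoretype PKCS12 \
    -srcstorepass "$PFX_PASS" -srcalias "$src_alias" \
    -destkeystore "$SSL_DIR/keystore" -deststoretype JKS \
    -deststorepass "$STORE_PASS" -destkeypass "$STORE_PASS"
}

# Separate truststore that holds only the CA certificate.
make_truststore() {
  keytool -import -trustcacerts -noprompt -alias rootca -file "$CA_CERT" \
    -keystore "$SSL_DIR/truststore" -storepass "$STORE_PASS"
}

main() {
  import_pfx
  make_truststore
  # Without a PrivateKeyEntry the server has nothing to present over https.
  [ "$(keytool -list -v -keystore "$SSL_DIR/keystore" -storepass "$STORE_PASS" \
        | has_private_key)" = yes ] || { echo "no private key imported" >&2; exit 1; }
  chmod 600 "$SSL_DIR/keystore" "$SSL_DIR/truststore"  # both files hold secrets
}

if [ "${1:-}" = "run" ]; then main; fi
```

Invoke as `sh rundeck-ssl.sh run`; the keystore and truststore paths and the password you chose are what go into ssl.properties in the next step.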

Final Words

I hope this small guide makes it easier to start using RunDeck. You can't allow users to log in to your RunDeck appliance without https, or their passwords are sent in cleartext. Add to that the countless API calls that will be made. As access to your automation systems would be devastating in many cases, you need to take the time to configure SSL for your RunDeck server. If you have no access to a PKI, you can always use self-signed certificates, as described in this procedure from the RunDeck documentation.