scm-manager wiki (Sebastian Sdorra) / scm-server-ssl

SCM-Server SSL

Note: This document describes an SSL configuration with a self-signed certificate. Because no CA signs it, every Git and Mercurial client has to be told explicitly to trust the exported certificate (see the client sections below).

1. Open a shell and go to the conf directory of the scm-server

2. Create a key pair with a self-signed certificate (despite the name, keytool -genkey does not produce a certificate request). The explicit key size and validity replace keytool's old defaults of 1024 bits and 90 days. Replace all variables (*varname*)

$ keytool -genkey -alias scm -keyalg RSA -keysize 2048 -validity 365 -keystore keystore.jks

Enter keystore password: your password
Re-enter new password: your password
What is your first and last name?
  [Unknown]:  *your servername*
What is the name of your organizational unit?
  [Unknown]:  *organisation unit*
What is the name of your organization?
  [Unknown]:  *organisation*
What is the name of your City or Locality?
  [Unknown]:  *city*
What is the name of your State or Province?
  [Unknown]:  *state*
What is the two-letter country code for this unit?
  [Unknown]:  *country code*
Is CN=your servername, OU=your organisation unit, O=your organisation, L=your city, ST=your state, C=cc correct?
  [no]:  yes

Enter key password for <scm>
	(RETURN if same as keystore password): *password*
Re-enter new password: *password*

Note: Enter the fully qualified hostname of your server for the CN (the "What is your first and last name?" prompt). Modern Git (libcurl) and browser clients check the Subject Alternative Name rather than the CN, so with JDK 7 or later also pass -ext SAN=dns:your.server.name to the keytool command above; the hostname in the URL the clients use must match it exactly.

3. Edit server-config.xml, uncomment the SSL connector and set your passwords: password is the keystore password and keyPassword the key password from step 2. The truststore settings are only consulted for client-certificate authentication, so pointing them at the same keystore is harmless. For example:

<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg>
        <!--
        Exclude SSLv3 to avoid POODLE vulnerability.
        See https://groups.google.com/d/msg/scmmanager/sX_Ydy-wAPA/-Dvs5i7RHtQJ
        -->
        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
          <Set name="excludeProtocols">
            <Array type="java.lang.String">
              <Item>SSLv2Hello</Item>
              <Item>SSLv3</Item>
            </Array>
          </Set>
        </New>
      </Arg>
      <Set name="Port">8181</Set>
      <Set name="maxIdleTime">30000</Set>
      <Set name="keystore"><SystemProperty name="basedir" default="." />/conf/keystore.jks</Set>
      <Set name="password">*password*</Set>
      <Set name="keyPassword">*password*</Set>
      <Set name="truststore"><SystemProperty name="basedir" default="." />/conf/keystore.jks</Set>
      <Set name="trustPassword">*password*</Set>
    </New>
  </Arg>
</Call>

4. Start or restart the scm-server

Note: Some OpenJDK versions appear to have an error here (issues #84 and #151). If you hit it, try the Oracle JDK.
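The server-side procedure above (steps 1 to 4) as one non-interactive script, plus a check to run once the server is back up. This is an added example, not code from the scm-manager wiki or project. It assumes keytool from JDK 7 or later (needed for -ext SAN), OpenSSL 1.1 or later on the machine running the check, the connector port 8181 from server-config.xml, and uses the placeholder hostname scm.example.test and password "changeit"; the organisation fields in -dname are placeholders as well.

```shell
#!/bin/sh
# Added example (not part of the scm-manager wiki): non-interactive version of
# steps 1-4 and a post-restart TLS check. Assumptions: keytool from JDK 7+
# (-ext SAN), OpenSSL 1.1+ for the check, server port 8181 as in
# server-config.xml. Hostname scm.example.test and password "changeit" are
# placeholders.
set -e

# Step 2 without prompts: one RSA key pair with a self-signed certificate whose
# CN *and* SubjectAltName carry the server FQDN (modern clients ignore the CN).
# 2048 bits / 365 days replace keytool's old defaults (1024 bits / 90 days).
# -storetype JKS keeps the file in the format the Jetty config expects even on
# JDK 9+, where PKCS12 became the default. Key and store password are the same,
# so password and keyPassword in server-config.xml get the same value.
gen_keystore() {
  fqdn=$1; password=$2; dir=$3
  keytool -genkeypair -alias scm -keyalg RSA -keysize 2048 -validity 365 \
    -storetype JKS -keystore "$dir/keystore.jks" \
    -storepass "$password" -keypass "$password" \
    -dname "CN=$fqdn, OU=IT, O=Example Org, L=City, ST=State, C=XX" \
    -ext "SAN=dns:$fqdn"
}

# Export the certificate as PEM for the Git / Mercurial clients.
export_cert() {
  password=$1; dir=$2
  keytool -exportcert -keystore "$dir/keystore.jks" -storepass "$password" \
    -alias scm -rfc -file "$dir/cert.pem"
}

# SHA-256 fingerprint of cert.pem, to compare out of band before a client
# is told to trust the file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# After step 4: does the running server present a certificate that verifies
# against cert.pem and matches the hostname? Succeeds only on
# "Verify return code: 0 (ok)"; a hostname mismatch yields code 62 instead.
verify_tls() {
  host=$1; port=$2; cert=$3
  openssl s_client -connect "$host:$port" -servername "$host" \
    -verify_hostname "$host" -CAfile "$cert" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

main() {
  fqdn=$1; password=$2; dir=${3:-.}
  gen_keystore "$fqdn" "$password" "$dir"
  export_cert "$password" "$dir"
  cert_fingerprint "$dir/cert.pem"
  echo "Enable the SSL connector in server-config.xml with this password," \
       "restart scm-server, then run: verify_tls $fqdn 8181 $dir/cert.pem"
}

# Usage: sh scm-ssl-setup.sh scm.example.test changeit /path/to/scm-server/conf
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Run it from the scm-server conf directory (step 1) with your real FQDN; the fingerprint it prints is what you give to colleagues so they can check cert.pem before adding it to their Git or Mercurial configuration. If verify_tls fails with a hostname mismatch, the name in the clients' clone URL does not match the CN/SAN you generated.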

Configure Git

1. Export the certificate from keystore:

$ keytool -exportcert -keystore keystore.jks -alias scm -rfc -file cert.pem

2. Copy the certificate to your client and add it to your git config:

$ git config http.sslCAInfo /complete/path/to/cert.pem

Note: Without --global this only affects the current repository, so run it inside the clone (or with --global before cloning). A global http.sslCAInfo replaces the CA bundle for every HTTPS remote; with Git 1.8.5 or later, scope it to the server instead with the key http.https://your.server.name:8181/.sslCAInfo so other hosts keep verifying against the system CAs.

Configure Mercurial

1. Export the certificate from keystore:

$ keytool -exportcert -keystore keystore.jks -alias scm -rfc -file cert.pem

2. Copy the certificate to your client and add it to your .hgrc config file:

[web]
cacerts = /complete/path/to/cert.pem

Note: Mercurial 3.9 and later can alternatively pin the certificate per host in a [hostsecurity] section (your.server.name:fingerprints = sha256:...), which avoids shipping the PEM file to every client.
