Configure HTTPS for Code Pipeline and XL Release


This section describes the XL Release integration with Code Pipeline and the configuration required to implement HTTPS.

Overview

XL Release is an end-to-end pipeline orchestration tool from XebiaLabs that allows Continuous Delivery and DevOps teams to handle automated tasks, manual tasks, complex dependencies, and release trains. Code Pipeline is an active work environment that coordinates and controls application development and support work.

Request and Notification Flow

[Figure: Request and notification flow (RequestAndNotificationFlow.png)]

Configuration Requirements

Configure HTTPS request and notification flows between XL Release and Code Pipeline as follows:

  • Use the current Code Pipeline Eclipse plugin.
  • Use the same major Java release version.
  • Correctly configure SSL certificates and keystores.

Code Pipeline Plugin Requirements

To integrate with Code Pipeline on the host, the latest Code Pipeline Eclipse plugin must be used. The plugin can be downloaded from the following GitHub location:

https://github.com/xebialabs-community/xlr-ispw-plugin/releases

Java Requirements

The same major version of Java must be used for the applicable Java integration points (CES and XL Release).

Certificate and Configuration Requirements

All configuration settings for CES can be found in the BMC AMI Products for Web Installation and Configuration Guide. The configuration settings for BMC AMI Common Mainframe Services Controller (CMSC) can be found in the Enterprise Common Components Advanced Configuration Guide.

XL Release, CES, and CMSC must all be configured for HTTPS.

CES can optionally be configured to require a client certificate when XL Release or CMSC connects to it. Because multiple HTTPS connections are made throughout this process, several SSL certificates are required:

  • When XL Release sends a request to CES, CES sends a server certificate back to XL Release. If CES is configured to require a client certificate, CES will require XL Release to send a client certificate back.
  • When CMSC sends the notification to CES, CES sends a server certificate back to CMSC. If CES is configured to require a client certificate, CES will require CMSC to send a client certificate back.
  • When CES sends the notification to XL Release, XL Release will send a server certificate to CES, and CES will send a client certificate back to XL Release.

Keystore Configuration

Keystores must be configured for CES, CMSC, and XL Release.

CES

CES uses the following two keystores for this process:

  • The keystore specified on the CES WebServer page for HTTPS must contain one or both of the following:
    • Valid server certificate (required)
    • Trusted certificate(s) used to sign the client certificates returned by CMSC and XL Release (if CES is configured to require a client certificate).
  • The default Java keystore ($JRE_HOME$/jre/lib/security/cacerts) must contain two certificates:
    • Client certificate to return to XL Release on request
    • Trusted certificate used to sign the server certificate provided by XL Release.

CMSC

The CMSC must be configured with a keystore containing the following:

  • Trusted certificate used to sign the server certificate provided by CES.
  • Optionally, a client certificate to send to CES if required.

CMSC startup parameters, including the location of the keystore for the CMSC, are maintained in your site’s CMSC PARMLIB member, by default named CMSC00. Before starting the CMSC, modify the parameters in the CMSC00 PARMLIB member to your site’s requirements as follows:

  • If the keystore is an SAF-managed keyring, use parameter CES_SSL_KEYRING to specify the name of the key ring file.
  • If the keystore is on USS, use:
    • Parameter CES_SSL_KEYDB to specify the name of the key database to be used.
    • Parameter CES_SSL_KEYSTH to specify the name of the password stash file.

XL Release

XL Release also uses two keystores:

  • XL Release must be configured for HTTPS, and the keystore specified in that configuration must contain the following:
    • Valid server certificate
    • Trusted certificate used to sign the client certificate returned by CES.
  • The default Java keystore ($JRE_HOME$/jre/lib/security/cacerts) must contain one or two certificates:
    • Trusted certificate used to sign the server certificate returned by CES.
    • Optionally, a client certificate to send to CES if required.
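
The keystore requirements listed above for CES, CMSC, and XL Release can be checked connection by connection before any service is restarted. The following Python code is an added example, not BMC or XebiaLabs code: it reduces each keystore to the names of the CAs involved, and the store names (ces_webserver, ces_cacerts, cmsc, xlr_https, xlr_cacerts), the CA name, and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Keystore:
    """Constructed inventory of one keystore, reduced to issuing-CA names."""
    server_issuer: Optional[str] = None  # CA that signed the server certificate held here
    client_issuer: Optional[str] = None  # CA that signed the client certificate held here
    trusted: set = field(default_factory=set)  # CAs imported as trusted certificates

def check_flows(stores, ces_requires_client_cert):
    """Return one message per keystore gap that would break a handshake."""
    # (flow, client-side store, server-side store, is a client certificate needed?)
    flows = [
        ("XL Release -> CES", "xlr_cacerts", "ces_webserver", ces_requires_client_cert),
        ("CMSC -> CES", "cmsc", "ces_webserver", ces_requires_client_cert),
        ("CES -> XL Release", "ces_cacerts", "xlr_https", True),
    ]
    problems = []
    for name, client_key, server_key, need_client in flows:
        client, server = stores[client_key], stores[server_key]
        # The client must trust the CA that signed the server certificate.
        if server.server_issuer is None:
            problems.append(f"{name}: {server_key} has no server certificate")
        elif server.server_issuer not in client.trusted:
            problems.append(f"{name}: {client_key} does not trust {server.server_issuer}")
        # When a client certificate is needed, the server must trust its signer.
        if need_client and client.client_issuer is None:
            problems.append(f"{name}: {client_key} has no client certificate")
        elif need_client and client.client_issuer not in server.trusted:
            problems.append(f"{name}: {server_key} does not trust {client.client_issuer}")
    return problems

# Constructed sample: every certificate is signed by one hypothetical CA.
CA = "Example Root CA"
SAMPLE = {
    "ces_webserver": Keystore(server_issuer=CA, trusted={CA}),
    "ces_cacerts": Keystore(client_issuer=CA, trusted={CA}),
    "cmsc": Keystore(trusted={CA}),            # no client certificate
    "xlr_https": Keystore(server_issuer=CA),   # CA for the CES client certificate not imported
    "xlr_cacerts": Keystore(client_issuer=CA, trusted={CA}),
}

if __name__ == "__main__":
    for required in (False, True):
        print(f"CES requires client certificate: {required}")
        for problem in check_flows(SAMPLE, required):
            print("  " + problem)
```

In the sample, the missing CMSC client certificate only becomes a failure once CES is configured to require client certificates, while the missing trusted certificate in the XL Release HTTPS keystore breaks the CES notification in either mode.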

 

BMC AMI DevX Code Pipeline 22.01