I am running Jenkins 1.6 on Linux (CentOS 7.2 specifically). I have several Windows 2012 servers without A.D. I connect to the Windows machines with local credentials. I have configured a development environment with Python and WinRM on the Linux server. For production my configuration will not work because WinRM is not encrypted. If you can encrypt it without A.D., please let me know how.
How do I securely have Jenkins initiate builds on Windows machines without A.D.? I think my requirement of not having A.D. rules out Kerberos. (This link says that both the Linux and Windows servers must be part of the domain. I read elsewhere that it is inadvisable to join a Linux server to an A.D. domain.) How do I use encryption?
Pywinrm can be encrypted if I use SSL according to this link. How do I use SSL to use pywinrm? It won’t matter if you have another solution for me.
On the Windows server that I set up with Jenkins, I tried to harden it to simulate production requirements: I used this command (from a command prompt opened as Administrator):
winrm set winrm/config/service @{AllowUnencrypted="false"}
But this made my Jenkins builds break with an error like this:
winrm.exceptions.UnauthorizedError: 401 Unauthorized
My Jenkins builds use Python code with the authentication hard coded in them. I cannot have plaintext passwords in production. But they do work for interacting with Windows machines (from a Jenkins installation running on Linux).
My Jenkins build worked until I changed the AllowUnencrypted setting on the Windows server. So I know the credentials worked. The password must be encrypted during transit across the network from the Jenkins instance to the Windows servers.
If there is not a way to encrypt WinRM from the Linux/Jenkins server without A.D., what are my options for Jenkins pushing builds (running PowerShell commands) in a secure way in production?
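As an added example (not part of the original post): one way to call pywinrm over HTTPS with a local Windows account, validating the server certificate and reading the credentials from the job environment instead of hard-coding them. It assumes an HTTPS WinRM listener already exists on the Windows server; the environment variable names, host name and CA file path are hypothetical.

```python
import os
from urllib.parse import urlsplit

# Assumed names (not from the post): WINRM_USER / WINRM_PASS are environment
# variables injected by the Jenkins job; ca_pem is the PEM file of the CA that
# signed the certificate bound to the Windows HTTPS listener.


def session_args(endpoint, env, ca_pem):
    """Return (target, auth, kwargs) for winrm.Session, refusing weak settings."""
    url = urlsplit(endpoint)
    if url.scheme != "https":
        raise ValueError("refusing non-TLS WinRM endpoint: %s" % endpoint)
    user, password = env.get("WINRM_USER"), env.get("WINRM_PASS")
    if not user or not password:
        raise ValueError("WINRM_USER and WINRM_PASS must be set by the job")
    port = url.port or 5986  # 5986 is the default WinRM HTTPS port
    target = "https://%s:%d%s" % (url.hostname, port, url.path or "/wsman")
    kwargs = {
        "transport": "ntlm",                   # works with local, non-domain accounts
        "server_cert_validation": "validate",  # do not use 'ignore' in production
        "ca_trust_path": ca_pem,
    }
    return target, (user, password), kwargs


def run_ps(endpoint, script, ca_pem, env=os.environ):
    """Run a PowerShell script on the remote host over TLS and return stdout."""
    import winrm  # pywinrm; imported here so the checks above work without it
    target, auth, kwargs = session_args(endpoint, env, ca_pem)
    result = winrm.Session(target, auth=auth, **kwargs).run_ps(script)
    if result.status_code != 0:
        raise RuntimeError(result.std_err.decode(errors="replace"))
    return result.std_out.decode(errors="replace")


if __name__ == "__main__":
    # Constructed host name and CA path, for illustration only.
    print(run_ps("https://build01.example.internal:5986/wsman",
                 "hostname", "/etc/pki/tls/certs/build-ca.pem"))
```

Because the whole exchange runs inside TLS, this works with AllowUnencrypted set to false on the service.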