Integrate Java CSP with Jenkins build for CI/CD pipeline

DevOps or build engineers who use Jenkins to build binaries for the Java runtime can integrate the Secure App Service (SAS) Java CSP to digitally sign the files being built in a secure way.

Follow the instructions below to integrate the Secure App Service (SAS) Java CSP with a Jenkins build for a CI/CD pipeline:

Pre-requisites

  1. An agent running any OS that supports Java
  2. An installed Jenkins build system
  3. A Java JDK installed on the agent
  4. A copy of the Secure App Service (SAS) Java CSP jar file (the jar file must be named jce.jar)
  5. The JAVA_HOME environment variable set to the installed JDK location
  6. A property file that includes all the values required to make the SOAP API call from the Java JCE. The valid fields that need to be configured in the property file are: username, password, partnercode, publisherid, signingservice, sasapiurl, pemfile and pempassword (refer to the README guide available with the Java CSP)
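
The property file from prerequisite 6 holds the account password and the PEM password, so it is worth checking on the agent before jarsigner is called. The script below is an added example, not part of the Java CSP or its README; it assumes plain key=value lines, and the names check_csp_properties and prop_value are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of the Java CSP properties file.
# Assumption: the file uses plain key=value (or key:value) lines.
# Key names are the ones listed in prerequisite 6.
REQUIRED_KEYS="username password partnercode publisherid signingservice sasapiurl pemfile pempassword"

# Print the value of key $2 in file $1 (last assignment wins, empty if absent).
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '\r'
}

# Return 0 when the file is fit for signing, non-zero otherwise.
# Findings go to stderr by key name only; values are never echoed.
check_csp_properties() {
    file=$1
    rc=0
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "properties file not readable: $file" >&2
        return 2
    fi
    # The file holds password and pempassword: refuse group/other access.
    perms=$(ls -ldL -- "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "properties file is accessible to group/other (chmod 600)" >&2
        rc=1
    fi
    for key in $REQUIRED_KEYS; do
        if [ -z "$(prop_value "$file" "$key")" ]; then
            echo "missing or empty key: $key" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: ./check_csp.sh /path/to/csp.properties
if [ "$#" -gt 0 ]; then
    check_csp_properties "$1"
fi
```

Run it from an sh step ahead of the signing step so that a non-zero exit fails the build. The permission check assumes a POSIX file system on the agent.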

Setup

With the prerequisites satisfied, configure the build pipeline in Jenkins in the usual way, with one exception: after the binary/library is built, invoke $JAVA_HOME/jarsigner to digitally sign the file using the Secure App Service Java CSP. Below is a sample build pipeline for reference:

node {
	stage('Preparation') {
		echo 'preparation stage'
		// Get some code from a GitHub repository
		git 'http://<GIT_SERVER>/cc/demo-java.git'
	}
	stage('Build') {
		echo 'build stage'
		echo 'building demo-java jar'
		// Gradle is used here to build the Java archive (jar); you are free to use any other tool.
		// If you use Gradle, make sure the Gradle plugin is configured in Jenkins.
		// On Windows agents, use the bat step instead of sh.
		sh 'gradle assemble'
		echo 'signing java binary using Secure App Service (SAS) Java CSP'
		// Refer to the Java CSP README guide for details on the parameters.
		// Replace every <...> placeholder with a real value before running.
		sh 'jarsigner -J-DcspPropertiesFile=<path to the properties file> -tsadigestalg <digest algorithm> -tsa <URL> -keystore NONE -storepass changeit -storetype SAS -keypass changeit -sigalg SHA256withRSA -digestalg SHA-256 -providerName SymantecSAS -providerClass com.symantec.sas.csp.CSPProvider -signedjar <folder path>/java/signed/<file name> -verbose -debug <jar file> <alias>'
	}
}

Now proceed and build the project. The Java binary is now digitally signed using the Secure App Service (SAS) Java CSP without risking the private keys, which are secured in the Secure App Service cloud.
