Integrating FortiPAM and Jenkins- CLI

Before you begin

  1. Install the Jenkins OIDC provider plugin.
    1. Go to Manage Jenkins > System configuration > Plugins.
    2. Search for OpenID Connect Provider in Available Plugins.

      OR

    3. Download the hpi file from https://plugins.jenkins.io/oidc-provider/releases/.
    4. Go to Advanced settings > Deploy Plugin > Choose file.
  2. Install jq.
    1. On the Unix machine hosting Jenkins, use:
       sudo apt install jq
  3. Install curl.
    1. On the Unix machine hosting Jenkins, use:
       sudo apt install curl

Setting up Jenkins URL

  1. Go to Manage Jenkins > System configuration > System > Jenkins URL, and enter the URL.

Setting up Jenkins OIDC provider

  1. Go to Manage Jenkins > Security > Credentials.
  2. To open the System page, go to the Stores scoped to Jenkins field and click System.
  3. To open the Global credentials page, click Global credentials.
  4. Click Add credentials and choose OpenID Connect id token.
  5. Optionally, edit Issuer, Audience, and ID.
  6. Click Create.
  7. Click Update to save the new credential.

    If the issuer is changed, you need to host the OIDC files manually. Otherwise, the OIDC discovery link is https://<Jenkins_URL>/oidc/.well-known/openid-configuration.

  8. If the ID is left empty, Jenkins generates the credential ID.

Setting up FortiPAM JWT authentication

  1. In the FortiPAM CLI console, enter the following commands:
      config secret jwt-key
       edit "jenkins"
        set type jwks
        set url <url> #The JWKS URL that Jenkins publishes (the jwks_uri in its OIDC discovery document)
       next
      end
  2. Check that the key has been retrieved.
  3. Set up the JWT API user. FortiPAM accepts a token only if every configured claim matches the token's value exactly.
      config system api-user
       edit "jenkins_jwt_test"
        set type jwt
        set accprofile "pam_standard_user"
        set vdom "root"
        config claims
          edit "iss"
           set value <value> #Same as the Issuer in the Jenkins settings, e.g., https://jenkin220.fortipam.ca/oidc
          next
          edit "sub"
           set value "<by default the URL of the Jenkins job>" #e.g., https://jenkin220.fortipam.ca/job/jwt-test/
          next
         end
        next
       end

  4. In the FortiPAM GUI, grant the API user secret and folder permission.
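The most common reason a Jenkins token is rejected at this point is a mismatch between the token's iss or sub claims and the values entered in the api-user claims block. The following Python snippet is an added example (not part of the Fortinet page or the Jenkins plugin) that decodes a Jenkins-issued id token without verifying its signature, compares its claims with the expected values, and reports every difference. The EXPECTED_CLAIMS values and the helper that builds a test token are constructed for illustration; signature verification against the JWKS remains FortiPAM's job.

```python
import base64
import json
import time

# Constructed example: the claims the FortiPAM api-user expects, mirroring the
# "config claims" block above (hostnames are hypothetical).
EXPECTED_CLAIMS = {
    "iss": "https://jenkin220.fortipam.ca/oidc",
    "sub": "https://jenkin220.fortipam.ca/job/jwt-test/",
}


def _b64url_decode(segment):
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt(token):
    """Split a compact JWS into (header, payload) WITHOUT checking the signature.
    This is for inspecting claims only; FortiPAM validates the signature
    against the JWKS it fetched in step 1."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_claims(token, expected=EXPECTED_CLAIMS, now=None):
    """Return a list of problems; an empty list means the token should match the api-user config."""
    problems = []
    header, payload = decode_jwt(token)
    # Without a kid FortiPAM cannot select the right key from the JWKS.
    if "kid" not in header:
        problems.append("header has no kid; the JWKS key cannot be selected")
    # Every configured claim must match exactly (trailing slashes included).
    for name, want in expected.items():
        got = payload.get(name)
        if got != want:
            problems.append("claim %r: expected %r, got %r" % (name, want, got))
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp < now:
        problems.append("token expired at %s" % exp)
    return problems


def make_unsigned_token(header, payload):
    """Build a token with an empty signature for local testing only
    (constructed; FortiPAM would never accept it)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return "%s.%s." % (enc(header), enc(payload))


if __name__ == "__main__":
    # Constructed token whose sub lacks the trailing slash: a typical mismatch.
    tok = make_unsigned_token(
        {"alg": "RS256", "kid": "example-kid"},
        {"iss": EXPECTED_CLAIMS["iss"],
         "sub": "https://jenkin220.fortipam.ca/job/jwt-test",
         "exp": int(time.time()) + 300},
    )
    for problem in check_claims(tok) or ["claims match"]:
        print(problem)
```

To check a real token from a build, paste the value of the JWT variable (without the base64 wrapping the example script applies) into check_claims; the list it returns tells you which api-user claim needs adjusting.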

Jenkins job example script

 pipeline {
  agent any
  stages {
   stage('JWT-TEST') {
    steps {
     // Expose the Jenkins OIDC id token to this step as the JWT environment variable.
     withCredentials([string(credentialsId: '<This will be the Jenkins credential id>', variable: 'JWT')]) {
      script {
       def PAM_ADDR = 'https://[PAM_Addr]:443'   // FortiPAM address; replace [PAM_Addr]
       // Debug output only: writes the id token to the build log. Remove once the integration works.
       sh 'echo $JWT | base64'
       // Step 1: exchange the Jenkins id token for a FortiPAM access token.
       def TOKEN_INFO = sh(
        script: "curl -k $PAM_ADDR/auth/jwt/login -H 'Content-Type:application/json' -d '{\"jwt\":\"$JWT\"}'",
        returnStdout: true
       ).trim()
       sh "echo '$TOKEN_INFO'"
       // Step 2: pull the access token out of the login reply.
       def TOKEN = sh(
        script: "echo '$TOKEN_INFO' | jq -r '.[\"access-token\"]'",
        returnStdout: true
       ).trim()
       sh "echo $TOKEN"
       // Step 3: read one field of the secret, authenticating with the access token as a Bearer token.
       def FIELD_NAME = '<FPAM secret field name>'
       def SEC_CRED = sh(
        script: "curl -k $PAM_ADDR/api/v2/cmdb/secret/database/<secret_id>?fieldname=$FIELD_NAME -H \"Authorization:Bearer $TOKEN\"",
        returnStdout: true
       ).trim()
       sh "echo '$SEC_CRED'"
       // Step 4: extract the requested field from the first result.
       def pwd = sh(
        script: "echo '$SEC_CRED' | jq -r '.results[0].$FIELD_NAME'",
        returnStdout: true
       ).trim()
       println pwd
      }
     }
    }
   }
  }
 }
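The pipeline above performs two HTTP calls: a POST to /auth/jwt/login that returns an access-token, and a GET on /api/v2/cmdb/secret/database/<secret_id>?fieldname=<field> whose reply carries the value at results[0].<field>. The Python module below is an added example (not Fortinet's or Jenkins's code) that builds the same two requests and parses the same two replies, so the exchange can be exercised from any job type or checked offline. Unlike the script's curl -k, the real transport verifies TLS against the system trust store or a CA bundle you pass in; the send parameter exists so the parsing can be tested with constructed replies, and the hostnames and values in the test are hypothetical.

```python
import json
import ssl
import urllib.parse
import urllib.request


def login_request(pam_addr, jwt):
    """Build the FortiPAM JWT login call: POST /auth/jwt/login with a {"jwt": ...} body."""
    url = "%s/auth/jwt/login" % pam_addr
    headers = {"Content-Type": "application/json"}
    body = json.dumps({"jwt": jwt}).encode()
    return "POST", url, headers, body


def parse_login_response(raw):
    """Return the bearer token from the login reply (the 'access-token' member the jq filter reads)."""
    data = json.loads(raw)
    token = data.get("access-token")
    if not token:
        raise RuntimeError("login reply carries no access-token")
    return token


def secret_request(pam_addr, secret_id, field_name, token):
    """Build the secret read: GET /api/v2/cmdb/secret/database/<id>?fieldname=<field> with a Bearer header."""
    query = urllib.parse.urlencode({"fieldname": field_name})
    path = "/api/v2/cmdb/secret/database/%s" % urllib.parse.quote(str(secret_id))
    url = "%s%s?%s" % (pam_addr, path, query)
    headers = {"Authorization": "Bearer %s" % token}
    return "GET", url, headers, None


def parse_secret_response(raw, field_name):
    """Return results[0].<field_name>, the path the pipeline's jq filter uses."""
    data = json.loads(raw)
    results = data.get("results") or []
    if not results or field_name not in results[0]:
        raise RuntimeError("field %r not present in the secret reply" % field_name)
    return results[0][field_name]


def urllib_send(method, url, headers, body, cafile=None):
    """Real transport. TLS is verified against the system store or the given CA
    bundle; this replaces the script's 'curl -k', which disables verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def fetch_secret_field(pam_addr, jwt, secret_id, field_name, send=urllib_send):
    """Run the two-step exchange (login, then secret read) and return the requested field."""
    token = parse_login_response(send(*login_request(pam_addr, jwt)))
    raw = send(*secret_request(pam_addr, secret_id, field_name, token))
    return parse_secret_response(raw, field_name)


if __name__ == "__main__":
    import os
    # In a Jenkins job the id token arrives in the variable named in withCredentials.
    # PAM_ADDR, secret id and field name are placeholders to replace.
    value = fetch_secret_field("https://[PAM_Addr]:443", os.environ["JWT"],
                               "<secret_id>", "<FPAM secret field name>")
    # Use the value; do not print it to the build log.
```

Keep the returned value in memory and pass it straight to the step that needs it; echoing it, as the example script does while debugging, leaves the credential in the build log.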

Jenkins freestyle setup

  1. Go to Job > Configure.
  2. In Environment, select Use secret text(s) or file(s).

  3. Enter the environment variable name and select the OIDC provider credential.
  4. In the build step, reuse the commands from the Jenkins job example script, reading the id token from the environment variable you named.
