diff --git a/manifests/cli.pp b/manifests/cli.pp
index a47e7e904..42c959e26 100644
--- a/manifests/cli.pp
+++ b/manifests/cli.pp
@@ -23,8 +23,8 @@
 }
 $jar = "${jenkins::libdir}/jenkins-cli.jar"
- $extract_jar = "jar -xf ${jenkins::libdir}/jenkins.war WEB-INF/jenkins-cli.jar"
- $move_jar = "mv WEB-INF/jenkins-cli.jar ${jar}"
+ $download_jar = "wget http://localhost:${jenkins::port}/jnlpJars/jenkins-cli.jar -O ${jar}.downloading"
+ $move_jar = "mv ${jar}.downloading ${jar}"
 $remove_dir = 'rm -rf WEB-INF'
 $cli_tries = $jenkins::cli_tries
 $cli_try_sleep = $jenkins::cli_try_sleep
@@ -36,7 +36,7 @@
 creates => $jar,
 } ~> exec { 'jenkins-cli' :
- command => "${extract_jar} && ${move_jar} && ${remove_dir}",
+ command => "${download_jar} && ${move_jar}",
 path => ['/bin', '/usr/bin'],
 cwd => '/tmp',
 refreshonly => true,
@@ -64,6 +64,15 @@
 ' ' )
+ if !empty($jenkins::cli_password) {
+ $cmd_environment = [
+ "JENKINS_USER_ID=${jenkins::cli_username}",
+ "JENKINS_API_TOKEN=${jenkins::cli_password}",
+ ]
+ } else {
+ $cmd_environment = undef
+ }
+ # Do a safe restart of Jenkins (only when notified)
 exec { 'safe-restart-jenkins':
 command => "${cmd} safe-restart && /bin/sleep 10",
@@ -72,6 +81,7 @@
 try_sleep => $cli_try_sleep,
 refreshonly => true,
 require => File[$jar],
+ environment => $cmd_environment,
 }
 # jenkins::cli::reload should be included only after $::jenkins::cli::cmd is
diff --git a/manifests/cli/exec.pp b/manifests/cli/exec.pp
index 925187317..9ad61b350 100644
--- a/manifests/cli/exec.pp
+++ b/manifests/cli/exec.pp
@@ -28,9 +28,14 @@
 )
 if $unless {
- $environment_run = [ "HELPER_CMD=eval ${jenkins::cli_helper::helper_cmd}" ]
+ $environment_run = delete_undef_values(
+ flatten([
+ $jenkins::cli::cmd_environment,
+ "HELPER_CMD=eval ${jenkins::cli_helper::helper_cmd}",
+ ])
+ )
 } else {
- $environment_run = undef
+ $environment_run = $jenkins::cli::cmd_environment
 }
 exec { $title:
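Review bot: `$download_jar` in manifests/cli.pp (hunk at -23,8) now fetches the CLI jar from `http://localhost:${jenkins::port}` with `wget`, over plain HTTP and with nothing verifying what was received, and that jar is afterwards run with the CLI credentials in its environment. The removed lines took the jar out of the packaged `jenkins.war`, so its provenance followed the installed package; a comment above the assignment should say why the download replaces that, e.g. `# fetched from the running local instance; needs wget on the node and a listening Jenkins`. The URL also assumes Jenkins is served at the web root, which this hunk does not show. `$remove_dir` stays defined in the context lines although the next hunk drops it from the command.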
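Review bot: The rewritten `command` of `Exec['jenkins-cli']` (manifests/cli.pp, hunk at -36,7) only succeeds while Jenkins is already answering on its port, and the attributes visible here give it a single attempt. `$cli_tries` and `$cli_try_sleep` are in scope per the previous hunk, so adding `tries => $cli_tries,` and `try_sleep => $cli_try_sleep,` would let a first run wait for the service instead of failing the catalog. The exec body continues past the hunk, so this applies only if those attributes are not already set further down.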
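Review bot: `$cmd_environment` (manifests/cli.pp, hunk at -64,6) carries `cli_password` as a plain string in an exec `environment` array, so it leaves the process list but is still written into the compiled catalog and stays readable from the process environment by the same user and root. The variable also becomes an interface that the other manifests in this diff read as `$jenkins::cli::cmd_environment`, and nothing documents that; a comment above the `if` such as `# CLI credentials, passed via environment instead of -auth; read by cli/exec.pp, cli/reload.pp and job/*.pp` would help. The condition tests only `cli_password`, so an empty `cli_username` yields `JENKINS_USER_ID=` with no value; testing both in the same `if` would avoid that.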
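Review bot: `$environment_run` in manifests/cli/exec.pp now reads `$jenkins::cli::cmd_environment`, which only has a value once `jenkins::cli` has been evaluated, and nothing in this hunk shows that class being included first. The same read is added in manifests/cli/reload.pp, manifests/job/absent.pp and manifests/job/present.pp. If the ordering is not guaranteed, the lookup presumably yields undef (or fails under strict variables) and the CLI call runs without credentials, since `-auth` is no longer on the command line. The enclosing definition starts and ends outside the hunk, so the include may already be there; worth confirming and noting in a comment next to the assignment.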
diff --git a/manifests/cli/reload.pp b/manifests/cli/reload.pp
index 1d028ffa7..a6b040f60 100644
--- a/manifests/cli/reload.pp
+++ b/manifests/cli/reload.pp
@@ -17,5 +17,6 @@
 try_sleep => $cli_try_sleep,
 refreshonly => true,
 require => File[$jar_file],
+ environment => $jenkins::cli::cmd_environment,
 }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 98cf4d0f8..849ec0c78 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -401,7 +401,9 @@
 # Username / Password auth (needed for AD and other Auth Realms)
 if $_use_new_cli {
 if !empty($cli_password) {
- $_cli_auth_arg = "-auth '${cli_username}:${cli_password}'"
+ # username and password passed as environment variables to prevent showing in ps output
+ # so setting cli_auth_arg to empty string
+ $_cli_auth_arg = ''
 } elsif !empty($cli_password_file) {
 $_cli_auth_arg = "-auth '@${cli_password_file}'"
 } else {
diff --git a/manifests/job/absent.pp b/manifests/job/absent.pp
index ec1c86932..b34b44b89 100644
--- a/manifests/job/absent.pp
+++ b/manifests/job/absent.pp
@@ -33,11 +33,12 @@
 # Delete the job
 exec { "jenkins delete-job ${jobname}":
- path => ['/usr/bin', '/usr/sbin', '/bin'],
- command => "${jenkins::cli::cmd} delete-job \"${jobname}\"",
- logoutput => false,
- onlyif => "test -f \"${config_path}\"",
- require => Exec['jenkins-cli'],
+ path => ['/usr/bin', '/usr/sbin', '/bin'],
+ command => "${jenkins::cli::cmd} delete-job \"${jobname}\"",
+ logoutput => false,
+ onlyif => "test -f \"${config_path}\"",
+ require => Exec['jenkins-cli'],
+ environment => $jenkins::cli::cmd_environment,
 }
 }
diff --git a/manifests/job/present.pp b/manifests/job/present.pp
index be5bb6caf..b851e1d5f 100644
--- a/manifests/job/present.pp
+++ b/manifests/job/present.pp
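Review bot: Setting `$_cli_auth_arg = ''` (manifests/init.pp, hunk at -401,7) removes `-auth` from every command built from it, so authentication now depends on each caller passing `environment => $jenkins::cli::cmd_environment`. The diff updates the execs in cli.pp, cli/exec.pp, cli/reload.pp and job/*.pp, but any other consumer of the CLI command string that is not part of this diff would run unauthenticated without an error from Puppet. It also relies on the installed jenkins-cli honouring `JENKINS_USER_ID` and `JENKINS_API_TOKEN`, which is presumably version-dependent; the added comment should name the minimum Jenkins version and the two variable names. The `if $_use_new_cli` block continues outside the hunk.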
@@ -65,9 +65,9 @@
 $job_dir = "${jenkins::job_dir}/${jobname}"
 $config_path = "${job_dir}/config.xml"
- # Bring variables from Class['::jenkins'] into local scope.
+ # Bring variables from Class['jenkins'] into local scope.
 $cli_tries = $jenkins::cli_tries
- $cli_try_sleep = $jenkins::cli_try_sleep
+ $cli_try_sleep = $jenkins::cli_try_sleep
 Exec {
 logoutput => false,
@@ -80,18 +80,20 @@
 $cat_config = "cat \"${tmp_config_path}\""
 $create_job = "${jenkins_cli} create-job \"${jobname}\""
 exec { "jenkins create-job ${jobname}":
- command => "${cat_config} | ${create_job}",
- creates => [$config_path, "${job_dir}/builds"],
+ command => "${cat_config} | ${create_job}",
+ creates => [$config_path, "${job_dir}/builds"],
+ environment => $jenkins::cli::cmd_environment,
 }
 if $replace {
 # Use Jenkins CLI to update the job if it already exists
 $update_job = "${jenkins_cli} update-job ${jobname}"
 exec { "jenkins update-job ${jobname}":
- command => "${cat_config} | ${update_job}",
- onlyif => "test -e ${config_path}",
- unless => "${difftool} ${config_path} ${tmp_config_path}",
- notify => Exec['reload-jenkins'],
+ command => "${cat_config} | ${update_job}",
+ onlyif => "test -e ${config_path}",
+ unless => "${difftool} ${config_path} ${tmp_config_path}",
+ notify => Exec['reload-jenkins'],
+ environment => $jenkins::cli::cmd_environment,
 }
 }
diff --git a/spec/classes/jenkins_cli_spec.rb b/spec/classes/jenkins_cli_spec.rb
index 03751806d..a1e5ee8a2 100644
--- a/spec/classes/jenkins_cli_spec.rb
+++ b/spec/classes/jenkins_cli_spec.rb
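Review bot: In the update-job exec (manifests/job/present.pp, hunk at -80,18) the re-aligned `onlyif` and `unless` lines interpolate `${config_path}` and `${tmp_config_path}` unquoted, and the context line builds `update-job ${jobname}` unquoted, while create-job just above and `test -f \"${config_path}\"` in job/absent.pp quote the same values. A job name containing a space or a shell metacharacter would break or change these commands, which now also run with the CLI credentials in their environment. Quoting them the same way, `onlyif => "test -e \"${config_path}\"",` and `$update_job = "${jenkins_cli} update-job \"${jobname}\""`, would make the update path consistent with the create path. The enclosing block starts outside the hunk.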
@@ -25,7 +25,7 @@
 it { is_expected.to contain_exec('reload-jenkins').with_command(%r{http://localhost:9000}) }
 it { is_expected.to contain_exec('reload-jenkins').with_command(%r{-i\s'/path/to/key'}) }
 it { is_expected.to contain_exec('reload-jenkins').that_requires('File[/path/to/libdir/jenkins-cli.jar]') }
- it { is_expected.to contain_exec('safe-restart-jenkins') }
+ it { is_expected.to contain_exec('safe-restart-jenkins').with('environment' => nil) }
 it { is_expected.to contain_jenkins__sysconfig('HTTP_PORT').with_value('9000') }
 describe 'jenkins::cli' do
@@ -40,6 +40,50 @@
 end
 end
 end
+
+ context '$cli_password is defined' do
+ let(:params) do
+ {
+ version: '2.54',
+ libdir: '/path/to/libdir',
+ cli: true,
+ cli_remoting_free: true,
+ cli_username: 'user01',
+ cli_password: 'password01'
+ }
+ end
+
+ it do
+ is_expected.to contain_exec('safe-restart-jenkins').with(
+ 'environment' => [
+ 'JENKINS_USER_ID=user01',
+ 'JENKINS_API_TOKEN=password01'
+ ]
+ )
+ end
+ end
+
+ context '$cli_password is defined' do
+ let(:params) do
+ {
+ version: '2.54',
+ libdir: '/path/to/libdir',
+ cli: true,
+ cli_remoting_free: true,
+ cli_username: 'user01',
+ cli_password: 'password01'
+ }
+ end
+
+ it do
+ is_expected.to contain_exec('safe-restart-jenkins').with(
+ 'environment' => [
+ 'JENKINS_USER_ID=user01',
+ 'JENKINS_API_TOKEN=password01'
+ ]
+ )
+ end
+ end
 end
 context '$cli => false' do
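Review bot: The two added `context '$cli_password is defined'` blocks (spec/classes/jenkins_cli_spec.rb, hunk at -40,6) are identical in description, params and expectation, so the second adds no coverage. The property this commit is about, that the password no longer appears on the command line, is not asserted anywhere. The second block could check it instead, e.g. `it { is_expected.not_to contain_exec('safe-restart-jenkins').with_command(%r{password01}) }`, and a similar expectation for `reload-jenkins` would cover manifests/cli/reload.pp.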