How to generate a new Bamboo ActiveMQ broker certificate using automatic keystore management


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

If you have secured your agents by following the steps on the Securing your remote agents > Configure your Bamboo server to use SSL page, that is, by simply updating the protocol to SSL in the Broker URL and Broker Client URL inside the <bamboo-home>/bamboo.cfg.xml file, Bamboo will have automatically set up the key and trust stores and distributed certificates to your agents the first time they connected to the server. This feature is called automatic keystore management.

This page describes how to verify the details of the existing certificate and generate a new one if necessary. There are a few caveats, though, so please make sure to read through the following:

  • This page is not meant for you if you have disabled automatic keystore management using the following Java property in your Bamboo instance:

    -Dbamboo.manage.jms.ssl=false
  • If you have disabled automatic keystore management and have set the Broker URL and Broker Client URL to use SSL, then you are likely using your own certificate to secure your agents. This page is also not meant for you, since the process you will need to follow to generate a new certificate is very different from the one used by automatic keystore management. If you're looking for steps on how to secure your agents using your own certificate, have a look at the following page: https://confluence.atlassian.com/bamkb/how-to-secure-your-remote-agent-bamboo-server-757465762.html.

Environment

Bamboo versions 5.10 and higher.

Solution

Verifying Bamboo ActiveMQ broker certificate details

To verify the certificate details (e.g. owner and expiry date) and decide whether you should generate a new one, you can use the following options:

OpenSSL

openssl s_client -connect <brokerClientURL>:54663

Replace <brokerClientURL> with the URL from the bamboo.jms.broker.client.uri property inside the <bamboo-home>/bamboo.cfg.xml file.

keytool

  1. Navigate to the <bamboo-shared-home>/configuration directory.
  2. Run the following command:

    keytool -v -list -keystore broker.ks -alias jmsbrokerkey

Starting from Bamboo 6.8.0, the validity period of the Bamboo ActiveMQ broker certificate has been extended to 20 years.

BAM-20164

Generating a new Bamboo ActiveMQ broker certificate

To generate a new certificate and make sure that it is propagated to your existing agents, you will have to do the following:

Bamboo

  1. Stop Bamboo.
  2. Navigate to the <bamboo-shared-home>/configuration directory.
  3. Delete the broker.ks file (or move it to another folder on the server if you want to keep a backup).
  4. Start Bamboo.
    1. Bamboo will automatically generate a new certificate due to the automatic keystore management feature.

Agent(s)

  1. Stop agent.
  2. Navigate to the <bamboo-agent-home>/configuration folder.
  3. Delete the jmsclient.ks and jmsclient.ts files (or move them to another folder on the server if you want to keep backups).
  4. Start agent.
    1. The agent will receive the new certificate from Bamboo during startup.


You must do this on every agent connected to Bamboo after generating a new certificate; otherwise, agents will fail to establish a connection to Bamboo and will log the following error:

<bamboo-agent-home>/atlassian-bamboo-agent.log
PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
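
The agent-side steps above, scripted for a single agent (an added example, not Atlassian's own tooling). The function names and the keystore-backup-<timestamp> folder are assumptions made for this example, and the agent must already be stopped before it runs.

```shell
#!/bin/sh
# Added example: reset one agent's JMS client stores after the broker
# certificate was regenerated. Assumes the agent is already stopped.
# Function names and the backup folder name are hypothetical.

PKIX_ERROR='PKIX path validation failed'

# Return 0 if <agent-home>/atlassian-bamboo-agent.log contains the
# trust failure quoted on this page, non-zero otherwise.
agent_has_pkix_error() {
    log="$1/atlassian-bamboo-agent.log"
    [ -f "$log" ] && grep -qF "$PKIX_ERROR" "$log"
}

# Move jmsclient.ks and jmsclient.ts out of <agent-home>/configuration
# into a private backup folder and print that folder's path.
# Returns 1 if the configuration directory is missing or a move fails,
# 2 if neither store file was present (nothing to reset).
reset_agent_keystores() {
    agent_home="$1"
    conf="$agent_home/configuration"
    [ -d "$conf" ] || { echo "no configuration directory under $agent_home" >&2; return 1; }
    backup="$agent_home/keystore-backup-$(date +%Y%m%d%H%M%S)"
    moved=0
    for f in jmsclient.ks jmsclient.ts; do
        if [ -f "$conf/$f" ]; then
            # The key store holds private key material: keep the backup owner-only.
            mkdir -p "$backup" && chmod 700 "$backup" || return 1
            mv "$conf/$f" "$backup/$f" || return 1
            moved=$((moved + 1))
        fi
    done
    [ "$moved" -gt 0 ] || { echo "nothing to move in $conf" >&2; return 2; }
    echo "$backup"
}

# When run as a script: ./reset-agent-stores.sh <bamboo-agent-home>
if [ "$#" -eq 1 ]; then
    agent_has_pkix_error "$1" && echo "PKIX error found in agent log" >&2
    reset_agent_keystores "$1"
fi
```

Start the agent again afterwards so that it receives the new certificate from Bamboo during startup.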

There's a feature request asking for a change in this behaviour and to facilitate the process of generating new certificates: BAM-21721

Last modified on Apr 25, 2022
