How to restrict cryptographic protocols used by Bamboo's JMS broker for remote agent communication
Purpose
After securing your remote agents with SSL, you may want to harden the JMS broker that Bamboo uses for remote agent communication further. This guide shows how to restrict the SSL/TLS protocols and cipher suites that the broker endpoint accepts once SSL has already been enabled.
Solution
- Shut down Bamboo
- Modify your <bamboo-home>/bamboo.cfg.xml
Add the transport.enabledProtocols property to the transport in the bamboo.jms.broker.uri property. The example below enables only TLSv1.2 on the broker (the ampersands separating transport options are written as &amp; because the value sits inside an XML document):
<property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?transport.enabledProtocols=TLSv1.2&amp;wireFormat.maxInactivityDuration=300000</property>
If the cipher suites also need to be restricted, add the transport.enabledCipherSuites property to the transport. The example below enables only the SSL_RSA_WITH_RC4_128_SHA and SSL_DH_anon_WITH_3DES_EDE_CBC_SHA cipher suites:
<property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA&amp;wireFormat.maxInactivityDuration=300000</property>
- Start Bamboo
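As an added check that is not from this page or from Bamboo, the Python script below parses the bamboo.jms.broker.uri property from a constructed bamboo.cfg.xml fragment and reports legacy protocols and weak cipher suites, so a hardened configuration can be verified before Bamboo is restarted. The two suites used as examples above (RC4, and anonymous DH with 3DES) are weak choices that current JDK releases disable by default, so the audit flags them. The <application-configuration> wrapper, the allowed-protocol set and the weak-suite markers are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs
# Constructed fragment of <bamboo-home>/bamboo.cfg.xml (wrapper elements assumed); a bare '&' is invalid XML, hence &amp;.
SAMPLE_CFG = """<application-configuration>
  <properties>
    <property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA&amp;wireFormat.maxInactivityDuration=300000</property>
  </properties>
</application-configuration>"""

# Policy assumptions: only these protocols, and no suite whose name carries a weak marker.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_SUITE_MARKERS = ("RC4", "_anon_", "3DES", "_NULL_", "EXPORT", "_MD5", "_DES_")

def broker_uri(cfg_xml):
    """Return the value of the bamboo.jms.broker.uri property."""
    root = ET.fromstring(cfg_xml)
    for prop in root.iter("property"):
        if prop.get("name") == "bamboo.jms.broker.uri":
            return (prop.text or "").strip()
    raise ValueError("bamboo.jms.broker.uri not found")

def transport_options(uri):
    """Split the broker URI into its scheme and its ?key=value transport options."""
    parts = urlsplit(uri)
    return parts.scheme, {k: v[0] for k, v in parse_qs(parts.query).items()}

def audit(cfg_xml):
    """Return a list of findings; an empty list means the broker config passes."""
    findings = []
    scheme, opts = transport_options(broker_uri(cfg_xml))
    if scheme != "ssl":
        findings.append(f"broker transport is {scheme!r}, not ssl")
    protos = opts.get("transport.enabledProtocols")
    if protos is None:
        findings.append("transport.enabledProtocols not set: JVM defaults apply")
    else:
        legacy = sorted(set(protos.split(",")) - ALLOWED_PROTOCOLS)
        if legacy:
            findings.append(f"legacy protocols enabled: {legacy}")
    suites = opts.get("transport.enabledCipherSuites")
    if suites is None:
        findings.append("transport.enabledCipherSuites not set: JVM defaults apply")
    else:
        for suite in suites.split(","):
            if any(marker in suite for marker in WEAK_SUITE_MARKERS):
                findings.append(f"weak cipher suite enabled: {suite}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CFG) or ["broker configuration passes"]))
```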
Source:
Bamboo uses Apache ActiveMQ for its Java messaging. More about the SSL transport can be found in Apache's documentation below:
From the documentation:
Any SSLServerSocket option may be set on a TransportConnection via ?transport.XXX,
SSLServerSocket options are documented in the Java 8 API reference below:
Values for each option can be found in the Standard Names documentation below: