How to restrict cryptographic protocols used by Bamboo's JMS broker for remote agent communication


Purpose

After securing your remote agents with SSL, you may want to further harden the JMS broker that Bamboo uses for remote agent communication. This guide shows how to restrict the SSL/TLS protocols and cipher suites supported by the broker endpoint once SSL has been enabled.

Solution

  1. Shut down Bamboo
  2. Modify your <bamboo-home>/bamboo.cfg.xml
  3. Add the transport.enabledProtocols property to the transport in the bamboo.jms.broker.uri property. The example below enables only TLSv1.2 on the broker:

    <property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?transport.enabledProtocols=TLSv1.2&amp;wireFormat.maxInactivityDuration=300000</property>
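  4. If the cipher suites must also be restricted, add the transport.enabledCipherSuites property to the transport. The example below enables only the SSL_RSA_WITH_RC4_128_SHA and SSL_DH_anon_WITH_3DES_EDE_CBC_SHA cipher suites. These two names illustrate the syntax only: RC4 and anonymous Diffie-Hellman suites are weak, so substitute the suites your policy allows.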

    <property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA&amp;wireFormat.maxInactivityDuration=300000</property>
  5. Start Bamboo
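
An added example (not from the original article or from Atlassian): a Python check that reads the bamboo.jms.broker.uri property from bamboo.cfg.xml content and reports enabled protocols and cipher suites that weaken the endpoint, run here against the step 4 value. The protocol allow-list, the weak-name markers and the wrapper element in the sample XML are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # assumption: this check's policy
WEAK_MARKERS = {  # substrings of JSSE standard cipher suite names
    "_RC4_": "RC4 stream cipher",
    "_anon_": "anonymous key exchange, server is not authenticated",
    "_3DES_": "3DES, 64-bit block cipher",
    "_NULL_": "no encryption",
    "_EXPORT_": "export-grade key sizes",
}

def csv_option(opts, name):
    """Split a comma-separated transport option into a list of values."""
    return [v.strip() for v in ",".join(opts.get(name, [])).split(",") if v.strip()]

def audit_broker_uri(cfg_xml):
    """Return findings for the bamboo.jms.broker.uri property in cfg_xml."""
    root = ET.fromstring(cfg_xml)
    uri = next((p.text or "" for p in root.iter("property")
                if p.get("name") == "bamboo.jms.broker.uri"), None)
    if uri is None:
        return ["bamboo.jms.broker.uri not found"]
    parts = urlsplit(uri.strip())
    opts = parse_qs(parts.query)  # ElementTree already decoded &amp; to &
    findings = []
    if parts.scheme != "ssl":
        findings.append(f"broker scheme is {parts.scheme!r}, not ssl")
    for key in ("transport.enabledProtocols", "transport.enabledCipherSuites"):
        if not csv_option(opts, key):
            findings.append(f"{key} not set, JVM defaults apply")
    for proto in csv_option(opts, "transport.enabledProtocols"):
        if proto not in ALLOWED_PROTOCOLS:
            findings.append(f"{proto}: protocol outside allow-list")
    for suite in csv_option(opts, "transport.enabledCipherSuites"):
        findings += [f"{suite}: {why}" for m, why in WEAK_MARKERS.items() if m in suite]
    return findings

# Constructed sample: the step 4 URI inside an assumed wrapper element.
STEP4_CFG = """<properties><property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA&amp;wireFormat.maxInactivityDuration=300000</property></properties>"""

if __name__ == "__main__":
    for finding in audit_broker_uri(STEP4_CFG):
        print(finding)
```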

Source:

Bamboo uses Apache ActiveMQ for its Java messaging. More about the SSL Transport can be found in Apache's documentation below:

From the documentation:

Any SSLServerSocket option may be set on a TransportConnection via ?transport.XXX,

SSLServerSocket options are documented in the Java 8 API reference below:

Values for each option can be found in the below Standard Name documentation:

Last modified on Nov 2, 2018
