How to secure your remote agent (Bamboo Server)

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.



The following describes Securing your remote agents documentation providing further information.

(info)   Before going through the steps below, please make sure you have:

  • Bamboo server up
  • At least one Bamboo remote agent set up

Create keys, stores and certificates

(info)   The following steps have been taken from Bamboo's server box

  1. Run the following to create the certificates

    [root@localhost ssl]# keytool -genkey -alias bamboo.secure.server -keyalg RSA -keystore bamboo.secure.server.ks
    Enter keystore password:  
    Re-enter new password: 
    They don't match. Try again
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  bamboo.secure.server
    What is the name of your organizational unit?
      [Unknown]:  OU
    What is the name of your organization?
      [Unknown]:  O
    What is the name of your City or Locality?
      [Unknown]:  City
    What is the name of your State or Province?
      [Unknown]:  State
    What is the two-letter country code for this unit?
      [Unknown]:  CC
    Is CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC correct?
      [no]:  y
    
    Enter key password for <bamboo.secure.server>
    	(RETURN if same as keystore password):  
    Re-enter new password: 
    
    [root@localhost ssl]# keytool -export -alias bamboo.secure.server -keystore bamboo.secure.server.ks -file bamboo.secure.server.crt
    Enter keystore password:  
    Certificate stored in file <bamboo.secure.server.crt>
    
    [root@localhost ssl]# keytool -genkey -alias bamboo.secure.client -keyalg RSA -keystore bamboo.secure.client.ks
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  bamboo.secure.client
    What is the name of your organizational unit?
      [Unknown]:  OU
    What is the name of your organization?
      [Unknown]:  O
    What is the name of your City or Locality?
      [Unknown]:  City
    What is the name of your State or Province?
      [Unknown]:  State
    What is the two-letter country code for this unit?
      [Unknown]:  CC
    Is CN=bamboo.secure.client, OU=OU, O=O, L=City, ST=State, C=CC correct?
      [no]:  y
    
    Enter key password for <bamboo.secure.client>
    	(RETURN if same as keystore password):  
    Re-enter new password: 
    
    [root@localhost ssl]# keytool -import -alias bamboo.secure.server -keystore bamboo.secure.client.ts -file bamboo.secure.server.crt
    Enter keystore password:  
    Re-enter new password: 
    Owner: CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC
    Issuer: CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC
    Serial number: 26ce7cbb
    Valid from: Fri Jun 19 11:46:46 EDT 2015 until: Thu Sep 17 11:46:46 EDT 2015
    Certificate fingerprints:
    	 MD5:  2B:9F:5A:72:98:49:88:A7:C0:F5:3C:4A:16:3F:D6:53
    	 SHA1: 92:A6:AF:C2:22:92:04:89:E1:CE:82:4A:B2:AC:FB:71:69:B4:41:27
    	 SHA256: 04:E3:E1:29:4A:97:83:C4:91:A2:B1:9A:4E:A0:0E:A8:48:5B:05:4B:DA:C6:D1:B9:36:05:BD:52:A3:B6:16:73
    	 Signature algorithm name: SHA256withRSA
    	 Version: 3
    
    Extensions: 
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 73 E5 CC 9E 1F 70 D0 21   9B 7B 22 8D 71 A4 7E 6B  s....p.!..".q..k
    0010: 5A 92 70 2D                                        Z.p-
    ]
    ]
    
    Trust this certificate? [no]:  y
    Certificate was added to keystore
    

    As a result, you would have:

    [root@localhost ssl]# ls -l
    -rw-r--r--. 1 root root 2246 Jun 19 11:49 bamboo.secure.client.ks
    -rw-r--r--. 1 root root  958 Jun 19 11:50 bamboo.secure.client.ts
    -rw-r--r--. 1 root root  879 Jun 19 11:48 bamboo.secure.server.crt
    -rw-r--r--. 1 root root 2247 Jun 19 11:46 bamboo.secure.server.ks
    
  2. Go to Bamboo installation directory:

    [root@localhost atlassian-bamboo-x.x.x]# cat bin/setenv.sh 
    
    # place the certificates as per follows:
    JVM_SUPPORT_RECOMMENDED_ARGS="-Djavax.net.ssl.keyStore=/opt/atlassian/ssl/bamboo.secure.server.ks -Djavax.net.ssl.keyStorePassword=changeit"
    
  3. Copy certificates to Bamboo remote agent box

    [root@localhost ssl]# scp -r bamboo.secure* root@192.168.10.87:/opt/atlassian/remote-agent/ssl/
    root@192.168.10.87's password: 
    bamboo.secure.client.ks                                                                                                     100% 2246     2.2KB/s   00:00    
    bamboo.secure.client.ts                                                                                                     100%  958     0.9KB/s   00:00    
    bamboo.secure.server.crt                                                                                                    100%  879     0.9KB/s   00:00    
    bamboo.secure.server.ks                                                                                                     100% 2247     2.2KB/s   00:00 
    
  4. Go to "<bamboo-home>" directory and edit "bamboo.cfg.xml" by replacing "tcp" with "ssl"

    # 192.168.10.101, this is the IP address to Bamboo's server box
    # please, notice in both brokers "tcp" has been replaced by "ssl"
    <property name="bamboo.jms.broker.client.uri">failover:(ssl://192.168.10.101:54663?wireFormat.maxInactivityDuration=300000)?initialReconnectDelay=15000&amp;maxReconnectAttempts=10</property>
    <property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?wireFormat.maxInactivityDuration=300000</property>
    
  5. start Bamboo
  6. please, go to "Bamboo administration >>Build resources >> Agents" and make sure you have "Enable Remote Agent Support"

(info)   The following steps have been taken from Bamboo's remote agent box

  1. Go to Bamboo remote agent directory and edit "<bamboo-agent-home>/conf/wrapper.conf"

    #wrapper.java.additional.3=-agentlib:yjpagent
    wrapper.java.additional.3=-Djavax.net.ssl.keyStore=/opt/atlassian/remote-agent/ssl/bamboo.secure.client.ks
    wrapper.java.additional.4=-Djavax.net.ssl.keyStorePassword=changeit
    wrapper.java.additional.5=-Djavax.net.ssl.trustStore=/opt/atlassian/remote-agent/ssl/bamboo.secure.client.ts
    #wrapper.java.additional.6=-Djavax.net.debug=all
    
    # Application parameters.  Add parameters as needed starting from 1
    wrapper.app.parameter.1=com.atlassian.bamboo.agent.bootstrap.AgentBootstrap
    wrapper.app.parameter.2=http://192.168.10.101:8085/agentServer/
    
  2. Start Bamboo remote agent

    <bamboo-agent-home>/bin/bamboo-agent.sh start
    

Last modified on Aug 22, 2019

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.