How to secure your remote agent (Bamboo Server)
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
The following expands on the Securing your remote agents documentation, providing further information.
Before going through the steps below, please make sure you have:
- Bamboo server up.
- At least one Bamboo remote agent set up.
Create keys, stores, and certificates
The following steps should be done on Bamboo's server box.
Run the following commands to create the certificates.
    [root@localhost ssl]# keytool -genkey -alias bamboo.secure.server -keyalg RSA -keystore bamboo.secure.server.ks
    Enter keystore password:
    Re-enter new password:
    They don't match. Try again
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  bamboo.secure.server
    What is the name of your organizational unit?
      [Unknown]:  OU
    What is the name of your organization?
      [Unknown]:  O
    What is the name of your City or Locality?
      [Unknown]:  City
    What is the name of your State or Province?
      [Unknown]:  State
    What is the two-letter country code for this unit?
      [Unknown]:  CC
    Is CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC correct?
      [no]:  y
    Enter key password for <bamboo.secure.server>
            (RETURN if same as keystore password):
    Re-enter new password:

    [root@localhost ssl]# keytool -export -alias bamboo.secure.server -keystore bamboo.secure.server.ks -file bamboo.secure.server.crt
    Enter keystore password:
    Certificate stored in file <bamboo.secure.server.crt>

    [root@localhost ssl]# keytool -genkey -alias bamboo.secure.client -keyalg RSA -keystore bamboo.secure.client.ks
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  bamboo.secure.client
    What is the name of your organizational unit?
      [Unknown]:  OU
    What is the name of your organization?
      [Unknown]:  O
    What is the name of your City or Locality?
      [Unknown]:  City
    What is the name of your State or Province?
      [Unknown]:  State
    What is the two-letter country code for this unit?
      [Unknown]:  CC
    Is CN=bamboo.secure.client, OU=OU, O=O, L=City, ST=State, C=CC correct?
      [no]:  y
    Enter key password for <bamboo.secure.client>
            (RETURN if same as keystore password):
    Re-enter new password:

    [root@localhost ssl]# keytool -import -alias bamboo.secure.server -keystore bamboo.secure.client.ts -file bamboo.secure.server.crt
    Enter keystore password:
    Re-enter new password:
    Owner: CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC
    Issuer: CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC
    Serial number: 26ce7cbb
    Valid from: Fri Jun 19 11:46:46 EDT 2015 until: Thu Sep 17 11:46:46 EDT 2015
    Certificate fingerprints:
         MD5:  2B:9F:5A:72:98:49:88:A7:C0:F5:3C:4A:16:3F:D6:53
         SHA1: 92:A6:AF:C2:22:92:04:89:E1:CE:82:4A:B2:AC:FB:71:69:B4:41:27
         SHA256: 04:E3:E1:29:4A:97:83:C4:91:A2:B1:9A:4E:A0:0E:A8:48:5B:05:4B:DA:C6:D1:B9:36:05:BD:52:A3:B6:16:73
         Signature algorithm name: SHA256withRSA
         Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 73 E5 CC 9E 1F 70 D0 21   9B 7B 22 8D 71 A4 7E 6B  s....p.!..".q..k
    0010: 5A 92 70 2D                                        Z.p-
    ]
    ]
    Trust this certificate? [no]:  y
    Certificate was added to keystore
As a result, you would have:
    [root@localhost ssl]# ls -l
    -rw-r--r--. 1 root root 2246 Jun 19 11:49 bamboo.secure.client.ks
    -rw-r--r--. 1 root root  958 Jun 19 11:50 bamboo.secure.client.ts
    -rw-r--r--. 1 root root  879 Jun 19 11:48 bamboo.secure.server.crt
    -rw-r--r--. 1 root root 2247 Jun 19 11:46 bamboo.secure.server.ks
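A non-interactive form of the four keytool commands above, as an added example rather than Atlassian's own script: it sets an explicit validity (the certificate in the transcript above is valid only from Jun 19 to Sep 17 2015), creates every file owner-only instead of `-rw-r--r--`, and reads the password from the environment instead of the command line. The function names, the `STOREPASS` variable, the 3072-bit key size and the 365-day default are assumptions made for this example.

```shell
# Added example (not Atlassian code): the four keytool steps above, scripted.
# Assumptions: STOREPASS is exported by the caller; the 3072-bit key size and
# 365-day default validity are illustrative values, not Bamboo requirements.
make_bamboo_stores() (
    dir=$1 days=${2:-365}
    : "${STOREPASS:?export STOREPASS before calling}"
    umask 077    # every file created below is owner-only
    mkdir -p "$dir" && cd "$dir" || exit 1
    for side in server client; do
        keytool -genkeypair -alias "bamboo.secure.$side" \
            -keyalg RSA -keysize 3072 -validity "$days" \
            -dname "CN=bamboo.secure.$side, OU=OU, O=O, L=City, ST=State, C=CC" \
            -keystore "bamboo.secure.$side.ks" \
            -storepass:env STOREPASS -keypass:env STOREPASS || exit 1
    done
    keytool -exportcert -alias bamboo.secure.server \
        -keystore bamboo.secure.server.ks -storepass:env STOREPASS \
        -file bamboo.secure.server.crt || exit 1
    # -noprompt skips the "Trust this certificate?" question; acceptable here
    # only because the .crt was produced locally by the command just above.
    keytool -importcert -noprompt -alias bamboo.secure.server \
        -keystore bamboo.secure.client.ts -storepass:env STOREPASS \
        -file bamboo.secure.server.crt || exit 1
)

# Print the validity line of the server certificate so its expiry can be tracked.
server_cert_expiry() {
    keytool -printcert -file "$1/bamboo.secure.server.crt" | grep 'until:'
}
```

When the server certificate expires, agents that trust it through `bamboo.secure.client.ts` stop connecting, so record the date printed by `server_cert_expiry`.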
Go to the Bamboo installation directory:
    [root@localhost atlassian-bamboo-x.x.x]# cat bin/setenv.sh
    # place the certificates as follows:
    JVM_SUPPORT_RECOMMENDED_ARGS="-Djavax.net.ssl.keyStore=/opt/atlassian/ssl/bamboo.secure.server.ks -Djavax.net.ssl.keyStorePassword=changeit"
Copy the certificates to the Bamboo remote agent box.
    [root@localhost ssl]# scp -r bamboo.secure* root@192.168.10.87:/opt/atlassian/remote-agent/ssl/
    root@192.168.10.87's password:
    bamboo.secure.client.ks                       100% 2246     2.2KB/s   00:00
    bamboo.secure.client.ts                       100%  958     0.9KB/s   00:00
    bamboo.secure.server.crt                      100%  879     0.9KB/s   00:00
    bamboo.secure.server.ks                       100% 2247     2.2KB/s   00:00
Go to the "<bamboo-home>" directory, edit "bamboo.cfg.xml" and replace "tcp" with "ssl". In the snippet below, 192.168.10.101 is the IP address of Bamboo's server box. Please notice that in both brokers "tcp" has been replaced by "ssl".

    <property name="bamboo.jms.broker.client.uri">failover:(ssl://192.168.10.101:54663?wireFormat.maxInactivityDuration=300000)?initialReconnectDelay=15000&amp;maxReconnectAttempts=10</property>
    <property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?wireFormat.maxInactivityDuration=300000</property>
- Start Bamboo.
- Please go to "Bamboo administration >> Build resources >> Agents" and make sure you have "Enable Remote Agent Support".
The following steps should be done on Bamboo's remote agent box.
Go to the Bamboo remote agent directory and edit "<bamboo-agent-home>/conf/wrapper.conf".

    #wrapper.java.additional.3=-agentlib:yjpagent
    wrapper.java.additional.3=-Djavax.net.ssl.keyStore=/opt/atlassian/remote-agent/ssl/bamboo.secure.client.ks
    wrapper.java.additional.4=-Djavax.net.ssl.keyStorePassword=changeit
    wrapper.java.additional.5=-Djavax.net.ssl.trustStore=/opt/atlassian/remote-agent/ssl/bamboo.secure.client.ts
    #wrapper.java.additional.6=-Djavax.net.debug=all

    # Application parameters.  Add parameters as needed starting from 1
    wrapper.app.parameter.1=com.atlassian.bamboo.agent.bootstrap.AgentBootstrap
    wrapper.app.parameter.2=http://192.168.10.101:8085/agentServer/
Start the Bamboo remote agent.
<bamboo-agent-home>/bin/bamboo-agent.sh start
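A post-change check for the steps above, as an added example that is not part of the original article or Atlassian's code: it verifies that both broker URIs in bamboo.cfg.xml use ssl://, that wrapper.conf sets the key and trust stores without an active javax.net.debug flag, and that private keystores are owner-only and the server keystore is absent from the agent. The function names and finding labels are assumptions made for this example.

```shell
# Added example (not Atlassian code): audit the files this article edits.
# Each function prints one line per finding and returns 1 if it found any.

# bamboo.cfg.xml ($1): both JMS broker properties must use ssl://, never tcp://.
audit_broker_uris() {
    bad=0
    for prop in bamboo.jms.broker.client.uri bamboo.jms.broker.uri; do
        line=$(grep -F "name=\"$prop\"" "$1") || { echo "MISSING $prop"; bad=1; continue; }
        case $line in
            *tcp://*) echo "PLAINTEXT $prop uses tcp://"; bad=1 ;;
            *ssl://*) ;;
            *) echo "UNKNOWN scheme in $prop"; bad=1 ;;
        esac
    done
    return $bad
}

# wrapper.conf ($1): only active (uncommented) wrapper.java.additional.N lines count.
audit_wrapper_conf() {
    bad=0
    active=$(grep -E '^[[:space:]]*wrapper\.java\.additional\.[0-9]+=' "$1") || active=
    for opt in keyStore trustStore; do
        printf '%s\n' "$active" | grep -qF -- "-Djavax.net.ssl.$opt=" ||
            { echo "MISSING javax.net.ssl.$opt"; bad=1; }
    done
    # javax.net.debug=all writes TLS handshake and record contents to the agent log.
    if printf '%s\n' "$active" | grep -qF -- '-Djavax.net.debug='; then
        echo "DEBUG javax.net.debug is active"; bad=1
    fi
    # "changeit" is the well-known default Java keystore password.
    if printf '%s\n' "$active" | grep -qF 'keyStorePassword=changeit'; then
        echo "DEFAULT keyStorePassword=changeit"; bad=1
    fi
    return $bad
}

# Key directory $1, role $2 (server|agent): private keystores must be owner-only,
# and an agent should not hold the server's keystore (wrapper.conf never uses it).
audit_key_dir() {
    bad=0
    for f in "$1"/*.ks; do
        [ -f "$f" ] || continue
        [ -z "$(find "$f" ! -perm 600 ! -perm 400)" ] || { echo "PERMS $f is not owner-only"; bad=1; }
    done
    if [ "$2" = agent ] && [ -e "$1/bamboo.secure.server.ks" ]; then
        echo "EXPOSED server keystore present on agent"; bad=1
    fi
    return $bad
}
```

Run against the files exactly as produced on this page, `audit_key_dir /opt/atlassian/remote-agent/ssl agent` reports the `-rw-r--r--` keystores from the listing and the `bamboo.secure.server.ks` that `scp -r bamboo.secure*` copied to the agent, and `audit_wrapper_conf` reports the `changeit` password.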