How to use a custom SSL certificate on the Bamboo ActiveMQ JMS service


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

As an additional step to Securing your Remote Agents, you can optionally make use of a custom SSL certificate on the Bamboo ActiveMQ JMS service. 

This guide will walk you through the necessary steps to achieve it.

By default, Bamboo generates and uses self-managed, self-signed certificates for its ActiveMQ JMS service. These certificates are distributed to the Remote Agents automatically, and that is the recommended practice. To use a custom certificate, automatic keystore management must be disabled; from then on the administrator manages all SSL settings on the Server and on every Remote Agent, including certificate renewal.

It is assumed that your Bamboo Server is already secured and uses SSL to encrypt agent communication. If you have not yet configured Bamboo to use SSL, do that first (see Securing your Remote Agents) before attempting any configuration from this article.


Solution

Request your SSL certificates

  1. Have your SSL certificate files and private keys ready. This article does not cover how to request certificates from your CA.
  2. The examples use a PEM format keypair as input and produce a JKS keystore as output.
  3. You will need a certificate for your Bamboo Server (issued for the hostname the agents use to reach it) and one for each Remote Agent, or a single wildcard/SAN certificate shared by all agents (see the note at the end of this article).

Create a Java Keystore that will be used exclusively by the Bamboo Server

  1. Create a JKS Keystore file from a PEM keypair. Assign "bamboo" as the password to both the Keystore and the private key. If your CA issued intermediate certificates, add them with -certfile <chain.pem> on the openssl command so that the full chain is presented to the agents.

    This Keystore file can be shared with the one used by Tomcat.

    $ openssl pkcs12 -export -in certificate.cer -inkey certificate.key -name bambooserver -out bambooserver.p12 -password pass:bamboo
    $ keytool -keypasswd -keypass bamboo -new bamboo -storepass bamboo -alias bambooserver -keystore bambooserver.p12
    $ keytool -importkeystore -deststorepass bamboo -srcstorepass bamboo -destkeystore bambooserver.jks -deststoretype JKS -srckeystore bambooserver.p12 -srcstoretype PKCS12

    The keytool -keypasswd step is a no-op when openssl already set both passwords to "bamboo" as above and can be skipped; it is only needed if the key password differs from the store password. -deststoretype JKS matters on JDK 9 and later, where keytool otherwise writes a PKCS12 file under the .jks name.
  2. Copy the "bambooserver.jks" file to <bamboo-install>/conf
  3. Copy your Java truststore cacerts file to <bamboo-install>/conf. It is usually found on your JAVA_HOME/jre/lib/security (JDK8) or JAVA_HOME/lib/security (JDK11 and later)
  4. Add the following entries to your Bamboo system properties, usually in <bamboo-install>/bin/setenv.sh (setenv.bat on Windows), typically appended to JVM_SUPPORT_RECOMMENDED_ARGS:

    -Dbamboo.manage.jms.ssl=false \
    -Djavax.net.ssl.trustStore=<bamboo-install>/conf/cacerts \
    -Djavax.net.ssl.keyStore=<bamboo-install>/conf/bambooserver.jks \
    -Djavax.net.ssl.keyStoreAlias=bambooserver
  5. Add the following entry to your <bamboo-install>/conf/catalina.properties (so the password is not exposed on the OS process list):

    # Extra bamboo init properties
    javax.net.ssl.keyStorePassword=bamboo

    Restrict read access to catalina.properties and bambooserver.jks to the account Bamboo runs as: between them they hold the broker's private key and the password that unlocks it.
  6. Optional: Import your Remote Agent certificates into your Bamboo Server custom truststore.

    The truststore still uses the default 'changeit' password. You can modify it and set a custom javax.net.ssl.trustStorePassword in the Bamboo system properties.

    This step is only necessary if the Root CA or Intermediate CA that issued your Remote Agent certificates is not already trusted by your Bamboo Server truststore, for example with self-signed certificates. When all agents are issued by the same private CA, import that CA certificate once instead of every agent certificate.

    $ keytool -import -alias agent1 -storepass changeit -keystore <bamboo-install>/conf/cacerts -v -file agent1.pem
    $ keytool -import -alias agent2 -storepass changeit -keystore <bamboo-install>/conf/cacerts -v -file agent2.pem
    $ keytool -import -alias agent3 -storepass changeit -keystore <bamboo-install>/conf/cacerts -v -file agent3.pem
    $ keytool -import -alias agent4 -storepass changeit -keystore <bamboo-install>/conf/cacerts -v -file agent4.pem
    (...)
  7. Restart Bamboo

Configure your Remote Agent to use a custom client certificate and to trust the Bamboo Server

  1. Create a JKS Keystore file from a PEM keypair. Assign "bamboo" as the password to both the Keystore and the private key. Repeat the same steps from Create a Java Keystore that will be used exclusively by the Bamboo Server, this time with the Remote Agent's certificate and key, the alias agent1, and agent1.jks as the output file.

  2. Copy the "agent1.jks" file to <bamboo-agent-home>/conf
  3. Copy your Java truststore cacerts file to <bamboo-agent-home>/conf. It is usually found on your JAVA_HOME/jre/lib/security (JDK8) or JAVA_HOME/lib/security (JDK11 and later)
  4. Add the following entries to <bamboo-agent-home>/conf/wrapper.conf. The Java Service Wrapper reads wrapper.java.additional.N entries in sequence and stops at the first gap, so continue the numbering from the last entry already present in the file (4 to 7 below assume entries 1 to 3 already exist):

    wrapper.java.additional.4=-Djavax.net.ssl.keyStoreAlias=agent1
    wrapper.java.additional.5=-Djavax.net.ssl.keyStorePassword=bamboo
    wrapper.java.additional.6=-Djavax.net.ssl.keyStore=<bamboo-agent-home>/conf/agent1.jks
    wrapper.java.additional.7=-Djavax.net.ssl.trustStore=<bamboo-agent-home>/conf/cacerts

    Unlike the catalina.properties route used on the Server, the wrapper passes these values on the JVM command line, so the keystore password is visible to anyone who can list processes on the agent host. Restrict read access to wrapper.conf and agent1.jks to the agent's service account.
  5. Optional: Import the Bamboo Server certificate into your Remote Agent custom truststore.

    This step is only necessary if the Root CA or Intermediate CA that issued your Bamboo Server certificate is not already trusted by your Remote Agent truststore, for example with self-signed certificates. Import the Bamboo Server certificate in PEM format (bambooserver.pem here) into the cacerts copy made in step 3:

    $ keytool -import -alias bambooserver -storepass changeit -keystore <bamboo-agent-home>/conf/cacerts -v -file bambooserver.pem
  6. If this is the first time you are installing the Remote Agent, make sure to create the jmsclient.ts truststore file containing the Bamboo Server SSL certificate. Fetch it from the port the agent will actually connect to: port 443 only returns the right certificate when Tomcat shares the keystore built in step 1 of the Server section; otherwise query the JMS broker port (54663 by default) instead:

    $ keytool -printcert -sslserver <bamboo_hostname>:443 -rfc > tempfile
    $ keytool -importcert -alias broker -storepass bamboo -storetype JKS -file tempfile -keystore <bamboo-agent-home>/configuration/jmsclient.ts

    Before importing, confirm that tempfile holds the certificate you expect (keytool -printcert -file tempfile shows its subject, SANs and fingerprints); importing whatever a host presented is exactly what a man-in-the-middle relies on.
  7. Restart the Remote Agent
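The Server and Remote Agent procedures above share the same PEM to PKCS12 to JKS conversion, so here is the whole workflow as one script. This is an added example, not Atlassian's or Bamboo's code: it builds a throw-away demo CA in place of your real CA (constructed so the script runs offline), issues a broker certificate and one agent certificate with SANs for assumed host names (bamboo.example.internal, agent1.example.internal), converts both to keystores with the article's passwords, builds a truststore, and checks the chain and host name the way the peers will. The CA, host names and file names are assumptions.

```shell
#!/bin/sh
# Added example (not Atlassian's or Bamboo's code): builds the PEM -> PKCS12 -> JKS
# material the article describes for a Bamboo Server and one Remote Agent, and
# checks the result the way the peers will. The CA, host names (assumed:
# bamboo.example.internal, agent1.example.internal) and file names are
# assumptions; in practice the certificates come from your own CA.
set -e

STOREPASS="${STOREPASS:-bamboo}"   # the article's keystore/key password

# make_ca DIR: throw-away demo CA standing in for your real CA (constructed so the
# script runs offline; never use it for production)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Bamboo Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME DNSNAME: key + CA-signed certificate with a SAN for the name the
# peer dials; serverAuth for the broker, clientAuth for an agent presenting a client cert
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$3" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -days 825 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# pem_to_pkcs12 DIR NAME: the article's openssl step, with the CA chain bundled via
# -certfile so the peer receives the full chain, not only the leaf
pem_to_pkcs12() {
  openssl pkcs12 -export -in "$1/$2.pem" -inkey "$1/$2.key" -certfile "$1/ca.pem" \
    -name "$2" -out "$1/$2.p12" -password "pass:$STOREPASS"
}

# pkcs12_to_jks DIR NAME: the article's keytool step; -deststoretype JKS matters on
# JDK 9+, where keytool would otherwise write PKCS12 into a file named .jks
pkcs12_to_jks() {
  keytool -importkeystore -noprompt -srckeystore "$1/$2.p12" -srcstoretype PKCS12 \
    -srcstorepass "$STOREPASS" -destkeystore "$1/$2.jks" -deststoretype JKS \
    -deststorepass "$STOREPASS" >/dev/null 2>&1
}

# make_truststore DIR: a dedicated truststore holding only the issuing CA, a narrower
# alternative to copying the whole JDK cacerts file (the article's route also works)
make_truststore() {
  keytool -importcert -noprompt -alias bamboo-ca -file "$1/ca.pem" \
    -keystore "$1/truststore.jks" -storetype JKS -storepass changeit >/dev/null 2>&1
}

# verify_chain DIR NAME DNSNAME: the check a peer performs: the certificate chains to
# the CA and its SAN matches the name dialled. Returns non-zero when either fails.
verify_chain() {
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$3" "$1/$2.pem" >/dev/null 2>&1
}

# keystore_has DIR STORE ALIAS: confirm the key entry landed under the alias that
# javax.net.ssl.keyStoreAlias will point at
keystore_has() {
  keytool -list -keystore "$1/$2" -storepass "$STOREPASS" -alias "$3" >/dev/null 2>&1
}

# build_all DIR: the Server and Agent procedures end to end; the openssl steps always
# run, the keytool steps only where a JDK is installed
build_all() {
  make_ca "$1"
  issue_cert "$1" bambooserver bamboo.example.internal
  issue_cert "$1" agent1 agent1.example.internal
  verify_chain "$1" bambooserver bamboo.example.internal
  verify_chain "$1" agent1 agent1.example.internal
  pem_to_pkcs12 "$1" bambooserver
  pem_to_pkcs12 "$1" agent1
  if command -v keytool >/dev/null 2>&1; then
    pkcs12_to_jks "$1" bambooserver
    pkcs12_to_jks "$1" agent1
    make_truststore "$1"
  fi
}

# Run with: RUN_DEMO=1 sh bamboo-jms-keystores.sh (output lands in a temp dir)
if [ "${RUN_DEMO:-0}" = 1 ]; then
  out=$(mktemp -d); build_all "$out"; echo "keystores written to $out"
fi
```

The resulting bambooserver.jks and agent1.jks drop into <bamboo-install>/conf and <bamboo-agent-home>/conf exactly as the numbered steps describe, and truststore.jks can replace the copied cacerts on either side if you prefer a truststore that trusts only your own CA. If keytool reports a wrong password on a .p12 written by OpenSSL 3 and read by an older JDK 8 or 11 update, the JDK does not understand OpenSSL 3's PBES2/AES defaults; re-export with openssl pkcs12 -export -legacy.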



To ease administration, you can optionally issue one wildcard/SAN certificate for your Bamboo Agents and use it on every agent. This also simplifies management on the Bamboo Server side, which then only has to trust one certificate. The trade-off is that every agent holds the same private key: the Server can no longer tell agents apart by certificate, and a key compromised on one agent is compromised for all of them.

Last modified on Mar 19, 2024
