Skip to end of metadata
Go to start of metadata
Icon

This page applies to remote agents and not elastic agents. Elastic agents are secured automatically by the Bamboo server and no additional steps are required.

We strongly recommend that you do not enable remote agent installation without securing them on any Bamboo instance accessible from a public or untrusted network. Creating remote agents is disabled by default. If you choose to enable your remote agents without securing them, please read this Security Advisory to understand the security implications.

You can secure your remote agents by configuring them to use SSL (Secure Sockets Layer). This protocol provides a secure mechanism for communication between your Bamboo server and remote agents. The information below describes how to configure your remote agents to use SSL.

On this page:

Step 1. Create keys, stores and certificates

The first step in configuring your remote agents to use SSL is to create the required keys, stores and certificates. These artefacts are created using a keytool, as described below:

Icon

SSL relies on keys being set up on your server and clients (i.e. agents). To securely store these keys, keystores (databases of keys) need to be created. A certificate is then created by the server (and optionally on the clients, but not for this configuration) to allow publication of the server's key. To establish that the client "trusts" the server, this server certificate is then imported into a truststore (key database file that contains the public keys for a specific server) created on the client.

To create the required keys, stores and certificates for your server and agents:

  1. Using a keytool, create a certificate for your server by entering the following command:

  2. The server's certificate will be created. Export the certificate, so it can be shared with clients, by entering the following command:

  3. Each client should now be able to access the server's certificate. Create a keystore for each client, by entering the following command:

  4. Create a truststore for each client and import the server's certificate, by entering the command below. This establishes that the client "trusts" the server:

Step 2. Tell your Bamboo server and agents where to find the stores

The second step in configuring your agents to use SSL is to instruct your Bamboo server and agents to use the keystores and truststores that you have just created.

To tell your server where to find the keystore:

  1. Add the system properties 'javax.net.ssl.keyStore=/path/to/server.ks' and 'javax.net.ssl.keyStorePassword=password' to your VM.
    • Set the SSL_OPTS environment variable to hold the 'javax.net.ssl.keyStore=/path/to/server.ks' and 'javax.net.ssl.keyStorePassword=password' properties.
      e.g.

To tell your agents where to find the keystore and truststore:

For each agent,

  1. Tell your agent where to find the keystore and the trust store, by executing the following command to run the agent,

    including the following command line parameters,

    where <agentserverURL> is the URL of the agent's server, e.g.

For example,

Step 3. Configure your Bamboo server to use SSL

Once the server and agents know where to find the keystores and truststores, the final step is to instruct your Bamboo server to start using SSL so that agents will be able to authenticate the server.

To configure your Bamboo server to use SSL:

If you are setting up Bamboo for the first time,

  1. Launch the Bamboo Setup Wizard and change the protocol of the 'Broker URL' to 'SSL'.
    i.e. ssl://host:port/

Or, if you are configuring an existing installation of Bamboo,

  1. Shut down your Bamboo server and agents.
  2. Change the protocol of your 'Broker URL' in the bamboo.cfg.xml file to 'SSL'. Note, do not change the address of this URL.
    e.g. <property name="bamboo.jms.broker.uri">ssl://myhost:myport?wireFormat.maxInactivityDuration=0</property>
  3. Start up the Bamboo server.
  4. Start up the Bamboo agents. If your agents do not start up, please check that you have set up your certificates correctly.

5 Comments

  1. Don't forget to change "bamboo.jms.broker.client.uri" to use ssl as well

  2. The server steps in Step 2 say "carrying out any of the following three steps" but only one is listed. Are there other options?

    1. Thanks for pointing that out. There are no alternative steps, the reference to three steps should have been removed.

      Cheers,

      Nathan

  3. According to Remote agents are unable to validate the failover and connect to the server the "bamboo.jms.broker.uri" value should always be set to "0.0.0.0:port" so should this page really use 'host: port' and 'myhost:myport' in step 3?

    1. 0.0.0.0 binds the broker to all interfaces. "host" binds it to a single interface. With "host" you (may) get a more secure setup because you don't necessarily have to rely on firewalls to protect your brokers.