How to secure your remote agent (Bamboo Server)

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible



The following describes Securing your remote agents documentation providing further information.

(info)   Before going through the steps below, please make sure you have:

  • Bamboo server up.
  • At least one Bamboo remote agent set up.

Create keys, stores, and certificates

(info)   The following steps should be done on Bamboo's server box.

  1. Run the following commands to create the certificates.

    [root@localhost ssl]# keytool -genkey -alias bamboo.secure.server -keyalg RSA -keystore bamboo.secure.server.ks
Enter keystore password:  
Re-enter new password: 
They don't match. Try again
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  bamboo.secure.server
What is the name of your organizational unit?
  [Unknown]:  OU
What is the name of your organization?
  [Unknown]:  O
What is the name of your City or Locality?
  [Unknown]:  City
What is the name of your State or Province?
  [Unknown]:  State
What is the two-letter country code for this unit?
  [Unknown]:  CC
Is CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC correct?
  [no]:  y

Enter key password for <bamboo.secure.server>
	(RETURN if same as keystore password):  
Re-enter new password: 

    [root@localhost ssl]# keytool -export -alias bamboo.secure.server -keystore bamboo.secure.server.ks -file bamboo.secure.server.crt
Enter keystore password:  
Certificate stored in file <bamboo.secure.server.crt>

    [root@localhost ssl]# keytool -genkey -alias bamboo.secure.client -keyalg RSA -keystore bamboo.secure.client.ks
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  bamboo.secure.client
What is the name of your organizational unit?
  [Unknown]:  OU
What is the name of your organization?
  [Unknown]:  O
What is the name of your City or Locality?
  [Unknown]:  City
What is the name of your State or Province?
  [Unknown]:  State
What is the two-letter country code for this unit?
  [Unknown]:  CC
Is CN=bamboo.secure.client, OU=OU, O=O, L=City, ST=State, C=CC correct?
  [no]:  y

Enter key password for <bamboo.secure.client>
	(RETURN if same as keystore password):  
Re-enter new password: 

    [root@localhost ssl]# keytool -import -alias bamboo.secure.server -keystore bamboo.secure.client.ts -file bamboo.secure.server.crt
Enter keystore password:  
Re-enter new password: 
Owner: CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC
Issuer: CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC
Serial number: 26ce7cbb
Valid from: Fri Jun 19 11:46:46 EDT 2015 until: Thu Sep 17 11:46:46 EDT 2015
Certificate fingerprints:
	 MD5:  2B:9F:5A:72:98:49:88:A7:C0:F5:3C:4A:16:3F:D6:53
	 SHA1: 92:A6:AF:C2:22:92:04:89:E1:CE:82:4A:B2:AC:FB:71:69:B4:41:27
	 SHA256: 04:E3:E1:29:4A:97:83:C4:91:A2:B1:9A:4E:A0:0E:A8:48:5B:05:4B:DA:C6:D1:B9:36:05:BD:52:A3:B6:16:73
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 73 E5 CC 9E 1F 70 D0 21   9B 7B 22 8D 71 A4 7E 6B  s....p.!..".q..k
0010: 5A 92 70 2D                                        Z.p-
]
]

Trust this certificate? [no]:  y
Certificate was added to keystore

    As a result, you would have:

    [root@localhost ssl]# ls -l
-rw-r--r--. 1 root root 2246 Jun 19 11:49 bamboo.secure.client.ks
-rw-r--r--. 1 root root  958 Jun 19 11:50 bamboo.secure.client.ts
-rw-r--r--. 1 root root  879 Jun 19 11:48 bamboo.secure.server.crt
-rw-r--r--. 1 root root 2247 Jun 19 11:46 bamboo.secure.server.ks

  2. Go to the Bamboo installation directory:

    [root@localhost atlassian-bamboo-x.x.x]# cat bin/setenv.sh 

    # place the certificates as per follows:
JVM_SUPPORT_RECOMMENDED_ARGS="-Djavax.net.ssl.keyStore=/opt/atlassian/ssl/bamboo.secure.server.ks -Djavax.net.ssl.keyStorePassword=changeit"

  3. Copy the certificates to the Bamboo remote agent box.

    [root@localhost ssl]# scp -r bamboo.secure* root@192.168.10.87:/opt/atlassian/remote-agent/ssl/
root@192.168.10.87's password: 
bamboo.secure.client.ks                                                                                                     100% 2246     2.2KB/s   00:00    
bamboo.secure.client.ts                                                                                                     100%  958     0.9KB/s   00:00    
bamboo.secure.server.crt                                                                                                    100%  879     0.9KB/s   00:00    
bamboo.secure.server.ks                                                                                                     100% 2247     2.2KB/s   00:00

  4. Go to the "<bamboo-home>" directory, edit "bamboo.cfg.xml" and replace "tcp" with "ssl".

    # 192.168.10.101, this is the IP address to Bamboo's server box
# please, notice in both brokers "tcp" has been replaced by "ssl"
<property name="bamboo.jms.broker.client.uri">failover:(ssl://192.168.10.101:54663?wireFormat.maxInactivityDuration=300000)?initialReconnectDelay=15000&amp;maxReconnectAttempts=10</property>
<property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?wireFormat.maxInactivityDuration=300000</property>
  5. Start Bamboo.
  6. Please, go to "Bamboo administration >>Build resources >> Agents" and make sure you have "Enable Remote Agent Support".

(info)   The following steps should be done on Bamboo's remote agent box.

  1. Go to the Bamboo remote agent directory and edit "<bamboo-agent-home>/conf/wrapper.conf".

    #wrapper.java.additional.3=-agentlib:yjpagent
wrapper.java.additional.3=-Djavax.net.ssl.keyStore=/opt/atlassian/remote-agent/ssl/bamboo.secure.client.ks
wrapper.java.additional.4=-Djavax.net.ssl.keyStorePassword=changeit
wrapper.java.additional.5=-Djavax.net.ssl.trustStore=/opt/atlassian/remote-agent/ssl/bamboo.secure.client.ts
#wrapper.java.additional.6=-Djavax.net.debug=all

# Application parameters.  Add parameters as needed starting from 1
wrapper.app.parameter.1=com.atlassian.bamboo.agent.bootstrap.AgentBootstrap
wrapper.app.parameter.2=http://192.168.10.101:8085/agentServer/

  2. Start the Bamboo remote agent.

    <bamboo-agent-home>/bin/bamboo-agent.sh start

To manage server certificate for JMS SSL connection manually, follow the instructions from the How to secure your remote agent guide.

There’s a limitation regarding the javax.net.ssl.keyStorePassword, as it's stored in plain text can be accessed by any user who has access to the process list or the setenv.sh/setenv.bat files

Since BAM-21714 fix, user can encode credentials to keystore/truststore files and provide them in encrypted form to Bamboo process.

Follow these steps to manage server certificate for JMS SSL connection manually in Bamboo 10.1 onwards.

  1. Create keystore and put necessary certificates as described at https://confluence.atlassian.com/bamkb/how-to-secure-your-remote-agent-bamboo-server-757465762.html

  2. Go to $BAMBOO_INSTALL_DIR/tools/atlassian-password

  3. Run java -jar atlassian-secrets-cli.jar -config=db command

  4. Type password you want to encrypt

  5. Check output. You need content of XML tag <property name="hibernate.connection.password">, e.g. for <property name="hibernate.connection.password">MTIzNDU=</property> encrypted password is MTIzNDU=

  6. Edit $BAMBOO_INSTALL_DIR/setenv.shor setenv.bat file and provide the following system properties in the required section

    #
#  Occasionally Atlassian Support may recommend that you set some specific JVM arguments.  You can use this variable below to do that.
#
: ${JVM_SUPPORT_RECOMMENDED_ARGS:="-Dbamboo.jms.ssl.keyStore=/etc/store.ks -Dbamboo.jms.ssl.keyStorePassword=MTIzNDU="}


    where bamboo.jms.ssl.keyStore is path to keystore file, bamboo.jms.ssl.keyStorePassword is an encrypted password

  7. The same logic applies to truststore file in the agent environment. Follow the instructions at https://confluence.atlassian.com/bamkb/how-to-secure-your-remote-agent-bamboo-server-757465762.html to create truststore on the agent side and encrypt password with atlassian-secrets-cli.jar

  8. Provide path to truststore file and password at agent’s wrapper.conf

    wrapper.java.additional.5=-Dbamboo.jms.ssl.trustStore=/etc/trust.ts
wrapper.java.additional.6=-Dbamboo.jms.ssl.trustStorePassword=MTIzNDU=

    It’s also possible to use more advanced algorithms of password encryption, see details at https://confluence.atlassian.com/security/advanced-database-password-encryption-in-bamboo-1402421091.html . Follow provided instructions to encrypt password and then use property bamboo.jms.ssl.cipher to pass required class name. At provided output, take content of <property name="jdbc.password.decrypter.classname"> tag, e.g. for <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property> the value is com.atlassian.secrets.store.algorithm.AlgorithmSecretStore

Last modified on Nov 20, 2024

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.