I want to add an extra layer of security to the Bamboo server, and only allow connect on the broker URL (jms/activemq) from agents that have valid client certificates (X.509). All my https-traffic is terminated by proxy, where client certificates are required. I set the Bamboo broker URL from tcp: to ssl:.
How do I make the Bamboo server require a trusted client certificate from the agents, and how do I make the agents use their client certificate?
Digging in to the documentation of Apache activemq i tested adding the parameter
needClientAuth in bamboo.cfg.xml:
I tested connecting with
openssl s_client -connect. Without the needClientAuth
the connection is accepted. When i set it to to true
the connection is rejected without a valid client certificate:
ERROR [ActiveMQ BrokerService[bamboo] Task-2] [TransportConnector] Could not accept connection from tcp://127.0.0.1:46419: javax.net.ssl.SSLHandshakeException: null cert chain
However, there is the problem of tuning the trust by setting the trustStore. In the activemq documentation it is shown how to set the SSLContext for the broker only, and not for the whole VM. If you set the javax.net.ssl.trustStore to a very limited set of CAs (your private CA), the https-traffic to atlassian from the Bamboo server will fail.
Thank you for your question.
Please, refer to Securing your remote agents for further information.
If you find this answer useful, I would kindly ask you to accept it so the same will be visible to others who might be facing the same issue you have inquired.
Thank you for your understanding.
Rafael P. Sperafico
Hello, Community! My name is Gosia and I'm a Product Manager on Jira Server and Data Center here at Atlassian. Since 2002 when we launched our public issue tracker, jira.atlass...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs