I want to add an extra layer of security to the Bamboo server, and only allow connect on the broker URL (jms/activemq) from agents that have valid client certificates (X.509). All my https-traffic is terminated by proxy, where client certificates are required. I set the Bamboo broker URL from tcp: to ssl:.
How do I make the Bamboo server require a trusted client certificate from the agents, and how do I make the agents use their client certificate?
Digging in to the documentation of Apache activemq[1] i tested adding the parameter needClientAuth in bamboo.cfg.xml:
<property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?wireFormat.maxInactivityDuration=300000&amp;needClientAuth=true</property>
I tested connecting with openssl s_client -connect. Without the
needClientAuth set
the connection is accepted. When i set it to to
true the connection is rejected without a valid client certificate:
ERROR [ActiveMQ BrokerService[bamboo] Task-2] [TransportConnector] Could not accept connection from tcp://127.0.0.1:46419: javax.net.ssl.SSLHandshakeException: null cert chain
However, there is the problem of tuning the trust by setting the trustStore. In the activemq documentation it is shown how to set the SSLContext for the broker only, and not for the whole VM. If you set the javax.net.ssl.trustStore to a very limited set of CAs (your private CA), the https-traffic to atlassian from the Bamboo server will fail.
Hello Olaf,
Thank you for your question.
Please, refer to Securing your remote agents for further information.
If you find this answer useful, I would kindly ask you to accept it so the same will be visible to others who might be facing the same issue you have inquired.
Thank you for your understanding.
—
Kind regards,
Rafael P. Sperafico
Atlassian Support
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi, Rafael. The pages you refer to needs to be fixed. There are several errors, as pointed out in the comments. One needs to add the parameters in JAVA_OPTS, and there is no mention of how to require valid client certs.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.