Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Bamboo server and client certificates

Olaf Trygve Ber
Olaf Trygve Berglihn December 12, 2014

I want to add an extra layer of security to the Bamboo server, and only allow connect on the broker URL (jms/activemq) from agents that have valid client certificates (X.509). All my https-traffic is terminated by proxy, where client certificates are required. I set the Bamboo broker URL from tcp: to ssl:.

How do I make the Bamboo server require a trusted client certificate from the agents, and how do I make the agents use their client certificate?

Answer
Watch
Like Be the first to like this
1801 views

2 answers

1 accepted

0 votes
Answer accepted
Olaf Trygve Ber
Olaf Trygve Berglihn December 12, 2014

Digging in to the documentation of Apache activemq[1] i tested adding the parameter needClientAuth in bamboo.cfg.xml:

<property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?wireFormat.maxInactivityDuration=300000&needClientAuth=true</property>

I tested connecting with openssl s_client -connect.  Without the needClientAuth set the connection is accepted.  When i set it to to true the connection is rejected without a valid client certificate:

ERROR [ActiveMQ BrokerService[bamboo] Task-2] [TransportConnector] Could not accept connection from tcp://127.0.0.1:46419: javax.net.ssl.SSLHandshakeException: null cert chain

 

However, there is the problem of tuning the trust by setting the trustStore.  In the activemq documentation it is shown how to set the SSLContext for the broker only, and not for the whole VM.  If you set the javax.net.ssl.trustStore to a very limited set of CAs (your private CA), the https-traffic to atlassian from the Bamboo server will fail.

 

  1. http://activemq.apache.org/how-do-i-use-ssl.html
Reply
0 votes
rsperafico
rsperafico
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 12, 2014

Hello Olaf,

Thank you for your question.

Please, refer to Securing your remote agents for further information.

If you find this answer useful, I would kindly ask you to accept it so the same will be visible to others who might be facing the same issue you have inquired.

Thank you for your understanding.

Kind regards,
Rafael P. Sperafico
Atlassian Support

View More Comments
Olaf Trygve Ber
Olaf Trygve Berglihn December 12, 2014

Hi, Rafael. The pages you refer to needs to be fixed. There are several errors, as pointed out in the comments. One needs to add the parameters in JAVA_OPTS, and there is no mention of how to require valid client certs.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bamboo
Bamboo
TAGS
AUG Leaders

Atlassian Community Events

    See all events