Hi, I have set the keystore for Bamboo Server in ${INSTALL}/conf/server.xml (along with non-default password) with a certificate that expires well into the future. However, I am finding that the automatic certificate management that Bamboo uses for the ActiveMQ broker (${HOME}/xml-data/configuration/broker.ks) only creates a certificate that is valid for 3 months. I would like to use the same certificate for both so that I don't have to keep deleting the file so that Bamboo can create a new certificate for the broker. I have tried the various SSL_OPTS=..., including following https://confluence.atlassian.com/bamboo/securing-your-remote-agents-289277197.html - Special considerations/troubleshooting. I find that no matter what, if I add -Dbamboo.manage.jms.ssl=false to either JAVA_TOOL_OPTIONS or as a parameter to start-bamboo.sh, the broker will continue to use the default file.
I also can't find what the password is for the default broker.ks file, so I don't know if symlinking it to the server keystore will break everything, or perhaps creating my own broker.ks file there. I tried both 'password' and 'changeit' and those were not the passwords.
Does ActiveMQ look for a certificate alias of 'jmsbrokerkey'???
It is very annoying that the certificate expires every 3 months, meaning our regular network scans will flag our server as non-compliant.
Hey Jorge,
Try adding these arguments to your JVM_SUPPORT_RECOMMENDED_ARGS in <bamboo-install>/bin/setenv.sh:
We do a check to make sure both bamboo.manage.jms.ssl and javax.net.ssl.keyStore have been supplied before disabling the Automatic JMS SSL Management but setting a keystore in the Tomcat server.xml isn't equivalent to supplying it as an argument to the JVM.
If successful, you should see the below line logged to your <bamboo-home>/logs/atlassian-bamboo.log:
2018-07-06 10:02:58,345 INFO [localhost-startStop-1] [BambooBrokerService] Automatic JMS SSL management disabled
Does ActiveMQ look for a certificate alias of 'jmsbrokerkey'???
Yep, our implementation of securing the broker via JMS does look for a certificate of alias jmsbrokerkey.
Hope this helps! :)
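A preflight check for the setup described in the answer above, as an added example that is not part of the original thread or Atlassian's code: it confirms that both JVM properties are present, looks for the confirmation log line, and lists the `jmsbrokerkey` entry with its validity dates. The function names and the sample keystore path are hypothetical; the property names, alias and log text come from the thread.

```shell
#!/bin/sh
# Added example: checks for disabling Bamboo's automatic JMS SSL management.
# Assumes the JVM argument string has no whitespace or glob characters in paths.

# has_required_jms_args ARGS
# Succeeds only when ARGS carries both properties Bamboo checks for, and
# prints the keystore path taken from -Djavax.net.ssl.keyStore.
has_required_jms_args() {
    ssl_off=no
    keystore=
    for tok in $1; do
        case $tok in
            -Dbamboo.manage.jms.ssl=false) ssl_off=yes ;;
            -Djavax.net.ssl.keyStore=?*) keystore=${tok#-Djavax.net.ssl.keyStore=} ;;
        esac
    done
    [ "$ssl_off" = yes ] || { echo "missing -Dbamboo.manage.jms.ssl=false" >&2; return 1; }
    [ -n "$keystore" ] || { echo "missing -Djavax.net.ssl.keyStore=<path>" >&2; return 1; }
    printf '%s\n' "$keystore"
}

# jms_management_disabled LOGFILE
# Succeeds when atlassian-bamboo.log contains the confirmation line.
jms_management_disabled() {
    grep -qF '[BambooBrokerService] Automatic JMS SSL management disabled' "$1"
}

# keystore_has_broker_alias KEYSTORE
# Needs keytool on PATH and prompts for the keystore password. Prints the
# alias and validity dates; fails when the jmsbrokerkey entry is absent.
keystore_has_broker_alias() {
    keytool -list -v -keystore "$1" -alias jmsbrokerkey |
        grep -E 'Alias name|Valid from'
}

# Constructed sample value; on a real server, pass the string assigned to
# JVM_SUPPORT_RECOMMENDED_ARGS instead.
SAMPLE_ARGS='-Xms512m -Dbamboo.manage.jms.ssl=false -Djavax.net.ssl.keyStore=/path/to/keystore.jks'
has_required_jms_args "$SAMPLE_ARGS"
```

The "Valid from ... until" line printed by `keystore_has_broker_alias` shows the expiry date that a network scan will report for the broker.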