Encrypting passwords in server.xml

To add extra security to your Bamboo instance, you can encrypt passwords that you use to configure Connectors in the Tomcat’s server.xml file.

Before you begin

This solution is an obfuscation that can be used to protect information such as the passphrases Bamboo uses to access its local keystores and other secrets. It does not provide real security. For example, although the proxy secret is stored locally in an encrypted form, an Apache reverse proxy still sends it to Bamboo in clear text when the AJP protocol is used, so an attacker who can impersonate Bamboo could obtain the password.

To improve security, use HTTPS and secure the server where Bamboo resides.

Bamboo provides the following protocols that extend Tomcat protocols with support for password encryption.

Bamboo protocol | Tomcat protocol the Bamboo protocol is based on | Attributes that support password encryption
com.atlassian.bamboo.tomcat.utils.Http11NioProtocolWithPasswordEncryption | Http11NioProtocol | KeystorePass, KeyPass, SSLPassword, TruststorePass
com.atlassian.bamboo.tomcat.utils.Http11Nio2ProtocolWithPasswordEncryption | Http11Nio2Protocol | KeystorePass, KeyPass, SSLPassword, TruststorePass
com.atlassian.bamboo.tomcat.utils.Http11AprProtocolWithPasswordEncryption | Http11AprProtocol | KeystorePass, KeyPass, SSLPassword, TruststorePass
com.atlassian.bamboo.tomcat.utils.AjpNioProtocolWithPasswordEncryption | AjpNioProtocol | secret
com.atlassian.bamboo.tomcat.utils.AjpNio2ProtocolWithPasswordEncryption | AjpNio2Protocol | secret
com.atlassian.bamboo.tomcat.utils.AjpAprProtocolWithPasswordEncryption | AjpAprProtocol | secret

Encrypting a single password

  1. Go to <Bamboo-installation-directory>/lib.
  2. Run the following command:

    java -jar atlassian-bamboo-tomcat-utils-<your bamboo version>.jar
  3. Enter your password when prompted.

    The encryption tool generates two files: encryptedPassword and encryptionKey. Move these files to a safe location. You can also rename them if you want.


Encrypting multiple passwords for one Connector

If you want to encrypt more than one password for a single Connector, you must use the same encryption key for all of them. After you encrypt your first password, reuse the generated encryptionKey for each subsequent password by passing the path to the key to the encryption tool:

java -jar atlassian-bamboo-tomcat-utils-*.jar /path/to/encryptionKey

In this case the encryption tool generates only the encryptedPassword file.


Using encrypted passwords in Connector configuration

To use encrypted passwords in Connector configuration, you need to set up the following properties:

  • protocol - use one of the Bamboo protocols described above

  • bambooEncryptionKey - specify a path to the encryptionKey file

Then, in the Connector configuration, use the path to the corresponding encryptedPassword file in place of each plain-text password.

For example, the configuration of an Http11Nio2 Connector with encrypted keystore and key passwords might look similar to this:

<Connector
    protocol="com.atlassian.bamboo.tomcat.utils.Http11Nio2ProtocolWithPasswordEncryption"
    port="8443"

    (...)

    keystoreFile="/var/secrets/keystore/keystore"
    keystorePass="/var/secrets/keystore/encryptedKeystorePass"
    keyPass="/var/secrets/keystore/encryptedKeyPass"

    bambooEncryptionKey="/var/secrets/encryptionKey"
/>

Note that only one bambooEncryptionKey is specified, so both keystorePass and keyPass must have been encrypted with the same key.
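As an added example (not Atlassian's tool or code), the following Python script audits a server.xml against the rules above: every Connector that uses one of the Bamboo password-encryption protocols must name a bambooEncryptionKey, and each encryptable attribute must point to an existing encryptedPassword file rather than carrying a plain-text value. The sample server.xml and file paths are constructed; attribute names are assumed to be the Tomcat spellings (keystorePass, keyPass, SSLPassword, truststorePass, secret) and are matched case-insensitively.

```python
import os
import xml.etree.ElementTree as ET

PREFIX = "com.atlassian.bamboo.tomcat.utils."  # from the protocol table above
SSL_ATTRS = ("keystorepass", "keypass", "sslpassword", "truststorepass")
ENCRYPTABLE = {  # Bamboo protocol -> attributes it can read as encrypted files
    PREFIX + "Http11NioProtocolWithPasswordEncryption": SSL_ATTRS,
    PREFIX + "Http11Nio2ProtocolWithPasswordEncryption": SSL_ATTRS,
    PREFIX + "Http11AprProtocolWithPasswordEncryption": SSL_ATTRS,
    PREFIX + "AjpNioProtocolWithPasswordEncryption": ("secret",),
    PREFIX + "AjpNio2ProtocolWithPasswordEncryption": ("secret",),
    PREFIX + "AjpAprProtocolWithPasswordEncryption": ("secret",),
}

def audit_connectors(server_xml, file_exists=os.path.isfile):
    """Return one finding per misconfigured Connector attribute; attribute
    names are matched case-insensitively and file_exists is injectable."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        attrs = {k.lower(): v for k, v in conn.attrib.items()}
        proto, port = attrs.get("protocol", ""), attrs.get("port", "?")
        if not proto.startswith(PREFIX):
            continue  # plain Tomcat protocol: no encrypted attributes to check
        if proto not in ENCRYPTABLE:
            findings.append(f"port {port}: unknown Bamboo protocol {proto}")
            continue
        key = attrs.get("bambooencryptionkey")
        if not key:
            findings.append(f"port {port}: bambooEncryptionKey is missing")
        elif not file_exists(key):
            findings.append(f"port {port}: encryption key {key} not found")
        for attr in ENCRYPTABLE[proto]:
            value = attrs.get(attr)
            # A literal password left over from before the switch is not a file.
            if value is not None and not file_exists(value):
                findings.append(f"port {port}: {attr} does not point to an "
                                "encryptedPassword file (plain-text value?)")
    return findings

# Constructed sample: the HTTPS Connector still carries a plain-text keyPass
# and the AJP Connector has no bambooEncryptionKey.
SAMPLE_SERVER_XML = f"""<Server><Service>
  <Connector port="8085" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="{PREFIX}Http11Nio2ProtocolWithPasswordEncryption"
    keystorePass="/var/secrets/keystore/encryptedKeystorePass" keyPass="changeit"
    bambooEncryptionKey="/var/secrets/encryptionKey"/>
  <Connector port="8009" protocol="{PREFIX}AjpNioProtocolWithPasswordEncryption"
    secret="/var/secrets/encryptedAjpSecret"/>
</Service></Server>"""
SAMPLE_FILES = {"/var/secrets/keystore/encryptedKeystorePass",
                "/var/secrets/encryptionKey", "/var/secrets/encryptedAjpSecret"}
```

Run it against the real file with audit_connectors(open("server.xml").read()) so that file_exists checks the actual paths on the Bamboo host.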



Last updated: 15 November 2023
