How to secure your remote agent (Bamboo Server)

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Fisheye および Crucible は除く



The following describes Securing your remote agents documentation providing further information.

(info)   Before going through the steps below, please make sure you have:

  • Bamboo server up.
  • At least one Bamboo remote agent set up.

Create keys, stores, and certificates

(info)   The following steps should be done on Bamboo's server box.

  1. Run the following commands to create the certificates.

    [root@localhost ssl]# keytool -genkey -alias bamboo.secure.server -keyalg RSA -keystore bamboo.secure.server.ks
    Enter keystore password:  
    Re-enter new password: 
    They don't match. Try again
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  bamboo.secure.server
    What is the name of your organizational unit?
      [Unknown]:  OU
    What is the name of your organization?
      [Unknown]:  O
    What is the name of your City or Locality?
      [Unknown]:  City
    What is the name of your State or Province?
      [Unknown]:  State
    What is the two-letter country code for this unit?
      [Unknown]:  CC
    Is CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC correct?
      [no]:  y
    
    Enter key password for <bamboo.secure.server>
    	(RETURN if same as keystore password):  
    Re-enter new password: 
    
    [root@localhost ssl]# keytool -export -alias bamboo.secure.server -keystore bamboo.secure.server.ks -file bamboo.secure.server.crt
    Enter keystore password:  
    Certificate stored in file <bamboo.secure.server.crt>
    
    [root@localhost ssl]# keytool -genkey -alias bamboo.secure.client -keyalg RSA -keystore bamboo.secure.client.ks
    Enter keystore password:  
    Re-enter new password: 
    What is your first and last name?
      [Unknown]:  bamboo.secure.client
    What is the name of your organizational unit?
      [Unknown]:  OU
    What is the name of your organization?
      [Unknown]:  O
    What is the name of your City or Locality?
      [Unknown]:  City
    What is the name of your State or Province?
      [Unknown]:  State
    What is the two-letter country code for this unit?
      [Unknown]:  CC
    Is CN=bamboo.secure.client, OU=OU, O=O, L=City, ST=State, C=CC correct?
      [no]:  y
    
    Enter key password for <bamboo.secure.client>
    	(RETURN if same as keystore password):  
    Re-enter new password: 
    
    [root@localhost ssl]# keytool -import -alias bamboo.secure.server -keystore bamboo.secure.client.ts -file bamboo.secure.server.crt
    Enter keystore password:  
    Re-enter new password: 
    Owner: CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC
    Issuer: CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC
    Serial number: 26ce7cbb
    Valid from: Fri Jun 19 11:46:46 EDT 2015 until: Thu Sep 17 11:46:46 EDT 2015
    Certificate fingerprints:
    	 MD5:  2B:9F:5A:72:98:49:88:A7:C0:F5:3C:4A:16:3F:D6:53
    	 SHA1: 92:A6:AF:C2:22:92:04:89:E1:CE:82:4A:B2:AC:FB:71:69:B4:41:27
    	 SHA256: 04:E3:E1:29:4A:97:83:C4:91:A2:B1:9A:4E:A0:0E:A8:48:5B:05:4B:DA:C6:D1:B9:36:05:BD:52:A3:B6:16:73
    	 Signature algorithm name: SHA256withRSA
    	 Version: 3
    
    Extensions: 
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 73 E5 CC 9E 1F 70 D0 21   9B 7B 22 8D 71 A4 7E 6B  s....p.!..".q..k
    0010: 5A 92 70 2D                                        Z.p-
    ]
    ]
    
    Trust this certificate? [no]:  y
    Certificate was added to keystore
    

    As a result, you would have:

    [root@localhost ssl]# ls -l
    -rw-r--r--. 1 root root 2246 Jun 19 11:49 bamboo.secure.client.ks
    -rw-r--r--. 1 root root  958 Jun 19 11:50 bamboo.secure.client.ts
    -rw-r--r--. 1 root root  879 Jun 19 11:48 bamboo.secure.server.crt
    -rw-r--r--. 1 root root 2247 Jun 19 11:46 bamboo.secure.server.ks
    
  2. Go to the Bamboo installation directory:

    [root@localhost atlassian-bamboo-x.x.x]# cat bin/setenv.sh 
    
    # place the certificates as per follows:
    JVM_SUPPORT_RECOMMENDED_ARGS="-Djavax.net.ssl.keyStore=/opt/atlassian/ssl/bamboo.secure.server.ks -Djavax.net.ssl.keyStorePassword=changeit"
    
  3. Copy the certificates to the Bamboo remote agent box.

    [root@localhost ssl]# scp -r bamboo.secure* root@192.168.10.87:/opt/atlassian/remote-agent/ssl/
    root@192.168.10.87's password: 
    bamboo.secure.client.ks                                                                                                     100% 2246     2.2KB/s   00:00    
    bamboo.secure.client.ts                                                                                                     100%  958     0.9KB/s   00:00    
    bamboo.secure.server.crt                                                                                                    100%  879     0.9KB/s   00:00    
    bamboo.secure.server.ks                                                                                                     100% 2247     2.2KB/s   00:00 
    
  4. Go to the "<bamboo-home>" directory, edit "bamboo.cfg.xml" and replace "tcp" with "ssl".

    # 192.168.10.101, this is the IP address to Bamboo's server box
    # please, notice in both brokers "tcp" has been replaced by "ssl"
    <property name="bamboo.jms.broker.client.uri">failover:(ssl://192.168.10.101:54663?wireFormat.maxInactivityDuration=300000)?initialReconnectDelay=15000&amp;maxReconnectAttempts=10</property>
    <property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?wireFormat.maxInactivityDuration=300000</property>
    
  5. Start Bamboo.
  6. Please, go to "Bamboo administration >>Build resources >> Agents" and make sure you have "Enable Remote Agent Support".

(info)   The following steps should be done on Bamboo's remote agent box.

  1. Go to the Bamboo remote agent directory and edit "<bamboo-agent-home>/conf/wrapper.conf".

    #wrapper.java.additional.3=-agentlib:yjpagent
    wrapper.java.additional.3=-Djavax.net.ssl.keyStore=/opt/atlassian/remote-agent/ssl/bamboo.secure.client.ks
    wrapper.java.additional.4=-Djavax.net.ssl.keyStorePassword=changeit
    wrapper.java.additional.5=-Djavax.net.ssl.trustStore=/opt/atlassian/remote-agent/ssl/bamboo.secure.client.ts
    #wrapper.java.additional.6=-Djavax.net.debug=all
    
    # Application parameters.  Add parameters as needed starting from 1
    wrapper.app.parameter.1=com.atlassian.bamboo.agent.bootstrap.AgentBootstrap
    wrapper.app.parameter.2=http://192.168.10.101:8085/agentServer/
    
  2. Start the Bamboo remote agent.

    <bamboo-agent-home>/bin/bamboo-agent.sh start
    

To manage server certificate for JMS SSL connection manually, follow the instructions from the How to secure your remote agent guide.

There’s a limitation regarding the javax.net.ssl.keyStorePassword, as it's stored in plain text can be accessed by any user who has access to the process list or the setenv.sh/setenv.bat files

Since BAM-21714 fix, user can encode credentials to keystore/truststore files and provide them in encrypted form to Bamboo process.

Follow these steps to manage server certificate for JMS SSL connection manually in Bamboo 10.1 onwards.

  1. Create keystore and put necessary certificates as described at https://confluence.atlassian.com/bamkb/how-to-secure-your-remote-agent-bamboo-server-757465762.html

  2. $BAMBOO_INSTALL_DIR/tools/atlassian-password に移動します。

  3. Run java -jar atlassian-secrets-cli.jar -config=db command

  4. Type password you want to encrypt

  5. Check output. You need content of XML tag <property name="hibernate.connection.password">, e.g. for <property name="hibernate.connection.password">MTIzNDU=</property> encrypted password is MTIzNDU=

  6. Edit $BAMBOO_INSTALL_DIR/setenv.shor setenv.bat file and provide the following system properties in the required section

    #
    #  Occasionally Atlassian Support may recommend that you set some specific JVM arguments.  You can use this variable below to do that.
    #
    : ${JVM_SUPPORT_RECOMMENDED_ARGS:="-Dbamboo.jms.ssl.keyStore=/etc/store.ks -Dbamboo.jms.ssl.keyStorePassword=MTIzNDU="} 


    where bamboo.jms.ssl.keyStore is path to keystore file, bamboo.jms.ssl.keyStorePassword is an encrypted password
  7. The same logic applies to truststore file in the agent environment. Follow the instructions at https://confluence.atlassian.com/bamkb/how-to-secure-your-remote-agent-bamboo-server-757465762.html to create truststore on the agent side and encrypt password with atlassian-secrets-cli.jar

  8. Provide path to truststore file and password at agent’s wrapper.conf

    wrapper.java.additional.5=-Dbamboo.jms.ssl.trustStore=/etc/trust.ts
    wrapper.java.additional.6=-Dbamboo.jms.ssl.trustStorePassword=MTIzNDU=

    It’s also possible to use more advanced algorithms of password encryption, see details at https://confluence.atlassian.com/security/advanced-database-password-encryption-in-bamboo-1402421091.html . Follow provided instructions to encrypt password and then use property bamboo.jms.ssl.cipher to pass required class name. At provided output, take content of <property name="jdbc.password.decrypter.classname"> tag, e.g. for <property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property> the value is com.atlassian.secrets.store.algorithm.AlgorithmSecretStore

最終更新日 2024 年 11 月 20 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.