How to secure your remote agent (Bamboo Server)
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
The following describes Securing your remote agents documentation providing further information.
Before going through the steps below, please make sure you have:
- Bamboo server up.
- At least one Bamboo remote agent set up.
Create keys, stores, and certificates
The following steps should be done on Bamboo's server box.
Run the following commands to create the certificates.
[root@localhost ssl]# keytool -genkey -alias bamboo.secure.server -keyalg RSA -keystore bamboo.secure.server.ks Enter keystore password: Re-enter new password: They don't match. Try again Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: bamboo.secure.server What is the name of your organizational unit? [Unknown]: OU What is the name of your organization? [Unknown]: O What is the name of your City or Locality? [Unknown]: City What is the name of your State or Province? [Unknown]: State What is the two-letter country code for this unit? [Unknown]: CC Is CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC correct? [no]: y Enter key password for <bamboo.secure.server> (RETURN if same as keystore password): Re-enter new password:
[root@localhost ssl]# keytool -export -alias bamboo.secure.server -keystore bamboo.secure.server.ks -file bamboo.secure.server.crt Enter keystore password: Certificate stored in file <bamboo.secure.server.crt>
[root@localhost ssl]# keytool -genkey -alias bamboo.secure.client -keyalg RSA -keystore bamboo.secure.client.ks Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: bamboo.secure.client What is the name of your organizational unit? [Unknown]: OU What is the name of your organization? [Unknown]: O What is the name of your City or Locality? [Unknown]: City What is the name of your State or Province? [Unknown]: State What is the two-letter country code for this unit? [Unknown]: CC Is CN=bamboo.secure.client, OU=OU, O=O, L=City, ST=State, C=CC correct? [no]: y Enter key password for <bamboo.secure.client> (RETURN if same as keystore password): Re-enter new password:
[root@localhost ssl]# keytool -import -alias bamboo.secure.server -keystore bamboo.secure.client.ts -file bamboo.secure.server.crt Enter keystore password: Re-enter new password: Owner: CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC Issuer: CN=bamboo.secure.server, OU=OU, O=O, L=City, ST=State, C=CC Serial number: 26ce7cbb Valid from: Fri Jun 19 11:46:46 EDT 2015 until: Thu Sep 17 11:46:46 EDT 2015 Certificate fingerprints: MD5: 2B:9F:5A:72:98:49:88:A7:C0:F5:3C:4A:16:3F:D6:53 SHA1: 92:A6:AF:C2:22:92:04:89:E1:CE:82:4A:B2:AC:FB:71:69:B4:41:27 SHA256: 04:E3:E1:29:4A:97:83:C4:91:A2:B1:9A:4E:A0:0E:A8:48:5B:05:4B:DA:C6:D1:B9:36:05:BD:52:A3:B6:16:73 Signature algorithm name: SHA256withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 73 E5 CC 9E 1F 70 D0 21 9B 7B 22 8D 71 A4 7E 6B s....p.!..".q..k 0010: 5A 92 70 2D Z.p- ] ] Trust this certificate? [no]: y Certificate was added to keystore
As a result, you would have:
[root@localhost ssl]# ls -l -rw-r--r--. 1 root root 2246 Jun 19 11:49 bamboo.secure.client.ks -rw-r--r--. 1 root root 958 Jun 19 11:50 bamboo.secure.client.ts -rw-r--r--. 1 root root 879 Jun 19 11:48 bamboo.secure.server.crt -rw-r--r--. 1 root root 2247 Jun 19 11:46 bamboo.secure.server.ks
Go to the Bamboo installation directory:
[root@localhost atlassian-bamboo-x.x.x]# cat bin/setenv.sh
# place the certificates as per follows: JVM_SUPPORT_RECOMMENDED_ARGS="-Djavax.net.ssl.keyStore=/opt/atlassian/ssl/bamboo.secure.server.ks -Djavax.net.ssl.keyStorePassword=changeit"
Copy the certificates to the Bamboo remote agent box.
[root@localhost ssl]# scp -r bamboo.secure* root@192.168.10.87:/opt/atlassian/remote-agent/ssl/ root@192.168.10.87's password: bamboo.secure.client.ks 100% 2246 2.2KB/s 00:00 bamboo.secure.client.ts 100% 958 0.9KB/s 00:00 bamboo.secure.server.crt 100% 879 0.9KB/s 00:00 bamboo.secure.server.ks 100% 2247 2.2KB/s 00:00
Go to the "
<bamboo-home>
" directory, edit "bamboo.cfg.xml
" and replace "tcp" with "ssl".# 192.168.10.101, this is the IP address to Bamboo's server box # please, notice in both brokers "tcp" has been replaced by "ssl" <property name="bamboo.jms.broker.client.uri">failover:(ssl://192.168.10.101:54663?wireFormat.maxInactivityDuration=300000)?initialReconnectDelay=15000&maxReconnectAttempts=10</property> <property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?wireFormat.maxInactivityDuration=300000</property>
- Start Bamboo.
- Please, go to "
Bamboo administration >>Build resources >> Agents
" and make sure you have "Enable Remote Agent Support
".
The following steps should be done on Bamboo's remote agent box.
Go to the Bamboo remote agent directory and edit "
<bamboo-agent-home>/conf/wrapper.conf
".#wrapper.java.additional.3=-agentlib:yjpagent wrapper.java.additional.3=-Djavax.net.ssl.keyStore=/opt/atlassian/remote-agent/ssl/bamboo.secure.client.ks wrapper.java.additional.4=-Djavax.net.ssl.keyStorePassword=changeit wrapper.java.additional.5=-Djavax.net.ssl.trustStore=/opt/atlassian/remote-agent/ssl/bamboo.secure.client.ts #wrapper.java.additional.6=-Djavax.net.debug=all # Application parameters. Add parameters as needed starting from 1 wrapper.app.parameter.1=com.atlassian.bamboo.agent.bootstrap.AgentBootstrap wrapper.app.parameter.2=http://192.168.10.101:8085/agentServer/
Start the Bamboo remote agent.
<bamboo-agent-home>/bin/bamboo-agent.sh start
To manage server certificate for JMS SSL connection manually, follow the instructions from the How to secure your remote agent guide.
There’s a limitation regarding the javax.net.ssl.keyStorePassword, as it's stored in plain text can be accessed by any user who has access to the process list or the setenv.sh/setenv.bat
files
Since BAM-21714 fix, user can encode credentials to keystore/truststore
files and provide them in encrypted form to Bamboo process.
Follow these steps to manage server certificate for JMS SSL connection manually in Bamboo 10.1 onwards.
Create keystore and put necessary certificates as described at https://confluence.atlassian.com/bamkb/how-to-secure-your-remote-agent-bamboo-server-757465762.html
$BAMBOO_INSTALL_DIR/tools/atlassian-password
に移動します。Run java -jar atlassian-secrets-cli.jar -config=db command
Type password you want to encrypt
Check output. You need content of XML tag
<property name="hibernate.connection.password">
, e.g. for<property name="hibernate.connection.password">MTIzNDU=</property>
encrypted password isMTIzNDU=
Edit
$BAMBOO_INSTALL_DIR/setenv.shor setenv.bat
file and provide the following system properties in the required section# # Occasionally Atlassian Support may recommend that you set some specific JVM arguments. You can use this variable below to do that. # : ${JVM_SUPPORT_RECOMMENDED_ARGS:="-Dbamboo.jms.ssl.keyStore=/etc/store.ks -Dbamboo.jms.ssl.keyStorePassword=MTIzNDU="}
wherebamboo.jms.ssl.keyStore
is path to keystore file,bamboo.jms.ssl.keyStorePassword
is an encrypted passwordThe same logic applies to truststore file in the agent environment. Follow the instructions at https://confluence.atlassian.com/bamkb/how-to-secure-your-remote-agent-bamboo-server-757465762.html to create truststore on the agent side and encrypt password with
atlassian-secrets-cli.jar
Provide path to truststore file and password at agent’s wrapper.conf
wrapper.java.additional.5=-Dbamboo.jms.ssl.trustStore=/etc/trust.ts wrapper.java.additional.6=-Dbamboo.jms.ssl.trustStorePassword=MTIzNDU=
It’s also possible to use more advanced algorithms of password encryption, see details at https://confluence.atlassian.com/security/advanced-database-password-encryption-in-bamboo-1402421091.html . Follow provided instructions to encrypt password and then use property
bamboo.jms.ssl.cipher
to pass required class name. At provided output, take content of<property name="jdbc.password.decrypter.classname">
tag, e.g. for<property name="jdbc.password.decrypter.classname">com.atlassian.secrets.store.algorithm.AlgorithmSecretStore</property>
the value iscom.atlassian.secrets.store.algorithm.AlgorithmSecretStore