Simplest Enterprise Continuous Integration Solutions

Saturday, July 20, 2013

Bamboo security: Bamboo 5.0 runs over HTTPS

Bamboo 5.0 running over HTTP looks like this:


Configure Bamboo 5.0 to run over HTTPS

# Login as root on Bamboo Linux server.

[root@linux64-bamboo-server ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

# Switch (su) to the user that runs Bamboo

[root@linux64-bamboo-server ~]# su - bamboo

# Change dir to bamboo install directory

[root@linux64-bamboo-server ~]$ cd /opt/atlassian-bamboo-5.0

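# Generate a private key
# Note: keytool writes to ~/.keystore unless -keystore is given. The import step and jetty.xml below
# use a file named "keystore", so pass the same -keystore path to every keytool command (and consider
# setting -keysize explicitly rather than relying on the JDK default).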

[bamboo@linux64-bamboo-server atlassian-bamboo-5.0]$ $JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias jetty
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  linux64-bamboo-server.domain.com
What is the name of your organizational unit?
  [Unknown]:  <my unit>
What is the name of your organization?
  [Unknown]:  <my organization>
What is the name of your City or Locality?
  [Unknown]:  <my city>
What is the name of your State or Province?
  [Unknown]:  <my state>
What is the two-letter country code for this unit?
  [Unknown]:  <my country>
Is CN=linux64-bamboo-server.domain.com, OU=<my unit>, O=<my organization>., L=<my city>, ST=<my state>, C=<my country> correct?
  [no]:  y

Enter key password for <jetty>
        (RETURN if same as keystore password):

# Generate a CSR (Certificate Signing Request)

[bamboo@linux64-bamboo-server atlassian-bamboo-5.0]$ $JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias jetty -file certreq.csr
Enter keystore password:

# Submit certreq.csr to a certificate authority

Submit the generated certreq.csr to a Certificate Authority (for example, MY-ENTCASERVER) using the “Web Server” certificate template, then download the resulting certificate chain (DER encoded or Base 64 encoded) and save it as bamboo_Base64.p7b.

# Import signed certificate into keystore

[bamboo@linux64-bamboo-server atlassian-bamboo-5.0]$ $JAVA_HOME/bin/keytool -importcert -alias jetty -file bamboo_Base64.p7b -keystore keystore

# Modify wrapper.conf and jetty.xml as shown in the diffs below

[bamboo@linux64-bamboo-server ~]$ diff -u /opt/atlassian-bamboo-5.0/conf/wrapper.conf.orig /opt/atlassian-bamboo-5.0/conf/wrapper.conf
--- /opt/atlassian-bamboo-5.0/conf/wrapper.conf.orig    2014-08-28 17:48:40.000000000 -0400
+++ /opt/atlassian-bamboo-5.0/conf/wrapper.conf 2014-08-28 17:48:46.000000000 -0400
@@ -7,15 +7,16 @@

# The Bamboo port number - this is the port number the Bamboo web server listens on.
#
-wrapper.app.parameter.2=8085
+#wrapper.app.parameter.2=8085
+wrapper.app.parameter.2=../webapp/WEB-INF/classes/jetty.xml

# The location of the Bamboo web application files
#
-wrapper.app.parameter.3=../webapp
+#wrapper.app.parameter.3=../webapp

# The webapp context path. Which must be of form / or /your-context
#
-wrapper.app.parameter.4=/
+#wrapper.app.parameter.4=/

# Specify which version of java you use to run Bamboo
#
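Review bot: The commented-out `wrapper.app.parameter.3` and `wrapper.app.parameter.4` lines give no hint of where the webapp location and context path are now defined, and the comment above parameter 2 still describes it as a port number. A one-line comment would keep the file honest, for example `# Port, webapp location and context path are now set in ../webapp/WEB-INF/classes/jetty.xml`. In the setup shown on this page that jetty.xml also holds the keystore passwords, so it should be readable only by the Bamboo service account.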


[bamboo@linux64-bamboo-server ~]$ diff -u /opt/atlassian-bamboo-5.0/webapp/WEB-INF/classes/jetty.xml.orig /opt/atlassian-bamboo-5.0/webapp/WEB-INF/classes/jetty.xml
--- /opt/atlassian-bamboo-5.0/webapp/WEB-INF/classes/jetty.xml.orig     2014-08-28 17:06:03.000000000 -0400
+++ /opt/atlassian-bamboo-5.0/webapp/WEB-INF/classes/jetty.xml  2014-08-28 17:39:03.000000000 -0400
@@ -30,9 +30,17 @@

     <Call name="addConnector">
         <Arg>
+<!--
             <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
                 <Set name="host"><Property name="jetty.host" /></Set>
                 <Set name="port"><Property name="jetty.port" default="8085"/></Set>
+-->
+            <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
+                <Set name="Port">8443</Set>
+                <Set name="Keystore"><SystemProperty name="jetty.home" default=""/>keystore</Set>
+
+                <Set name="Password">bamboo</Set>
+                <Set name="KeyPassword">bamboo</Set>
                 <!--<Set name="Host">127.0.0.1</Set>-->
                 <!--<Set name="ConfidentialPort">8443</Set>-->
                 <!--<Set name="IntegralPort">8443</Set>-->
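Review bot: The `Password` and `KeyPassword` values on the new SSL connector are the short, guessable literal `bamboo`, stored in cleartext in jetty.xml under the webapp tree, so anyone who can read that file can unlock the keystore and take the server's private key. Use a long random keystore password, and restrict both jetty.xml and the keystore file to the bamboo user (owner-only permissions). Jetty's obfuscated `OBF:` password form stops casual reading but is reversible, so it does not replace those file permissions. The connector also sets no protocol or cipher-suite restrictions, so it presumably inherits the defaults of this Jetty/JDK release; check that legacy SSL protocol versions and weak suites are excluded. The `<New>` element continues past the end of this hunk.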
@@ -60,7 +68,7 @@
                     <!--SystemProperty name="bamboo.webapp" default="/opt/dev/src/atlassian/bamboo-trunk/components/bamboo-web-app/src/main/webapp"/-->
                     <SystemProperty name="bamboo.webapp" default="./webapp"/>
                 </Arg>
-                <Arg name="contextPath">/bamboo</Arg>
+                <Arg name="contextPath">/</Arg>
                 <!--<Set name="parentLoaderPriority">true</Set>-->
                 <Set name="defaultsDescriptor">webdefault.xml</Set>
                 <Get name="sessionHandler">

# Restart bamboo service

# Bamboo running over HTTPS looks like this


# Bamboo's own signed SSL certificate looks like this



