Simplest Enterprise Continuous Integration Solutions

Saturday, May 3, 2014

Bamboo security: Bamboo 5.5.0 Tomcat with SSL

What Bamboo 5.5.0 running over plain HTTP looks like




Configure Bamboo 5.5.0 to run over HTTPS

# Log in as root on the Bamboo Linux server.

[root@linux64-bamboo-server ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

# Switch (su) to the user that runs Bamboo

[root@linux64-bamboo-server ~]# su - bamboo

# Change dir to bamboo install directory

[bamboo@linux64-bamboo-server ~]$ cd /opt/atlassian-bamboo-5.5.0

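# Generate a private key (no -keystore option is given, so keytool writes it to the current user's default keystore, ~/.keystore)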

[bamboo@linux64-bamboo-server atlassian-bamboo-5.5.0]$ $JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias tomcat
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  linux64-bamboo-server.domain.com
What is the name of your organizational unit?
  [Unknown]:  <my unit>
What is the name of your organization?
  [Unknown]:  <my organization>
What is the name of your City or Locality?
  [Unknown]:  <my city>
What is the name of your State or Province?
  [Unknown]:  <my state>
What is the two-letter country code for this unit?
  [Unknown]:  <my country>
Is CN=linux64-bamboo-server.domain.com, OU=<my unit>, O=<my organization>., L=<my city>, ST=<my state>, C=<my country> correct?
  [no]:  y

Enter key password for <tomcat>
        (RETURN if same as keystore password):

# Generate a CSR (Certificate Signing Request)

[bamboo@linux64-bamboo-server atlassian-bamboo-5.5.0]$ $JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
Enter keystore password:

# Submit certreq.csr to a certificate authority

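Submit the generated certreq.csr to a Certificate Authority (for example, MY-ENTCASERVER) using the “Web Server” certificate template, then download the certificate chain (DER encoded or Base 64 encoded) and save it as bamboo550_Base64.p7b (or as bamboo550_Der.p7b for the DER-encoded chain, which is the file name used in the import command below).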

# Import signed certificate into keystore

[bamboo@linux64-bamboo-server atlassian-bamboo-5.5.0]$ $JAVA_HOME/bin/keytool -import -alias tomcat -file bamboo550_Der.p7b -keystore ~/.keystore

# Modify server.xml as below accordingly

[root@mtl-nvc-emea08 atlassian-bamboo-5.5.0]# diff -u /opt/atlassian-bamboo-5.5.0/conf/server.xml.orig /opt/atlassian-bamboo-5.5.0/conf/server.xml
--- /opt/atlassian-bamboo-5.5.0/conf/server.xml.orig    2014-08-29 12:05:04.000000000 -0400
+++ /opt/atlassian-bamboo-5.5.0/conf/server.xml 2014-08-29 12:24:14.000000000 -0400
@@ -61,7 +61,6 @@
                    redirectPort="8443"
                    acceptCount="100"
                    disableUploadTimeout="true"/>
-
         <!--
         ====================================================================================

@@ -127,5 +126,20 @@
                    pattern="%a %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot;"/>

         </Engine>
+<Connector port="8443"
+    maxHttpHeaderSize="8192"
+    SSLEnabled="true"
+        maxThreads="150"
+    minSpareThreads="25"
+    maxSpareThreads="75"
+        enableLookups="false"
+    disableUploadTimeout="true"
+    useBodyEncodingForURI="true"
+        acceptCount="100"
+    scheme="https"
+    secure="true"
+        clientAuth="false"
+  sslProtocol="TLS"
+  keystoreFile="/home/bamboo/.keystore" />
     </Service>
 </Server>
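Review bot: The added `<Connector port="8443">` names `keystoreFile="/home/bamboo/.keystore"` but sets no `keystorePass`, so Tomcat falls back to its documented default password `changeit`, and the connector only starts if the keystore was created with that well-known password. Use a strong keystore password and declare it, e.g. `keystorePass="<KEYSTORE_PASSWORD>"` (placeholder), and keep `conf/server.xml` and the keystore readable only by the bamboo user, since the password sits there in clear text. `sslProtocol="TLS"` alone does not pin protocol versions, so what the port accepts depends on the JVM defaults; if the bundled Tomcat supports it, add `sslEnabledProtocols="TLSv1.2"` and an explicit `ciphers` list. The plain-HTTP connector whose tail shows in the first hunk is left in place, so clients are probably still served over HTTP unless a redirect is enforced elsewhere.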

# Restart bamboo service

# Secured Bamboo 5.5.0 with Tomcat SSL, running over HTTPS, looks like

# Bamboo's own signed SSL certificate looks like