Bamboo 3.4 : Running Bamboo over HTTPS

This document is a guide to configuring the Bamboo distribution (not EAR-WAR) with basic HTTPS authentication. For further reference please visit the Jetty page on configuring SSL with Jetty.

1. Adding Certificate to your Keystore

Option 1. Using a self-signed Certificate

The simplest way to generate keys and certificates is to use the keytool application that comes with the JDK, as it generates keys and certificates directly into the keystore.

The following command will generate a key pair and certificate directly into a keystore:

keytool -keystore keystore -alias jetty -genkey -keyalg RSA

This command will prompt for information about the certificate and for passwords to protect both the keystore and the keys within it. The only mandatory response is to provide the fully qualified host name of the server at the "first and last name" prompt.

Option 2. Using Certificate issued by an Certificate Authority

Certificate Option 2 – Use a Certificate Issued by a Certificate Authority

When running Bamboo in a production environment, you will need a certificate issued by a certificate authority (CA, sometimes also called a 'certification authority') such as VeriSignThawte or TrustCenter. The instructions below are adapted from the Tomcat documentation.

First you will generate a local certificate and create a 'certificate signing request' (CSR) based on that certificate. You will submit the CSR to your chosen certificate authority. The CA will use that CSR to generate a certificate for you.

  1. Use Java's keytool utility to generate a local certificate, as described in the previous section.
  2. Use the keytool utility to generate a CSR, replacing the text <MY_KEYSTORE_FILENAME> with the path to and file name of the .keystorefile generated for your local certificate:

     

    keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <MY_KEYSTORE_FILENAME>
  3. Submit the generated file called certreq.csr to your chosen certificate authority. Refer to the documentation on the CA's website to find out how to do this.
  4. The CA will send you a certificate.
  5. Import the new certificate into your local keystore:

     

    keytool -importcert -alias tomcat -keystore <MY_KEYSTORE_FILENAME> -file <MY_CERTIFICATE_FILENAME>

 

Now, we need to configure configure an SSL listener.

2. Configuring Jetty

Using the Sun JVM, add the SunJsseListener as a HttpListeners, In the ../<Bamboo_Application_Directory>/webapp/WEB-INF/classes/jetty.xml file add the following lines.
This will make Bamboo accessible in port 8443 on https://localhost:8443/

If you are using Bamboo 1.2.4 (or earlier)
<Call name="addListener">
    <Arg>
      <New class="org.mortbay.http.SunJsseListener">
        <Set name="Port">8443</Set>
        <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/keystore</Set>

	<Set name="Password">password</Set>
	<Set name="KeyPassword">password</Set>
      </New>
    </Arg>
  </Call>
If you are using Bamboo 2.0 (or newer version)
<Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Set name="Port">8443</Set>
        <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/keystore</Set>

	<Set name="Password">password</Set>
	<Set name="KeyPassword">password</Set>
      </New>
    </Arg>
  </Call>

The keystore file in this example is given relative to the Bamboo Application Directory. 

Please ensure that jcert.jar, jnet.jar and jsse.jar are on your classpath.

3. Getting Bamboo to use the jetty.xml file

Follow this Knowledge Base article, to instruct Bamboo to use the jetty.xml file configured in step 2.