This document is a guide to configuring the Bamboo distribution (not EAR-WAR) with basic HTTPS authentication. For further reference please visit the Jetty page on configuring SSL with Jetty.
1. Adding Certificate to your Keystore
Option 1. Using a self-signed Certificate
The simplest way to generate keys and certificates is to use the keytool application that comes with the JDK, as it generates keys and certificates directly into the keystore.
The following command will generate a key pair and certificate directly into a keystore:
keytool -keystore keystore -alias jetty -genkey -keyalg RSA
This command will prompt for information about the certificate and for passwords to protect both the keystore and the keys within it. The only mandatory response is to provide the fully qualified host name of the server at the "first and last name" prompt.
Option 2. Using Certificate issued by an Certificate Authority
Certificate Option 2 – Use a Certificate Issued by a Certificate Authority
When running Bamboo in a production environment, you will need a certificate issued by a certificate authority (CA, sometimes also called a 'certification authority') such as VeriSign, Thawte or TrustCenter. The instructions below are adapted from the Tomcat documentation.
First you will generate a local certificate and create a 'certificate signing request' (CSR) based on that certificate. You will submit the CSR to your chosen certificate authority. The CA will use that CSR to generate a certificate for you.
- Use Java's
keytool
utility to generate a local certificate, as described in the previous section. Use the
keytool
utility to generate a CSR, replacing the text<MY_KEYSTORE_FILENAME>
with the path to and file name of the.keystore
file generated for your local certificate:keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <MY_KEYSTORE_FILENAME>
- Submit the generated file called
certreq.csr
to your chosen certificate authority. Refer to the documentation on the CA's website to find out how to do this. - The CA will send you a certificate.
Import the new certificate into your local keystore:
keytool -importcert -alias tomcat -keystore <MY_KEYSTORE_FILENAME> -file <MY_CERTIFICATE_FILENAME>
Now, we need to configure configure an SSL listener.
2. Configuring Jetty
Using the Sun JVM, add the SunJsseListener as a HttpListeners, In the ../<Bamboo_Application_Directory>/webapp/WEB-INF/classes/jetty.xml file add the following lines.
This will make Bamboo accessible in port 8443 on https://localhost:8443/
If you are using Bamboo 1.2.4 (or earlier)
<Call name="addListener"> <Arg> <New class="org.mortbay.http.SunJsseListener"> <Set name="Port">8443</Set> <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/keystore</Set> <Set name="Password">password</Set> <Set name="KeyPassword">password</Set> </New> </Arg> </Call>
If you are using Bamboo 2.0 (or newer version)
<Call name="addConnector"> <Arg> <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"> <Set name="Port">8443</Set> <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/keystore</Set> <Set name="Password">password</Set> <Set name="KeyPassword">password</Set> </New> </Arg> </Call>
The keystore file in this example is given relative to the Bamboo Application Directory.
Please ensure that jcert.jar, jnet.jar and jsse.jar are on your classpath.
3. Getting Bamboo to use the jetty.xml file
Follow this Knowledge Base article, to instruct Bamboo to use the jetty.xml
file configured in step 2.