Bamboo 4.2 : Running Bamboo over HTTPS

This document is a guide to configuring the Bamboo Standalone distribution (not EAR-WAR) with basic HTTPS authentication. For further reference please visit the Jetty page on configuring SSL with Jetty.

1. Adding Certificate to your Keystore

Option 1. Using a self-signed Certificate

The simplest way to generate keys and certificates is to use the keytool application that comes with the JDK, as it generates keys and certificates directly into the keystore.

The following command will generate a key pair and certificate directly into a keystore:

keytool -keystore keystore -alias jetty -genkey -keyalg RSA

This command will prompt for information about the certificate and for passwords to protect both the keystore and the keys within it. The only mandatory response is to provide the fully qualified host name of the server at the "first and last name" prompt.

Option 2. Using a Certificate Issued by a Certificate Authority

When running Bamboo in a production environment, you will need a certificate issued by a certificate authority (CA, sometimes also called a 'certification authority') such as VeriSign, Thawte or TrustCenter. The instructions below are adapted from the Tomcat documentation.

First you will generate a local certificate and create a 'certificate signing request' (CSR) based on that certificate. You will submit the CSR to your chosen certificate authority. The CA will use that CSR to generate a certificate for you.

  1. Use Java's keytool utility to generate a local certificate, as described in the previous section.
  2. Use the keytool utility to generate a CSR, replacing the text <MY_KEYSTORE_FILENAME> with the path to and file name of the .keystore file generated for your local certificate. The -alias value must match the alias used when the key pair was generated (jetty in the command above):

    keytool -certreq -keyalg RSA -alias jetty -file certreq.csr -keystore <MY_KEYSTORE_FILENAME>

  3. Submit the generated file called certreq.csr to your chosen certificate authority. Refer to the documentation on the CA's website to find out how to do this.
  4. The CA will send you a certificate.
  5. Import the new certificate into your local keystore, using the same alias:

    keytool -importcert -alias jetty -keystore <MY_KEYSTORE_FILENAME> -file <MY_CERTIFICATE_FILENAME>

Now, we need to configure an SSL listener.

NOTE: If you're running a Bamboo EAR-WAR distribution deployed in Tomcat, please follow these instructions. Otherwise, go to Step 2 below.

2. Configuring Jetty

With the Sun JVM, add the SunJsseListener as an HttpListener by adding the following lines to the ../<Bamboo_Application_Directory>/webapp/WEB-INF/classes/jetty.xml file.
This will make Bamboo accessible on port 8443 at https://localhost:8443/

If you are using Bamboo 1.2.4 (or earlier):

<Call name="addListener">
  <Arg>
    <New class="org.mortbay.http.SunJsseListener">
      <Set name="Port">8443</Set>
      <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/keystore</Set>
      <Set name="Password">password</Set>
      <Set name="KeyPassword">password</Set>
    </New>
  </Arg>
</Call>

If you are using Bamboo 2.0 (or a newer version):

<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Set name="Port">8443</Set>
      <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/keystore</Set>
      <Set name="Password">password</Set>
      <Set name="KeyPassword">password</Set>
    </New>
  </Arg>
</Call>

 

  1. Please note that Password and KeyPassword are the passwords you entered when you imported the certificate into the keystore.
  2. The keystore file in this example is given relative to the Bamboo Application Directory, so copy your keystore file to the BAMBOO_INSTALL directory.
  3. Also, you might need an extra "." (dot) at ./keystore.
  4. If you are not using a context URL, clear out the context path (<Arg name="contextPath">/bamboo</Arg>) so that it looks like (<Arg name="contextPath">/</Arg>).
  5. Please ensure that the jcert.jar, jnet.jar and jsse.jar files are on your classpath (http://docs.oracle.com/javase/6/docs/technotes/tools/windows/classpath.html).

Your jetty.xml file should look like this:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<!-- =============================================================== -->
<!-- Configure the Jetty Server                                      -->
<!--                                                                 -->
<!-- Documentation of this file format can be found at:              -->
<!-- http://wiki.eclipse.org/Jetty/Reference/jetty.xml_syntax        -->


<Configure id="Server" class="org.eclipse.jetty.server.Server">

    <!-- =========================================================== -->
    <!-- Server Thread Pool                                          -->
    <!-- =========================================================== -->
    <!-- Set name="ThreadPool" -->
    <!-- Default queued blocking threadpool -->
    <!--New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
        <Set name="minThreads">10</Set>
        <Set name="maxThreads">200</Set>
      </New>
    </Set-->

    <!-- =========================================================== -->
    <!-- Set connectors                                              -->
    <!-- =========================================================== -->
    <!-- Add and configure a Connector to port 8085               -->
    <!-- The default port can be changed using: java -Djetty.port=8085   -->
    <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->


    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                <Set name="Port">8443</Set>
                <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/keystore</Set>
                <Set name="Password">password</Set>
                <Set name="KeyPassword">password</Set>
            </New>
        </Arg>
    </Call>

    <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  -->
    <!-- For SSL Connections use:                                         -->
    <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  -->

    <!--<Call name="addConnector">-->
    <!--<Arg>-->
    <!--<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">-->

    <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  -->
    <!-- Add web applications Context.                                    -->
    <!-- The default location can be changed using: java -Dbamboo.webapp= -->
    <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  -->

    <Call name="setHandler">
        <Arg>
            <New class="org.eclipse.jetty.webapp.WebAppContext">
                <Arg name="webApp">
                    <!--SystemProperty name="bamboo.webapp" default="/opt/dev/src/atlassian/bamboo-trunk/components/bamboo-web-app/src/main/webapp"/-->
                    <SystemProperty name="bamboo.webapp" default="./webapp"/>
                </Arg>
                <Arg name="contextPath">/</Arg>
                <!--<Set name="parentLoaderPriority">true</Set>-->
                <Set name="defaultsDescriptor">webdefault.xml</Set>
                <Get name="sessionHandler">
                    <Set name="sessionManager">
                        <New class="org.eclipse.jetty.server.session.HashSessionManager">
                            <Set name="httpOnly">true</Set>        <!-- use M$ http only cookies? -->
                        </New>
                    </Set>
                </Get>
            </New>
        </Arg>
    </Call>
    <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  -->
    <!-- Add Any JNDI Resources                                           -->
    <!-- The default location can be changed using: java -Dbamboo.webapp= -->
    <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  -->

    <!--New id="resourceID" class="org.eclipse.jetty.plus.jndi.Resource">
    <Arg>resourceName</Arg>
    <Arg>
      <New class="org.eclipse.jetty.jndi.factories.MailSessionReference">
        <Set name="user">name</Set>
        <Set name="password">password</Set>
        <Set name="properties">
          <New class="java.util.Properties">
            <Put name="mail.smtp.host">host</Put>
            <Put name="mail.from">fromaddress@example.com</Put>
          </New>
        </Set>
      </New>
    </Arg>
  </New-->

    <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  -->
    <!-- Uncomment to enable AJP Support                                  -->

    <!--
    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.ajp.Ajp13SocketConnector">
                <Set name="port">8009</Set>
            </New>
        </Arg>
    </Call>
    -->

  
</Configure>

Also, modify C:\Atlassian\atlassian-bamboo-4.0\Bamboo\conf\wrapper.conf by:

  • Replacing the argument which specifies the port number "wrapper.app.parameter.2=8085" with "wrapper.app.parameter.2=../webapp/WEB-INF/classes/jetty.xml".
  • Commenting out the other arguments: "wrapper.app.parameter.3=../webapp" and "wrapper.app.parameter.4=/".
  • Please note that this part might fail on Windows: "<SystemProperty name="bamboo.webapp" default="./webapp"/>". In that case use two dots before "/webapp":

    ...
    <SystemProperty name="bamboo.webapp" default="../webapp"/>
    ...

After following the steps mentioned above, you should be able to start your Bamboo instance and reach it at https://127.0.0.1:8443
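
To check the finished jetty.xml before restarting Bamboo, the following added example (not part of the original page or of Bamboo) parses the file and reports connectors without TLS, Password/KeyPassword values left at a placeholder, and a keystore path with no directory separator. The sample XML, the plain-HTTP connector in it, the PLACEHOLDERS set and the function names are constructed for illustration; commented-out connectors are ignored because the XML parser drops comments.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment): the page's SSL connector, a plain
# HTTP connector left enabled, and "keystore" written without the leading slash.
SAMPLE_JETTY_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector"><Arg><New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
    <Set name="port">8085</Set></New></Arg></Call>
  <Call name="addConnector"><Arg><New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
    <Set name="Port">8443</Set>
    <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>keystore</Set>
    <Set name="Password">password</Set>
    <Set name="KeyPassword">password</Set></New></Arg></Call>
</Configure>"""
PLACEHOLDERS = {"", "password", "changeit"}  # assumption: sample/default values

def set_values(new_el):
    """Map each direct <Set> (name lower-cased) to its text, using SystemProperty defaults."""
    values = {}
    for s in new_el.findall("Set"):
        text = (s.text or "") + "".join(
            c.get("default", "") + (c.tail or "") for c in s)
        values[s.get("name", "").lower()] = text.strip()
    return values

def audit_jetty_xml(xml_text):
    """Return (port, finding) tuples for every active connector or listener."""
    findings = []
    for call in ET.fromstring(xml_text).iter("Call"):
        new_el = call.find("Arg/New")
        if call.get("name") not in ("addConnector", "addListener") or new_el is None:
            continue
        simple = new_el.get("class", "").rsplit(".", 1)[-1]
        vals = set_values(new_el)
        port = vals.get("port", "?")
        if "ssl" not in simple.lower() and "jsse" not in simple.lower():
            findings.append((port, "no TLS: " + simple))
            continue
        for key in ("password", "keypassword"):
            if vals.get(key, "") in PLACEHOLDERS:
                findings.append((port, key + " is a placeholder value"))
        ks = vals.get("keystore", "")
        if "/" not in ks and "\\" not in ks:
            findings.append((port, "keystore path %r has no directory separator" % ks))
    return findings

if __name__ == "__main__":
    for port, finding in audit_jetty_xml(SAMPLE_JETTY_XML):
        print("port %s: %s" % (port, finding))
```

To audit a real installation, pass the contents of webapp/WEB-INF/classes/jetty.xml to audit_jetty_xml instead of the sample.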

3. Getting Bamboo to use the jetty.xml file

Follow this Knowledge Base article to instruct Bamboo to use the jetty.xml file configured in step 2.

Running Bamboo EAR-WAR over HTTPS

After adding a certificate to your Keystore (Step 1), please follow these steps:

  1. Open Tomcat's server.xml, located at <Tomcat_Installation_Directory>/conf
  2. Uncomment this section:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

  3. Edit it so it looks like this:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystorePass="<keystore_password_defined>"
               keystoreFile="<keystore_file_location>" />

  4. Start Tomcat
  5. Access Bamboo at https://host_name:8443/bamboo_context