
Ability to provide own certificate for gRPC channel in Bamboo datacenter


      Currently Bamboo Datacenter uses a self-signed certificate for the SSL gRPC communication between nodes within the cluster. Bamboo listens for gRPC traffic on the port set by node.internal.communication.port (default 9090). This leads some security scanners to complain that this is insecure, as the issuer is not a known CA.

      The following certificate was at the top of the certificate
      chain sent by the remote host, but it is signed by an unknown
      certificate authority :

      |-Subject : CN=Local node
      |-Issuer : CN=Bamboo GRPC Root CA

      Affected Port:
      9090/tcp

      If the certificate does not exist, Bamboo recreates a self-signed certificate when a cluster node is started.

      This request is to allow the Bamboo admin to provide their own certificate, issued by a CA of their choice, rather than a self-signed certificate.


            Marcin Gardias added a comment - edited

            Once a version containing this change is installed, you can customise your gRPC certificate by performing the following steps:

            1. Prepare your certificate and key file. The file has to be in PEM format and contain both the certificate and the private key. If your certificate and key are in separate files and are both in PEM format, you can create a joint file by concatenating them.
            2. Place the certificate file in the ssl folder in Bamboo shared home. If you name the file custom_ca.pem you can skip step 3.
            3. <optional> Configure the name of your certificate file by setting the system property:
            -Dbamboo.grpc.authentication.root.ca.filename=<filename>
            4. <optional> If your key file is encrypted, you need to provide the passphrase. This is done by passing the encrypted passphrase and the passphrase cipher method as the following properties:
            -Dbamboo.grpc.authentication.root.ca.key.passphrase=<encrypted_passphrase>
            -Dbamboo.grpc.authentication.root.ca.cipher=<encryption_algorithm>

            If cipher is not defined, Bamboo expects the passphrase to be encoded by com.atlassian.secrets.store.base64.Base64SecretStore

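The procedure in the comment above, as an added example that is not part of the issue or of Bamboo's own tooling: a POSIX shell script that joins the certificate and key into one PEM file, encodes the key passphrase, and renders the -D properties. It assumes that Base64SecretStore takes the plain base64 text of the passphrase (base64 is obfuscation, not encryption, so the file carrying the JVM options must be protected as carefully as the key itself), that the shared home path is supplied through a BAMBOO_SHARED_HOME variable, and that the properties are passed via JVM_SUPPORT_RECOMMENDED_ARGS in setenv.sh. The internal CA, node certificate and passphrase in the demo are generated locally with openssl and are constructed, not real.

```shell
#!/bin/sh
# Added example (not Bamboo's own tooling): assemble a custom gRPC certificate
# for Bamboo Data Center following the steps in the comment above.
set -eu

# Step 1: join a PEM certificate and its PEM private key into one file and
# confirm both blocks are present. The joint file holds a private key, so it
# is made owner-readable only.
make_joint_pem() {
  cert="$1"; key="$2"; out="$3"
  cat "$cert" "$key" > "$out"
  chmod 600 "$out"
  grep -q 'BEGIN CERTIFICATE' "$out" && grep -q 'PRIVATE KEY' "$out"
}

# Step 4: encode the key passphrase for Base64SecretStore. Assumption: the
# store takes the plain base64 text of the passphrase (obfuscation only).
encode_passphrase() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Steps 3 and 4: render the -D properties. Only the filename is mandatory;
# the passphrase and cipher properties are emitted when a value is given.
grpc_jvm_props() {
  filename="$1"; encoded="${2:-}"; cipher="${3:-}"
  props="-Dbamboo.grpc.authentication.root.ca.filename=$filename"
  [ -n "$encoded" ] && props="$props -Dbamboo.grpc.authentication.root.ca.key.passphrase=$encoded"
  [ -n "$cipher" ] && props="$props -Dbamboo.grpc.authentication.root.ca.cipher=$cipher"
  printf '%s' "$props"
}

# End-to-end demo with a locally generated internal CA (constructed material).
# Runs in a subshell so the working directory of the caller is untouched.
demo() {
  (
    work=$(mktemp -d)
    shared="${BAMBOO_SHARED_HOME:-$work/shared}"   # assumed variable; scratch dir if unset
    pass='changeit'                                 # constructed demo passphrase
    mkdir -p "$shared/ssl"
    cd "$work"
    # internal CA that issues the node certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
      -subj '/CN=Example Internal CA' -keyout ca.key -out ca.crt
    # node key, encrypted with the passphrase, and its CSR
    openssl req -newkey rsa:2048 -passout "pass:$pass" \
      -subj '/CN=bamboo-node' -keyout node.key -out node.csr
    openssl x509 -req -in node.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 825 -out node.crt
    # Step 2: the default filename custom_ca.pem means step 3 could be skipped;
    # the filename property is still rendered here for clarity.
    make_joint_pem node.crt node.key "$shared/ssl/custom_ca.pem"
    echo "JVM_SUPPORT_RECOMMENDED_ARGS=\"$(grpc_jvm_props custom_ca.pem "$(encode_passphrase "$pass")")\""
  )
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

The demo line it prints is what would be appended to bin/setenv.sh before restarting each node; because the passphrase is only base64-encoded, setenv.sh (and any process listing that shows the JVM arguments) exposes it, so an encrypting cipher via the cipher property is preferable where the deployment supports one.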

            Steven Brannan added a comment - edited

            Our ACAS scanners find this as a vulnerability. Need to fix this somehow. Also, our servers are single node and don't need this as they are not clustered.


              mgardias Marcin Gardias
              cberry@atlassian.com Chris Berry (Inactive)
              Votes: 5
              Watchers: 10