
Ability to provide own certificate for gRPC channel in Bamboo datacenter


      Currently Bamboo Datacenter uses a self-signed certificate for the SSL gRPC communication between nodes within the cluster. Bamboo will listen on the node.internal.communication.port port [9090] for the gRPC traffic. This leads some security scanners to complain that this is insecure as the issuer is not a known CA.

      The following certificate was at the top of the certificate
      chain sent by the remote host, but it is signed by an unknown
      certificate authority :

      |-Subject : CN=Local node
      |-Issuer : CN=Bamboo GRPC Root CA

      Affected Port:
      9090/tcp

      If the certificate does not exist then Bamboo will recreate a self-signed certificate when a cluster node is started.

      This request is to allow the Bamboo admin to provide their own certificate with a CA of their choice rather than a self-signed certificate.

            [BAM-25755] Ability to provide own certificate for gRPC channel in Bamboo datacenter

            Mateusz Szmal made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Waiting for Release [ 12075 ] New: Closed [ 6 ]

            Marcin Gardias added a comment - - edited

            Once a version containing this change is installed you can customise your gRPC certificate by performing the following steps:

            1. Prepare your certificate and key file. The file has to be in .PEM format and contain both the certificate and the private key. If your certificate and key are in separate files and are both in PEM format, you can create a joint file by concatenating them.
            2. Place the certificate file in the ssl folder in Bamboo shared home. If you name the file custom_ca.pem you can skip step 3.
            3. <optional> Configure the name of your certificate file by setting the system property:
            -Dbamboo.grpc.authentication.root.ca.filename=<filename>
            4. <optional> If your key file is encrypted you need to provide the passphrase. This is done by passing the encrypted passphrase and passphrase cipher method as the following properties:
            -Dbamboo.grpc.authentication.root.ca.key.passphrase=<encrypted_passphrase>
            -Dbamboo.grpc.authentication.root.ca.cipher=<encryption_algorithm>

            If cipher is not defined, Bamboo expects the passphrase to be encoded by com.atlassian.secrets.store.base64.Base64SecretStore
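
The steps in the comment above, scripted as an added example (not Atlassian's or the commenter's code): it joins a certificate and key into the file Bamboo reads, keeps the private key owner-only, and prints the properties that are needed. The function names and the GRPC_CA_PASSPHRASE variable are hypothetical, and it assumes Base64SecretStore's encoding is plain Base64 of the passphrase.

```shell
#!/usr/bin/env bash
# Added example (not Bamboo's own tooling). Function names and the
# GRPC_CA_PASSPHRASE variable are hypothetical; the -D property names and
# the custom_ca.pem default come from the comment above.

KEY_LABELS='(RSA |EC |ENCRYPTED )?PRIVATE KEY'

# Count PEM blocks in file $1 whose BEGIN label matches extended regex $2.
pem_count() { grep -Ec -- "^-----BEGIN ($2)-----" "$1" || true; }

# join_pem <cert.pem> <key.pem> <shared_home> [filename]  -> prints joint file path
join_pem() {
  local cert="$1" key="$2" dest="$3/ssl/${4:-custom_ca.pem}"
  [ "$(pem_count "$cert" 'CERTIFICATE')" -ge 1 ] ||
    { echo "no certificate in $cert" >&2; return 1; }
  [ "$(pem_count "$key" "$KEY_LABELS")" -eq 1 ] ||
    { echo "expected exactly one private key in $key" >&2; return 1; }
  mkdir -p "$3/ssl"
  # The echo keeps the END/BEGIN markers on separate lines when the
  # certificate file has no trailing newline.
  ( umask 077; { cat "$cert"; echo; cat "$key"; } > "$dest" )
  chmod 600 "$dest"   # the file now holds the CA private key
  echo "$dest"
}

# True for PKCS#8 encrypted keys and for traditional OpenSSL encrypted keys.
key_is_encrypted() {
  grep -Eq -- '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# grpc_props <joint.pem> [passphrase]  -> prints the JVM properties required
grpc_props() {
  local name; name=$(basename "$1")
  [ "$name" = custom_ca.pem ] ||
    echo "-Dbamboo.grpc.authentication.root.ca.filename=$name"
  if key_is_encrypted "$1"; then
    [ -n "${2:-}" ] || { echo "key is encrypted: passphrase required" >&2; return 1; }
    # Assumption: Base64SecretStore's encoding is plain Base64; cipher is left unset.
    echo "-Dbamboo.grpc.authentication.root.ca.key.passphrase=$(printf %s "$2" | base64 | tr -d '\n')"
  fi
}

# Usage: GRPC_CA_PASSPHRASE=... ./script <cert.pem> <key.pem> <bamboo_shared_home>
if [ "$#" -ge 3 ]; then
  joint=$(join_pem "$1" "$2" "$3") && grpc_props "$joint" "${GRPC_CA_PASSPHRASE:-}"
fi
```

Base64 is an encoding, not encryption, so the passphrase property is recoverable by anyone who can read the JVM arguments; restrict access to the startup configuration and to the ssl folder accordingly.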

            Mateusz Szmal made changes -
            Fix Version/s New: 10.2.1 [ 110796 ]
            Fix Version/s New: 11.0.0 [ 110791 ]
            Fix Version/s New: 9.6.10 [ 110356 ]
            Mateusz Szmal made changes -
            Status Original: In Progress [ 3 ] New: Waiting for Release [ 12075 ]
            Mateusz Szmal made changes -
            Status Original: Gathering Interest [ 11772 ] New: In Progress [ 3 ]
            Mateusz Szmal made changes -
            Assignee New: Marcin Gardias [ mgardias ]
            Dominique Cardin made changes -
            Remote Link New: This issue links to "ANTM-666 (Advisory Services JIRA)" [ 971793 ]

              mgardias Marcin Gardias
              cberry@atlassian.com Chris Berry (Inactive)