How to customize your gRPC certificate in Bamboo Data Center
Platform Notice: Data Center Only - This article only applies to Atlassian apps on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
This guide provides step-by-step instructions for configuring a custom gRPC certificate in Bamboo Data Center: preparing the certificate files, configuring Bamboo, and handling an encrypted private key. By default, Bamboo Data Center uses a self-signed certificate for the TLS (SSL) protected gRPC communication between nodes in a cluster, which listens on port 9090. Security scanners can flag this as insecure because the issuer is not a known Certificate Authority (CA). If no custom certificate is provided, Bamboo generates a self-signed certificate when a node starts.
Environment
The solution has been validated in Bamboo Data Center version 10.2.3 but may be applicable to other versions. This only affects Bamboo Data Center running on a Bamboo Cluster.
Solution
Step 1: Prepare Your Certificate and Key
Ensure your certificate and private key are in PEM format, which is the format Bamboo requires to read the files correctly. You can follow this external article to see how to create your certificate.
If your certificate and key are separate files, combine them into a single .pem file using the following command:
cat certificate.pem key.pem > combined.pem
The combined file should contain the certificate followed by the private key.
If your private key is encrypted, have the passphrase ready for a later configuration step.
Transfer the combined .pem file (for example, combined.pem) to the $BAMBOO_HOME/shared/ssl/ directory. Bamboo looks for SSL certificates in this location. Because the file contains a private key, restrict its permissions to the user Bamboo runs as.
Step 2: Configure Bamboo
Custom filename
If your combined certificate and key file is not named custom_ca.pem, update Bamboo's configuration so that it recognizes your custom filename. Add the following to the JVM arguments in <bamboo-install>/bin/setenv.sh:
JVM_SUPPORT_RECOMMENDED_ARGS="${JVM_SUPPORT_RECOMMENDED_ARGS} -Dbamboo.grpc.authentication.root.ca.filename=<your_filename.pem>"
Passphrase and cipher method
Specify the passphrase and optional cipher method if your private key is encrypted.
No cipher method
If no cipher is defined, Bamboo assumes the passphrase is encoded with the default com.atlassian.secrets.store.base64.Base64SecretStore. Note that Base64 is an encoding, not encryption: it only keeps the passphrase out of plain view, and anyone who can read setenv.sh can decode it. Specify one of the other secret stores listed under "Encryption methods" if the passphrase itself needs to be protected.
Add the following to your setenv.sh to include the passphrase and cipher:
JVM_SUPPORT_RECOMMENDED_ARGS="${JVM_SUPPORT_RECOMMENDED_ARGS} -Dbamboo.grpc.authentication.root.ca.key.passphrase=<base64_encoded_passphrase> -Dbamboo.grpc.authentication.root.ca.cipher=<cipher_class>"
Encryption methods
Bamboo supports several encryption methods for handling passphrases. Choose the one that best suits your security needs:
com.atlassian.secrets.store.base64.Base64SecretStore (Default)
com.atlassian.secrets.store.algorithm.AesOnlyAlgorithmSecretStore
com.atlassian.secrets.store.aws.AwsSecretsManagerStore
com.atlassian.secrets.store.vault.VaultSecretStore
Step 3: Restart Bamboo
Restart all Bamboo nodes to apply the changes; the new JVM arguments are only read at startup.
Once the nodes are back online, validate the certificate configuration using OpenSSL:
openssl s_client -connect localhost:9090 -showcerts
Verify that the output shows your custom certificate rather than the default self-signed certificate. The "Server certificate" section of the output should show your certificate's subject and the issuer you expect, for example:
Server certificate
subject=CN=<your-CN>
issuer=CN=<your-CA>
If the issuer is identical to the subject, the node is still serving a self-signed certificate: check the filename in setenv.sh and that the node was restarted.
In a Bamboo Data Center cluster, repeat the setenv.sh change and the restart on every node. The combined .pem file lives in $BAMBOO_HOME/shared/ssl/, which is the shared home, so it only needs to be placed once.
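The three steps above, as one added example (a bash script written for this article, not Atlassian's own code or part of Bamboo): it validates the PEM inputs, builds the combined bundle, Base64-encodes the passphrase the way the default Base64SecretStore expects, renders the setenv.sh line, and checks the subject CN a running node presents on port 9090. The file names certificate.pem, key.pem and combined.pem, the passphrase s3cret and the CN "bamboo-node" are assumptions for the demo; the demo at the bottom generates a self-signed pair only to show the encrypted-key flow and is not what you would deploy.

```shell
#!/usr/bin/env bash
# Added example for the Bamboo gRPC certificate procedure; not Atlassian code.
# Assumed (hypothetical) names: certificate.pem, key.pem, combined.pem, CN "bamboo-node".
set -u

# True if the PEM file holds a block whose BEGIN line contains the given word
# ("CERTIFICATE", or "PRIVATE KEY", which also matches RSA/ENCRYPTED PRIVATE KEY).
pem_has_block() {
    grep -q -e "-----BEGIN .*${2}-----" "$1" 2>/dev/null
}

# Build the bundle Bamboo reads from $BAMBOO_HOME/shared/ssl/: certificate first,
# then the private key. Refuse to write if either input lacks the expected block,
# so a swapped or truncated file cannot silently produce a broken bundle.
build_combined_pem() {
    local cert="$1" key="$2" out="$3"
    pem_has_block "$cert" "CERTIFICATE" || { echo "no certificate block in $cert" >&2; return 1; }
    pem_has_block "$key" "PRIVATE KEY"  || { echo "no private key block in $key" >&2; return 1; }
    cat "$cert" "$key" > "$out" && chmod 600 "$out"   # the bundle holds a private key
}

# Encode the passphrase for the default Base64SecretStore. Base64 is encoding,
# not encryption, so setenv.sh must be treated as sensitive.
encode_passphrase() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Render the setenv.sh line. Passphrase and cipher are optional; leave the
# cipher empty to use the default Base64SecretStore.
render_jvm_args() {
    local filename="$1" encoded="${2:-}" cipher="${3:-}"
    local args="-Dbamboo.grpc.authentication.root.ca.filename=${filename}"
    if [ -n "$encoded" ]; then
        args="${args} -Dbamboo.grpc.authentication.root.ca.key.passphrase=${encoded}"
    fi
    if [ -n "$cipher" ]; then
        args="${args} -Dbamboo.grpc.authentication.root.ca.cipher=${cipher}"
    fi
    printf 'JVM_SUPPORT_RECOMMENDED_ARGS="${JVM_SUPPORT_RECOMMENDED_ARGS} %s"\n' "$args"
}

# Scripted form of the Step 3 check: fetch the certificate a node presents on
# the gRPC port and compare its subject CN. Returns 0 on match, 1 on mismatch
# (the node is still on its startup self-signed certificate, or was not
# restarted), 2 if no TLS handshake could be completed.
check_presented_cn() {
    local host="$1" port="$2" expected="$3" subject
    subject=$(openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
              | openssl x509 -noout -subject 2>/dev/null) || return 2
    case "$subject" in
        *"CN = ${expected}"*|*"CN=${expected}"*) return 0 ;;
        *) echo "presented: ${subject}" >&2; return 1 ;;
    esac
}

# Demo of the encrypted-key case using a throwaway self-signed pair. In
# production use a CA-issued certificate; the bundling steps are the same.
demo() {
    local work
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=bamboo-node" -days 365 \
        -keyout "$work/key.pem" -out "$work/certificate.pem" 2>/dev/null
    # Wrap the key as PKCS#8 encrypted with AES-256 under the demo passphrase.
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$work/key.pem" \
        -passout pass:s3cret -out "$work/key.enc.pem"
    build_combined_pem "$work/certificate.pem" "$work/key.enc.pem" "$work/combined.pem"
    echo "# add to <bamboo-install>/bin/setenv.sh:"
    render_jvm_args combined.pem "$(encode_passphrase s3cret)"
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

After copying combined.pem into $BAMBOO_HOME/shared/ssl/ and restarting, run check_presented_cn against each node (for example check_presented_cn node1.example 9090 bamboo-node, a hypothetical hostname) to confirm every node serves the custom certificate. The encoded value only applies to the default Base64SecretStore; the other stores in the list above take store-specific values.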