How to restrict cryptographic protocols used by Bamboo's JMS broker for remote agent communication

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

After Securing your remote agents with SSL, further hardening of the JMS broker used by Bamboo for remote agent communication may be desired. The purpose of this guide is to show you how you can restrict the SSL / TLS protocols and Cipher Suites supported by the broker endpoint once SSL has already been enabled.

Solution

  1. Shut down Bamboo

  2. Modify your <bamboo-home>/bamboo.cfg.xml

  3. Add the transport.enabledProtocols property to the transport in the bamboo.jms.broker.uri property. The example below enables only TLSv1.2 on the broker:

    <property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?transport.enabledProtocols=TLSv1.2&amp;wireFormat.maxInactivityDuration=300000</property>

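  4. If restriction of the cipher suite is also required, add the transport.enabledCipherSuites property to the transport. The example below enables only the SSL_RSA_WITH_RC4_128_SHA and SSL_DH_anon_WITH_3DES_EDE_CBC_SHA cipher suites. These two names only illustrate the comma-separated syntax: RC4 is prohibited for TLS by RFC 7465 and DH_anon suites do not authenticate the broker, so list the suites that meet your own policy.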

    <property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA&amp;wireFormat.maxInactivityDuration=300000</property>

  5. Start Bamboo
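
An offline check of the edited file, as an added example that is not part of the original article or of Atlassian's tooling: it reads bamboo.jms.broker.uri from the contents of bamboo.cfg.xml and reports weak or missing protocol and cipher suite restrictions. The wrapper elements in the sample, the function names and the weak-suite marker list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of JSSE standard suite names that mark a weak suite (assumed list).
WEAK_SUITE_MARKERS = ("_anon_", "_NULL_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5")

# Constructed sample: the step 4 property inside an assumed minimal wrapper.
SAMPLE_CFG = """<application-configuration><properties>
<property name="bamboo.jms.broker.uri">ssl://0.0.0.0:54663?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA&amp;wireFormat.maxInactivityDuration=300000</property>
</properties></application-configuration>"""


def _csv(query, key):
    """Split a comma-separated transport option into a clean list."""
    return [v.strip() for item in query.get(key, []) for v in item.split(",") if v.strip()]


def audit_broker_uri(cfg_xml):
    """Return findings for the bamboo.jms.broker.uri property in cfg_xml."""
    root = ET.fromstring(cfg_xml)  # parsing also decodes &amp; back to &
    uri = next((p.text or "" for p in root.iter("property")
                if p.get("name") == "bamboo.jms.broker.uri"), None)
    if uri is None:
        return ["bamboo.jms.broker.uri not found"]
    parts = urlsplit(uri.strip())
    if parts.scheme != "ssl":
        return [f"broker transport is '{parts.scheme}', not ssl"]
    query = parse_qs(parts.query)
    protocols = _csv(query, "transport.enabledProtocols")
    suites = _csv(query, "transport.enabledCipherSuites")
    findings = []
    if not protocols:
        findings.append("transport.enabledProtocols not set: JVM defaults apply")
    findings += [f"weak protocol enabled: {p}" for p in protocols if p in WEAK_PROTOCOLS]
    if not suites:
        findings.append("transport.enabledCipherSuites not set: JVM defaults apply")
    findings += [f"weak cipher suite enabled: {s}" for s in suites
                 if any(m in s for m in WEAK_SUITE_MARKERS)]
    return findings


if __name__ == "__main__":
    for finding in audit_broker_uri(SAMPLE_CFG):
        print(finding)
```

Run against the step 4 sample, it reports both listed suites as weak; an empty result means the URI restricts protocols and suites without enabling any value on the weak lists.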

Source:

Bamboo utilizes Apache's ActiveMQ for its Java Messaging. More can be found about the SSL Transport in Apache's documentation below:

From the documentation:

Any SSLServerSocket option may be set on a TransportConnection via ?transport.XXX,

SSLServerSocket options are documented in the Java 8 API reference below:

Values for each option can be found in the below Standard Name documentation:

Updated on April 2, 2025
