How to run Jira application over https?

harry (amezousan) ・3 min read

Intro

The instructions on this page describe how to run Jira applications over SSL or HTTPS by configuring Apache Tomcat with HTTPS.

[Test Environment]

  • Ubuntu 14.04
  • Jira 7.1.2
  • Apache Tomcat Version 8.0.17
  • Jira installation directory: /opt/atlassian/jira/

How to run Jira application over https

Generate the Java KeyStore using an existing certificate and private key

Jira runs on Apache Tomcat, so you configure HTTPS the way Tomcat expects. For certificates, Tomcat relies on Java keytool, a command-line tool that can generate public/private key pairs and store them in a Java KeyStore (JKS).

Importing an existing cert and key into the KeyStore requires a workaround because...

"keytool does not provide such basic functionality like importing private key to keystore. You can try this workaround with merging PKCS12 file with private key to a keystore."

Reference: How to import an existing x509 certificate and private key in Java keystore to use in SSL?

Import an existing certificate and private key into a KeyStore.

Replace the passwords shown in parentheses "()" with your own.

  1. Place your cert (e.g. server.crt) and key (e.g. server.key) in your Jira installation directory (e.g. under /opt/atlassian/jira/).

  2. Create a PKCS12 file with your cert and key.

root@localhost:/opt/atlassian/jira# openssl pkcs12 -inkey server.key -in server.crt -export -out keystore.pkcs12
Enter Export Password: (YourExportPassword)
Verifying - Enter Export Password: (YourExportPassword)
  3. Convert the pkcs12 file to a java keystore.
root@localhost:/opt/atlassian/jira# ./jre/bin/keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks
Enter destination keystore password: (YourKeystorePassword)
Re-enter new password: (YourKeystorePassword)
Enter source keystore password: (YourExportPassword)
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
  4. Confirm that your cert is imported.
root@localhost:/opt/atlassian/jira# ./jre/bin/keytool -list -v -keystore keystore.jks
Enter keystore password: (YourKeystorePassword)
...
Alias name: 1
Creation date: Jul 4, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example.com
...

Edit the server config to use https

You also need to edit the Tomcat configuration files, which are located in the "conf" sub-directory of your Jira installation directory, e.g. [/opt/atlassian/jira/conf/].

That directory contains a server.xml file. It includes an example that enables HTTPS, but the example needs a few changes for Apache Tomcat 8.0.x.

Reference: Configuring SSL on tomcat version 8.0.28

  1. Insert the Connector tag under the comment "To run JIRA via HTTPS".
[Path: /opt/atlassian/jira/conf/server.xml]

<!--
====================================================================================
To run JIRA via HTTPS:
...
====================================================================================
-->
        <Connector
            clientAuth="false"
            keystoreFile="/opt/atlassian/jira/keystore.jks" keystorePass="(YourKeystorePassword)"
            maxThreads="150"
            port="8443"
            protocol="org.apache.coyote.http11.Http11NioProtocol"
            scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS"/>
  2. Stop and start the Jira application to reload the configuration.
root@localhost:/opt/atlassian/jira# ./bin/stop-jira.sh
root@localhost:/opt/atlassian/jira# ./bin/start-jira.sh
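The Connector above keeps the keystore password in plain text in server.xml, and the import steps leave server.key and keystore.pkcs12 in the Jira directory even though the Connector only references keystore.jks. The following audit is an added example, not part of the original post; the function names are hypothetical and the demo runs on a constructed temporary tree rather than /opt/atlassian/jira.

```python
import os
import stat
import tempfile

# File names follow the walkthrough; the Connector only references keystore.jks.
NEEDED = ["keystore.jks", os.path.join("conf", "server.xml")]
LEFTOVER = ["server.key", "keystore.pkcs12"]  # private-key copies Tomcat never reads


def audit_key_material(jira_home):
    """Return (relative path, finding) pairs for the files the procedure creates."""
    findings = []
    for rel in NEEDED + LEFTOVER:
        path = os.path.join(jira_home, rel)
        if not os.path.exists(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append((rel, "accessible to group/others (mode %o)" % mode))
        if rel in LEFTOVER:
            findings.append((rel, "private-key copy no longer needed after import"))
    return findings


def restrict(jira_home):
    """Drop group/other permission bits on the files Tomcat still needs."""
    for rel in NEEDED:
        path = os.path.join(jira_home, rel)
        if os.path.exists(path):
            os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) & 0o700)


def demo():
    """Constructed sample tree standing in for the Jira installation directory."""
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, "conf"))
    for rel in NEEDED + LEFTOVER:
        p = os.path.join(home, rel)
        open(p, "w").close()
        os.chmod(p, 0o644)  # world-readable, as files created by root often are
    before = audit_key_material(home)
    restrict(home)
    for rel in LEFTOVER:
        os.remove(os.path.join(home, rel))
    return before, audit_key_material(home)


if __name__ == "__main__":
    print(demo())
```

Keep the remaining files owned by the account that runs Jira so Tomcat can still read them after the permissions are tightened.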

(Optional) Redirect http to https.

Reference: Force Tomcat to redirect all HTTP traffic to HTTPS.

  1. Make sure redirectPort="8443" is set in the Connector for the HTTP port (default: 8080).
[Path: /opt/atlassian/jira/conf/server.xml]

<Connector port="8080"
           ...
           redirectPort="8443"
           ...
  2. Insert the following at the very end of the file, just above the closing </web-app> tag.
[Path: /opt/atlassian/jira/conf/web.xml]

<!--
To force Tomcat to redirect and revert all requested HTTP traffic over to HTTPS, configure the `conf/web.xml` file with the below block.
This should be placed at the very end of the file near and above the ending `</web-app>` tag:
-->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
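The redirect only works when the HTTP Connector's redirectPort names a port that an HTTPS Connector actually serves and web.xml carries the CONFIDENTIAL constraint for /*. The checker below is an added example, not part of the original post; the function names are hypothetical, the two XML strings are constructed samples that mirror the snippets above, and the web-app namespace is an assumption that the check tolerates being present or absent.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the snippets above; real files contain much more.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/opt/atlassian/jira/keystore.jks"
             keystorePass="(YourKeystorePassword)" sslProtocol="TLS"/>
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


def texts(elem, name):
    """Text of every descendant called `name`, ignoring any XML namespace."""
    return [(e.text or "").strip() for e in elem.iter()
            if e.tag.rsplit("}", 1)[-1] == name]


def check_https_redirect(server_xml, web_xml):
    """Return the problems that would keep plain-HTTP requests off HTTPS."""
    problems = []
    conns = [c.attrib for c in ET.fromstring(server_xml).iter("Connector")]
    tls = [c for c in conns if c.get("SSLEnabled", "").lower() == "true"]
    if not tls:
        problems.append("server.xml: no Connector has SSLEnabled=true")
    for c in tls:
        if c.get("scheme") != "https" or c.get("secure") != "true":
            problems.append("port %s: scheme/secure not set for HTTPS" % c.get("port"))
        if not c.get("keystoreFile"):
            problems.append("port %s: keystoreFile is missing" % c.get("port"))
    for c in conns:
        if c not in tls and c.get("redirectPort") not in {t.get("port") for t in tls}:
            problems.append("port %s: redirectPort is not an HTTPS Connector" % c.get("port"))
    forced = any("/*" in texts(sc, "url-pattern")
                 and "CONFIDENTIAL" in texts(sc, "transport-guarantee")
                 for sc in ET.fromstring(web_xml).iter()
                 if sc.tag.rsplit("}", 1)[-1] == "security-constraint")
    if not forced:
        problems.append("web.xml: no CONFIDENTIAL constraint covers /*")
    return problems


if __name__ == "__main__":
    print(check_https_redirect(SERVER_XML, WEB_XML) or "redirect configuration is consistent")
```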
