Simplest Enterprise Continuous Integration Solutions

Saturday, January 21, 2012

JIRA security: JIRA server runs over HTTPS

To stop the JIRA login username and password from travelling as plain text over HTTP, configure the JIRA Tomcat server (6.0) to run over HTTPS.


1. Generate a private key

# Log in as root on the JIRA Linux server.
[root@linux64-jira-server ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# Switch to the user that runs JIRA.
[root@linux64-jira-server ~]# su - jira
[jira@linux64-jira-server ~]$ $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  linux64-jira-server.domain.com
What is the name of your organizational unit?
  [Unknown]:  my_unit
What is the name of your organization?
  [Unknown]:  my_org
What is the name of your City or Locality?
  [Unknown]:  my_city
What is the name of your State or Province?
  [Unknown]:  my_state
What is the two-letter country code for this unit?
  [Unknown]:  my_country
Is CN=linux64-jira-server.domain.com, OU=my_unit, O=my_org, L=my_city, ST=my_state, C=my_country correct?
  [no]:  y
Enter key password for <tomcat>
        (RETURN if same as keystore password):
# Make sure the .keystore now exists in the home directory of the JIRA running user (jira)
[jira@linux64-jira-server ~]$ id
uid=501(jira) gid=501(jira) groups=501(jira) 
[jira@linux64-jira-server ~]$ ls -al ~/.keystore
-rw-rw-r--  1 jira jira 1362 Jun  5  2012 .keystore


2. Generate a CSR (Certificate Signing Request)

[jira@linux64-jira-server ~]$ $JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore /home/jira/.keystore


3. Submit certreq.csr to a certificate authority

Submit the generated certreq.csr to your Certificate Authority and request the certificate chain (DER encoded or Base 64 encoded); save the reply as certnew.p7b.

4. Import the signed certificate chain into the local keystore

[jira@linux64-jira-server ~]$ $JAVA_HOME/bin/keytool -importcert -alias tomcat -keystore /home/jira/.keystore -file /home/jira/certnew.p7b

5. Configure HTTPS in Tomcat

Insert the section below into server.xml (default is /opt/atlassian/jira/conf/server.xml) before the closing </Service> tag. Because the Connector sets no keystoreFile or keystorePass, Tomcat opens the .keystore in the home directory of the user it runs as (here /home/jira/.keystore) with its default password changeit, so the keystore password chosen in step 1 must be changeit, or those two attributes must be added to the Connector.
<Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" useBodyEncodingForURI="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />


6. Open port 8443 in the JIRA server firewall

system-config-securitylevel


7. Redirect certain pages to HTTPS


Insert the <security-constraint> section below into web.xml (default is /opt/atlassian/jira/atlassian-jira/WEB-INF/web.xml) before the closing </web-app> tag. The CONFIDENTIAL transport guarantee makes Tomcat redirect plain-HTTP requests for the listed URL patterns to the HTTPS connector.
<security-constraint>
   <web-resource-collection>
      <web-resource-name>all-except-attachments</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.jspa</url-pattern>
      <url-pattern>/browse/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>


8. Debug the JIRA Tomcat server running over HTTPS (start it in the foreground)

[jira@linux64-jira-server ~]$ /opt/atlassian/jira/bin/start-jira.sh -fg


9. Restart the JIRA Tomcat server over HTTPS

[root@linux64-jira-server ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@linux64-jira-server ~]# service jira stop
[root@linux64-jira-server ~]# service jira start
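A post-setup check script for the procedure above, added here as an example and not part of the original post. It assumes JIRA's HTTP connector keeps the default redirectPort="8443", HTTPS on 8443, the keystore at /home/jira/.keystore (password changeit unless STOREPASS is set), and that the host name and the /browse/TEST-1 path are placeholders; the functions keystore_mode_ok, chain_imported and redirected_to_https are mine.

```shell
#!/bin/sh
# Post-setup checks for the JIRA-over-HTTPS procedure above (added example, not
# from the original post). Assumes JIRA HTTP on 8080 with redirectPort="8443",
# HTTPS on 8443, and the keystore at /home/jira/.keystore.
JIRA_HOST="${JIRA_HOST:-linux64-jira-server.domain.com}"
KEYSTORE="${KEYSTORE:-/home/jira/.keystore}"

# The keystore holds the private key, so only its owner should be able to read
# it. Argument: octal mode as printed by `stat -c %a` (600 passes, 664 fails).
keystore_mode_ok() {
  case "$1" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# After step 4 the "tomcat" entry must carry the CA chain (length >= 2) rather
# than the self-signed certificate from step 1. Reads `keytool -list -v` output.
chain_imported() {
  awk '/^Alias name: tomcat$/ { hit = 1; next }
       /^Alias name:/          { hit = 0 }
       hit && /^Certificate chain length:/ { len = $4 }
       END { if (len + 0 >= 2) exit 0; exit 1 }'
}

# With the CONFIDENTIAL constraint from step 7, a plain-HTTP request for a
# protected path must answer with a 3xx redirect to an https:// URL.
# Reads `curl -sI` response headers on stdin.
redirected_to_https() {
  awk 'NR == 1 && $2 ~ /^30[1237]$/ { status = 1 }
       tolower($1) == "location:" && $2 ~ /^https:\/\// { loc = 1 }
       END { if (status && loc) exit 0; exit 1 }'
}

# Live run on the JIRA server: ./check_jira_https.sh --run
run_checks() {
  rc=0
  keystore_mode_ok "$(stat -c %a "$KEYSTORE")" \
    || { echo "FAIL: $KEYSTORE readable by group/others; chmod 600 it"; rc=1; }
  keytool -list -v -keystore "$KEYSTORE" -storepass "${STOREPASS:-changeit}" \
    | chain_imported || { echo "FAIL: alias tomcat has no CA chain (step 4)"; rc=1; }
  curl -sI "http://$JIRA_HOST:8080/browse/TEST-1" | redirected_to_https \
    || { echo "FAIL: /browse/* is not redirected to HTTPS (step 7)"; rc=1; }
  return $rc
}

case "${1:-}" in --run) run_checks ;; esac
```

The mode check flags the -rw-rw-r-- shown in step 1, which leaves the private key readable by every local account.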
