1. Generate a private key
# Log in as root on the JIRA Linux server.
[root@linux64-jira-server ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# su to the user that runs JIRA
[root@linux64-jira-server ~]# su - jira
[jira@linux64-jira-server ~]$ $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: linux64-jira-server.domain.com
What is the name of your organizational unit?
[Unknown]: my_unit
What is the name of your organization?
[Unknown]: my_org
What is the name of your City or Locality?
[Unknown]: my_city
What is the name of your State or Province?
[Unknown]: my_state
What is the two-letter country code for this unit?
[Unknown]: my_country
Is CN=linux64-jira-server.domain.com, OU=my_unit, O=my_org, L=my_city, ST=my_state, C=my_country correct?
[no]: y
Enter key password for <tomcat>
(RETURN if same as keystore password):
# Make sure .keystore exists in the home directory of the user that runs JIRA (jira)
[jira@linux64-jira-server ~]$ id
uid=501(jira) gid=501(jira) groups=501(jira)
[jira@linux64-jira-server ~]$ ls -al ~/.keystore
-rw-rw-r-- 1 jira jira 1362 Jun 5 2012 .keystore
2. Generate a CSR (Certificate Signing Request)
[jira@linux64-jira-server ~]$ $JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore /home/jira/.keystore
3. Submit certreq.csr to a certificate authority
Submit the generated certreq.csr to the certificate authority to obtain a certificate chain (DER encoded or Base 64 encoded), and save it as certnew.p7b
4. Import the signed certificate into local keystore
[jira@linux64-jira-server ~]$ $JAVA_HOME/bin/keytool -importcert -alias tomcat -keystore /home/jira/.keystore -file /home/jira/certnew.p7b
5. Configure HTTPS in Tomcat
Insert the section below into server.xml (default is /opt/atlassian/jira/conf/server.xml) before the </Service> tag
<Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true" useBodyEncodingForURI="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
6. Open port 8443 in the JIRA server firewall
system-config-securitylevel
7. Redirecting certain pages to HTTPS
Insert the section below into web.xml (default is /opt/atlassian/jira/atlassian-jira/WEB-INF/web.xml) before the </web-app> tag
<security-constraint>
<web-resource-collection>
<web-resource-name>all-except-attachments</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.jspa</url-pattern>
<url-pattern>/browse/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
8. Debug JIRA Tomcat Server running over HTTPS
[jira@linux64-jira-server ~]$ /opt/atlassian/jira/bin/start-jira.sh -fg
9. Restart JIRA Tomcat Server running over HTTPS
[root@linux64-jira-server ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@linux64-jira-server ~]# service jira stop
[root@linux64-jira-server ~]# service jira start
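The shell script below is an added example, not part of the original post: it audits the outcome of steps 1, 5 and 7 by checking that the keystore is accessible to its owner only, that the 8443 connector in server.xml carries the TLS attributes, and that web.xml sets the CONFIDENTIAL transport guarantee. The function names and the sample files are constructed for illustration; on a real server pass /home/jira/.keystore, /opt/atlassian/jira/conf/server.xml and /opt/atlassian/jira/atlassian-jira/WEB-INF/web.xml instead.

```shell
# Step 1: succeed only if the keystore has no group/other permission bits.
keystore_private() {
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Step 5: print the <Connector> on port $2 as one line; skips <!-- --> lines.
connector_for_port() {
  awk -v port="$2" '
    /<!--/ { skip = 1 }
    !skip && /<Connector/ { buf = ""; inel = 1 }
    !skip && inel {
      buf = buf " " $0
      if ($0 ~ />/) { if (buf ~ ("[ \t]port=\"" port "\"")) print buf; inel = 0 }
    }
    /-->/ { skip = 0 }' "$1"
}

# Step 5: succeed if that connector carries the TLS attributes from the post.
connector_is_https() {
  c=$(connector_for_port "$1" "$2")
  [ -n "$c" ] || return 1
  for attr in 'SSLEnabled="true"' 'scheme="https"' 'secure="true"'; do
    case $c in *"$attr"*) ;; *) return 1 ;; esac
  done
}

# Step 7: succeed if web.xml carries the CONFIDENTIAL transport guarantee.
forces_https() {
  grep -q '<transport-guarantee>CONFIDENTIAL</transport-guarantee>' "$1"
}

# Constructed sample files (not from a real JIRA install) for an offline run.
make_samples() {
  : > "$1/.keystore"; chmod 664 "$1/.keystore"   # mode shown in step 1
  echo '<transport-guarantee>CONFIDENTIAL</transport-guarantee>' > "$1/web.xml"
  cat > "$1/server.xml" <<'EOF'
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <!-- <Connector port="8443" SSLEnabled="false"/> -->
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" />
</Service>
EOF
}

demo=$(mktemp -d) && make_samples "$demo"
keystore_private "$demo/.keystore" || echo "WARN: keystore readable beyond owner"
connector_is_https "$demo/server.xml" 8443 && echo "OK: 8443 connector uses TLS"
forces_https "$demo/web.xml" && echo "OK: CONFIDENTIAL transport guarantee set"
```

With the mode 664 shown in step 1 the first check warns; after `chmod 600` on the keystore it passes.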