The instructions on this page describe how to run Jira applications over SSL or HTTPS by configuring Apache Tomcat with HTTPS.
- Ubuntu 14.04
- Jira 7.1.2
- Apache Tomcat Version 8.0.17
- Jira installed directory: /opt/atlassian/jira/
Jira runs on Apache Tomcat, so HTTPS is configured the Tomcat way. For certificates, Tomcat uses the Java keytool, a command-line tool that can generate public/private key pairs and store them in a Java KeyStore (JKS).
You need a workaround to import your cert and key into the KeyStore because...
"keytool does not provide such basic functionality like importing private key to keystore. You can try this workaround with merging PKCS12 file with private key to a keystore."
Replace the passwords shown in parentheses "()" with your own.
- Place your cert (e.g. server.crt) and key (e.g. server.key) in your Jira installation directory (e.g. under /opt/atlassian/jira/).
- Create a PKCS12 file with your cert and key.
    root@localhost:/opt/atlassian/jira# openssl pkcs12 -inkey server.key -in server.crt -export -out keystore.pkcs12
    Enter Export Password: (YourExportPassword)
    Verifying - Enter Export Password: (YourExportPassword)
- Convert the pkcs12 file to a java keystore.
    root@localhost:/opt/atlassian/jira# ./jre/bin/keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks
    Enter destination keystore password: (YourKeystorePassword)
    Re-enter new password: (YourKeystorePassword)
    Enter source keystore password: (YourExportPassword)
    Entry for alias 1 successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
- Confirm that your cert is imported.
    root@localhost:/opt/atlassian/jira# ./jre/bin/keytool -list -v -keystore keystore.jks
    Enter keystore password: (YourKeystorePassword)
    ...
    Alias name: 1
    Creation date: Jul 4, 2018
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate:
    Owner: CN=example.com
    ...
You will also need to edit the Tomcat configuration files which are located in the "conf" sub-directory of your Jira installed directory, e.g.
In that directory there is a server.xml file. It includes an example for enabling HTTPS, but the example needs a small change when you use Apache Tomcat 8.0.x.
Reference: Configuring SSL on tomcat version 8.0.28
- Insert the Connector tag under the comment "To run JIRA via HTTPS".
    [Path: /opt/atlassian/jira/conf/server.xml]
    <!--
     ====================================================================================
     To run JIRA via HTTPS:
     ...
     ====================================================================================
    -->
    <Connector clientAuth="false"
               keystoreFile="/opt/atlassian/jira/keystore.jks"
               keystorePass="(YourKeystorePassword)"
               maxThreads="150"
               port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               sslProtocol="TLS"/>
- Stop and start the Jira application to reload the configuration.

    root@localhost:/opt/atlassian/jira# ./bin/stop-jira.sh
    root@localhost:/opt/atlassian/jira# ./bin/start-jira.sh
- Make sure redirectPort="8443" is set in the Connector for the HTTP port (default: 8080).

    [Path: /opt/atlassian/jira/conf/server.xml]
    <Connector port="8080" ... redirectPort="8443" ...
- Insert the following at the very end of the web.xml file, near and above the ending `</web-app>` tag.

    [Path: /opt/atlassian/jira/conf/web.xml]
    <!--
      To force Tomcat to redirect and revert all requested HTTP traffic over to HTTPS,
      configure the `conf/web.xml` file with the below block. This should be placed at
      the very end of the file near and above the ending `</web-app>` tag:
    -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
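The steps above only work if three settings agree: the HTTPS Connector, the redirectPort on the HTTP Connector, and the CONFIDENTIAL constraint in web.xml. The following consistency check is an added example, not part of the original page or of Jira or Tomcat; the function name `check_https_config` is hypothetical and the two XML samples are constructed from the snippets shown above.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets above (not a real Jira install).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/opt/atlassian/jira/keystore.jks"
             keystorePass="(YourKeystorePassword)"
             protocol="org.apache.coyote.http11.Http11NioProtocol"/>
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Automatic Forward to HTTPS/SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip the XML namespace prefix; web.xml usually declares one."""
    return tag.rsplit("}", 1)[-1]

def check_https_config(server_xml, web_xml):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    tls = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if not tls:
        return ['server.xml: no Connector with SSLEnabled="true"']
    tls_ports = {c.get("port") for c in tls}
    for c in tls:
        if not c.get("keystoreFile"):
            problems.append(f"port {c.get('port')}: keystoreFile missing")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            problems.append(f"port {c.get('port')}: scheme/secure not set for HTTPS")
    for c in connectors:  # every non-TLS connector must redirect to a TLS port
        if c not in tls and c.get("redirectPort") not in tls_ports:
            problems.append(f"port {c.get('port')}: redirectPort does not match HTTPS port")
    forced = False  # the forced redirect needs CONFIDENTIAL on /*
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) == "security-constraint":
            text = {local(e.tag): (e.text or "").strip() for e in sc.iter()}
            forced |= (text.get("url-pattern") == "/*"
                       and text.get("transport-guarantee") == "CONFIDENTIAL")
    if not forced:
        problems.append("web.xml: no CONFIDENTIAL constraint on /*")
    return problems
```

To check a real installation, read conf/server.xml and conf/web.xml into strings and pass them to the function before restarting Jira.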