Encrypt passwords in server.xml
To add extra security to your Jira instance, you can encrypt passwords that you use to configure Connectors in Tomcat’s server.xml file.
Before you begin
Using productEncryptionKey and encrypted passwords does not guarantee complete security. Tomcat's server.xml still contains everything needed to decrypt the password (the path to the key and the path to the encrypted value), so an attacker who can read those files, or who can impersonate Jira on the host, can recover the password. What the mechanism gives you is that no plain-text password sits in server.xml and the key and encrypted values can be kept in a separate location with tighter file permissions. To enhance security, safeguard the server where Jira and the productEncryptionKey are located.
Jira provides the following protocols that extend Tomcat protocols with support for password encryption.
| Protocol class | Tomcat protocol on which the protocol class is based | Attributes for which password encryption is supported |
|---|---|---|
| com.atlassian.secrets.tomcat.protocol.Http11NioProtocolWithPasswordEncryption | Http11NioProtocol | |
| com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption | Http11Nio2Protocol | |
| com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryption | Http11AprProtocol | |
| com.atlassian.secrets.tomcat.protocol.AjpNioProtocolWithPasswordEncryption | AjpNioProtocol | |
| com.atlassian.secrets.tomcat.protocol.AjpNio2ProtocolWithPasswordEncryption | AjpNio2Protocol | |
| com.atlassian.secrets.tomcat.protocol.AjpAprProtocolWithPasswordEncryption | AjpAprProtocol | |
Encrypting a single password
1. Go to <Jira-installation-directory>/bin.
2. Run the following command to encrypt your password:
java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool
Additionally, you can use the optional arguments described below.
3. Enter your password when prompted. The encryption tool generates two files: encryptedPassword and encryptionKey.
4. Move those files to a safe location. You can also rename the files if you want.
Encrypting multiple passwords for a single Connector
If you want to encrypt more than one password for a single Connector, you must use the same encryption key for all of them. After you encrypt the first password, reuse the generated encryptionKey for each subsequent password by passing the path to the key to the encryption tool:
java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool /path/to/encryptionKey
Because the key is supplied, this run produces only a new encryptedPassword file.
Using encrypted passwords in the Connector configuration
Exception error
For Jira 9.11.0, you can encounter an exception error in the catalina.out file. We're currently working on the fix and we'll deliver it as part of the upcoming bugfix releases. As a temporary workaround:
1. Go to <Jira-installation-directory>.
2. Copy the atlassian-secrets-api library to Tomcat's lib/ directory by running the following command:
cp atlassian-jira/WEB-INF/lib/atlassian-secrets-api-<version>.jar lib/
You can track this issue at JRASERVER-76246.
To use encrypted passwords in the Connector configuration, set the following attributes on the Connector:
- protocol: one of the protocol classes described above
- productEncryptionKey: the path to the encryptionKey file
Then, in place of each plain-text password, put the path to the corresponding encryptedPassword file.
For example, in Jira's conf/server.xml, the configuration of an Http11Nio2 Connector with encrypted keystore and key passwords might look like this:
<Connector
protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
port="8443"
(...)
keystoreFile="/var/secrets/keystore/keystore"
keystorePass="/var/secrets/keystore/encryptedKeystorePass"
keyPass="/var/secrets/keystore/encryptedKeyPass"
productEncryptionKey="/var/secrets/encryptionKey"
/>
Note that only one productEncryptionKey is specified per Connector, so both keystorePass and keyPass must have been encrypted with that same key.
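The configuration above keeps the secrets out of server.xml but, as the note at the top of the page says, only helps if the key and encrypted-password files are themselves protected. The following Python script is an added example for this page, not part of Jira or the atlassian-secrets tooling: it parses a server.xml, finds every Connector that uses one of the *WithPasswordEncryption protocol classes, and checks that productEncryptionKey and the password attributes point at existing, owner-only (0600) files, while flagging any Connector on a plain Tomcat protocol that still carries a keystorePass or keyPass in clear text. The 0600 expectation, the attribute list, and the sample server.xml and placeholder secret files it builds in a temporary directory are this example's own assumptions and constructed data.

```python
"""Audit a Tomcat server.xml for Jira's encrypted Connector passwords.

Added example for this page, not part of Jira or the atlassian-secrets
tooling. Permission checks use POSIX mode bits, so run it on Linux/Unix.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

PROTOCOL_SUFFIX = "WithPasswordEncryption"
# Password attributes this audit inspects: the two shown on the page.
# Extend the tuple if your Connector encrypts other attributes.
PASSWORD_ATTRS = ("keystorePass", "keyPass")
# Assumption of this example: secret files must be owner-only (mode 0600).
DISALLOWED_BITS = stat.S_IRWXG | stat.S_IRWXO


def file_problems(path, label):
    """Return findings for one secret file referenced from server.xml."""
    findings = []
    if not os.path.isabs(path):
        findings.append(f"{label}: '{path}' is not an absolute path")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings + [f"{label}: file '{path}' does not exist"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & DISALLOWED_BITS:
        findings.append(
            f"{label}: '{path}' is accessible to group/other (mode {mode:04o}); expected 0600"
        )
    return findings


def audit_server_xml(xml_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        port = conn.get("port", "?")
        where = f"Connector port {port}"
        if not protocol.endswith(PROTOCOL_SUFFIX):
            # Plain Tomcat protocol: any password attribute is stored in clear text.
            for attr in PASSWORD_ATTRS:
                if conn.get(attr):
                    findings.append(f"{where}: {attr} is stored in clear text (protocol {protocol})")
            continue
        key = conn.get("productEncryptionKey")
        if not key:
            findings.append(f"{where}: {protocol} is set but productEncryptionKey is missing")
        else:
            findings.extend(file_problems(key, f"{where}: productEncryptionKey"))
        for attr in PASSWORD_ATTRS:
            if conn.get(attr):
                findings.extend(file_problems(conn.get(attr), f"{where}: {attr}"))
    return findings


def build_demo(workdir):
    """Create constructed placeholder secret files and return a sample server.xml.

    The file contents are not real keys or ciphertext; encryptedKeyPass is
    deliberately left world-readable so the audit has something to report.
    """
    secrets = os.path.join(workdir, "secrets")
    os.makedirs(secrets, exist_ok=True)
    modes = {
        "encryptionKey": 0o600,
        "encryptedKeystorePass": 0o600,
        "encryptedKeyPass": 0o644,  # the mistake the audit should catch
    }
    full = {}
    for name, mode in modes.items():
        full[name] = os.path.join(secrets, name)
        with open(full[name], "w") as fh:
            fh.write("constructed placeholder, not a real secret\n")
        os.chmod(full[name], mode)
    return f"""<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               keystoreFile="/etc/jira/keystore" keystorePass="changeit" />
    <Connector port="8444"
               protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
               keystoreFile="/etc/jira/keystore"
               keystorePass="{full['encryptedKeystorePass']}"
               keyPass="{full['encryptedKeyPass']}"
               productEncryptionKey="{full['encryptionKey']}" />
  </Service>
</Server>"""


def run_demo():
    """Build the sample layout in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as workdir:
        return audit_server_xml(build_demo(workdir))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Against the constructed sample, the audit reports the clear-text keystorePass on port 8443 and the world-readable encryptedKeyPass on port 8444, and nothing for the clean Connector attributes. To audit a real instance, pass the contents of <Jira-installation-directory>/conf/server.xml to audit_server_xml and run it as the user Jira runs under, so that a "does not exist" finding also surfaces paths Jira itself cannot read. The script cannot verify that all passwords of one Connector were encrypted with the same key; that remains a procedural check when you run the encryption tool.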