This documentation relates to JIRA 5.0.x Beta and RCs only.
The latest official version is JIRA 4.4.x

The content on this page relates to platforms which are not supported by JIRA. Consequently, Atlassian cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and that you use it at your own risk.

This page describes using an SSL connection between Apache HTTP Server (httpd) and Tomcat, which is not a common configuration. This connection is usually unnecessary, as it sits behind the firewall: the SSL connection can terminate on 'httpd', which then uses plain HTTP to connect to Tomcat. For information on integrating JIRA with 'httpd' without SSL, use the Integrating JIRA with Apache documentation. For the specific configuration of terminating the SSL connection at 'httpd', see the "Terminating an SSL connection at Apache" section.

If you want to use https (e.g. https://mycompany.com/jira/), then:

Step 1. In 'httpd', ensure SSLProxyEngine is on

  • In the 'httpd' config (/etc/apache2/sites-available/jira-mod_proxy), ensure SSLProxyEngine on is specified, and proxy /jira to https://localhost:8443/jira.

  • Please ensure that the ProxyPass and ProxyPassReverse directives do not include a trailing '/'. There have been reports that this may cause problems in JIRA 3.7 and above when serving static resources (JavaScript and CSS).
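The httpd configuration Step 1 describes, as an added example reconstructed from the description above (the page's own code macro did not survive; this is not Atlassian's file). The file path is the one named in Step 1; the CA file path in the commented-out directives is an assumption.

```apache
# Added example for Step 1. File: /etc/apache2/sites-available/jira-mod_proxy
# Requires mod_ssl, mod_proxy and mod_proxy_http to be loaded.

# Never act as a forward proxy; only the explicit ProxyPass mappings below apply.
ProxyRequests Off

# Allow mod_proxy to open an SSL connection to Tomcat's 8443 connector.
SSLProxyEngine on

# By default httpd does not validate the backend certificate at all
# (SSLProxyVerify defaults to none). Once Tomcat's certificate, or the CA that
# signed it, has been exported to a PEM file, require it (path is an assumption):
# SSLProxyVerify            require
# SSLProxyCACertificateFile /etc/ssl/certs/tomcat-ca.pem

# No trailing '/' on either directive (see the static-resources note above).
ProxyPass           /jira   https://localhost:8443/jira
ProxyPassReverse    /jira   https://localhost:8443/jira
```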

Step 2. Configure Tomcat to use SSL ('recommended' distributions of JIRA)

Edit conf/server.xml, and at the bottom before the </Service> tag, add this section (or uncomment it where you find it):

This enables SSL access on port 8443 (the default for https is 443, but just as Tomcat uses 8080 instead of 80 to avoid conflicts, 8443 is used instead of 443 here).
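The 8443 Connector that Step 2 refers to, as an added example modelled on the JSSE connector Tomcat 6 ships commented out in server.xml (it is not the page's original code macro). keystoreFile, keystorePass and keyAlias are placeholders to replace.

```xml
<!-- Added example for Step 2 (Tomcat 6 JSSE syntax). The keystore named here
     holds Tomcat's own key pair (created with "keytool -genkey"); it is not
     the cacerts truststore that Step 3 imports httpd's certificate into.
     SSLEnabled="true" is what switches the connector to TLS on Tomcat 6.
     If keystorePass is omitted, Tomcat assumes the default "changeit". -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/opt/atlassian/jira/conf/jira.jks"
           keystorePass="CHANGE_ME_not_changeit"
           keyAlias="tomcat"
           URIEncoding="UTF-8" />
```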

Step 3. Import 'httpd's public SSL certificate into Tomcat's keystore

Obtain the server's certificate:

To quote Microsoft: "consult your system administrator". The public/private key pair will live somewhere on the server. The public certificate should be located and copied to the server hosting JIRA/Confluence (copy only the certificate, never the private key). For example:

scp root@mail.yourcompany.com:/etc/ssl/certs/httpd.pem .

If you have openssl installed locally, the certificate can instead be retrieved from the running server with a command like:

donna-mcgahans-macbook-pro:~ dmcgahan$ openssl s_client -connect support.atlassian.com:https
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=au/ST=NSW/L=Sydney/O=ATLASSIAN SOFTWARE SYSTEMS PROPRIETARY LIMITED/OU=IT/CN=*.atlassian.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Cut and paste the certificate (including the BEGIN and END lines) into a local file (e.g. httpd.pem).

Import the public key

To do this, you need to use the keytool program that comes with Java. If you haven't already, add $JAVA_HOME/bin to your PATH, and then run the following:

jturner@teacup:~$ sudo keytool -import -alias mail.yourcompany.com -keystore $JAVA_HOME/jre/lib/security/cacerts -file imapd.pem
Enter keystore password:  changeit
Owner: EMAILADDRESS=info@atlassian.com, CN=atlassian.com, O=Atlassian, L=Sydney, ST=NSW, C=AU
Issuer: EMAILADDRESS=info@atlassian.com, CN=atlassian.com, O=Atlassian, L=Sydney, ST=NSW, C=AU
Serial number: 0
Valid from: Fri Feb 11 14:09:05 EST 2005 until: Sat Feb 11 14:09:05 EST 2006
Certificate fingerprints:
MD5:  CB:AE:7D:5D:1A:08:06:77:93:3B:0F:53:BB:40:C0:D4
SHA1: 7C:02:44:0D:A9:8F:F9:FB:BB:7B:C6:F1:52:DE:CA:00:17:D9:3A:A0
Trust this certificate? [no]:  yes
Certificate was added to keystore

This imports the certificate (imapd.pem in this transcript; use whatever file name you saved the certificate under, e.g. httpd.pem) into Java's default keystore and marks it as trusted. Compare the fingerprints keytool prints with those of the certificate on the httpd host before answering 'yes'.

On Windows the command is similar, e.g.:

C:\Program Files\Java\jre1.6.0_05>bin\keytool -import -file c:\certs\imapd.pem -alias mail.yourcompany.com -keystore lib\security\cacerts
Enter keystore password:
Owner: CN=*.atlassian.com, OU=IT, O=ATLASSIAN SOFTWARE SYSTEMS PROPRIETARY LIMITED, L=Sydney, ST=NSW, C=au
Issuer: CN=DigiCert Global CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: a2d7047dc5d47ba988c9685e1efb860
Valid from: Thu Jan 10 11:00:00 EST 2008 until: Fri Jan 14 10:59:59 EST 2011
Certificate fingerprints:
         MD5:  9D:B4:9F:3D:0A:DE:6A:BD:BC:3D:95:BE:60:BD:70:02
         SHA1: 67:C6:E9:C8:3F:F1:7A:3C:66:E2:CE:62:78:A1:66:84:35:5E:62:1E
         Signature algorithm name: SHA1withRSA
         Version: 3
.....

Trust this certificate? [no]:  yes
Certificate was added to keystore

C:\Program Files\Java\jre1.6.0_05>
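A scripted version of Step 3 for the Linux case, added here as an example (not Atlassian's code): it fetches the certificate the way the openssl session above does, then compares its SHA1 fingerprint with one read on the httpd host itself before importing, because answering 'yes' at keytool's prompt is the moment a wrong or substituted certificate becomes trusted. HTTPD_HOST, EXPECTED_SHA1, the file name and the alias are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not Atlassian's code): scripted Step 3 for Linux.
# Assumptions: openssl and keytool on PATH, JAVA_HOME set, HTTPD_HOST and
# EXPECTED_SHA1 supplied by the caller; file name and alias are placeholders.
set -eu

# Reduce either tool's rendering of a fingerprint to bare upper-case hex, so that
# "SHA1 Fingerprint=7C:02:..." (openssl) and "SHA1: 7C:02:..." (keytool) compare equal.
normalize_fp() {
    printf '%s\n' "$1" \
        | sed -e 's/^[^=]*=//' -e 's/^.*:[[:space:]][[:space:]]*//' \
        | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Exit status 0 when both strings denote the same fingerprint.
fingerprint_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Save the leaf certificate served on host:port as PEM (what the s_client
# session above shows, minus the copy-and-paste). Usage: fetch_cert host port file
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Import only when the fetched certificate's SHA1 matches the value read on the
# httpd host; that check replaces keytool's "Trust this certificate?" prompt.
# Usage: import_cert alias pemfile expected_sha1
import_cert() {
    actual=$(openssl x509 -in "$2" -noout -fingerprint -sha1)
    if ! fingerprint_matches "$actual" "$3"; then
        echo "refusing to import $2: got $actual, expected $3" >&2
        return 1
    fi
    keytool -import -noprompt -alias "$1" -file "$2" \
        -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit
}

if [ -n "${HTTPD_HOST:-}" ]; then   # run the steps only when a host is given
    fetch_cert "$HTTPD_HOST" 443 httpd.pem
    import_cert "$HTTPD_HOST" httpd.pem \
        "${EXPECTED_SHA1:?set to the SHA1 fingerprint read on the httpd host}"
    keytool -list -alias "$HTTPD_HOST" \
        -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit
fi
```

Read the expected value on the httpd host with openssl x509 -in /etc/ssl/certs/httpd.pem -noout -fingerprint -sha1, then run the script as HTTPD_HOST=... EXPECTED_SHA1=... sh import.sh.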

Step 4. Restart the app server

Restart, and if everything is correct, your webapp should now connect to the SSL resource without problems.

Note: Alternative keystore locations

Java will normally use a system-wide keystore in $JAVA_HOME/jre/lib/security/cacerts, but it is possible to use a different keystore by specifying a parameter, -Djavax.net.ssl.trustStore=/path/to/keystore, where '/path/to/keystore' is the absolute file path of the alternative keystore.

Setting this is not recommended, however, because if Java is told to use a custom keystore (e.g. one containing a self-signed certificate), then Java will not have access to the root certificates of signing authorities found in $JAVA_HOME/jre/lib/security/cacerts, and accessing most CA-signed SSL sites will fail. It is better to add new certificates (e.g. self-signed ones) to the system-wide keystore (as above).

There is also a per-user truststore (~/.keystore), but (at least on Linux) its contents do not appear to be logically appended to those in the system-wide keystore; i.e. it is entirely separate, and only used if one specifies -Djavax.net.ssl.trustStore=/home/<user>/.keystore. This has the same disadvantage described above for custom keystores, so the per-user truststore is best avoided.

Note: Alternative configuration if HTTPS is terminated on the proxy server

If HTTPS is terminated on the proxy server, i.e.:

    Client Browser --> HTTPS --> Apache proxy --> HTTP --> Tomcat/JIRA

then you will need to configure steps 1 and 2 slightly differently.

Specifically, an HTTP Connector needs to be defined (identical to the default 8080 Connector) with the addition of the following attributes: scheme="https", proxyName="<proxy_server>", proxyPort="<proxy_port>".

Default connector:

Connector that supports HTTPS terminated on the proxy server:
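Both connectors, as an added example reconstructed from the attribute list above (the page's own code macros did not survive extraction; this is not Atlassian's server.xml). The attribute set is the default JIRA 8080 connector; the proxy host name is a placeholder and address="127.0.0.1" is an assumption that httpd runs on the same host.

```xml
<!-- Default connector as shipped in JIRA's server.xml: plain HTTP on 8080. -->
<Connector port="8080" maxHttpHeaderSize="8192" protocol="HTTP/1.1"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           URIEncoding="UTF-8" />

<!-- Connector for HTTPS terminated on the proxy. Traffic is still plain HTTP
     on 8080, but scheme/proxyName/proxyPort make JIRA generate, and expect,
     https://jira.example.com/... URLs, which is what avoids the
     UrlSchemeMismatchException reported in the comments below. Attribute
     names are case-sensitive (proxyName, not proxyname).
     address="127.0.0.1" (assumes httpd on the same host) keeps clients from
     bypassing the proxy and reaching the unencrypted port directly. -->
<Connector port="8080" address="127.0.0.1"
           maxHttpHeaderSize="8192" protocol="HTTP/1.1"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           URIEncoding="UTF-8"
           scheme="https" proxyName="jira.example.com" proxyPort="443" />
```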

In this scenario, the 'httpd' httpd.conf file needs to be modified from:

ProxyPass              /jira       https://localhost:8443/jira
ProxyPassReverse       /jira       https://localhost:8443/jira

to

ProxyPass              /jira       http://localhost:8080/jira
ProxyPassReverse       /jira       http://localhost:8080/jira

(Note the changes to the scheme and port).

  1. Jan 28, 2011

    Anonymous

    I tried to set this up as defined in "Note: Alternative configuration if HTTPS is terminated on the proxy server" but I can only get this request:

    HTTP Status 401 - Basic Authentication Failure - Reason : AUTHENTICATION_DENIED
    type: Status report
    message: Basic Authentication Failure - Reason : AUTHENTICATION_DENIED
    description: This request requires HTTP authentication (Basic Authentication Failure - Reason : AUTHENTICATION_DENIED).
    Apache Tomcat/5.5.27

    I can access other applications on my https://server/ but https://server/jira always returns this message:

    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8" />
    <Connector port="8080" maxHttpHeaderSize="8192" protocol="HTTP/1.1"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8"
               scheme="https"
               proxyName="server"
               proxyPort="443"/>

    In my Apache proxy conf I already have this:

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

  2. Apr 04, 2011

    Hi friends,

    I'm integrating JIRA and some other applications (all of them running in the same Tomcat 6.0) with an Apache 2.2 server over an SSL layer. JIRA is deployed as a WAR/EAR application, but I can't make it work.

    If I access the app as http://localhost:8080/jira everything works fine, but when someone else accesses the app through Apache I get the following error: UrlSchemeMismatchException: Detected URL scheme, 'http', does not match expected scheme 'https'.

    I know that it is necessary to do some additional configuration to make JIRA work with an SSL layer. I read the documentation, but it is all focused on the standalone version.

    Can you tell me what the steps are, or where I can find the information?

    Regards. Raul

  3. Jun 19, 2011

    Hi,

    If I don't use SSL between Apache and Tomcat, do I need to uncomment the 8443 Connector inside server.xml?

    Thanks,

    -Hieu

    1. Aug 12, 2011

      Hi.

      In the case of 4.3.x on Linux and Mac OS X, using http (not https) (see the reverse proxy setting of Apache below) worked fine without problems. In this case, Apache takes care of everything about https and Tomcat (JIRA) does not have to know about it. You do not have to duplicate the pem setting. It is way simpler, and therefore better, than what is documented above. However, JIRA 4.4 does not allow this. JIRA does not want to show the dashboard page because the "scheme" of the request is not what JIRA expected. To me it seems JIRA's design is becoming no better.

      1. Aug 12, 2011

        Whoops, I just skipped the part "Note: Alternative configuration if HTTPS is terminated on the proxy server". Sorry.

  4. Jul 06, 2011

    If I want to use Application Links between Confluence and JIRA, both of which are running behind Apache using SSL, does it matter which of the two above methods I use? Do they both work?

    1. Sep 03, 2011

      That's exactly what I wanted to do, Troy, and I finally got it working.

      NO, the above method WILL NOT WORK (at least in my experience) for setting up Application Links between Confluence and JIRA with both of them running behind Apache using SSL.

      The method that DID work for me with that scenario was to use the AJP protocol instead of http to communicate between Jira and Confluence.

      This link provided the information I needed to get it working:

      http://confluence.atlassian.com/display/JIRA/Configuring+Apache+Reverse+Proxy+Using+the+AJP+Protocol

      You'll need to enable the proxy_ajp module if it isn't already. On Debian systems this is done via:

      a2enmod proxy_ajp

      It may be the same in other Linux distros.

      1. Feb 08, 2012

        Anonymous

        How do you get confluence to talk to JIRA over AJP?

        When I enable AJP in JIRA and try to enter the application link as ajp://localhost:8009 I get the error message "The application at URL 'http://ajp://localhost:8009/' is not responding. Please confirm that you want to use this URL."  Which of course makes no sense, but it seems to indicate that any connector between Confluence and JIRA requires HTTP and not AJP.

         

  5. Nov 04, 2011

    Anonymous

    So I have everything set up and working with this configuration: Client Browser --> HTTPS --> Apache proxy --> HTTP --> Tomcat/JIRA. However, with this setup, JIRA won't be able to serve both SSL and non-SSL incoming requests. I think that's due to these attributes in Tomcat:

    scheme="https"
    proxyName="jira-stage.bscdev.bscal.com"
    proxyPort="443"

    How do I make JIRA serve both SSL and non-SSL via the Apache proxy server?