Encrypt passwords in server.xml
To add extra security to your Jira instance, you can encrypt passwords that you use to configure Connectors in Tomcat’s server.xml file.
Before you begin
productEncryptionKey
and encrypted passwords, which may not guarantee complete security, as the configuration in Tomcat's server.xml will contain all the necessary information to decrypt the password. An attacker could potentially impersonate Jira to gain access to the password. To enhance security, we recommend to safeguard the server where Jira and the productEncryptionKey
are located.
Jira provides the following protocols that extend Tomcat protocols with support for password encryption.
Protocol class | Tomcat protocol on which the protocol class is based | Attributes for which password encryption is supported |
---|---|---|
com.atlassian.secrets.tomcat.protocol.Http11NioProtocolWithPasswordEncryption | Http11NioProtocol |
|
com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption | Http11Nio2Protocol |
|
com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryption | Http11AprProtocol |
|
com.atlassian.secrets.tomcat.protocol.AjpNioProtocolWithPasswordEncryption | AjpNioProtocol |
|
com.atlassian.secrets.tomcat.protocol.AjpNio2ProtocolWithPasswordEncryption | AjpNio2Protocol |
|
com.atlassian.secrets.tomcat.protocol.AjpAprProtocolWithPasswordEncryption | AjpAprProtocol |
|
Encrypting a single password
Go to
<Jira-installation-directory>/bin
.Run the following command to encrypt your password:
java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool
Additionally, you can use optional arguments described below.Enter your password when prompted. The encryption tool will generate two files:
encryptedPassword
andencryptionKey
. Move those files to a safe location. You can also rename the files if you want.
Encrypting multiple passwords for a single Connector
If you want to encrypt more than one password for a single Connector, you must use the same encryption key for all passwords. After you encrypt your first password, use the generated encryptionKey
to encrypt the subsequent password by passing the path to the key to the encryption tool:
java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool /path/to/encryptionKey
encryptedPassword
file.
Using encrypted passwords in the Connector configuration
Exception error
For Jira 9.11.0, you can encounter an exception error in the catalina.out
file. We’re currently working on the fix and we’ll deliver it as part of the upcoming bugfix releases. For the temporary workaround:
Go to
<Jira-installation-directory>
.To copy the
atlassian-secrets-api
library to the Tomcatlib/
directory, run the following command:cp atlassian-jira/WEB-INF/lib/atlassian-secrets-api-<version>.jar lib/
.
You can track this issue at: JRASERVER-76246 - Getting issue details... STATUS
To use encrypted passwords in the Connector configuration, you need to set up the following properties:
protocol
- use one of the protocol classes described aboveproductEncryptionKey
- specify a path to theencryptionKey
file
Then you can use path to a proper encryptedPassword
file in place of plain text password in the Connector configuration.
For example, in Jira conf/server.xml
configuration of a Http11Nio2
Connector with encrypted keystore and key passwords might look similarly to this:
<Connector
protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
port="8443"
(...)
keystoreFile="/var/secrets/keystore/keystore"
keystorePass="/var/secrets/keystore/encryptedKeystorePass"
keyPass="/var/secrets/keystore/encryptedKeyPass"
productEncryptionKey="/var/secrets/encryptionKey"
/>
Note that only one productEncryptionKey
is specified, and both keystorePass
and keyPass
had to be encrypted with the same key.