Connecting to LDAP or JIRA applications or Other Services via SSL
This page documents configuration of SSL, rather than of Confluence itself. Atlassian will support Confluence with this configuration, but we cannot guarantee to help you debug problems with SSL. Please be aware that this material is provided for your information only, and that you use it at your own risk.
This page describes how to get Confluence connecting to external servers over SSL, via the various SSL-wrapped protocols.
Here are some examples of when you may need to connect to an external server over SSL/HTTPS:
- You need to connect to an LDAP server, such as Active Directory, if the LDAP server is running over SSL.
For specific instructions for Active Directory, see Configuring an SSL Connection to Active Directory.
- You want to set up your JIRA application as a trusted application in Confluence, when JIRA is running over SSL.
- You want to refer to an https://... URL in a Confluence macro.
If you want to run Confluence itself over SSL, see Running Confluence Over SSL or HTTPS.
There's a Confluence SSL plugin that facilitates this process.
Importing SSL Certificates
The following commands apply to JDK 1.5. For commands/syntax relevant to JDK 1.6, please refer to this document from Oracle.
Add the root certificate to your default Java keystore with the following command. This is the certificate that was used to authorise the LDAP server's certificate. It will be either the one that was used for signing it, or will come from further up in the trust chain, possibly the root certificate. This is often a self-signed certificate, when both ends of the SSL connection are within the same network. Again, the exact alias is not important.
keytool -import -alias serverCert -file RootCert.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts (Windows) keytool -import -alias serverCert -file RootCert.crt -keystore $JAVA_HOME/jre/lib/security/cacerts (Linux/Unix/Mac)
Import your LDAP or JIRA server's public certificate into the JVM Keystore. This is the certificate that the LDAP server will use to set up the SSL encryption. You can use any alias of your choosing in place of "JIRAorLDAPServer.crt".
keytool -import -alias ldapCert -file JIRAorLDAPServer.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts (Windows) keytool -import -alias ldapCert -file JIRAorLDAPServer.crt -keystore $JAVA_HOME/jre/lib/security/cacerts (Linux/Unix/Mac)
Verify that the certificate has been added successfully by entering the following command:
keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts (Windows) keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts (Unix/Linux) keytool -list -keystore /Library/Java/Home/lib/security/cacerts (Mac)
- Ensure that you have updated JAVA_OPTS to specify the path to the keystore, as specified in Connecting to SSL services before restarting Tomcat/Confluence.
There is no need to specify an alias for Confluence to use. On connecting to the LDAP server, it will search through the keystore to find a certificate to match the key being presented by the server.
Check the following knowledge base articles: