Assets - Azure import integration connection test fails with SSLHandshakeException

   

Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When configuring Azure import and testing the connection, the connection test can fail with "SSLHandshakeException". The user is not able to finish the configuration and save the import.

Environment

  • JSM 9.x
  • Assets standalone application

Diagnosis

The following error is logged to atlassian-jira.log:

2024-03-04 10:48:36,142+0100 pool-105-thread-1 ERROR admin 648x1398359x1 p2sddi 10.210.110.18,10.208.5.56 /rest/insight/1.0/import/module/test/insight-azure-import [c.m.aad.adal4j.AuthenticationContext] [Correlation ID: a4c1d8ec-4d04-40e1-a688-fb6a91e64fca] Execution of class com.microsoft.aad.adal4j.AcquireTokenCallable failed.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
        at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
        at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
        at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)

Cause

When Jira opens an outgoing connection to a remote SSL service, it has to establish trust in that service. To do so, Jira checks the Java certificate trust store (typically $JAVA_HOME/lib/security/cacerts) for the CA chain of the remote service's certificate. If the CA chain is not in the trust store, the error above is logged, meaning Jira is not able to establish trust with the remote service.

More information is available here: Connecting to SSL services

Solution

The solution is to import the relevant CA certificate chains into the Java trust store:

  1. Fetch and export certificate chains from the following domains:
    1. graph.microsoft.com
    2. login.microsoftonline.com
    3. login.live.com
    4. management.azure.com
  2. Follow How to import a public SSL certificate into a JVM to import those certificate chains into Java's trust store.
  3. After restarting Jira, configure the Azure integration again.
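
Steps 1 and 2 above can be scripted as shown here; this is an added example, not Atlassian's own script. The script name azure-chains.sh, the CACERTS and STOREPASS defaults and the alias naming are assumptions. The export step prints each certificate's issuer and SHA-256 fingerprint so the chain can be reviewed before anything is trusted.

```shell
#!/bin/sh
# Added example, not Atlassian's script. Assumed: CACERTS path, STOREPASS
# default ("changeit" is the stock JDK password), and the alias naming.
HOSTS="graph.microsoft.com login.microsoftonline.com login.live.com management.azure.com"
CACERTS="${CACERTS:-$JAVA_HOME/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Print the TLS handshake output for a host, including every certificate sent.
fetch_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Read s_client output on stdin; write each PEM certificate to
# <dir>/<prefix>-<n>.pem (1 = server certificate, higher = its issuers).
# Prints the number of certificates written.
split_chain() {
  awk -v dir="$1" -v pre="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pre "-" n ".pem"; incert = 1 }
    incert { print > out }
    /-----END CERTIFICATE-----/ { incert = 0; close(out) }
    END { print n + 0 }'
}

case "${1:-}" in
  export)   # step 1: sh azure-chains.sh export <dir>
    mkdir -p "$2"
    for h in $HOSTS; do
      count=$(fetch_chain "$h" | split_chain "$2" "$h")
      echo "$h: $count certificate(s)"
    done
    # Review issuer and fingerprint of each file before trusting it.
    for f in "$2"/*.pem; do
      echo "== $f"
      openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
    done ;;
  import)   # step 2: sh azure-chains.sh import <dir>, then restart Jira
    for f in "$2"/*.pem; do
      keytool -importcert -noprompt -trustcacerts -file "$f" \
        -alias "azure-$(basename "$f" .pem)" \
        -keystore "$CACERTS" -storepass "$STOREPASS"
    done ;;
esac
```

Run the import step against the trust store of the JVM that actually runs Jira, and delete any exported file whose issuer is not one you expect before importing.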


Last modified on Mar 20, 2024
