Encrypt passwords in server.xml

To add extra security to your Jira instance, you can encrypt passwords that you use to configure Connectors in Tomcat’s server.xml file.

Before you begin

This solution involves the utilization of the protocol with a productEncryptionKey and encrypted passwords, which may not guarantee complete security, as the configuration in Tomcat's server.xml will contain all the necessary information to decrypt the password. An attacker could potentially impersonate Jira to gain access to the password. To enhance security, we recommend to safeguard the server where Jira and the productEncryptionKey are located.

Jira provides the following protocols that extend Tomcat protocols with support for password encryption.

Protocol class

Tomcat protocol on which the protocol class is based

Attributes for which password encryption is supported

com.atlassian.secrets.tomcat.protocol.Http11NioProtocolWithPasswordEncryptionHttp11NioProtocol
  • KeystorePass

  • KeyPass
  • SSLPassword
  • TruststorePass
com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryptionHttp11Nio2Protocol
  • KeystorePass

  • KeyPass
  • SSLPassword
  • TruststorePass
com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryptionHttp11AprProtocol
  • KeystorePass

  • KeyPass
  • SSLPassword
  • TruststorePass
com.atlassian.secrets.tomcat.protocol.AjpNioProtocolWithPasswordEncryptionAjpNioProtocol

secret

com.atlassian.secrets.tomcat.protocol.AjpNio2ProtocolWithPasswordEncryptionAjpNio2Protocol

secret

com.atlassian.secrets.tomcat.protocol.AjpAprProtocolWithPasswordEncryptionAjpAprProtocol

secret

Encrypting a single password

  1. Go to <Jira-installation-directory>/bin.

  2. Run the following command to encrypt your password:
    java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool

    Additionally, you can use optional arguments described below.

  3. Enter your password when prompted. The encryption tool will generate two files: encryptedPassword and encryptionKey. Move those files to a safe location. You can also rename the files if you want.

Encrypting multiple passwords for a single Connector

If you want to encrypt more than one password for a single Connector, you must use the same encryption key for all passwords. After you encrypt your first password, use the generated encryptionKey to encrypt the subsequent password by passing the path to the key to the encryption tool:

java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool /path/to/encryptionKey

The encryption tool will generate only the encryptedPassword file.


Using encrypted passwords in the Connector configuration

Exception error

For Jira 9.11.0, you can encounter an exception error in the catalina.out file. We’re currently working on the fix and we’ll deliver it as part of the upcoming bugfix releases. For the temporary workaround:

  1. Go to <Jira-installation-directory>.

  2. To copy the atlassian-secrets-api library to the Tomcat lib/ directory, run the following command: cp atlassian-jira/WEB-INF/lib/atlassian-secrets-api-<version>.jar lib/.

You can track this issue at: JRASERVER-76246 - Getting issue details... STATUS


To use encrypted passwords in the Connector configuration, you need to set up the following properties:

  • protocol - use one of the protocol classes described above

  • productEncryptionKey - specify a path to the encryptionKey file

Then you can use path to a proper encryptedPassword file in place of plain text password in the Connector configuration.


For example, in Jira conf/server.xml configuration of a Http11Nio2 Connector with encrypted keystore and key passwords might look similarly to this:

<Connector
    protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
    port="8443"

    (...)

    keystoreFile="/var/secrets/keystore/keystore"
    keystorePass="/var/secrets/keystore/encryptedKeystorePass"
    keyPass="/var/secrets/keystore/encryptedKeyPass"

    productEncryptionKey="/var/secrets/encryptionKey"
/>

Note that only one productEncryptionKey is specified, and both keystorePass and keyPass had to be encrypted with the same key.



Last modified on Jul 1, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.