...
- This document assumes that Tomcat is in use when installing the security certificate.
- JKS is supported from RMsis 1.3.0 - r.29 onwards.
- PKCS#11 and PKCS#12 are supported from RMsis 1.4.1 - r.43 onwards.
Installing Certificate for RMsis, when JIRA is running on HTTPS
If JIRA is running on HTTPS, RMsis expects a public security certificate to be installed and accessible to it. Otherwise the system raises a security exception and communication between RMsis and JIRA fails. The background and the required action are described briefly below.
Background
RMsis comprises two components:
- A Plugin which integrates with JIRA.
- RMsis Server, which runs independently on Tomcat and communicates with JIRA through the RMsis-JIRA Plugin.
A secure communication channel requires that RMsis have access to the public security certificate before the channel between the two applications is established.
Recommendation
In case of an exception, you will need to add the security certificate of the JIRA Server to the Java trust store, which resides at <JRE_PATH>\lib\security\cacerts. Below is a short how-to for installing the certificate.
- Ensure that JIRA Server is running.
- Unzip and extract InstallCert.class and InstallCert$SavingTrustManager.class to a location from which the java path is accessible. [Download ZIP]
- Run the InstallCert binary (attached in e-mail) from the command line.
  - $ java InstallCert <JIRA_SERVER>:<JIRA_SERVER_PORT>
  - If you are using the default port, the JIRA_SERVER_PORT parameter is optional.
- Follow the subsequent instructions in the program.
- This will create a new file named jssecacert in the current directory. Copy this file to <JRE_PATH>\lib\security\cacerts.
- Restart JIRA and try again with RMsis.
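A certificate fetched over the network should be compared with a fingerprint obtained from the JIRA administrator through a separate channel before it is copied into the trust store. The following is an added example (not part of RMsis or InstallCert) of that comparison; the host name in the comment and the sample bytes are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import ssl


def fetch_pem(host, port=443):
    """Fetch the server's leaf certificate as PEM without validating it."""
    return ssl.get_server_certificate((host, port))


def sha256_fingerprint(pem):
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Accept 'AA:BB', 'aa bb' or 'aabb' styles; reject anything else."""
    hexdigits = fp.replace(":", "").replace(" ", "").upper()
    if len(hexdigits) != 64 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexdigits


def matches_pin(pem, expected_fp):
    """True only if the certificate's fingerprint equals the out-of-band value."""
    actual = normalize(sha256_fingerprint(pem))
    return hmac.compare_digest(actual, normalize(expected_fp))


# Constructed stand-in bytes wrapped as PEM so the check runs offline.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed sample bytes, not a real certificate")

if __name__ == "__main__":
    pinned = sha256_fingerprint(SAMPLE_PEM)  # stands in for the admin-supplied value
    print("fingerprint:", pinned)
    print("match:", matches_pin(SAMPLE_PEM, pinned.lower().replace(":", "")))
    # Against a live server (hypothetical host name):
    #   pem = fetch_pem("jira.example.internal", 443)
    #   if not matches_pin(pem, pinned):
    #       raise SystemExit("fingerprint mismatch, do not import")
```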
Generating a Self Signed Certificate
If you are using RMsis within a closed group or Intranet, you can use a self-signed certificate.
Run keytool, which is available with Java 1.6, on the command line and enter the responses at the prompts (a sample is shown here).
```
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password: <Password for your java keystore, it is 'changeit' by default>
What is your first and last name?
[Unknown]: RMSIS_SERVER // Enter fully qualified server name; for example jira-rmsis.optimizory.com
What is the name of your organizational unit?
[Unknown]: ORG_UNIT_NAME
What is the name of your organization?
[Unknown]: ORG_NAME
What is the name of your City or Locality?
[Unknown]: CITY
What is the name of your State or Province?
[Unknown]: STATE
What is the two-letter country code for this unit?
[Unknown]: US
Is <CN=RMSIS_SERVER, OU=ORG_UNIT_NAME, O=ORG_NAME, L=CITY, ST=STATE, C=US> correct?
[no]: yes
Enter the key password for <key-alias>
<RETURN if same as keystore password>: <> // Press Return here and do not specify a password.
```
Now export the certificate to use it with Tomcat:
```
$JAVA_HOME/bin/keytool -export -alias tomcat -file file.cer
```
Importing Certificate into Trust Store
If you already have an existing certificate available (for example from a CA like Verisign), please perform the following operation as root (or sudo):
```
$JAVA_HOME/bin/keytool -import -alias tomcat -file file.cer
```
...