This section is valid for RMsis 1.7.5-r.201 onwards.
In the older versions, if reverse proxy was configured, the connection from JIRA to RMsis was through the reverse proxy. This required installation of Public Certificate on JIRA side as well.
A key point related to mixed use of HTTP and HTTPS.
- Some of the browsers are now blocking HTTP calls from HTTPS pages.
- As per some problems reported recently, the users are not able to use RMsis from recent versions of Chrome OR Firefox.
- A solution is to
- run both RMsis and JIRA on HTTPS
- OR run both JIRA and RMsis on HTTP
HTTPS Setup Overview
- RMsis Server, which runs independently on Tomcat
- RMsis communicates with JIRA through the JIRA Internal URL specified in the configuration.
- A Plugin which integrates with JIRA.
- This plugin communicates with a specific (auto configured) port of RMsis.
It may be noted that RMsis and JIRA could be using the same JRE OR different JRE. If they are running on different JRE, adequate care should be taken to ensure that the certificates are installed at the right locations.
Installing Public Certificate for RMsis, when JIRA is running on HTTPS
If JIRA is running on HTTPS, a Public Security Certificate is expected to be installed and accessed by RMsis. For RMsis versions 1.5.2 and later, the system will automatically accept the default certificate configured for JIRA. In case of an exception, you will need to add security certificate of JIRA Server in java trust store which resides at <JRE_PATH>/lib/security/cacerts. Below is a small how-to for certificate installation.
- Ensure that JIRA Server is running.
- Unzip and extract InstallCert.class and InstallCert$SavingTrustManager.class to some location (from where java path is accessible). [Download ZIP]
- Run InstallCert binary using command line.
- $ java InstallCert <JIRA_SERVER>:<JIRA_SERVER_PORT>
- In case you are using the default port, JIRA_SERVER_PORT parameter is optional
- Follow the subsequent instructions in the program
- This will create new file with name jssecacert in current directory. Just copy this file to <JRE_PATH>/lib/security/cacerts.
- Restart JIRA and try again with RMsis.
SSL Certificate for RMsis
In order to run RMsis on SSL (over https), a certificate must be created and registered with RMsis. Please note that
- This document assumes Tomcat, while installing the security certificate.
- JKS is supported from RMsis 1.3.0 - r.29 onwards.
- PKCS#11 and PKCS#12 are supported from RMsis 1.4.1 - r.43 onwards.
Generating a Self Signed Certificate
If you are using RMsis within a closed group or Intranet, you can use a self signed certificate.
Run keytool on commend line, which is available with JAVA 1.6, and enter the responses against the prompt (a sample is shown here)
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA Enter keystore password: // Password for your java keystore, it is 'changeit' by default What is your first and last name? RMSIS_SERVER // Enter fully qualified server name; for example jira-rmsis.optimizory.com What is the name of your organizational unit? [Unknown]: ORG_UNIT_NAME What is the name of your organization? [Unknown]: ORG_NAME What is the name of your City or Locality? [Unknown]: CITY What is the name of your State or Province? [Unknown]: STATE What is the two-letter country code for this unit? [Unknown]: US Is <CN=ORG_UNIT_NAME, OU=ORG_UNIT, O=ORG_NAME, L=CITY, ST=STATE, C=US> correct? [no]: yes Enter the key password for <key-alias> <RETURN if same as keystore password>: <> // Press Return here and do not specify a password.
Now export the certificate to use it with Tomcat
$JAVA_HOME/bin/keytool -export -alias tomcat -file file.cer
Importing Certificate into Trust Store
If you already have an existing certificate available (for example from a CA like Verisign), please perform the following operation as root (or sudo)
$JAVA_HOME/bin/keytool -import -alias tomcat -file file.cer
- Apache Tomcat 7 - SSL Configuration : http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore
- Running JIRA over SSL or HTTPS : http://confluence.atlassian.com/display/JIRA044/Running+JIRA+over+SSL+or+HTTPS