Running RMsis on SSL or HTTPS

In order to run RMsis on SSL (over HTTPS), a certificate must be created and registered with RMsis. Please note that:

  • This document assumes Tomcat is the application server on which the security certificate is installed.
  • JKS is supported from RMsis 1.3.0 - r.29 onwards.
  • PKCS#11 and PKCS#12 are supported from RMsis 1.4.1 - r.43 onwards.

Installing Certificate for RMsis, when JIRA is running on HTTPS

Note

For RMsis versions 1.5.2 and later, the system will automatically accept the default certificate configured for JIRA. The following steps are optional and may be followed in case of any unforeseen problems.

If JIRA is running on HTTPS, RMsis expects a Public Security Certificate to be installed where RMsis can access it. Otherwise the system will raise a security exception and communication between RMsis and JIRA will fail. The background and the action to be taken are briefly described below.

Background
RMsis comprises two components:
  • A Plugin which integrates with JIRA.
  • RMsis Server, which runs independently on Tomcat and communicates with JIRA through the RMsis-JIRA Plugin.
A secure communication channel between the two applications can be established only if RMsis has access to the public security certificate.
Recommendation
In case of an exception, you will need to add the security certificate of the JIRA Server to the Java trust store, which resides at <JRE_PATH>\lib\security\cacerts. Below is a short how-to for certificate installation.
  • Ensure that JIRA Server is running.
  • Unzip and extract InstallCert.class and InstallCert$SavingTrustManager.class to a location from which the java executable is accessible. [Download ZIP]
  • Run the InstallCert binary (attached in e-mail) from the command line.
    • $ java InstallCert <JIRA_SERVER>:<JIRA_SERVER_PORT>
    • If you are using the default port, the JIRA_SERVER_PORT parameter is optional.
    • Follow the subsequent instructions in the program.
  • This will create a new file named jssecacert in the current directory. Copy this file to <JRE_PATH>\lib\security\cacerts.
  • Restart JIRA and try again with RMsis.
Note

In some cases, the above process may have to be repeated for JIRA, when RMsis is configured for HTTPS.

 

Generating a Self Signed Certificate

If you are using RMsis within a closed group or Intranet, you can use a self-signed certificate.

Run keytool, which is available with Java 1.6, on the command line and enter the responses at each prompt (a sample is shown here):

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

Enter keystore password: // Password for your java keystore, it is 'changeit' by default
What is your first and last name?
  [Unknown]: RMSIS_SERVER // Enter fully qualified server name; for example jira-rmsis.optimizory.com
What is the name of your organizational unit?
  [Unknown]: ORG_UNIT_NAME
What is the name of your organization?
  [Unknown]: ORG_NAME
What is the name of your City or Locality?
  [Unknown]: CITY
What is the name of your State or Province?
  [Unknown]: STATE
What is the two-letter country code for this unit?
  [Unknown]: US
Is <CN=RMSIS_SERVER, OU=ORG_UNIT_NAME, O=ORG_NAME, L=CITY, ST=STATE, C=US> correct?
  [no]: yes

Enter the key password for <key-alias>
	<RETURN if same as keystore password>: <> // Press Return here and do not specify a password.

Now export the certificate to use it with Tomcat:

$JAVA_HOME/bin/keytool -export -alias tomcat -file file.cer

 

Importing Certificate into Trust Store

If you already have an existing certificate available (for example, from a CA like Verisign), perform the following operation as root (or with sudo):

$JAVA_HOME/bin/keytool -import -alias tomcat -file file.cer
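
After either procedure above (InstallCert or keytool -import), it is worth confirming that the trust store holds the certificate you intended to trust. The following is an added example, not part of RMsis, JIRA or InstallCert: it loads a trust store and a certificate file such as file.cer, prints the certificate's SHA-256 fingerprint so it can be compared with the value obtained directly from the server's administrator, and reports whether the store contains that certificate. The class name CheckTrust, the argument order and the fallback to the 'changeit' password are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example; CheckTrust is a hypothetical name, not an RMsis or JIRA tool.
public class CheckTrust {

    // SHA-256 fingerprint as colon-separated upper-case hex.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java CheckTrust <truststore> <cert-file> [store-password]");
            System.exit(2);
        }
        // Assumption: fall back to the default password quoted on this page.
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();

        KeyStore store = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[0]);
        try { store.load(in, password); } finally { in.close(); }

        X509Certificate cert;
        in = new FileInputStream(args[1]);
        try {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally { in.close(); }

        System.out.println("Subject : " + cert.getSubjectX500Principal().getName());
        System.out.println("Expires : " + cert.getNotAfter());
        System.out.println("SHA-256 : " + fingerprint(cert));
        cert.checkValidity(); // throws if the certificate is expired or not yet valid

        // getCertificateAlias returns null when no entry in the store matches this certificate.
        String alias = store.getCertificateAlias(cert);
        System.out.println(alias == null ? "NOT in trust store" : "In trust store as alias '" + alias + "'");
        System.exit(alias == null ? 1 : 0);
    }
}
```

The process exits with status 0 only when the certificate is currently valid and present in the store, so the check can be scripted after a JRE upgrade or trust store replacement.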