In order to run RMsis on SSL (over https), a certificate must be created and registered with RMsis. Please note that
- This document assumes Tomcat, while installing the security certificate.
- JKS is supported from RMsis 1.3.0 - r.29 onwards.
- PKCS#11 and PKCS#12 are supported from RMsis 1.4.1 - r.43 onwards.
Installing Certificate for RMsis, when JIRA is running on HTTPS
For RMsis versions 1.5.2 and later, the system will automatically accept the default certificate configured for JIRA. The following steps may be optionally followed, in case of any unforeseen problems.
If JIRA is running on HTTPS, a Public Security Certificate is expected to be installed and accessed by RMsis. Else the system will raise a security exception and communication between RMsis and JIRA will fail. Here is a brief description of the background and action which needs to be taken.
- A Plugin which integrates with JIRA.
- RMsis Server, which runs independently on Tomcat and communicates with JIRA through the RMsis-JIRA Plugin.
- Secure communication channel requires RMsis access to public security certificate before establishing communication channel between 2 applications.
- Ensure that JIRA Server is running.
- Unzip and extract InstallCert.class and InstallCert$SavingTrustManager.class to some location (from where java path is accessible). [Download ZIP]
- Run InstallCert binary (attached in e-mail) using command line.
- $ java InstallCert <JIRA_SERVER>:<JIRA_SERVER_PORT>
- In case you are using the default port, JIRA_SERVER_PORT parameter is optional
- Follow the subsequent instructions in the program
- This will create new file with name jssecacert in current directory. Just copy this file to <JRE_PATH>\lib\security\cacerts.
- Restart JIRA and try again with RMsis.
In some cases, the above process may have to be repeated for JIRA, when RMsis is configured for HTTPS.
Generating a Self Signed Certificate
If you are using RMsis within a closed group or Intranet, you can use a self signed certificate.
Run keytool on commend line, which is available with JAVA 1.6, and enter the responses against the prompt (a sample is shown here)
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA Enter keystore password: // Password for your java keystore, it is 'changeit' by default What is your first and last name? RMSIS_SERVER // Enter fully qualified server name; for example jira-rmsis.optimizory.com What is the name of your organizational unit? [Unknown]: ORG_UNIT_NAME What is the name of your organization? [Unknown]: ORG_NAME What is the name of your City or Locality? [Unknown]: CITY What is the name of your State or Province? [Unknown]: STATE What is the two-letter country code for this unit? [Unknown]: US Is <CN=ORG_UNIT_NAME, OU=ORG_UNIT, O=ORG_NAME, L=CITY, ST=STATE, C=US> correct? [no]: yes Enter the key password for <key-alias> <RETURN if same as keystore password>: <> // Press Return here and do not specify a password.
Now export the certificate to use it with Tomcat
$JAVA_HOME/bin/keytool -export -alias tomcat -file file.cer
Importing Certificate into Trust Store
If you already have an existing certificate available (for example from a CA like Verisign), please perform the following operation as root (or sudo)
$JAVA_HOME/bin/keytool -import -alias tomcat -file file.cer
- Apache Tomcat 7 - SSL Configuration : http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore
- Running JIRA over SSL or HTTPS : http://confluence.atlassian.com/display/JIRA044/Running+JIRA+over+SSL+or+HTTPS