In order to run RMsis on SSL (over https), a certificate must be created and registered with RMsis. Please note that
- This document assumes Tomcat, while installing the security certificate.
- JKS is supported from RMsis 1.3.0 - r.29 onwards.
- PKCS#11 and PKCS#12 are supported from RMsis 1.4.1 - r.43 onwards.
Installing Certificate for RMsis, when JIRA is running on HTTPS
If JIRA is running on HTTPS, a Public Security Certificate is expected to be installed and accessed by RMsis. Else the system will raise a security exception and communication between RMsis and JIRA will fail. Here is a brief description of the background and action which needs to be taken.
Background
RMsis comprises of two components:
- A Plugin which integrates with JIRA.
- RMsis Server, which runs independently on Tomcat and communicates with JIRA through the RMsis-JIRA Plugin.
- Secure communication channel requires RMsis access to public security certificate before establishing communication channel between 2 applications.
Recommendation
In case of an exception, you will need to add security certificate of JIRA Server in java trust store which resides at <JRE_PATH>\lib\security\cacerts. Below is a small how-to for certificate installation.
- Ensure that JIRA Server is running.
- Unzip and extract InstallCert.class and InstallCert$SavingTrustManager.class to some location (from where java path is accessible). [Download ZIP]
- Run InstallCert binary (attached in e-mail) using command line.
- $ java InstallCert <JIRA_SERVER>:<JIRA_SERVER_PORT>
- In case you are using the default port, JIRA_SERVER_PORT parameter is optional
- Follow the subsequent instructions in the program
- This will create new file with name jssecacert in current directory. Just copy this file to <JRE_PATH>\lib\security\cacerts.
- Restart JIRA and try again with RMsis.
Note
In some cases, the above process may have to be repeated for JIRA, when RMsis is configured for HTTPS.
Generating a Self Signed Certificate
If you are using RMsis within a closed group or Intranet, you can use a self signed certificate.
Run keytool on commend line, which is available with JAVA 1.6, and enter the responses against the prompt (a sample is shown here)
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA Enter keystore password: // Password for your java keystore, it is 'changeit' by default What is your first and last name? RMSIS_SERVER // Enter fully qualified server name; for example jira-rmsis.optimizory.com What is the name of your organizational unit? [Unknown]: ORG_UNIT_NAME What is the name of your organization? [Unknown]: ORG_NAME What is the name of your City or Locality? [Unknown]: CITY What is the name of your State or Province? [Unknown]: STATE What is the two-letter country code for this unit? [Unknown]: US Is <CN=ORG_UNIT_NAME, OU=ORG_UNIT, O=ORG_NAME, L=CITY, ST=STATE, C=US> correct? [no]: yes Enter the key password for <key-alias> <RETURN if same as keystore password>: <> // Press Return here and do not specify a password.
Now export the certificate to use it with Tomcat
$JAVA_HOME/bin/keytool -export -alias tomcat -file file.cer
Importing Certificate into Trust Store
If you already have an existing certificate available (for example from a CA like Verisign), please perform the following operation as root (or sudo)
$JAVA_HOME/bin/keytool -import -alias tomcat -file file.cer
References
- Apache Tomcat 7 - SSL Configuration : http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore
- Running JIRA over SSL or HTTPS : http://confluence.atlassian.com/display/JIRA044/Running+JIRA+over+SSL+or+HTTPS