TLS and Certificates

To establish connections it is sometimes necessary to send the truststore to the remote server to identify the sender. In iHub this is done by toggling the Certificate select list and choosing one of the following:

  1. TLS (one-way)

  2. Mutual TLS (two-way)


Enabling one-way TLS

If the remote server requires the certificate to be sent with the call, you need to import it into the keystore used by the JVM that runs Jira. This is usually /opt/atlassian/jira/jre/lib/security/cacerts

Import the remote server's cert file into that keystore; this keystore is called the truststore, and importing the cert is what enables iHub to trust it.

The import is done with keytool, for example:

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore cacerts

If the cert is not in the truststore you will get an error like the one below:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Require the client to identify itself (two-way TLS)

This forces the client to identify itself, so that the server can also validate the identity of the client and decide whether or not it is a trusted one.

This example describes how to get https://client.badssl.com/ working with iHub mutual TLS.

  1. Download the badssl.com-client.p12 file from https://badssl.com/download/

  2. Run the command below. Note that we called the output file truststore_from_p12.jks; enter badssl.com as the password at all prompts

    /usr/bin/keytool -importkeystore -srckeystore badssl.com-client.p12 -srcstoretype PKCS12 -destkeystore truststore_from_p12.jks -deststoretype PKCS12

  3. Go to iHub settings and add the path to the jks file on the server

  4. Enter the password in the password field and click save



This example describes how to get the Visa Developer Center working with iHub mutual TLS. For reference see the video Visa getting started

  1. Download the cert and private key from the dev portal

  2. Run this to convert the certificate and private key to a PKCS12 file

  3. Run this to make a JKS file from the combined cert+key

  4. List the keystore to verify

The Java code examples are the source for the above steps

  1. Go to iHub settings and add the path to the jks file on the server

  2. Enter the password in the password field and click save

Troubleshooting

  1. Test that you get an OK connection using SSLPoke from Atlassian https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html

  2. Verify the cert is in the truststore

  3. Go to Logging and profiling, add a new log entry for se.rixter with DEBUG as log level, execute an iHub action and check the logs.
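As an added example (not iHub's own code, nor Atlassian's SSLPoke), the following checker covers troubleshooting step 1 for both modes above: run with only host and port it tests one-way TLS against the JVM's default truststore, and with a keystore path and password it also presents the client certificate for two-way TLS. The class name TlsCheck and the argument layout are assumptions; run it with the same JVM that Jira uses so its cacerts is the truststore being tested.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

// Added example, not part of iHub: an SSLPoke-style checker that can also present a client certificate.
// Usage: java TlsCheck <host> <port> [client-keystore-path client-keystore-password]
// Run it with the same JVM Jira uses so the default truststore (its cacerts) is the one being tested.
public class TlsCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2 && args.length != 4) {
            System.err.println("usage: TlsCheck <host> <port> [keystore keystorePassword]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        KeyManager[] keyManagers = null; // null: one-way TLS, no client certificate is offered
        if (args.length == 4) {
            // Two-way TLS: load the client cert + private key (PKCS12 or JKS; the default
            // keystore type reads both on Java 9+ because of keystore.type.compatibility).
            char[] password = args[3].toCharArray();
            KeyStore clientStore = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(args[2])) {
                clientStore.load(in, password);
            }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(clientStore, password); // key entry password assumed equal to the store password
            keyManagers = kmf.getKeyManagers();
        }
        // TrustManagers stay null so the JVM default truststore is used: the cacerts file that
        // keytool -import -trustcacerts wrote into, or -Djavax.net.ssl.trustStore if set.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, null, null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the host name, which SSLPoke skips
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("Handshake OK: " + socket.getSession().getProtocol()
                    + ", server " + socket.getSession().getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed" = server cert missing from the truststore (one-way problem);
            // a failure seen only when a client keystore is given usually means the server rejected the client cert.
            System.out.println("Handshake FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Compile with javac TlsCheck.java and run as /opt/atlassian/jira/jre/bin/java TlsCheck client.badssl.com 443 truststore_from_p12.jks badssl.com to exercise the badssl.com example above.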

Guide for SSL cert imports

https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

https://knowledge.broadcom.com/external/article/136370/create-a-keystore-using-openssl.html

https://community.developer.visa.com/t5/Tutorials/HelloWorld-java-How-to-run-Java-Sample-Code-using-the-Hello/ba-p/16058

https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.2/html/security_guide/extract_a_self-signed_certificate_from_the_keystore