P4DTG JIRA SSL Support

Problem

You can connect a JIRA defect tracking source to a secure JIRA server by using the secure (https) URL.

You must use the full https URL in P4DTG's server field.

For the JIRA-REST plugin, use:
 
    https://<jira-host:port>/

For the old JIRA (SOAP based) plugin, use:
 
    https://<jira-host:port>/rpc/soap/jirasoapservice-v2

Solution

Troubleshooting Connection Failure

Failure to connect to the JIRA https source results in the same generic error as a non-SSL connection failure: 

Unable to connect to server:
Unable to open connection to JIRA. Please make sure Java (JRE/JDK) 
is installed and the JIRA server URL, username and password are correct.
 
  1. First, verify that you can connect to the https JIRA URL in your browser when specifying the port number. For example:

https://<JIRA name>:443
https://<JIRA name>:8443

You will need the port for the urltester lines below.
  2. Next, use the test program to connect to your secure JIRA URL. Save and run this program from the same environment and directory that the P4DTG replication process runs from. The jar can be obtained here: https://swarm.workshop.perforce.com/files/guest/joel_brown/urltester/dist

This sample program opens a connection, just like the P4DTG JIRA plug-in, and prints the information retrieved from that URL.

A successful result for the JIRA-REST URL test is pages of HTML code (and not a Java exception):
 
C:\client\src\urltester\dist>java -jar urltester.jar https://jira.perforce.com:8443/
Connecting to https://jira.perforce.com:8443/:

<!DOCTYPE html>
<html lang="en">
<head>
...

An example with a successful result for the SOAP url:

$ java -jar urltester.jar https://jirahost/rpc/soap/jirasoapservice-v2
<h1>jirasoapservice-v2</h1>
<p>Hi there, this is an AXIS service!</p>
<i>Perhaps there will be a form for invoking the service here...</i>


Should you need to pass any additional properties to this Java program, such as the keystore location and password, you must also give these properties to the JIRA plug-in. This is done by editing your JIRA Defect Tracking Source with the "Edit attributes..." button. A sample is shown below.
 

Common Exceptions

1) Exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present 

This typically means the host name in your https URL does not match the host name in the Certificate.  For your URL, use the same host name as present in the JIRA web server's Certificate. 

2) Exception: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty 

Double check your javax.net.ssl.trustStore and javax.net.ssl.keyStore values. 

3) Exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

The JIRA web server's certificate is not trusted.  Import the certificate into your truststore. 
 
4) Exception:  javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake 
and Caused by: java.io.EOFException: SSL peer shut down incorrectly
 
This can also be caused by an untrusted server certificate.  Import the certificate into your truststore.
 
5) Exception:  unable to find valid certification path to requested
 
This can also be caused by an untrusted server certificate.  Import the certificate into your truststore. 

6) Exception: Exception in thread "main" java.net.ConnectException: Connection timed out: connect
  at java.net.DualStackPlainSocketImpl.connect(Native Method)

  <snip>

This may be an incorrect port. Open your browser and insert the port number, such as 443.
Use a port number that does not time out. For example, if 443 does not time out, but 8443 does time out, specify 443 when you run the urltester command.

https://<JIRA name>:443
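
The cases above can be told apart with a small connection check. The following is an added example, not Perforce's urltester and not P4DTG code; the class name TlsDiag is hypothetical. It inspects the store named by javax.net.ssl.trustStore (if set), attempts the https connection, prints the server certificate's subject and subject alternative names on success, and otherwise maps the exception chain onto the cases listed above.

```java
import java.io.File;
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
// Added example: TlsDiag is a hypothetical name, not part of P4DTG or urltester.
public class TlsDiag {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) { System.err.println("usage: java TlsDiag <https-url>"); return; }
        String ts = System.getProperty("javax.net.ssl.trustStore");
        if (ts == null) System.out.println("trustStore not set; JRE default store is used");
        else checkTrustStore(new File(ts), System.getProperty("javax.net.ssl.trustStorePassword"));
        HttpsURLConnection c = (HttpsURLConnection) new URL(args[0]).openConnection();
        c.setConnectTimeout(10_000);
        try {
            c.connect();   // TLS handshake and certificate validation happen here
            X509Certificate leaf = (X509Certificate) c.getServerCertificates()[0];
            System.out.println("Handshake OK, HTTP " + c.getResponseCode());
            System.out.println("Subject: " + leaf.getSubjectX500Principal().getName()
                    + "\nSANs:    " + leaf.getSubjectAlternativeNames()); // null if none
        } catch (Exception e) {
            System.out.println(e + "\nLikely cause: " + diagnose(e));
        }
    }

    static void checkTrustStore(File f, String pw) {
        if (!f.isFile()) { System.out.println("trustStore missing: " + f.getAbsolutePath()); return; }
        try (FileInputStream in = new FileInputStream(f)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, pw == null ? null : pw.toCharArray());
            System.out.println(f + ": " + ks.size() + " entries " + Collections.list(ks.aliases()));
        } catch (Exception e) {
            System.out.println("trustStore unreadable (wrong password or format?): " + e);
        }
    }

    // Maps the exception chain onto the cases listed in this article.
    static String diagnose(Throwable e) {
        String s = "";
        for (Throwable t = e; t != null; t = t.getCause()) s += t + "\n";
        if (s.contains("No subject alternative names")) return "URL host name differs from the certificate's";
        if (s.contains("trustAnchors parameter must be non-empty")) return "trustStore/keyStore value is wrong";
        if (s.contains("unable to find valid certification path")
                || s.contains("closed connection during handshake")) return "certificate not trusted; import it";
        if (s.toLowerCase().contains("timed out")) return "possibly an incorrect port";
        return "not one of the cases listed in this article";
    }
}
```

Compile with javac and run it from the same environment as the replication process, passing the same -D properties you would give urltester.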
 

Common Certificate Related Java Properties

You may receive this error in P4DTG:

Perforce Defect Tracking Gateway

Unable to connect to server:
Unable to connect to the JIRA plugin: Error occurred while logging into the JIRA
server.  Please make sure the JIRA server URL, username and password are correct.
Failure initializing default SSL context

If you use a certificate that is not from a trusted Certificate Authority, you will need to import that certificate into your Java installation's default store or create another store with the certificate. You can point to the alternate trust store using these properties:

javax.net.ssl.trustStore=<truststore file>
javax.net.ssl.trustStorePassword=<password>

See "Import Certificate Into your TrustStore" below.
 

Import Certificate Into your TrustStore

The following is a sample of how you can add your JIRA site's certificate to a Java trustStore. Note that you might have to adjust this procedure for your p4dtg platform and Java installation.

The trustStore file resides on your p4dtg machine. 

1.  Get your Site's Certificate

Firefox instructions:
  1. Navigate to your JIRA https site in the browser.
  2. Click the secure lock icon to the left of the site address
  3. Dialog appears: click the right arrow, then click "More Information" (Chrome: click details)
  4. On the Page Info dialog, security tab, website Identity, click View Certificate
  5. On the certificate viewer dialog, go to the Details tab. Select your site's cert (the bottom one) and click Export button (Chrome: click Copy to File, use DER encoding).
  6. Select a file name and finish the export. 
Chrome instructions:
  1. Navigate to your JIRA https site in Chrome.
  2. Click the secure lock icon just to the left of the URL.
  3. Note the name of your JIRA server and the words "Your connection to this server is private."  Click Details.
  4. Under Security Overview, click View Certificate.
  5. On the certificate viewer dialog, go to the Details tab. Select your site's cert (scroll down to the bottom one) and click the Export button. Save it as a file in DER encoding under a name you choose. Save it as a .cer file or .crt file, for example, jira.perforce.com.crt.

2.   Import the Certificate into a TrustStore

Recommended:   Create a new trustStore file so that you don't have to be concerned with java upgrades altering the default truststore location.

For this example, I exported to file jira.perforce.com.crt in directory c:\p4dtg with password changeit.

cd /D c:\p4dtg
keytool -import -file jira.perforce.com.crt -alias JiraAlias -keystore truststore.ts -storepass changeit


This creates the file c:\p4dtg\truststore.ts with password 'changeit'.

Another example:

cd <directory with name.cer>
"C:\Program Files\Java\jdk1.8.0_102\bin\keytool.exe" -import -file name.cer -alias JiraAlias2 -keystore truststore.ts -storepass changeit

 

3.  Test your new TrustStore

Run the urltester test while pointing at your truststore:

java -Djavax.net.ssl.trustStore=c:\p4dtg\truststore.ts -Djavax.net.ssl.trustStorePassword=changeit -jar urltester.jar https://jira.perforce.com:8443/

If you see HTML output and not an exception, continue. 
 

4.  Define the TrustStore Attributes for JIRA's Source

Add the same two -D Java system properties from your test above to your "Java Options" on the JIRA source's attributes page. For the trustStore, use the full path to the file. See "Specify Additional Connection Properties in P4DTG" below.

Advanced: Edit your JIRA source's src-<JIRA>.xml file. Add the Attributes element as a child of the DataSource element.
    <DataSource .......>
        <Attributes>
            <DataAttr
                name="java_opts"
                value="-Xms128m -Xmx768m -Djavax.net.ssl.trustStore=c:\p4dtg\truststore.ts -Djavax.net.ssl.trustStorePassword=changeit" />
        </Attributes>
    </DataSource>

5. Specify Additional Connection Properties in P4DTG

Properties such as keyStore and trustStore are specified by editing your JIRA Defect Tracking Source: click the "Edit attributes..." button, then add your properties to the Java Options attribute. Individual Java options should be space delimited, with properties preceded by "-D".

For example, "-Djavax.net.ssl.trustStorePassword=changeme".

Example of where to set alternate Java Options


For example, in the Java options you would add:

-Djavax.net.ssl.trustStore="C:\Users\UserName\Documents\truststore.ts" -Djavax.net.ssl.trustStorePassword=password

