This article applies to: Deskzilla 1.x-2.x, JIRA Client 1.x-2.x, and connecting to Bugzilla and JIRA servers via https://... connections.
For clarity, this article is written about JIRA Client and JIRA, but it applies to Deskzilla / Bugzilla as well.
You need to use a client SSL certificate to connect to the server. In most cases, a client certificate is not used, but some high-security configurations may require one.
When a connection is attempted to a server that requires a client certificate, it may result in the following error from JIRA Client:
Connection problem: Software caused connection abort: recv failed
JIRA Client does not have a direct way to specify a certificate. This article explains how to set up JIRA Client to use a client certificate with standard Java tools.
The server certificate, which is used by the server to authenticate the connection, may be self-signed. In that case you will also need to apply the solution for a self-signed server certificate.
The solution is to create a secure file for storing your client certificate and specify it in command-line properties for JIRA Client.
You may already have it, but if you don't, it's easy to export the certificate from your browser. (We are assuming that you can access JIRA with your browser, hence the browser does have the certificate.)
When specifying a password for the exported certificate, enter at least 6 characters, without any spaces or special characters. Otherwise you may not be able to proceed later.
To export the client certificate from Firefox, open the Tools | Options menu, Advanced tab, and click on View Certificates. Select the certificate that matches your server and click the Backup button. Enter a file name for the .p12 file, and then a backup password. Remember the backup password.
To export the client certificate from Internet Explorer, open the Tools | Internet Options dialog, Content tab, then click on the Certificates button. Find your certificate and click Export. Follow the wizard. Include the private key in the export. Select PKCS 12 format (although the extension will be PFX, you can rename it to P12). Don't include extra options. Enter a password and remember it.
As a result of this step, you should have a .p12 file, let's call it my-certificate.p12, and the password for it.
Use the "keytool" program to transform the .p12 file. Keytool may be found in <JIRA Client Install Dir>\jre\bin (C:\Program Files\JIRA Client\jre\bin), or in any Java installation on your computer.
Run the following command:
keytool -importkeystore -srckeystore c:\path\to\p12\my-certificate.p12 -srcstoretype pkcs12 -destkeystore c:\temporary\path\jiraclient.jks -deststoretype jks
Substitute the path to the exported .p12 file for c:\path\to\p12\my-certificate.p12, and any temporary directory for c:\temporary\path.
Keytool will ask for a password twice: once for the source keystore and once for the destination keystore. Enter the password you created in the previous step each time. It will be the same password for both keystores.
If the passwords are different, it may result in the same errors on the client side and the following error in the server logs:
SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE: peer did not return a certificate No CAs known to server for verification?
As a result of this step, you should have the file jiraclient.jks in a temporary directory.
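
One way to confirm that the converted keystore is usable before pointing JIRA Client at it, as an added example that is not part of the original article or of JIRA Client. It loads the JKS file and checks that every private key opens with the keystore password, which is the condition behind the same-password rule above; the class name CheckClientKeystore is hypothetical.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

// Added example (not from the article). Run: java CheckClientKeystore /path/to/jiraclient.jks
public class CheckClientKeystore {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (interactive terminal): java CheckClientKeystore <keystore.jks>");
            System.exit(2);
        }
        // Prompt for the password so it is not stored in shell history.
        char[] password = console.readPassword("Keystore password: ");

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // IOException here means a wrong store password or a damaged file
        }

        int usable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only, no private key");
                continue;
            }
            try {
                // One keyStorePassword property must open both the store and the key, so reuse it here.
                String algorithm = ks.getKey(alias, password).getAlgorithm();
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                cert.checkValidity(); // rejects expired or not-yet-valid certificates
                System.out.println(alias + ": OK, " + algorithm + " key, subject "
                        + cert.getSubjectX500Principal().getName() + ", expires " + cert.getNotAfter());
                usable++;
            } catch (UnrecoverableKeyException e) {
                System.out.println(alias + ": key password differs from the keystore password");
            } catch (CertificateException e) {
                System.out.println(alias + ": certificate is expired or not yet valid");
            }
        }
        Arrays.fill(password, '\0');
        System.exit(usable > 0 ? 0 : 1);
    }
}
```

An exit status of 0 means at least one entry holds a private key that opens with the keystore password and a currently valid certificate.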
Copy jiraclient.jks from the previous step to C:\Program Files\JIRA Client, or wherever you have JIRA Client installed.
To run JIRA Client with the client certificate, you will need to pass three additional parameters via the command line. To avoid typing them each time, you will need to modify the shortcut or script that you use to start JIRA Client.
Find the "JIRA Client" start menu item (or other shortcut that you use to launch JIRA Client), right-click on it and select Properties. The Shortcut tab will appear, with the Target field containing something like "C:\Program Files\JIRA Client\bin\jiraclient.exe".
Click on the Target field and modify it so it says
"C:\Program Files\JIRA Client\bin\jiraclient.exe" -J-Dforce.http.jre.executor=true -J-Djavax.net.ssl.keyStore=jiraclient.jks -J-Djavax.net.ssl.keyStorePassword=<your password created at step 1>
Use copy&paste from this article to avoid typos. Substitute your password in place of <your password created at step 1>.
Note the quotes in this example. Don't put additional parameters inside the quotes around the .exe file path.
Modify the "jiraclient.sh" script. Find the line that says JAVA_OPTIONS="-Xmx600m -Duse.metal=true". Modify it so it says
JAVA_OPTIONS="-Xmx600m -Duse.metal=true -Dforce.http.jre.executor=true -Djavax.net.ssl.keyStore=/path/to/jiraclient.jks -Djavax.net.ssl.keyStorePassword=<your password created at step 1>"
Note that the quotes go around the whole value. Use the full path to specify the location of jiraclient.jks.
Right-click on the JIRA Client application and select Show Package Contents. Open the Contents folder. Double-click on the Info.plist file. Plist editor should start. Open the Java section, then the Properties subsection. Use the "+" button to add the following properties:
Name | Value
---|---
force.http.jre.executor | true
javax.net.ssl.keyStore | /path/to/jiraclient.jks
javax.net.ssl.keyStorePassword | <your password created at step 1>
Use the full path to specify the location of jiraclient.jks.
If the server uses a self-signed certificate (or a certificate signed by an unknown CA), you will need to explicitly import the server's certificate into Java's trust keystore. (See instructions.) By default, the trust keystore is called cacerts and it resides in C:\Program Files\JIRA Client\jre\lib\security\cacerts. With the same method you used for setting the three properties described above, it's possible to specify a different location for cacerts: you need to set the javax.net.ssl.trustStore property to </path/to/your/cacerts>, and, if the password is not the default (changeit), set the javax.net.ssl.trustStorePassword property.
Start JIRA Client. Try to connect. If it doesn't work, double-check that
If all looks correct but it doesn't work, please contact support.