Wiki Markup |
---|
Panel |
This article applies to: Deskzilla 1.x-2.x, JIRA Client 1.x-2.x *, and connecting to Bugzilla and JIRA servers via https://... connections.
clarity, this article is written about JIRA Client and JIRA, but it applies to Deskzilla / Bugzilla as well. {panel} h3. Problem You need to use a client SSL certificate to connect to the server. In most cases, client certificate is not used. But in some high-security configurations it may be required. When a connection is attempted to a server that requires a client certificate, it may result in the following error from JIRA Client: {panel}Connection problem: Software caused connection abort: recv failed{panel} JIRA Client does not have a direct way to specify a certificate. This article explains how to set up JIRA Client for using client certificate with standard Java tools. {tip}The server certificate, which is used by the server to authenticate the connection, may be self-signed. In that case you will also need to apply the [solution for self-signed server certificate|Connecting to a Bugzilla, JIRA server with a self-signed SSL certificate].{tip} h3. Solution The solution is to create a secure file for storing your client certificate and specify it in command-line properties for JIRA Client. h4. 1. Obtain PKCS12 (.p12) file with the client certificate You may already have it, but if you don't, it's easy to export the certificate from your browser. (We are assuming that you can access JIRA with your browser, hence the browser does have the certificate.) {note}When specifying password for the exported certificate, enter *at least 6 characters*, and also *without any space or special characters*. Otherwise you may not be able to proceed later.{note} To export client certificate from *Firefox*, open Tools | Options menu, Advanced tab, and click on View Certificates. Select certificate that matches your server and click Backup button. Enter a file name for .p12 file, and then backup password. Remember backup password. To export client certificate from *Internet Explorer*, open Tools | Internet Options dialog, Content tab, then click on Certificates button. Find your certificate and click Export. Follow the wizard. Include private key in export. Select PKCS 12 format (although the extension will be PFX, you can rename it to P12). Don't include extra options. Enter password and remember it. As a result of this step, you should have .p12 file, let's call it my-certificate.p12 and the password for it. h4. 2. Create Java keystore using keytool Use "keytool" program to transform the .p12 file. Keytool may be found in <JIRA Client Install Dir>\jre\bin (C:\Program Files\JIRA Client\jre\bin), or in any Java installation on your computer. Run the following command: {code} |
Problem
You need to use a client SSL certificate to connect to the server. In most cases, client certificate is not used. But in some high-security configurations it may be required.
When a connection is attempted to a server that requires a client certificate, it may result in the following error from JIRA Client:
Panel |
---|
Connection problem: Software caused connection abort: recv failed |
JIRA Client does not have a direct way to specify a certificate. This article explains how to set up JIRA Client for using client certificate with standard Java tools.
Tip |
---|
The server certificate, which is used by the server to authenticate the connection, may be self-signed. In that case you will also need to apply the solution for self-signed server certificate. |
Solution
The solution is to create a secure file for storing your client certificate and specify it in command-line properties for JIRA Client.
1. Obtain PKCS12 (.p12) file with the client certificate
You may already have it, but if you don't, it's easy to export the certificate from your browser. (We are assuming that you can access JIRA with your browser, hence the browser does have the certificate.)
Note |
---|
When specifying password for the exported certificate, enter at least 6 characters, and also without any space or special characters. Otherwise you may not be able to proceed later. |
To export client certificate from Firefox, open Tools | Options menu, Advanced tab, and click on View Certificates. Select certificate that matches your server and click Backup button. Enter a file name for .p12 file, and then backup password. Remember backup password.
To export client certificate from Internet Explorer, open Tools | Internet Options dialog, Content tab, then click on Certificates button. Find your certificate and click Export. Follow the wizard. Include private key in export. Select PKCS 12 format (although the extension will be PFX, you can rename it to P12). Don't include extra options. Enter password and remember it.
As a result of this step, you should have .p12 file, let's call it my-certificate.p12 and the password for it.
2. Create Java keystore using keytool
Use "keytool" program to transform the .p12 file. Keytool may be found in <JIRA Client Install Dir>\jre\bin (C:\Program Files\JIRA Client\jre\bin), or in any Java installation on your computer.
Run the following command:
Code Block |
---|
keytool -importkeystore -srckeystore c:\path\to\p12\my-certificate.p12 -srcstoretype pkcs12 -destkeystore c:\temporary\path\jiraclient.jks -deststoretype jks{code}
|
Substitute
...
path
...
to
...
the
...
exported
...
.p12
...
file
...
instead
...
of
...
c:\path\to\p12\my-certificate.p12,
...
and
...
any
...
temporary
...
directory
...
instead
...
of
...
c:\temporary\path.
...
Keytool
...
will
...
ask
...
for
...
password
...
two
...
times
...
-
...
for
...
the
...
source
...
and
...
destination
...
keystores.
...
You
...
should
...
enter
...
the
...
password
...
you
...
created
...
on
...
the
...
previous
...
step
...
-
...
every
...
time.
...
It
...
will
...
be
...
the
...
same
...
password
...
for
...
both
...
key
...
stores.
...
Note | |||
---|---|---|---|
If passwords are different, it may result in the same errors on the client side and the following error in the server logs:
|
As a result of this step, you should have file jiraclient.jks
...
in
...
a
...
temporary
...
directory.
...
3.
...
Place
...
jiraclient.jks
...
into
...
installation
...
directory
...
and
...
adjust
...
shortcut
...
for
...
launching
...
JIRA
...
Client
...
Copy
...
jiraclient.jks
...
from
...
the
...
previous
...
step
...
to
...
C:\Program
...
Files\JIRA
...
Client,
...
or
...
whereever
...
you
...
have
...
JIRA
...
Client
...
installed.
...
To
...
run
...
JIRA
...
Client
...
with
...
the
...
client
...
certificate,
...
you
...
will
...
need
...
to
...
pass
...
three
...
additional
...
parameters
...
via
...
command-line.
...
To
...
avoid
...
typing
...
them
...
each
...
time,
...
you
...
will
...
need
...
to
...
modify
...
the
...
shortcut
...
or
...
script
...
that
...
you
...
use
...
to
...
start
...
JIRA
...
Client.
...
On
...
Windows
...
Find
...
"JIRA
...
Client"
...
start
...
menu
...
item
...
(or
...
other
...
shortcut
...
that
...
you
...
use
...
to
...
launch
...
JIRA
...
Client),
...
Right-Click
...
on
...
it
...
and
...
select
...
Properties
...
.
...
The
...
Shortcut
...
tab
...
will
...
appear,
...
with
...
the
...
Target
...
field
...
containing
...
something
...
like
...
"C:\Program
...
Files\JIRA
...
Client\bin\jiraclient.exe"
...
.
...
Click
...
on
...
the
...
Target
...
field
...
and
...
modify
...
it
...
so
...
it
...
says
...
Code Block |
---|
"C:\Program Files\JIRA Client\bin\jiraclient.exe" -J-Dforce.http.jre.executor=true -J-Djavax.net.ssl.keyStore=jiraclient.jks -J-Djavax.net.ssl.keyStorePassword=<your password created at step 1>{code}
|
Use
...
copy&paste
...
from
...
this
...
article
...
to
...
avoid
...
typos.
...
Substitute
...
your
...
password
...
in
...
place
...
of
...
<your
...
password
...
created
...
at
...
step
...
1>.
...
Tip |
---|
Note the quotes in this example. Don't put additional parameters inside the quotes around the .exe file path. {tip} h5. On Linux Modify |
On Linux
Modify "jiraclient.sh"
...
script.
...
Find
...
line
...
that
...
says
...
JAVA_OPTIONS="-Xmx600m
...
-Duse.metal=true"
...
.
...
Modify
...
it
...
so
...
it
...
says
...
Code Block |
---|
JAVA_OPTIONS="-Xmx600m -Duse.metal=true -Dforce.http.jre.executor=true -Djavax.net.ssl.keyStore=/path/to/jiraclient.jks -Djavax.net.ssl.keyStorePassword=<your password created at step 1>"
{code}
|
Note
...
the
...
quotes
...
are
...
around
...
all
...
the
...
line.
...
Use
...
full
...
path
...
to
...
specify
...
the
...
location
...
of
...
jiraclient.jks.
...
On
...
Mac
...
Right-click
...
on
...
JIRA
...
Client
...
application
...
and
...
select
...
Show
...
Package
...
Contents
...
.
...
Open
...
Contents
...
folder.
...
Double-click
...
on
...
the
...
Info.plist
...
file.
...
Plist
...
editor
...
should
...
start.
...
Open
...
Java
...
section,
...
then
...
Properties
...
subsection.
...
Use
...
"+"
...
button
...
to
...
add
...
the
...
following
...
properties:
...
Name | Value |
---|---|
force.http.jre.executor |
...
true |
...
javax.net.ssl.keyStore |
...
/path/to/jiraclient.jks |
...
javax.net.ssl.keyStorePassword |
...
<your |
...
password |
...
created |
...
at |
...
step |
...
1> |
...
Use
...
full
...
path
...
to
...
specify
...
the
...
location
...
of
...
jiraclient.jks.
...
Panel | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
| =
|
|
|
| }||||||||
If the server uses a self-signed certificate (or a certificate signed by an unknown CA), you will need to explicitly import server's certificate into the Java's trust keystore. (See [|Connecting to a Bugzilla, JIRA server with a self-signed SSL certificate].) By default, the trust keystore is called _cacerts _and it resides in C:\Program Files\JIRA Client\jre\lib\security\cacerts. With the same method you used for setting the three properties described above, it's possible to specify a different location for cacerts: you need to set _javax.net.ssl.trustStore _property to _</path/to/your/cacerts> _, and, if the password is not default ( _changeit _), set _javax.net.ssl.trustStorePassword _property. {panel} h4. This is it! Start JIRA Client. Try to connect. If it doesn't work, double-check that * jiraclient.jks file exists and has at least 500 bytes; * It is correctly pointed to using command-line properties; * you really launch the same shortcut / script that you have edited. If all looks correct but it doesn't work, please contact support. |
This is it!
Start JIRA Client. Try to connect. If it doesn't work, double-check that
- jiraclient.jks file exists and has at least 500 bytes;
- It is correctly pointed to using command-line properties;
- you really launch the same shortcut / script that you have edited.
If all looks correct but it doesn't work, please contact support.