This article applies to: Deskzilla 1.x-2.x, JIRA Client 1.x-2.x, and connecting to Bugzilla and JIRA servers via https://... connections.
For clarity, this article is written about JIRA Client and JIRA, but it applies to Deskzilla / Bugzilla as well.
Problem
You need to use a client SSL certificate to connect to the server. In most cases, client certificate is not used. But in some high-security configurations it may be required.
When a connection is attempted to a server that requires a client certificate, it may result in the following error from JIRA Client:
Connection problem: Software caused connection abort: recv failed
JIRA Client does not have a direct way to specify a certificate. This article explains how to set up JIRA Client for using client certificate with standard Java tools.
The server certificate, which is used by the server to authenticate the connection, may be self-signed. In that case you will also need to apply the solution for self-signed server certificate.
Solution
The solution is to create a secure file for storing your client certificate and specify it in command-line properties for JIRA Client.
1. Obtain PKCS12 (.p12) file with the client certificate
You may already have it, but if you don't, it's easy to export the certificate from your browser. (We are assuming that you can access JIRA with your browser, hence the browser does have the certificate.)
To export client certificate from Firefox, open Tools | Options menu, Advanced tab, and click on View Certificates. Select certificate that matches your server and click Backup button. Enter a file name for .p12 file, and then backup password. Remember backup password.
To export client certificate from Internet Explorer, open Tools | Internet Options dialog, Content tab, then click on Certificates button. Find your certificate and click Export. Follow the wizard. Include private key in export. Select PKCS 12 format (although the extension will be PFX, you can rename it to P12). Don't include extra options. Enter password and remember it.
As a result of this step, you should have .p12 file, let's call it my-certificate.p12 and the password for it.
2. Create Java keystore using keytool
Use "keytool" program to transform the .p12 file. Keytool may be found in <JIRA Client Install Dir>\jre\bin (C:\Program Files\JIRA Client\jre\bin), or in any Java installation on your computer.
Run the following command:
keytool -importkeystore -srckeystore c:\path\to\p12\my-certificate.p12 -srcstoretype pkcs12 -destkeystore c:\temporary\path\jiraclient.jks -deststoretype jks
Substitute path to the exported .p12 file instead of c:\path\to\p12\my-certificate.p12, and any temporary directory instead of c:\temporary\path.
Keytool will ask for password two times - for the source and destination keystores. You should enter the password you created on the previous step - every time. It will be the same password for both key stores.
If passwords are different, it may result in the same errors on the client side and the following error in the server logs:
SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE: peer did not return a certificate No CAs known to server for verification?
As a result of this step, you should have file jiraclient.jks in a temporary directory.
3. Place jiraclient.jks into installation directory and set up command-line properties.
Copy jiraclient.jks from the previous step to C:\Program Files\JIRA Client, or whereever you have JIRA Client installed.
Then, in the same install directory, create a text file named "jiraclient.properties" (if it's already there - edit it). In jiraclient.properties, place the following lines:
force.http.jre.executor=true javax.net.ssl.keyStore=jiraclient.jks javax.net.ssl.keyStorePassword=<your password created at step 1>
For Deskzilla, the file should be named deskzilla.properties.
If the server uses a self-signed certificate (or a certificate signed by an unknown CA), you will need to explicitly import server's certificate into the Java's trust keystore. (See instructions.) By default, the trust keystore is called cacerts and it resides in C:\Program Files\JIRA Client\jre\lib\security\cacerts. Using jiraclient.properties, it's possible to specify a different location for cacerts using the following line:
javax.net.ssl.trustStore=c:/path/to/cacerts
If you have to write character "\" in jiraclient.properties file, use double-backslash "
" for each backslash you need to have in the resulting value.
This is it!
Start JIRA Client. Try to connect. If it doesn't work, double-check that
- jiraclient.jks file exists and has at least 500 bytes;
- cacerts contains your server's certificate (use keytool -list -keystore cacerts and look for alias my_jira_server);
If all looks correct but it doesn't work, please contact support.