This article applies to: Deskzilla 1.x-2.x, JIRA Client 1.x-2.x, and connecting to Bugzilla and JIRA servers via https://... connections. |
You need to use a client SSL certificate to connect to the server. In most cases, client certificate is not used. But in some high-security configurations it may be required.
When a connection is attempted to a server that requires a client certificate, it may result in the following error from JIRA Client:
Connection problem: Software caused connection abort: recv failed |
JIRA Client does not have a direct way to specify a certificate. This article explains how to set up JIRA Client for using client certificate with standard Java tools.
The server certificate, which is used by the server to authenticate the connection, may be self-signed. In that case you will also need to apply the solution for self-signed server certificate. |
The solution is to create a secure file for storing your client certificate and specify it in command-line properties for JIRA Client.
You may already have it, but if you don't, it's easy to export the certificate from your browser. (We are assuming that you can access JIRA with your browser, hence the browser does have the certificate.)
To export client certificate from Firefox, open Tools | Options menu, Advanced tab, and click on View Certificates. Select certificate that matches your server and click Backup button. Enter a file name for .p12 file, and then backup password. Remember backup password.
To export client certificate from Internet Explorer, open Tools | Internet Options dialog, Content tab, then click on Certificates button. Find your certificate and click Export. Follow the wizard. Include private key in export. Select PKCS 12 format (although the extension will be PFX, you can rename it to P12). Don't include extra options. Enter password and remember it.
As a result of this step, you should have .p12 file, let's call it my-certificate.p12 and the password for it.
Use "keytool" program to transform the .p12 file. Keytool may be found in <JIRA Client Install Dir>\jre\bin (C:\Program Files\JIRA Client\jre\bin), or in any Java installation on your computer.
Run the following command:
keytool -importkeystore -srckeystore c:\path\to\p12\my-certificate.p12 -srcstoretype pkcs12 -destkeystore c:\temporary\path\jiraclient.jks -deststoretype jks |
Substitute path to the exported .p12 file instead of c:\path\to\p12\my-certificate.p12, and any temporary directory instead of c:\temporary\path.
Keytool will ask for password two times - for the source and destination keystores. You should enter the password you created on the previous step - every time. It will be the same password for both key stores.
If passwords are different, it may result in the same errors on the client side and the following error in the server logs:
|
As a result of this step, you should have file jiraclient.jks in a temporary directory.
Copy jiraclient.jks from the previous step to C:\Program Files\JIRA Client, or whereever you have JIRA Client installed.
Then, in the same install directory, create a text file named "jiraclient.properties" (if it's already there - edit it). In jiraclient.properties, place the following lines:
force.http.jre.executor=true javax.net.ssl.keyStore=jiraclient.jks javax.net.ssl.keyStorePassword=<your password created at step 1> |
For Deskzilla, the file should be named deskzilla.properties. |
If the server uses a self-signed certificate (or a certificate signed by an unknown CA), you will need to explicitly import server's certificate into the Java's trust keystore. (See instructions.) By default, the trust keystore is called cacerts and it resides in C:\Program Files\JIRA Client\jre\lib\security\cacerts. Using jiraclient.properties, it's possible to specify a different location for cacerts using the following line:
|
If you have to write character "\" in jiraclient.properties file, use double-backslash " |
Start JIRA Client. Try to connect. If it doesn't work, double-check that
If all looks correct but it doesn't work, please contact support.