Using SSH Between FishEye And Your BitBucket Server

In this post I’m going to cover using SSH between FishEye and your BitBucket server. When you configure BitBucket Server you have the option to enable SSH and HTTPS connections. Although you can use BitBucket without SSH, there are scenarios where it is better to use SSH; one of them is connecting BitBucket and FishEye.

If you use HTTPS-only connections with FishEye you will experience the following problems:

  • You won’t see the repositories it discovered automatically in the BitBucket Repositories tab. When you add an Application Link to BitBucket and enable SSH, it will automatically scan the repositories and show them here. Technically you can live without this functionality and manually add the repositories using Native Repository access, but that is more involved.
  • If you add a repository link using HTTPS, the user name and password are stored in plain text in the config.xml file of your FishEye instance. If you use SSH, only the name of the key is stored.

Security
I was pleasantly surprised to find out an SSH server is already bundled with BitBucket, and if you have an existing SSH service already running, this one should not interfere with it. I was also wary of opening up even more ports on our servers for security reasons, but it looks like the bundled SSH server is locked down pretty well: you can’t use it to execute arbitrary SSH commands and it is not open to existing users on the system. You can read more here in the official documentation.

Keys
The keys are generated automatically if you have the application link between FishEye and BitBucket configured. When you see the repository in the BitBucket Server repositories list, click on the Add button. The repository will now show Added next to its name and it will also appear in the Native repository access list. You can confirm this in FishEye by clicking on the repository name, and in BitBucket by clicking on the cog icon in the repository.

[Screenshots: FishEye, BitBucket]

NOTE: Make sure you choose the correct option when you install Git on your FishEye server and confirm that you can run ssh.exe and git.exe from the command prompt. If it doesn’t work, check your PATH variable and try restarting the FishEye service to pick up the changed PATH. You can specify the path to git.exe in FishEye but not the path to ssh.exe; FishEye must be able to find ssh.exe on the PATH.

If this isn’t configured properly you will receive errors in FishEye that it can’t find the ssh executable.

Francois Delport

Setup SSL In JIRA With An Existing SSL Certificate

In this post I’m going to show you how to set up SSL in JIRA with an existing SSL certificate.

If you set up SSL in JIRA from scratch by requesting a new certificate, the official instructions work well, but when you have an existing certificate the instructions are not very clear, especially to someone who is not familiar with Java and Tomcat. If you read further down in the comments and google a bit you can piece it together, but I want to bring it all together in a single post to make it easier next time I have to do it. These instructions are for Windows but should work for any OS since the tools used are ports from Linux anyway.

Tools

Before we start you’ll need a few things:

  1. If you want to know what .pem, pkcs12 and .key files are please read this first.
  2. Your SSL certificate, private key pair and the password that was used to create the private key. If you received them as text in an email instead of file attachments, you can copy and paste them into separate files, but remember to include the -----BEGIN ***----- and -----END ***----- parts for the certificate and the private key. The extension does not really matter when you run the tools, but I named mine .key and .pem to make it easier.
  3. OpenSSL: You can download it from SourceForge.
  4. Java JRE: You will have this one already since it is part of the JIRA installation. In my case it was in C:\Program Files\Atlassian\JIRA\jre\bin\ and the tool you need is keytool.exe.
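A pre-flight check for the pasted files in item 2, as an added example that is not part of the original post: it reports markers damaged by typographic dashes, unmatched BEGIN/END markers and bodies that are not valid base64, and it tells you whether a key block is password-protected. The function name `check_pem` and the sample text are assumptions made for this illustration.

```python
import base64
import binascii
import re

FANCY_DASHES = "\u2013\u2014\u2212"  # en dash, em dash, minus sign
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")


def check_pem(text):
    """Return (blocks, problems) for PEM text pasted into a file.

    blocks:   (label, encrypted, decoded_length) for each well-formed block
    problems: defects that stop openssl from reading the file
    """
    blocks, problems = [], []
    label, body, encrypted = None, [], False
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        begin = BEGIN_RE.match(line)
        if ("BEGIN" in line or "END" in line) and any(d in line for d in FANCY_DASHES):
            problems.append(f"line {num}: typographic dash in marker, use ASCII '-----'")
        elif begin:
            if label:
                problems.append(f"line {num}: new BEGIN before END {label}")
            label, body = begin.group(1), []
            encrypted = "ENCRYPTED" in label
        elif line.startswith("-----END "):
            if line != f"-----END {label}-----":
                problems.append(f"line {num}: END marker does not match a BEGIN")
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                    blocks.append((label, encrypted, len(der)))
                except binascii.Error:
                    problems.append(f"line {num}: body of {label} is not valid base64")
            label = None
        elif label and ":" in line:
            # Legacy header such as "Proc-Type: 4,ENCRYPTED" on a password-protected key
            encrypted = encrypted or "ENCRYPTED" in line
        elif label and line:
            body.append(line)
    if label:
        problems.append(f"missing END marker for {label}")
    return blocks, problems


if __name__ == "__main__":
    # Constructed sample: placeholder base64, not a real certificate
    sample = "\u2014BEGIN CERTIFICATE\u2014\nQUJDRA==\n-----END CERTIFICATE-----\n"
    print(check_pem(sample))
```

An `encrypted` value of True on the key block means the tools will prompt for the private key password mentioned in item 2.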

Steps

Export your certificate to pkcs12, the format the Java keytool understands. You will find openssl in C:\Program Files (x86)\GnuWin32\bin. Run openssl.exe to get the openssl command prompt, then run:

pkcs12 -export -in c:\cert\your_ssl.pem -inkey c:\cert\your_keyfile.key -out newfile.p12 -name alias

The alias is optional; if you don’t provide one, the tool will assign a number as the alias, starting from 1. If you want to see the alias for existing files, have a look at the command line parameters for openssl. You will be prompted for the password used to generate the private key pair. If successful, you will see newfile.p12 created in the output folder.

The next step is to create the Java keystore; I called this one jira.jks.

"%java_home%\bin\keytool.exe" -importkeystore -srckeystore newfile.p12 -destkeystore jira.jks -srcstoretype pkcs12 -alias alias

You will be prompted to create a new password for this keystore and then you will be prompted for the private key password used to create the exported certificate. It is important to use the private key password as the new password for this keystore, or else JIRA will complain; an example of the error message is below.

[Screenshot: JIRA error message]

Now you can configure JIRA to use this Java keystore for SSL by running config.bat, which is located in the bin folder of your JIRA installation.

If you want to have a look at what is inside existing Java keystore certificates, you can use openssl.exe to view them or you can use Portecle if you prefer a GUI.

Side Note: To manually configure a Tomcat connector for SSL, edit <tomcat_dir>/conf/server.xml and add the following:

<Connector port="8443" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" keystoreFile="path/to/your/keystore" keystorePass="YourKeystorePassword" clientAuth="false" keyAlias="alias" sslProtocol="TLS"/>
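The Connector above keeps the keystore password in cleartext in server.xml, the same exposure the FishEye post describes for HTTPS repository credentials in config.xml. The following is an added example, not code from the original posts, that lists where such secrets sit in an XML config file without printing their values. The function name and the repository fragment are assumptions: the fragment's element and attribute names are hypothetical and do not reproduce FishEye's real config.xml schema.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Attribute names that normally hold a secret (keystorePass, password, ...)
SECRET_ATTR = re.compile(r"pass(word|wd)?$|secret", re.IGNORECASE)

# The Connector from this post, wrapped so it parses as a document
TOMCAT_SAMPLE = """<Server><Service name="Catalina">
<Connector port="8443" maxThreads="150" scheme="https" secure="true"
  SSLEnabled="true" keystoreFile="path/to/your/keystore"
  keystorePass="YourKeystorePassword" clientAuth="false" keyAlias="alias"
  sslProtocol="TLS"/>
</Service></Server>"""

# Constructed fragment; element and attribute names are hypothetical,
# not FishEye's real config.xml schema
REPO_SAMPLE = """<config>
<repo name="over-https" url="https://svc:s3cret@bitbucket.example/scm/p/r.git"/>
<repo name="with-auth" url="https://bitbucket.example/scm/p/r.git">
  <auth username="svc" password="s3cret"/>
</repo>
<repo name="over-ssh" url="ssh://git@bitbucket.example:7999/p/r.git" key="fisheye-key"/>
</config>"""


def find_cleartext_secrets(xml_text):
    """Return sorted (tag, attribute, reason); secret values are never returned."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for name, value in elem.attrib.items():
            if not value:
                continue
            if SECRET_ATTR.search(name):
                findings.append((elem.tag, name, "cleartext password attribute"))
            elif "://" in value and urlsplit(value).password:
                findings.append((elem.tag, name, "password embedded in URL"))
    return sorted(findings)


if __name__ == "__main__":
    for sample in (TOMCAT_SAMPLE, REPO_SAMPLE):
        for finding in find_cleartext_secrets(sample):
            print(finding)
```

Any file that produces findings should be readable only by the account that runs the service.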

Tip: I had endless trouble creating application links between JIRA and BitBucket with SSL enabled. BitBucket was able to use the JIRA user directory but application links were throwing certificate errors and HTTP 500 errors on the application links screen. In the end I had to change JIRA to use port 443 instead of 8443 and it solved the problem.

Francois Delport