
stash over ssl

pnelsonsr July 31, 2015

We have an internal Stash and JIRA environment working great. We decided that we want to have both of these delivered over SSL utilizing a self-signed cert. As I have looked at it, I see that the process to do each of these is slightly different. I'd prefer the process to be similar for maintenance.

Documented Stash Process In A Nutshell

  1. $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore <stash-home>/conf/stash.jks
  2. Edit <stash-home>/conf/server.xml and add:
    <Connector port="8443"
      maxHttpHeaderSize="8192"
      SSLEnabled="true"
      maxThreads="150"
      minSpareThreads="25"
      maxSpareThreads="75"
      enableLookups="false"
      disableUploadTimeout="true"
      useBodyEncodingForURI="true"
      acceptCount="100"
      scheme="https"
      secure="true"
      clientAuth="false"
      sslProtocol="TLS"
      keystoreFile="<stash-home>/conf/stash.jks" />
  3. Comment out port 7990 config
  4. Restart Stash

I'd prefer the process be more like the JIRA documentation. To wit: can I make the generated key alias "stash", then add something like the JIRA connector config parameters, modified below?

keystoreFile="<stash-home>/conf/stash.jks"
keyAlias="stash"
keystorePass="changeit"
keystoreType="JKS"

Answer accepted
gustavo_refosco
Rising Star
July 31, 2015

Hi Patrick,

Although the docs may be slightly different, you can perfectly well use the options you are mentioning. Consider that Stash, like JIRA, runs on a Tomcat platform, so these options are common to the Tomcat connector.

Regards,

Gustavo Refosco

pnelsonsr August 1, 2015

Great I'm going to work out the processes and try to implement within the next few days. I'll ping back here with the results!

pnelsonsr August 4, 2015

Does setting up ssl only on Stash and JIRA have any effect on the application connection between Stash and JIRA?

gustavo_refosco
August 4, 2015

Hi Patrick, If the Application Link is already created, it must be re-created, using the new Base URLs of both apps. You also need to make sure they'll be able to communicate via SSL, so the proper certificates need to be imported into the truststore used by each app. Regards, Gustavo Refosco

pnelsonsr August 4, 2015

Thanks Gustavo, Yes, I had the non-SSL http environment working, including application links between Stash and JIRA. I got SSL working on both JIRA and Stash, and I went to Application Links and put the new https URL in after clicking Relocate. But both now say that the link is not responding. OK, seeing I've made my big SSL change, that would make sense. But I'm not sure how to import the proper certificates to enable this communication between the two apps. You say I need to do this in the truststore (keystore?) used by each of Stash and JIRA? I'm not sure how I do that. The environment -> each app uses the keystore called /opt/atlassian-common/atlassian.jks with only one key named either stash or jira. Could you advise what I need to do to get them communicating with each other?

pnelsonsr August 4, 2015

Is the truststore different than the keystore?

pnelsonsr August 4, 2015

Say for JIRA I tried exporting the Stash cert from the Chrome browser that was connected to Stash using Export-DER cert. Then, using Portecle, I imported it as a Trusted Certificate. Then I did the Examine SSL/TLS of the Stash system port 8443 and this appeared to have worked fine, as it showed me the cert from Stash. I did the same for Stash for the JIRA connection. Then I restarted both Stash and JIRA. Checked the app links but neither connects to the https URL. BTW I can cut and paste the app links URL into a browser and it works. Next I tried the above with a cert exported from Portecle-Export-Head-DER. This also had the same result. So I think I'm still not able to get the Stash and JIRA servers to SSL with each other. What am I missing? Is the truststore different than the keystore?

gustavo_refosco
August 4, 2015

Hi Patrick, Yes, they are different. I'd like to point you to the document https://confluence.atlassian.com/display/FISHKB/PKIX+Path+Building+Failed+-+Cannot+Set+Up+Trusted+Applications+To+SSL+Services as it may help you import the certificates. It basically gives you steps on how to import your certs into your truststores. To clarify, you need to find out the JVM being used by each application, and then import the certs as needed into its truststore. You should be able to find out the JVM being used by each application in the app's Administration > Atlassian Support Tools > System Information. The default truststore for the JVM is then JAVA_HOME/jre/lib/security/cacerts - the default password for cacerts is "changeit". Regards, Gustavo Refosco

pnelsonsr August 4, 2015

I did some searching and just found out that cacerts is the truststore, and had come back hoping you had a clearer answer. You did, and with your info I hopefully will locate the truststore and import the certs. I will ping back when I have tried it!

pnelsonsr August 4, 2015

OK that did it. The SSLPoke really helped (gonna keep that one handy...). We use Oracle Java so the truststore is /usr/java/default/jre/lib/security/cacerts. I noticed that I didn't have to restart Stash and JIRA once I got the certs imported. Either exported certs work (exported in Portecle or Chrome). Thanks Gustavo!
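
The truststore import worked out in this thread, as an added shell example that is not part of the original posts: it locates the JVM's cacerts, fetches the certificate the peer presents, and imports it only if its SHA-256 fingerprint matches a value you supply. The hostname, alias, STOREPASS variable and function names are assumptions; openssl and keytool must be on the PATH.

```shell
#!/bin/sh
# Added example. Hostname, alias and fingerprint below are placeholders.

# Print the default truststore for a JAVA_HOME. Java 8 and earlier keep it at
# jre/lib/security/cacerts (the layout in this thread); JDK 9+ has no jre/ dir.
truststore_path() {
    for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# Reduce a fingerprint to bare uppercase hex so formats compare equal:
# drops an openssl-style "...Fingerprint=" label, colons and spaces.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# trust_peer HOST PORT ALIAS EXPECTED_SHA256_HEX JAVA_HOME
# Fetches the certificate HOST presents, refuses it unless its SHA-256
# fingerprint matches the value read from the peer's own keystore, then
# imports it as a trusted entry.
# Returns 2 = no truststore, 3 = fetch failed, 4 = fingerprint mismatch.
trust_peer() {
    host=$1; port=$2; cert_alias=$3; expected=$4
    store=$(truststore_path "$5") || { echo "no cacerts under $5" >&2; return 2; }
    pem=$(mktemp) || return 2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$pem" 2>/dev/null || { rm -f "$pem"; return 3; }
    actual=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$expected")" ]; then
        echo "fingerprint mismatch for $host:$port, not importing" >&2
        rm -f "$pem"; return 4
    fi
    rc=0
    keytool -importcert -noprompt -alias "$cert_alias" -file "$pem" \
        -keystore "$store" -storepass "${STOREPASS:-changeit}" || rc=$?
    rm -f "$pem"
    return "$rc"
}

# Usage on the JIRA host (run the mirror-image command on the Stash host):
#   trust_peer stash.example.internal 8443 stash "$STASH_SHA256" /usr/java/default
```

The expected fingerprint is the SHA256 hex value that keytool -list -v prints for the peer's key entry in its own keystore (/opt/atlassian-common/atlassian.jks in this thread), read on the peer host rather than over the network.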
