
Jira Align and SSL/TLS

Purpose

This article explains some of the specifics of SSL and TLS within the Jira Align infrastructure and product.

The Jira Align infrastructure includes multiple service tiers. The Jira Align Web Application handles inbound traffic only, while the Jira Align Connectors handle outbound traffic only.

 

Outbound Requests from Jira Align Cloud / On-Prem to Your Product

For outbound requests, Jira Align only supports TLS 1.2 as the secure standard.

More specifically, these are the TLS 1.2 ciphers that Jira Align supports:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
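To check whether a Jira server or proxy can complete a handshake under the outbound constraints above, the following added example (not Atlassian's code) builds a Python client limited to TLS 1.2 and those six suites. The OpenSSL cipher names are the standard equivalents of the IANA names listed; the function names are illustrative, and the client only approximates Jira Align's behaviour.

```python
import socket
import ssl

# Outbound TLS 1.2 suites listed in this article: IANA name -> OpenSSL name.
OUTBOUND_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
}

def outbound_like_context(cafile=None, certfile=None, keyfile=None):
    """Client context limited to TLS 1.2 and the outbound suites above."""
    # Default context verifies chain, expiry and hostname (no revocation check).
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(OUTBOUND_SUITES.values()))
    if certfile:  # client certificate, for endpoints that enforce mutual TLS
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def enabled_suites(ctx):
    """OpenSSL names of the TLS 1.2 suites this context will offer."""
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"}

def shared_suites(server_iana_names):
    """Suites from a server's configured list that an outbound client could use."""
    return [n for n in server_iana_names if n in OUTBOUND_SUITES]

def probe(host, port=443, timeout=5.0, **ctx_args):
    """Handshake with host; return (protocol version, negotiated IANA suite)."""
    ctx = outbound_like_context(**ctx_args)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            openssl_name = tls.cipher()[0]
            iana = next(k for k, v in OUTBOUND_SUITES.items() if v == openssl_name)
            return tls.version(), iana
```

`probe()` raises `ssl.SSLError` when the endpoint offers no common suite or protocol, and `ssl.SSLCertVerificationError` when its certificate fails chain, expiry or hostname checks.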

 

Mutual TLS from Jira Align to Jira Server/Data Center


Figure 1.1: Example of Jira Align to Jira/Proxy with Mutual TLS

Mutual TLS goes hand-in-hand with Outbound Requests, as the client certificate is enabled by default.

The server that hosts Jira, or the Proxy in front of Jira, is responsible for enforcing Mutual TLS. The enforcer of Mutual TLS requests that Jira Align provide the Client Certificate. Jira Align then presents the client certificate as part of the handshake and uses the private key to produce the signature in the CertificateVerify message.

Jira Align requires a Trusted 3rd Party Certificate (ex: DigiCert, Sectigo, GoDaddy, etc.) to be used with Mutual TLS.

There are 3 certificate types that can be used:

  • Wildcard Jira Align Certificate, owned by Atlassian (*.jiraalign.com)

  • Non-Wildcard Jira Align Certificate, owned by Atlassian (Ex: customer.jiraalign.com )

  • Custom Certificate, owned by Customer (Ex: jiraalign.customer.com )

 

NOTE: Regarding Custom SSL Certificates that are owned by the Customer: The Customer is responsible for renewing this certificate before the expiration date, notifying us via a Jira Align Support ticket, and working with Jira Align Support to coordinate the certificate swap.

NOTE2: When generating a Customer-owned Custom certificate, please check with your Network Security Team to ensure that you are following your organization's policies and procedures.

 

Inbound Requests from End User to Jira Align

For inbound requests, Jira Align only supports TLS 1.2 as the secure standard.

More specifically, these are the TLS 1.2 ciphers that Jira Align supports:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

 

Certificate Validation

As part of certificate validation, Jira Align will validate:

  • The certificate has not expired

  • The issuer of the server/client certificate chains to a valid, trusted 3rd party CA

  • The issuer’s digital signature contained in the server certificate is valid

  • The domain name on the certificate matches the domain of the server

  • Certificate is not revoked

 
