Mutual Client Server Authentication Broken on Gadget and Healthcheck Plugins

Our environment requires mutual client/server authentication.  There are times when Jira reaches back to itself to get information.  One of these is when you go to add gadgets and it calls to get information of them, another is during the healthcheck when the baseurl is said to be bad.

We are using the following variables in our installation for the certificates:
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
javax.net.ssl.keyStore
javax.net.ssl.keyStorePassword

As of Jira 7.4.3, Jira's implementation of both of these uses the HttpClientBuilder (org.apache.http.impl.client.HttpClientBuilder).  In order for the HttpClientBuilder to supportthe keyStore and keyStorePassword variables the "useSystemProperties()" needs to be called during it's setup.  For some reason without specifying this, only some of the variables are supported like the trustStore/trustStorePassword variables.

Jira's implementation of the gadget plugin (atlassian-gadgets-opensocial-plugin v4.2.21) and the healthcheck plugin (plugin-jira v1.0.2 previously jira-healthcheck-plugin) does not use the "useSystemProperties()" method when building the HttpClient.  This prevents the keystore being loaded in needed for client authentication.  (Apparently the truststore is loaded in regardless, but that is a separate issue.)

Due to this, when the server tries to authenticate back to itself it does not provide it's certificate and the connection is rejected.  Therefore you get the "__MSG_gadget.activity" gadget names and invalid baseurl message from the health check plugin.

 

After taking down the two jar source files and inserting the line:

httpClientBuilder.useSystemProperties();

After line 77 (where the httpClientBuilder is intialized) in the com.atlassian.troubleshooting.jira.healthcheck.support.BaseUrlHealthCheck  class.

and After line 104 (where the httpClientBuilder is intialized) in the com.atlassian.gadgets.renderer.internal.http.HttpClientFetcher class.

and then repackaging and redeploying the jars to our server, everything is fixed.  This is too tedious to do on every update though.

 

I have seen similar issues on Atlassian's website on how to fix this issue, but none pointing to this solution.  Typically it refers to a misconfiguration of the server Jira is deployed on which is not the case here.  Would like to request this fix be applied to these classes where the HttpClientBuilder is used.

 

 

 

 

2 answers

This widget could not be displayed.

Hi Thomas,

Thank you for raising this issue.  I have created the Suggestion on your behalf and you can find it at JRASERVER-65887.  Please vote on the issue to add impact and you'll be notified of any changes to the ticket.

Cheers,

Branden

This widget could not be displayed.

We're also experiencing the same issue internally. Where did you get the source jars from for atlassian-gadgets-opensocial-plugin and plugin-jira? Did you decompile the jars?

Sorry, just saw this.  If you didn't find them already, when you pull down the Jira source, they have a folder called dependencySources in there.  There they have all the source jars for the plugin jars.

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Tuesday in Jira

What modern development practices are at the heart of how your team delivers software?

Hey Community mates! Claire here from the Software Product Marketing team. We all know software development changes rapidly, and it's often tough to keep up. But from our research, we've found the h...

149 views 1 3
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you