Mutual Client Server Authentication Broken on Gadget and Healthcheck Plugins

Our environment requires mutual client/server authentication.  There are times when Jira reaches back to itself to get information.  One of these is when you go to add gadgets and it calls to get information of them, another is during the healthcheck when the baseurl is said to be bad.

We are using the following variables in our installation for the certificates:
javax.net.ssl.trustStore
javax.net.ssl.trustStorePassword
javax.net.ssl.keyStore
javax.net.ssl.keyStorePassword

As of Jira 7.4.3, Jira's implementation of both of these uses the HttpClientBuilder (org.apache.http.impl.client.HttpClientBuilder).  In order for the HttpClientBuilder to supportthe keyStore and keyStorePassword variables the "useSystemProperties()" needs to be called during it's setup.  For some reason without specifying this, only some of the variables are supported like the trustStore/trustStorePassword variables.

Jira's implementation of the gadget plugin (atlassian-gadgets-opensocial-plugin v4.2.21) and the healthcheck plugin (plugin-jira v1.0.2 previously jira-healthcheck-plugin) does not use the "useSystemProperties()" method when building the HttpClient.  This prevents the keystore being loaded in needed for client authentication.  (Apparently the truststore is loaded in regardless, but that is a separate issue.)

Due to this, when the server tries to authenticate back to itself it does not provide it's certificate and the connection is rejected.  Therefore you get the "__MSG_gadget.activity" gadget names and invalid baseurl message from the health check plugin.

 

After taking down the two jar source files and inserting the line:

httpClientBuilder.useSystemProperties();

After line 77 (where the httpClientBuilder is intialized) in the com.atlassian.troubleshooting.jira.healthcheck.support.BaseUrlHealthCheck  class.

and After line 104 (where the httpClientBuilder is intialized) in the com.atlassian.gadgets.renderer.internal.http.HttpClientFetcher class.

and then repackaging and redeploying the jars to our server, everything is fixed.  This is too tedious to do on every update though.

 

I have seen similar issues on Atlassian's website on how to fix this issue, but none pointing to this solution.  Typically it refers to a misconfiguration of the server Jira is deployed on which is not the case here.  Would like to request this fix be applied to these classes where the HttpClientBuilder is used.

 

 

 

 

2 answers

0 votes

Hi Thomas,

Thank you for raising this issue.  I have created the Suggestion on your behalf and you can find it at JRASERVER-65887.  Please vote on the issue to add impact and you'll be notified of any changes to the ticket.

Cheers,

Branden

0 votes

We're also experiencing the same issue internally. Where did you get the source jars from for atlassian-gadgets-opensocial-plugin and plugin-jira? Did you decompile the jars?

Suggest an answer

Log in or Join to answer
Community showcase
Teodora [Botron]
Published Thursday in Marketplace Apps

Jira Inferno: The Nine Circles of Jira Administration Hell

If you spend enough time as a Jira admin - whether you are managing a single, mid-sized instance, a large enterprise one or juggling multiple instances at once - you will eventually find yourself in ...

504 views 1 15
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot