Connect JIRA Service Desk to MS SQL using Force Encryption

Hi all,

I am using JIRA Service Desk 3.5.0 and I am trying to connect to my MS SQL Server using Force Encryption. JIRA Service Desk is installed as a service on the same server as MS SQL.

The problem is that JSD doesn't connect to MS SQL when I activate Force Encryption, and my company requires me to enable "Force Encryption".

Can you help me to solve the problem?

Thanks a lot and best regards,

Ali

3 answers

0 vote

How are you enabling the encryption in the Tomcat SQL driver?

I didn't. I just activated Force Encryption in MS SQL and saw that I couldn't start JIRA Service Desk anymore.

So you told your database to accept only encrypted connections but did not tell the database user (The Tomcat running JIRA) to encrypt anything. 

You'll need to work out how to tell Tomcat to use encryption for the jtds driver.

I am sorry, I didn't know that I have to configure Tomcat. I am new to all these things. I will try to solve the problem and give my feedback. Thank you!

If anyone can help me with the configuration I would appreciate it.

 

I changed the jtds-1.3.1.jar to be able to connect with Force Encryption on with TLSv1.2 and changed the server.xml connector like this:

<Connector port="8081"
     maxHttpHeaderSize="8192" 
     maxThreads="150"
     minSpareThreads="25"
     connectionTimeout="20000"
     enableLookups="false"
     maxHttpHeaderSize="8192"
     protocol="HTTP/1.1"
     useBodyEncodingForURI="true"
     redirectPort="8443"
     acceptCount="100"
     proxyName="xxxxx.de"
     proxyPort="443"
     scheme="https"
     disableUploadTimeout="true"
     SSLEnabled="true"
     useCipherSuitesOrder="true"
     sslProtocol="TLSv1.2"
     sslEnabledProtocols = "TLSv1.2"
     secure="true"
     clientAuth="false"
     />

I also changed the dbconfig.xml (ssl=true), but unfortunately I can't connect to JIRA via browser. The atlassian.log is saying this:

**********************************************************************************
    JIRA 7.3.6 build: 73017 started. You can now access JIRA through your web browser.
    **********************************************************************************

but I just can't connect to JIRA.

Can you help me one more time?

Regards,

Ali El Banna

I have now configured the dbconfig.xml with ssl=true and replaced the jtds-1.3.1.jar file with another one to be able to do the SSLHandshake with TLSv1.2. I also wrote the following in the connector:

<Connector port="8081"
   maxHttpHeaderSize="8192" 
   maxThreads="150"
   minSpareThreads="25"
   connectionTimeout="20000"
   enableLookups="false"
   maxHttpHeaderSize="8192"
   protocol="HTTP/1.1"
   useBodyEncodingForURI="true"
   redirectPort="8443"
   acceptCount="100"
   proxyName="xxxxx"
   proxyPort="443"
   scheme="https"
   disableUploadTimeout="true"
   SSLEnabled="true"
   useCipherSuitesOrder="true"
   sslProtocol="TLSv1.2"
   sslEnabledProtocols = "TLSv1.2"
   secure="true"
   clientAuth="false"
   /> 

I think the connection is now being built successfully, but there is a problem while starting the plug-ins, as you can see in the following atlassian log:

2017-07-07 09:50:45,694 xxxxxx.de-startStop-1 INFO      [c.a.jira.startup.JiraHomeStartupCheck] The jira.home directory 'I:\Program Files\Atlassian\Application Data\JIRA' is validated and locked for exclusive use by this instance.
2017-07-07 09:50:45,798 JIRA-Bootstrap INFO      [c.a.jira.startup.JiraStartupLogger] 
    
    ****************
    JIRA starting...
    ****************
    
.
.
.

**********************************************************************************
    JIRA 7.3.6 build: 73017 started. You can now access JIRA through your web browser.
    **********************************************************************************
    
.
.
.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
 at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
 at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
 at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
 at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
 at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
 at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
 at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
 at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
 at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
 at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
 at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
 at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
 at com.atlassian.jira.plugins.healthcheck.support.BaseUrlHealthCheck.doCheck(BaseUrlHealthCheck.java:52)
 at com.atlassian.jira.plugins.healthcheck.support.AbstractSupportHealthCheck.check(AbstractSupportHealthCheck.java:23)
 at com.atlassian.support.healthcheck.impl.PluginSuppliedSupportHealthCheck.check(PluginSuppliedSupportHealthCheck.java:41)
 at com.atlassian.support.healthcheck.thread.HealthCheckCallable.call(HealthCheckCallable.java:32)
 at com.atlassian.support.healthcheck.thread.HealthCheckCallable.call(HealthCheckCallable.java:15)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
 at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
 at sun.security.validator.Validator.validate(Validator.java:260)
 at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
 at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
 ... 29 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
 at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
 at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
 ... 35 more
2017-07-07 09:53:38,104 Caesium-1-1 WARN      [c.a.a.c.hash.reader.RemoteHashingInstructionsReader] Unable to read remote instructions with key 'uid.onewayhash'.
2017-07-07 09:53:38,104 Caesium-1-1 WARN      [c.a.a.client.hash.BcryptAnalyticsEmailHasher] No instructions for hashing could be found.
2017-07-07 09:53:38,519 hipchat-plugin-tasks-executor-0 DEBUG      [c.a.activeobjects.osgi.ActiveObjectsServiceFactory] getService bundle [com.atlassian.plugins.base-hipchat-integration-plugin-api]
2017-07-07 09:54:04,885 SupportHealthCheckThread-2 WARN ServiceRunner     [c.a.j.p.healthcheck.util.SupportEolCheckUtil] Not able to retrieve the JIRA version information from MPAC
2017-07-07 09:54:04,885 SupportHealthCheckThread-2 ERROR ServiceRunner     [c.a.j.p.healthcheck.support.EolSupportHealthCheck] An error occurred when performing the EOL check, see the exceptions for more info
org.apache.http.conn.HttpHostConnectException: Connect to marketplace.atlassian.com:443 [marketplace.atlassian.com/104.192.142.45, marketplace.atlassian.com/104.192.142.44, marketplace.atlassian.com/104.192.142.43] failed: Connection timed out: connect
.
.
.
 ... 20 more
2017-07-07 10:51:38,331 Caesium-1-1 DEBUG ServiceRunner [c.a.activeobjects.osgi.ActiveObjectsServiceFactory] getService bundle [com.atlassian.plugins.authentication.atlassian-authentication-plugin]
2017-07-07 10:53:01,495 SupportHealthCheckThread-6 ERROR ServiceRunner [c.a.j.p.healthcheck.support.BaseUrlHealthCheck] An error occurred when performing the Base URL healthcheck:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
 at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
 at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
 at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
 at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
 at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
 at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
 at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
 at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
 at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
 at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
 at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
 at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
 at com.atlassian.jira.plugins.healthcheck.support.BaseUrlHealthCheck.doCheck(BaseUrlHealthCheck.java:52)
 at com.atlassian.jira.plugins.healthcheck.support.AbstractSupportHealthCheck.check(AbstractSupportHealthCheck.java:23)
 at com.atlassian.support.healthcheck.impl.PluginSuppliedSupportHealthCheck.check(PluginSuppliedSupportHealthCheck.java:41)
 at com.atlassian.support.healthcheck.thread.HealthCheckCallable.call(HealthCheckCallable.java:32)
 at com.atlassian.support.healthcheck.thread.HealthCheckCallable.call(HealthCheckCallable.java:15)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
 at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
 at sun.security.validator.Validator.validate(Validator.java:260)
 at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
 at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
 ... 29 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
 at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
 at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
 ... 35 more
.
.
.
Caused by: java.net.ConnectException: Connection timed out: connect
 at java.net.DualStackPlainSocketImpl.connect0(Native Method)
 at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79)
 at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
 at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
 at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
 at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
 at java.net.Socket.connect(Socket.java:589)
 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:337)
 at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
 ... 20 more

but I can't connect to Jira through browser.

Can someone help me?

Thanks,

Ali

>but I can't connect to Jira through browser.

That's because it is not starting.  The errors you see in the logs are preventing it. 

If I remember it right, then that error means your Certificate Authority doesn't trust your certificates.  https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html might help explain it a bit more.
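
A triage sketch for the log excerpt in this thread, added here as an example and not part of any post: it reads the stack frames under each exception to tell which layer raised it, separating a PKIX failure in the outbound HTTP client (the `BaseUrlHealthCheck` frames in the posted trace) from one raised in the jTDS database driver. The function name, the layer labels and the second sample trace are assumptions constructed for the example.

```python
import re

HEADER = re.compile(r"^([\w.$]+(?:Exception|Error)): (.*)$")
FRAME = re.compile(r"^\s+at ([\w.$<>]+)\(")
LOG_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} ")
# Package prefix -> layer label. The labels are this example's assumption.
LAYERS = [("net.sourceforge.jtds.", "database driver (jTDS)"),
          ("org.apache.http.", "outbound HTTP client")]

def classify_traces(log_text):
    """Return one dict per stack trace: exception, PKIX flag, layer, first Atlassian frame."""
    traces, cur = [], None
    for line in log_text.splitlines():
        header, frame = HEADER.match(line), FRAME.match(line)
        if LOG_LINE.match(line):
            cur = None                      # a timestamped entry ends the previous trace
        elif header:
            cur = {"exception": header.group(1),
                   "pkix": "PKIX path building failed" in header.group(2),
                   "layer": "unknown", "origin": None}
            traces.append(cur)
        elif frame and cur:
            name = frame.group(1)
            if cur["layer"] == "unknown":   # first frame from a known layer wins
                cur["layer"] = next((lbl for p, lbl in LAYERS if name.startswith(p)), "unknown")
            if cur["origin"] is None and name.startswith("com.atlassian."):
                cur["origin"] = name
    return traces

# First trace: condensed from the log in the post. Second: constructed for contrast.
SAMPLE_LOG = """\
2017-07-07 10:53:01,495 SupportHealthCheckThread-6 ERROR ServiceRunner [c.a.j.p.healthcheck.support.BaseUrlHealthCheck] An error occurred when performing the Base URL healthcheck:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
 at com.atlassian.jira.plugins.healthcheck.support.BaseUrlHealthCheck.doCheck(BaseUrlHealthCheck.java:52)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
2000-01-01 00:00:00,000 constructed-thread ERROR [constructed.Logger] constructed database failure
java.sql.SQLException: constructed message
 at net.sourceforge.jtds.jdbc.Driver.connect(Driver.java:0)
"""

if __name__ == "__main__":
    for t in classify_traces(SAMPLE_LOG):
        print(f'{t["exception"]}: layer={t["layer"]}, pkix={t["pkix"]}, origin={t["origin"]}')
```
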

I deleted it because of duplicate
