
Connect JIRA Service Desk to MS SQL using Force Encryption

Ali El Banna July 5, 2017

Hi all,

I am using JIRA Service Desk 3.5.0 and I am trying to connect to my MS SQL Server using Force Encryption. JIRA Service Desk is installed as a service on the same server as MS SQL.

The problem is that JSD doesn't connect to the MS SQL when I activate Force Encryption, and my company requires me to enable "Force Encryption".

Can you help me to solve the problem?

Thanks a lot and best regards,

Ali

3 answers

0 votes
Ali El Banna July 7, 2017

I deleted it because of duplicate

0 votes
Ali El Banna July 7, 2017

I have now configured the dbconfig.xml with ssl=true and replaced the jtds-1.3.1.jar file with another one to be able to do the SSLHandshake with TLSv1.2. I also wrote the following in the connector:

<Connector port="8081"
   maxHttpHeaderSize="8192"
   maxThreads="150"
   minSpareThreads="25"
   connectionTimeout="20000"
   enableLookups="false"
   protocol="HTTP/1.1"
   useBodyEncodingForURI="true"
   redirectPort="8443"
   acceptCount="100"
   proxyName="xxxxx"
   proxyPort="443"
   scheme="https"
   disableUploadTimeout="true"
   SSLEnabled="true"
   useCipherSuitesOrder="true"
   sslProtocol="TLSv1.2"
   sslEnabledProtocols = "TLSv1.2"
   secure="true"
   clientAuth="false"
   />

I think the connection is now being established successfully, but there is a problem while starting the plug-ins, as you can see in the following atlassian log:

2017-07-07 09:50:45,694 xxxxxx.de-startStop-1 INFO      [c.a.jira.startup.JiraHomeStartupCheck] The jira.home directory 'I:\Program Files\Atlassian\Application Data\JIRA' is validated and locked for exclusive use by this instance.
2017-07-07 09:50:45,798 JIRA-Bootstrap INFO      [c.a.jira.startup.JiraStartupLogger] 
    
    ****************
    JIRA starting...
    ****************
    
.
.
.

**********************************************************************************
    JIRA 7.3.6 build: 73017 started. You can now access JIRA through your web browser.
    **********************************************************************************
    
.
.
.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
 at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
 at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
 at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
 at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
 at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
 at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
 at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
 at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
 at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
 at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
 at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
 at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
 at com.atlassian.jira.plugins.healthcheck.support.BaseUrlHealthCheck.doCheck(BaseUrlHealthCheck.java:52)
 at com.atlassian.jira.plugins.healthcheck.support.AbstractSupportHealthCheck.check(AbstractSupportHealthCheck.java:23)
 at com.atlassian.support.healthcheck.impl.PluginSuppliedSupportHealthCheck.check(PluginSuppliedSupportHealthCheck.java:41)
 at com.atlassian.support.healthcheck.thread.HealthCheckCallable.call(HealthCheckCallable.java:32)
 at com.atlassian.support.healthcheck.thread.HealthCheckCallable.call(HealthCheckCallable.java:15)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
 at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
 at sun.security.validator.Validator.validate(Validator.java:260)
 at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
 at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
 ... 29 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
 at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
 at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
 ... 35 more
2017-07-07 09:53:38,104 Caesium-1-1 WARN      [c.a.a.c.hash.reader.RemoteHashingInstructionsReader] Unable to read remote instructions with key 'uid.onewayhash'.
2017-07-07 09:53:38,104 Caesium-1-1 WARN      [c.a.a.client.hash.BcryptAnalyticsEmailHasher] No instructions for hashing could be found.
2017-07-07 09:53:38,519 hipchat-plugin-tasks-executor-0 DEBUG      [c.a.activeobjects.osgi.ActiveObjectsServiceFactory] getService bundle [com.atlassian.plugins.base-hipchat-integration-plugin-api]
2017-07-07 09:54:04,885 SupportHealthCheckThread-2 WARN ServiceRunner     [c.a.j.p.healthcheck.util.SupportEolCheckUtil] Not able to retrieve the JIRA version information from MPAC
2017-07-07 09:54:04,885 SupportHealthCheckThread-2 ERROR ServiceRunner     [c.a.j.p.healthcheck.support.EolSupportHealthCheck] An error occurred when performing the EOL check, see the exceptions for more info
org.apache.http.conn.HttpHostConnectException: Connect to marketplace.atlassian.com:443 [marketplace.atlassian.com/104.192.142.45, marketplace.atlassian.com/104.192.142.44, marketplace.atlassian.com/104.192.142.43] failed: Connection timed out: connect
.
.
.
... 20 more
2017-07-07 10:51:38,331 Caesium-1-1 DEBUG ServiceRunner [c.a.activeobjects.osgi.ActiveObjectsServiceFactory] getService bundle [com.atlassian.plugins.authentication.atlassian-authentication-plugin]
2017-07-07 10:53:01,495 SupportHealthCheckThread-6 ERROR ServiceRunner [c.a.j.p.healthcheck.support.BaseUrlHealthCheck] An error occurred when performing the Base URL healthcheck:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
 at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
 at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
 at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
 at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
 at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
 at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
 at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
 at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
 at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
 at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
 at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
 at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
 at com.atlassian.jira.plugins.healthcheck.support.BaseUrlHealthCheck.doCheck(BaseUrlHealthCheck.java:52)
 at com.atlassian.jira.plugins.healthcheck.support.AbstractSupportHealthCheck.check(AbstractSupportHealthCheck.java:23)
 at com.atlassian.support.healthcheck.impl.PluginSuppliedSupportHealthCheck.check(PluginSuppliedSupportHealthCheck.java:41)
 at com.atlassian.support.healthcheck.thread.HealthCheckCallable.call(HealthCheckCallable.java:32)
 at com.atlassian.support.healthcheck.thread.HealthCheckCallable.call(HealthCheckCallable.java:15)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
 at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
 at sun.security.validator.Validator.validate(Validator.java:260)
 at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
 at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
 ... 29 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
 at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
 at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
 ... 35 more
.
.
.
Caused by: java.net.ConnectException: Connection timed out: connect
 at java.net.DualStackPlainSocketImpl.connect0(Native Method)
 at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79)
 at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
 at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
 at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
 at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
 at java.net.Socket.connect(Socket.java:589)
 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:337)
 at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
 ... 20 more

but I can't connect to Jira through browser.

Can someone help me?

Thanks,

Ali

Nic Brough -Adaptavist-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 7, 2017

>but I can't connect to Jira through browser.

That's because it is not starting.  The errors you see in the logs are preventing it. 

If I remember it right, then that error means your Certificate Authority doesn't trust your certificates.  https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html might help explain it a bit more.
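A Java stack trace records which component opened the TLS connection that failed, which tells you whose certificate chain the JVM truststore is missing. The following Python is an added example, not part of the thread or of JIRA: it groups a log into top-level exceptions, classifies each one, and reports the first caller outside the JDK and Apache HttpClient. The names `triage` and `from_db_driver` are illustrative, and the sample log is abridged from the excerpt quoted above.

```python
import re

LIB_PREFIXES = ("java.", "javax.", "sun.", "org.apache.http.")  # JDK and HTTP client frames
FRAME = re.compile(r"^\s+at ([\w.$]+)\.[\w$<>]+\(")
HEAD = re.compile(r"^([\w.$]+(?:Exception|Error)): (.*)")

# Constructed sample: abridged from the atlassian log excerpt quoted in the thread.
SAMPLE_LOG = """\
2017-07-07 09:54:04,885 SupportHealthCheckThread-2 ERROR ServiceRunner [c.a.j.p.healthcheck.support.EolSupportHealthCheck] An error occurred when performing the EOL check, see the exceptions for more info
org.apache.http.conn.HttpHostConnectException: Connect to marketplace.atlassian.com:443 failed: Connection timed out: connect
 at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
 ... 20 more
2017-07-07 10:53:01,495 SupportHealthCheckThread-6 ERROR ServiceRunner [c.a.j.p.healthcheck.support.BaseUrlHealthCheck] An error occurred when performing the Base URL healthcheck:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
 at com.atlassian.jira.plugins.healthcheck.support.BaseUrlHealthCheck.doCheck(BaseUrlHealthCheck.java:52)
 at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
 ... 29 more
"""

def triage(log_text):
    """Return one dict per top-level exception: type, failure kind, initiating class."""
    findings, current = [], None
    for line in log_text.splitlines():
        head = HEAD.match(line)
        if head:
            msg = head.group(2)
            kind = ("untrusted-certificate" if "PKIX path building failed" in msg
                    else "network-timeout" if "Connection timed out" in msg
                    else "other")
            current = {"exception": head.group(1), "kind": kind, "initiator": None}
            findings.append(current)
            continue
        frame = FRAME.match(line)
        if frame and current and current["initiator"] is None:
            if not frame.group(1).startswith(LIB_PREFIXES):
                current["initiator"] = frame.group(1)  # first application-level caller
        elif line.startswith("Caused by:"):
            current = None  # frames below belong to the nested cause; ignore them
    return findings

def from_db_driver(findings):
    """True if any failure was raised on behalf of the jTDS JDBC driver."""
    return any((f["initiator"] or "").startswith("net.sourceforge.jtds.") for f in findings)
```

On the sample, the handshake failure is attributed to `BaseUrlHealthCheck`, an outbound HTTPS request made by JIRA, and nothing is attributed to the jTDS driver; a trace whose frames are elided yields an initiator of `None`.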

0 votes
Nic Brough -Adaptavist-
Community Leader
July 5, 2017

How are you enabling the encryption in the Tomcat SQL driver?

Ali El Banna July 5, 2017

I didn't, I just activated Force Encryption in the MS SQL and saw that I couldn't start JIRA Service Desk anymore.

Nic Brough -Adaptavist-
Community Leader
July 5, 2017

So you told your database to accept only encrypted connections but did not tell the database user (The Tomcat running JIRA) to encrypt anything. 

You'll need to work out how to tell Tomcat to use encryption for the jtds driver.

Ali El Banna July 5, 2017

I am sorry, I didn't know that I have to configure the Tomcat. I am new to all these things. I will try to solve the problem and give my feedback. Thank you!

If anyone can help me with the configuration I would appreciate it.

 

Ali El Banna July 7, 2017

I changed the jtds-1.3.1.jar to be able to connect with Force Encryption on with TLSv1.2 and changed the server.xml connector like this:

<Connector port="8081"
     maxHttpHeaderSize="8192"
     maxThreads="150"
     minSpareThreads="25"
     connectionTimeout="20000"
     enableLookups="false"
     protocol="HTTP/1.1"
     useBodyEncodingForURI="true"
     redirectPort="8443"
     acceptCount="100"
     proxyName="xxxxx.de"
     proxyPort="443"
     scheme="https"
     disableUploadTimeout="true"
     SSLEnabled="true"
     useCipherSuitesOrder="true"
     sslProtocol="TLSv1.2"
     sslEnabledProtocols = "TLSv1.2"
     secure="true"
     clientAuth="false"
     />

I also changed the dbconfig.xml (ssl=true), but unfortunately I can't connect to JIRA via browser. The atlassian.log is saying this:

**********************************************************************************
    JIRA 7.3.6 build: 73017 started. You can now access JIRA through your web browser.
    **********************************************************************************

but I just can't connect to JIRA.

Can you help me one more time?

Regards,

Ali El Banna
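With jTDS, encryption is requested by the client through the `ssl` property of the JDBC URL in dbconfig.xml, and jTDS documents four values for it: `off`, `request`, `require` and `authenticate`. The following Python is an added example, not part of the thread or of JIRA: it reads the URL from a dbconfig.xml and reports whether the setting enforces encryption and whether the server certificate is validated. The function names are illustrative, and the dbconfig.xml fragment is constructed, with placeholder host and database names.

```python
import xml.etree.ElementTree as ET

# ssl values documented by jTDS; only the last two refuse an unencrypted session.
JTDS_SSL_VALUES = {"off", "request", "require", "authenticate"}
ENFORCING = {"require", "authenticate"}

# Constructed dbconfig.xml fragment; host, port and database name are placeholders.
SAMPLE_DBCONFIG = """\
<jira-database-config>
  <name>defaultDS</name>
  <database-type>mssql</database-type>
  <jdbc-datasource>
    <url>jdbc:jtds:sqlserver://db.example.internal:1433/jiradb;ssl=true</url>
    <driver-class>net.sourceforge.jtds.jdbc.Driver</driver-class>
  </jdbc-datasource>
</jira-database-config>
"""

def jtds_properties(url):
    """Split jdbc:jtds:sqlserver://host:port/db;k=v;... into a property dict."""
    if not url.startswith("jdbc:jtds:"):
        raise ValueError("not a jTDS URL: " + url)
    _, *pairs = url.split(";")
    props = {}
    for pair in pairs:
        if "=" in pair:
            key, value = pair.split("=", 1)
            props[key.strip().lower()] = value.strip()
    return props

def check_dbconfig(xml_text):
    """Return (verdict, detail) for the ssl property of the JDBC URL in dbconfig.xml."""
    url = ET.fromstring(xml_text).findtext("jdbc-datasource/url", default="").strip()
    ssl = jtds_properties(url).get("ssl")
    if ssl is None:
        return ("plaintext", "no ssl property: jTDS defaults to ssl=off")
    if ssl.lower() not in JTDS_SSL_VALUES:
        return ("invalid", "ssl=%s is not one of %s" % (ssl, sorted(JTDS_SSL_VALUES)))
    if ssl.lower() not in ENFORCING:
        return ("not-enforced", "ssl=%s does not require encryption" % ssl)
    validated = "validated" if ssl.lower() == "authenticate" else "NOT validated"
    return ("encrypted", "ssl=%s: server certificate is %s" % (ssl, validated))
```

`ssl=authenticate` is the only setting under which the driver checks the SQL Server certificate against the JVM truststore, so it needs that certificate's issuing CA imported there.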
