How-to setup a secured Jira Software 8 on openSUSE Tumbleweed in less than 30 minutes

Summary

Exactly one year ago, I wrote the article How-to setup a secured Jira Software 7.9.0 on Ubuntu 16.04.4 in less than 30 minutes. Now it's time for its successor. This article describes how to install Jira Software 8.1.0 from scratch on an out-of-the-box openSUSE Tumbleweed server that will listen on HTTPS. Downloading the packages does not count towards the 30 minutes. Of course you can use this article to install another version combination, but then not all commands will work with copy & paste.

Changes to previous article

  • openSUSE Tumbleweed instead of Ubuntu
  • PostgreSQL instead of MySQL
  • http/2 protocol instead of http/1.1
  • Jira 8 instead of Jira 7
  • AdoptOpenJDK instead of Oracle Java

Requirements

Your skills

  • you know how to login to a (remote) Linux server
  • you know how to edit configuration files with nano, vim, emacs, ...

How to use this article

You can copy and paste all the commands (in code blocks) straight into your root shell. The text around them explains the "why". If there are important instructions to read, then the text is bold.

Are you ready? 

Part 1 - Prepare PostgreSQL

Download and install PostgreSQL from repository. (Confirm with 'Y')

zypper install postgresql96-server

Unfortunately, version 11.2 gets installed in parallel to version 9.6. Jira doesn't support version 11.2, so we have to adjust the installation manually.

cd /etc/alternatives/
rm clusterdb createdb createuser dropdb dropuser initdb pg_basebackup pg_controldata pg_ctl pg_dump pg_dumpall pg_isready pg_receivewal pg_recvlogical pg_resetwal pg_restore pg_rewind pg_verify_checksums pg_waldump postgres reindexdb vacuumdb psql postmaster postgresql

This will delete a couple of symbolic links pointing to version 11.2 binaries.

ln -s /usr/lib/postgresql96 postgresql
ln -s /usr/lib/postgresql96/bin/postmaster
ln -s /usr/lib/postgresql96/bin/psql
ln -s /usr/lib/postgresql96/bin/clusterdb
ln -s /usr/lib/postgresql96/bin/createdb
ln -s /usr/lib/postgresql96/bin/createuser
ln -s /usr/lib/postgresql96/bin/dropdb
ln -s /usr/lib/postgresql96/bin/dropuser
ln -s /usr/lib/postgresql96/bin/initdb
ln -s /usr/lib/postgresql96/bin/pg_basebackup
ln -s /usr/lib/postgresql96/bin/pg_controldata
ln -s /usr/lib/postgresql96/bin/pg_ctl
ln -s /usr/lib/postgresql96/bin/pg_dump
ln -s /usr/lib/postgresql96/bin/pg_dumpall
ln -s /usr/lib/postgresql96/bin/pg_isready
ln -s /usr/lib/postgresql96/bin/pg_recvlogical
ln -s /usr/lib/postgresql96/bin/pg_restore
ln -s /usr/lib/postgresql96/bin/pg_rewind
ln -s /usr/lib/postgresql96/bin/postgres
ln -s /usr/lib/postgresql96/bin/reindexdb
ln -s /usr/lib/postgresql96/bin/vacuumdb

Now we create new symbolic links pointing to the binaries of version 9.6.

systemctl enable postgresql.service
systemctl start postgresql.service
systemctl stop postgresql.service

PostgreSQL is made persistent to run at startup, then it is started. It will create its DB structure. Afterwards we stop it.

vim /var/lib/pgsql/data/pg_hba.conf

Edit the file (in this case with vim) and modify its content as:

  • at line 80 (the one with local): change "peer" to "trust"
  • at line 82 (the one with host): change "ident" to "md5"
  • Save and exit the editor.

This will allow Jira to connect to it later.
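
An added check, not part of the original article: `trust` on the `local` line lets any local OS account open a socket connection as any database role without a password, so it is worth listing which rules are actually active after the edit. The sample file is constructed and assumes the three default rules; on the server, pass /var/lib/pgsql/data/pg_hba.conf instead.

```sh
#!/bin/sh
# Added example (not from the original article): audit pg_hba.conf rules.

# audit_pg_hba FILE -> one line per active rule: "<status> <type> <method> (line N)"
audit_pg_hba() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            type = $1
            # METHOD is field 4 for "local" rules and field 5 for host rules
            # written with a CIDR address, as in the default file.
            method = (type == "local") ? $4 : $5
            status = "ok"
            if (method == "trust") status = "WEAK"              # no credential checked
            else if (method == "peer" || method == "ident") status = "os-user"
            printf "%s %s %s (line %d)\n", status, type, method, NR
        }
    ' "$1"
}

# count_trust_rules FILE -> number of rules that skip authentication entirely
count_trust_rules() {
    audit_pg_hba "$1" | grep -c '^WEAK ' || true
}

# Constructed sample: assumed default rules after the two edits described above.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   md5
host    all       all   ::1/128        ident
EOF

audit_pg_hba "$sample"
echo "rules without authentication: $(count_trust_rules "$sample")"
```

If the file also has an IPv6 `host` rule, as assumed in the sample, connections to `::1` are matched by that rule and not by the IPv4 one changed to md5.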

systemctl start postgresql.service
sudo su postgres
psql

Start the DB again and open PostgreSQL client.

The next 4 commands have to be pasted into the psql shell. Use another password for the 'jira' db user than for 'root'.

create user jira password '**********';

create database jiradb WITH ENCODING 'UNICODE' LC_COLLATE 'C' LC_CTYPE 'C' TEMPLATE template0 OWNER jira;

grant all on database jiradb to jira;

\q

Close the session of user postgres:

exit

Part 2 - Java Installation

Change to the directory, where everything gets installed.

cd /opt

Extract the JRE tar-ball.

tar xzf /root/OpenJDK8U-jre_x64_linux_hotspot_8u212b03.tar.gz

Create a sym-link. This avoids changing configurations when upgrading the Java version.

ln -s jdk8u212-b03-jre java

Make the files' owner "root":

chown -R 0:0 jdk8u212-b03-jre

Part 3 - nginx and SSL 

Download and install nginx from Tumbleweed repositories. (Confirm with Y)

zypper install nginx

Create the nginx proxy configuration. This forwards requests on port 443 to the internal port 8080, where Jira's Tomcat is listening. Additionally, SSL is configured and the maximum size of an uploaded attachment is set to 30 MB. gzip compression is also activated, so make sure to deactivate gzip compression in Jira later.

cat << EOF | sudo tee /etc/nginx/conf.d/jira.conf
server {
    listen 443 ssl http2;
    server_name jira.mycompany.com;
    keepalive_timeout 70;
    ssl_certificate /etc/nginx/ssl/jira.crt;
    ssl_certificate_key /etc/nginx/ssl/jira.pem;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    large_client_header_buffers 4 32k;
    gzip on;
    gzip_min_length 10240;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Forwarded-Host \$host;
        proxy_set_header X-Forwarded-Server \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        client_max_body_size 30M;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
    }
}
EOF

Don't forget to adapt line 4 to your hostname before pasting.

Create the directory to store the SSL certificates and change inside.

mkdir /etc/nginx/ssl
cd /etc/nginx/ssl

If you already have a valid signed SSL certificate and your SSL key at hand, then copy the key to jira.pem and the certificate to jira.crt. Skip the next steps and continue at #MARKER#. If you need to create a new self-signed certificate, continue here.

Create your own SSL key. 

openssl genrsa -des3 -out jira.key 2048

You will be asked to set a passphrase - remember/note it.

Remove the passphrase from the key. This is required so that nginx can start unattended (without entering the passphrase).

openssl rsa -in jira.key -out jira.pem

Now the site details for the certificate are added.

openssl req -new -key jira.pem -out jira.csr

Replace the bold text with your own data.

Country Name (2 letter code) [AU]:XY
State or Province Name (full name) [Some-State]:My Country
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company
Organizational Unit Name (eg, section) []:Operations
Common Name (e.g. server FQDN or YOUR name) []:jira.mycompany.com
Email Address []: <<-- leave empty
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <<-- leave empty
An optional company name []: <<--leave empty

Self-sign your certificate. It will be valid for 777 days from now.

openssl x509 -req -days 777 -in jira.csr -signkey jira.pem -out jira.crt

Now the certificate is added to the JRE default keystore. This is required so that Jira can talk to itself without getting an SSL certificate authorization error. (This step is also required for already existing self-made certificates.)

/opt/java/bin/keytool -import -alias jira.mycompany.com:443 -keystore /opt/java/lib/security/cacerts -file jira.crt

The password of the keystore is 'changeit'. Confirm with 'yes'.

#MARKER#
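
Whether the pair was copied in or created with the steps above, nginx only starts if jira.crt and jira.pem belong together. An added check (not part of the original article) that verifies this, plus the key's file mode and the remaining validity; the 30-day threshold and the accepted modes are assumptions, and the demo pair is constructed.

```sh
#!/bin/sh
# Added example (not from the original article): sanity-check a certificate/key
# pair before nginx is restarted.

# check_tls_pair CERT KEY -> prints findings, returns non-zero if any check fails
check_tls_pair() {
    cert=$1; key=$2; rc=0
    # 1. Certificate and key must contain the same public key.
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$c" ] || [ "$c" != "$k" ]; then
        echo "FAIL: $cert does not match $key"; rc=1
    fi
    # 2. The key has no passphrase, so its file mode is the only protection.
    mode=$(stat -c %a "$key")                     # GNU stat, as on openSUSE
    case $mode in
        600|400) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or 400"; rc=1 ;;
    esac
    # 3. The certificate must still be valid 30 days from now.
    if ! openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within 30 days"; rc=1
    fi
    return $rc
}

# Constructed demo: a throwaway self-signed pair in a temporary directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 777 -subj "/CN=jira.mycompany.com" \
    -keyout "$demo/jira.pem" -out "$demo/jira.crt" 2>/dev/null
chmod 600 "$demo/jira.pem"

check_tls_pair "$demo/jira.crt" "$demo/jira.pem" && echo "OK: pair is consistent"
```

On the server, run it as `check_tls_pair /etc/nginx/ssl/jira.crt /etc/nginx/ssl/jira.pem`.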

Nginx needs to be made persistent and restarted, so that all changes can take effect.

systemctl enable nginx
systemctl restart nginx

Part 4 - Jira binary installation

Back to our installation directory.

cd /opt

Extract Jira Software.

tar xzf /root/atlassian-jira-software-8.1.0.tar.gz

Create a sym-link for future Jira upgrades.

ln -s atlassian-jira-software-8.1.0-standalone jira

Create the Jira-Home directory

mkdir jira-home

Edit the Tomcat settings to fit the proxy configuration (in this case with vim).

vim jira/conf/server.xml

At line 38 (Connector block) add the following behind 'bindOnInit="false" ':

proxyName="jira.mycompany.com" proxyPort="443" scheme="https"

Save & exit editor.

Change the ownership of all files to the user that the service will be started as later. We use the 'nginx' user here.

chown -R nginx:nginx atlassian-jira-software-8.1.0-standalone jira-home

Create systemd configuration to be able to start/stop Jira.

cat << EOF | sudo tee /etc/systemd/system/jira.service
[Unit]
Description = Atlassian Jira Software
After=syslog.target network.target

[Service]
Type=forking
Environment=JIRA_HOME=/opt/jira-home
Environment=JAVA_HOME=/opt/java
PermissionsStartOnly=true
User=nginx
Group=nginx
ExecStart=/opt/jira/bin/startup.sh
ExecStop=/opt/jira/bin/shutdown.sh
TimeoutStartSec=120
TimeoutStopSec=600
PrivateTmp=true

[Install]
WantedBy = multi-user.target
EOF

Make the systemd configuration known to the system.

systemctl daemon-reload

Make the Jira service persistent.

systemctl enable jira.service

Start Jira now!

systemctl start jira.service

Note: depending on your remote system, start-up can take some time. Meanwhile, you can have a look at the Jira log file: /opt/jira-home/log/atlassian-jira.log

Congratulations! Setup on command line is now finished. Continue with your Browser.

Has it taken longer than 30 minutes?

Part 5 - Finish installation

Point your browser to https://jira.mycompany.com. If you have used a self-signed SSL certificate, you now have to trust the certificate manually.

Select "I'll set it up myself" and "next". Then enter the data as seen in the screenshots:

jira-setup-01.jpg

jira-setup-02.jpg

"Test Connection". If it's green, you can proceed. Again, this can take some time before you are asked to enter your license.

You have reached the end of this how-to. Hope you were successful. If you are facing problems or you can provide an improvement, let me know.

Post installation tasks (not part of this how-to)

  • disable gzip compression
  • log rotate jira/tomcat
  • setup firewall to protect db and port 8080
  • increase JVM memory settings
  • monitoring
  • backup mechanism

1 comment

M Amine
Community Leader
September 26, 2020

detailed how-to. Thank you @Thomas Deiler 
