How-to setup a secured Jira Software 7.9.0 on Ubuntu 16.04.4 in less than 30 minutes

Summary

This article is about to install Jira Software 7.9.0 from scratch on an out-of-the-box Ubuntu 16.04.4 Server, that will listen on HTTPS.  Downloading the packaged does not count to the 30 minutes. Of cause you can take this article to install another version combination, but then not all commands will work with copy & paste.

Requirements

• remote linux server with Ubuntu 16.04.4 Server installed (unmodified, out-of-the-box with just OpenSSH active)

• no Apache running on port 443

• root access to Ubuntu remote server

• internet connection from remote server to download Ubuntu packages and the MySQL driver

• min. 1Gb free disk space at /opt (has to be more for production use)

• computer with any graphical browser and SSH (PuTTY on Win)

• a DNS name (in this how-to jira.mycompany.com is used - replace it with yours)

• already downloaded JIRA located at /root/atlassian-jira-software-7.9.0.tar.gz (wget https://www.atlassian.com/software/jira/downloads/binary/atlassian-jira-software-7.9.0.tar.gz)

• already downloaded Oracle JRE located at /root/jre-8u172-linux-x64.tar.gz (http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html)

• a valid Jira Software license from Atlassian

Your Skills

• you know how to login to a (remote) Linux server
• you know how to edit configuration files with nano, vim, emacs, ...

How  to use this article

You can copy and paste all the commands (in code blocks) just to your root shell. The text around is for explaining the "why". If there are important instructions to read, then the text is bold.

Are you ready to rumble?  Start your watch now ... 3.2.1

Part 1 - Prepare MySQL Database

Download and install MySQL from Ubuntu Repository. (Confirm with 'Y')

apt-get install mysql-server

You get asked to set a password for root - you will need it the next steps.

Create the database named 'jira'.

mysqladmin -u root -p create jira

Connect to the database.

mysql -u root -p

Modify the created db, create a news user called 'jira' and grant permissions.

The next 4 commands have to be pasted into the mysql shell. Use another password for the 'jira' db user than for 'root'.

alter database jira character set utf8 collate utf8_bin;
create user 'jira'@'localhost' identified by '<password used by jira>';
grant all on jira.* to 'jira'@'localhost';
exit;

Tune mysql to fit to the requirements of Jira.

echo "innodb_log_file_size = 256M" >> /etc/mysql/mysql.conf.d/mysqld.cnf
echo "max_allowed_packet = 34M" >> /etc/mysql/mysql.conf.d/mysqld.cnf

The tuning requires a restart of MySQL.

systemctl restart mysql.service

Part 2 - Java installation

Change to the directory, where everything gets installed.

cd /opt

Extract the JRE tar-ball.

tar xzf /root/jre-8u172-linux-x64.tar.gz

Create a sym-link. Avoids changing configurations when upgrading Java.

ln -s jre1.8.0_172/ java

Part 3 - nginx and SSL 

Download and install nginx from Ubuntu resources. (Confirm with Y)

apt-get install nginx

Create the nginx proxy configuration. This will forward calls to 443 to internal port 8080 where Jira's tomcat is listening. Additionally SSL is configured and the maximum size of an uploaded attachment is set to 30 Mb. Also gzip compression is activated - make sure not to activate gzip compression later in Jira.

Copy & paste the next full code block into your shell.

cat << EOF | sudo tee /etc/nginx/sites-available/jira
server {
 listen 443 ssl;
 server_name jira.mycompany.com;
 keepalive_timeout 70;
 ssl_certificate /etc/nginx/ssl/jira.crt;
 ssl_certificate_key /etc/nginx/ssl/jira.pem;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers HIGH:!aNULL:!MD5;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 1d;
 large_client_header_buffers 4 32k;
 gzip on;
 gzip_min_length 10240;
 gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
 location / {
 proxy_pass http://localhost:8080;
 proxy_set_header X-Forwarded-Host \$host;
 proxy_set_header X-Forwarded-Server \$host;
 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
 client_max_body_size 30M;
 proxy_connect_timeout 300;
 proxy_send_timeout 300;
 proxy_read_timeout 300;
 send_timeout 300;
 }
}
EOF

Enable the configuration to be loaded next restart.

ln -s /etc/nginx/sites-available/jira /etc/nginx/sites-enabled/jira

Create the directory to store the SSL certificates and change inside.

mkdir /etc/nginx/ssl
cd /etc/nginx/ssl

If you have already a valid signed SSL certificate and your SSL key at hand, then copy the key to jira.pem and the certificate to jira.crt. Skip the next steps and continue at #MARKER#. If you need to create some new self-signed certificates, continue here.

Create your own SSL key. 

openssl genrsa -des3 -out jira.key 2048

You will get asked the set a passphrase - remember/note it.

Remove the passphrase from the key. This is required so that nginx can start unattended (without entering the passphrase).

openssl rsa -in jira.key -out jira.pem

Now the site details for the certificate are added.

openssl req -new -key jira.pem -out jira.csr

Replace the bold text with your own data.

Country Name (2 letter code) [AU]:XY
State or Province Name (full name) [Some-State]:My Country
Locality Name (eg, city) []:My City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company
Organizational Unit Name (eg, section) []:Operations
Common Name (e.g. server FQDN or YOUR name) []:jira.mycompany.com
Email Address []: <<-- leave empty
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <<-- leave empty
An optional company name []: <<--leave empty

Self-sign your certificate. It will be valid for 777 days from now.

openssl x509 -req -days 777 -in jira.csr -signkey jira.pem -out jira.crt

Now the certificate is added to the JRE default keystore. This is required, so that Jira can talk to itself without getting an SSL certificate authorization error.

/opt/java/bin/keytool -import -alias jira.mycompany.com:443 -keystore /opt/java/lib/security/cacerts -file jira.crt

The password of the keystore is 'changeit'.

#MARKER#

Nginx needs to be restarted so that all changes can take effect.

systemctl restart nginx

Part 4 - Jira binary installation

Back to our installation directory.

cd /opt

Extract Jira Software.

tar xzf /root/atlassian-jira-software-7.9.0.tar.gz

Create a sym-link for future Jira upgrades.

ln -s atlassian-jira-software-7.9.0-standalone jira

Create the Jira-Home directory

mkdir jira-home

Edit tomcat settings to fit to the proxy configuration. (in this case with nano)

nano jira/conf/server.xml

At line 36 (Connector block) add the following behind 'bindOnInit="false" ':

proxyName="jira.mycompany.com" proxyPort="443" scheme="https"

Save & exit editor.

Download the MySQL driver that works with Jira 7.9.0 directly from maven repository.

wget http://central.maven.org/maven2/mysql/mysql-connector-java/5.1.45/mysql-connector-java-5.1.45.jar -O jira/lib/mysql-connector-java-5.1.45.jar

Change the ownership of all files to the same system user, the service is started later.

chown -R www-data:www-data atlassian-jira-software-7.9.0-standalone jira-home

Create Systemd configuration to be able to start/stop Jira.

Copy & paste this full code block into your shell.

cat << EOF | sudo tee /etc/systemd/system/jira.service
[Unit]
Description = Atlassian Jira Software
After=syslog.target network.target
 
[Service]
Type=forking
Environment=JIRA_HOME=/opt/jira-home
Environment=JAVA_HOME=/opt/java
PermissionsStartOnly=true
User=www-data
Group=www-data
ExecStart=/opt/jira/bin/startup.sh
ExecStop=/opt/jira/bin/shutdown.sh
TimeoutStartSec=120
TimeoutStopSec=600
PrivateTmp=true
 
[Install]
WantedBy = multi-user.target
EOF

Make the systemd configuration known to the system.

systemctl daemon-reload

Make the Jira service persistent (starting at boot-up).

systemctl enable jira.service

Start Jira now!

systemctl start jira.service

Note: depending on your remote system, start-up can take some time. You can have a look inside Jira log file, meanwhile: /opt/jira-home/log/atlassian-jira.log

Congratulations! Setup on command line is now finished. Continue with your Browser.

Stop your watch! Has it taken longer than 30 minutes?

Part 5 - Finish installation

Point your browser to https://jira.mycompany.com. If you have used a self-signed SSL certificate, you have now manually to trust the certificate.

Select "I'll set it up myself"  and  "next". Then enter the data like seen in this screen shot:

"Test Connection". If its green you can proceed. Now again, this can take some time before you get asked to enter your license.

You have reached the end of this how-to. Hope you were successful. If you are facing problems, let me know.

Post installation tasks (not part of this how-to)

• log rotate jira/tomcat
• block port 8080 from outside connections
• increase JVM memory settings
• monitoring
• backup mechanism