How do I completely disable SSL for JIRA on Apache Tomcat

Jason Huntowski May 1, 2015

Hello,

This may be a rather dumb question, but I inherited JIRA from another company and they have SSL enabled on Apache Tomcat 7. It works great and if it didn't, I see there is a wealth of knowledge from Apache.org to JIRA's knowledge base and Atlassian Answers on how to set it up or fix it, but I can't find anything on simply turning it off.

Our instance sits behind a firewall and SSL is not necessary, or at least the powers that be deem it not necessary, so how do I just disable it?

We're running JIRA 6.3.1 on Windows Server 2012. I have tried altering the server.xml and changed SSLEnabled to false, which I kind of knew wouldn't work, which it didn't. I have tried opening the configuration tool and selecting "Disabled" as the profile, but it all just fails. I am server dumb, this whole thing just sort of got dropped into my lap, so any advice would be golden.

I could work backwards through the configuration steps, but that seems labor intensive for just turning something off. There has to be a better way. Is there a config file somewhere where I could just comment out the initial kick-off of the whole SSL process?

 

Thanks!

2 answers

1 accepted

3 votes
Answer accepted
rrudnicki
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 1, 2015

Hi Jason, 

As I could see, you have a HTTPS connector setup. Commenting that code will disable your SSL. Put the comment between <!--  ... code ... --> like this:

<!--
<Connector port="8443" useBodyEncodingForURI="true" protocol="org.apache.coyote.http11.Http11Protocol" 
minSpareThreads="25" maxThreads="150" maxSpareThreads="75" maxHttpHeaderSize="8192" 
enableLookups="false" disableUploadTimeout="true" connectionTimeout="20000" acceptCount="100" 
sslProtocol="TLS" secure="true" scheme="https" keystoreType="JKS" keystorePass=[our pass] 
keystoreFile=[our file location] keyAlias=[our alias] clientAuth="false" SSLEnabled="true"/>
-->
</Service></Server>

This connector is at the end of your server.xml together with the HTTP connector.

 

Also make sure Tomcat is not forcing the HTTPS redirect. Please have a look at this link to check this: https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS#RunningConfluenceOverSSLorHTTPS-Step5.AddaSecurityConstrainttoRedirectAllURLstoHTTPS

 

Regards, 

Renato Rudnicki

Jason Huntowski May 1, 2015

Renato,

 

Thank you for your suggestions. I did find that the web.xml was forcing the redirect. I am in the process of commenting out the code you suggested with the code from the web.xml commented out but I had one question? In the other connector that doesn't get commented out, should I remove the redirectPort="8443"?

<Connector port="8080" useBodyEncodingForURI="true" redirectPort="8443" protocol="HTTP/1.1" minSpareThreads="25" maxThreads="150" maxSpareThreads="75" maxHttpHeaderSize="8192" enableLookups="false" disableUploadTimeout="true" connectionTimeout="20000" acceptCount="100"/>

 

Also, will I have to offer a new URL for accessing this site? The URL I use now is the servername:8443, that would no longer be viable if the redirect is off, right? Or am I way off base?

 

Thanks,

 

Jason

Jason Huntowski May 4, 2015

So, I just wanted to update this question with what I learned as the answer to this. The culprit ended up being the forced HTTPS redirect in the web.xml in WEB-INF. We ultimately decided to leave the connector for both the HTTPS and the HTTP in the server.xml for a while so that users who don't read the full e-mail, won't be given an error when they access the old link. Thank you to both Renato and David for your help.

2 votes
David Di Blasio
Atlassian Team
May 1, 2015

Hi Jason,
Depending on how SSL is configured you might just have to comment out the connector in <JIRA_INSTALL>/conf/server.xml. Here's an example from https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS

 

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
keyAlias="jira" keystoreFile="<JIRA_HOME>/jira.jks" keystorePass="changeit" keystoreType="JKS"/>

If you paste in your server.xml we can get a better idea on how to direct you though. Be advised you'll want to change any sensitive information such as the keystorepass.

 

Jason Huntowski May 1, 2015

David,

 

Thank you so much for your response. I was actually trying to comment out that section when you replied, but it still seems to go to the redirect port. I am wondering if I need to change a port redirect or proxy somewhere else? I have pasted my server xml below. Any info you can give me would be one step closer than I am right now.

Thanks,

Jason

Server.xml

<?xml version="1.0" encoding="UTF-8"?>

<!-- ==================================================================================== Atlassian JIRA Standalone Edition Tomcat Configuration. See the following for more information http://confluence.atlassian.com/display/JIRA/Configuring+JIRA+Standalone ==================================================================================== -->

<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -->
<Server shutdown="SHUTDOWN" port="8005">
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<!-- Global JNDI resources Documentation at /docs/jndi-resources-howto.html -->

<!-- A "Service" is a collection of one or more "Connectors" that share a single "Container" Note: A "Service" is not itself a "Container", so you may not define subcomponents such as "Valves" at this level. Documentation at /docs/config/service.html -->
<Service name="Catalina">
<!-- ==================================================================================== To run JIRA via HTTPS: * Uncomment the Connector below * Execute: %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows) $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix) with a password value of "changeit" for both the certificate and the keystore itself. * If you are on JDK1.3 or earlier, download and install JSSE 1.0.2 or later, and put the JAR files into "$JAVA_HOME/jre/lib/ext" * Restart and visit https://localhost:8443/ For more info, see : http://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS and http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html ==================================================================================== -->

<!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxHttpHeaderSize="8192" SSLEnabled="true" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"/> -->

<!-- ==================================================================================== If you have Apache AJP Connector (mod_ajp) as a proxy in front of JIRA you should uncomment the following connector configuration line See the following for more information : http://confluence.atlassian.com/display/JIRA/Configuring+Apache+Reverse+Proxy+Using+the+AJP+Protocol ==================================================================================== -->

<!-- <Connector port="8009" redirectPort="8443" enableLookups="false" protocol="AJP/1.3" URIEncoding="UTF-8"/> -->
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" unpackWARs="true" autoDeploy="true" appBase="webapps">
<Context useHttpOnly="true" reloadable="false" path="" docBase="${catalina.home}/atlassian-jira">
<!-- ==================================================================================== Note, you no longer configure your database driver or connection parameters here. These are configured through the UI during application setup. ==================================================================================== -->
<Resource name="UserTransaction" type="javax.transaction.UserTransaction" jotm.timeout="60" factory="org.objectweb.jotm.UserTransactionFactory" auth="Container"/>
<Manager pathname=""/>
</Context>
</Host>
<!-- ==================================================================================== Access Logging. This should produce access_log.<date> files in the 'logs' directory. The output access log lies has the following fields : IP Request_Id User Timestamp "HTTP_Method URL Protocol_Version" HTTP_Status_Code ResponseSize_in_Bytes RequestTime_In_Millis Referer User_Agent ASESSIONID eg : 192.168.3.238 1243466536012x12x1 admin [28/May/2009:09:22:17 +1000] "GET /jira/secure/admin/jira/IndexProgress.jspa?taskId=1 HTTP/1.1" 200 24267 1070 "http://carltondraught.sydney.atlassian.com:8090/jira/secure/admin/jira/IndexAdmin.jspa" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10" "C2C99B632EE0F41E90F8EF7A201F6A78" NOTES: The RequestId is a millis_since_epoch plus request number plus number of concurrent users The Request time is in milliseconds The ASESSIONID is an hash of the JSESSIONID and hence is safe to publish within logs. A session cannot be reconstructed from it. See http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html for more information on Tomcat Access Log Valves ==================================================================================== -->
<Valve className="org.apache.catalina.valves.AccessLogValve" resolveHosts="false" pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
</Engine>
<Connector port="8080" useBodyEncodingForURI="true" redirectPort="8443" protocol="HTTP/1.1" minSpareThreads="25" maxThreads="150" maxSpareThreads="75" maxHttpHeaderSize="8192" enableLookups="false" disableUploadTimeout="true" connectionTimeout="20000" acceptCount="100"/>
<Connector port="8443" useBodyEncodingForURI="true" protocol="org.apache.coyote.http11.Http11Protocol" minSpareThreads="25" maxThreads="150" maxSpareThreads="75" maxHttpHeaderSize="8192" enableLookups="false" disableUploadTimeout="true" connectionTimeout="20000" acceptCount="100" sslProtocol="TLS" secure="true" scheme="https" keystoreType="JKS" keystorePass=[our pass] keystoreFile=[our file location] keyAlias=[our alias] clientAuth="false" SSLEnabled="true"/>
</Service>
</Server>
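
An added example, not written by any poster in this thread and not Atlassian's code: a small Python check that lists every live setting in server.xml and web.xml that sends clients to HTTPS, which shows why commenting out only the 8443 connector left the redirect in place. Both XML samples are constructed, and the `<security-constraint>` shape is assumed from the standard servlet descriptor, not taken from the poster's web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the thread; not the poster's real files.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"/> -->
  </Service>
</Server>"""

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def audit_https_settings(server_xml, web_xml):
    """Return one finding per live setting that sends clients to HTTPS."""
    findings = []
    tls_ports = set()
    # The default parser drops XML comments, so commented-out connectors are ignored.
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    for c in connectors:
        if c.get("SSLEnabled", "false").lower() == "true" or c.get("scheme") == "https":
            tls_ports.add(c.get("port"))
            findings.append(("server.xml", "tls-connector", c.get("port")))
    for c in connectors:
        target = c.get("redirectPort")
        if target and c.get("port") not in tls_ports:
            state = "listening" if target in tls_ports else "no-listener"
            findings.append(("server.xml", "redirectPort", f"{c.get('port')}->{target} ({state})"))
    for el in ET.fromstring(web_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # strip the namespace, whatever the servlet version
        if name == "transport-guarantee" and (el.text or "").strip() in ("CONFIDENTIAL", "INTEGRAL"):
            findings.append(("web.xml", "transport-guarantee", el.text.strip()))
    return findings


if __name__ == "__main__":
    for finding in audit_https_settings(SERVER_XML, WEB_XML):
        print(finding)
```

With the constructed samples, the result pairs a `redirectPort` that has no listener with a live `CONFIDENTIAL` constraint, the state the poster describes after commenting out the connector.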
