Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to better manage Java keystores?

Jordan Packer
Jordan Packer July 6, 2015

We have an on-premise installation of various Atlassian products (JIRA, Confluence, Bamboo, Fisheye, Crucible, and Stash) all running behind a corporate firewall. We have enabled HTTPS access for each of these applications by utilizing our F5 load balancer to act as a proxy (which terminates the SSL and handles all certificates).

However, in order to get certain things working correctly (namely, Application Links), I have to import the SSL certificates from each of the applications into the Java keystore files on each server. This can be kind of a pain to maintain... any time a single certificate gets updated, I have several places to go to for importing the new certificate (all of which requires a restart of each application). Also, any time I upgrade Java (or upgrade an application that is using its own internal Java), then I have to re-import each of those certificates.

Is there any way to make this easier? I was hoping that I could just import the Root CA certificate for our corporate network and have that handle all downstream certificates, but that doesn't seem to work.... Does anybody out there have better ideas? How are you handling this in your organizations?

Answer
Watch
Like Be the first to like this
582 views

1 answer

1 accepted

0 votes
Answer accepted
Rich Duncan
Rich Duncan
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 6, 2015

Yep this is a pain!  Try the following:

  1. Goto the target app in the browser - most of them will provide a means to look at the certificate chain that is used in the HTTPS connection.
  2. If it's self-signed you have to import that certificate into all of the key stores
  3. If it's locally signed (by your organization) you need to import all of the certificates between the leaf and the root (including the root but not the leaf).  This lets you work with any host that uses a certificate signed by the same local authority.
  4. If signed by a public authority, it should be ok, except I've actually seen situations where an interim certificate needed to be imported.

hth,

 

-Rich 

 

View More Comments
Jordan Packer
Jordan Packer July 6, 2015

That did the trick, thank you so much! I had tried importing the very top (or root, in your terms), but I hadn't tried doing everything else in the chain, minus the "leaf".

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events