命令行配置步骤
Command line installation
过程说明:
创建存放证书的本地秘钥库keystore文件jira.jks,生成证书签名请求文件csr.txt或者jira.csr;
自签名,生成密钥和根证书;
使用根证书ca.crt对csr.txt进行签名,生成jira.crt文件;
导入根证书、签名的证书至本地秘钥库
步骤一、创建密钥库
Step 1. Create the KeyStore
Generate the Java KeyStore.
<JAVA_HOME>/keytool -genkey -alias jira -keyalg RSA -keystore <Jira_HOME>/jira.jks实际步骤:
keytool -genkey -alias jira -keyalg RSA -keystore /data/jirasoftware-home/jira.jks密码:secret
配置过程参数:
What is your first and last name?
[Unknown]: xx
What is the name of your organizational unit?
[Unknown]: xx
What is the name of your organization?
[Unknown]: xx
What is the name of your City or Locality?
[Unknown]: Beijing
What is the name of your State or Province?
[Unknown]: Beijing
What is the two-letter country code for this unit?
[Unknown]: CN
Instead of the first and last names, enter the server URL, excluding https://. For example: jira.atlassian.com.注:
1)*.jks文件不要放在安装目录,以免后续升级时被冲掉;
此处放在/opt/jirasoftware-home下
2)执行时要输入 firt and last name 时。要写域名或者IP,比如: 192.168.100.101,jira.company.com;
没有域名:此处使用xx
3)执行时要输入密码,只能是字母和数字组合,记住了,后续要用到。
Enter a password.
2, 生成证书签名请求(*.csr)
Create the CSR for signing and the password from the step 2.
<JAVA_HOME>/keytool -certreq -alias jira -file /output/directory/csr.txt -keystore <Jira_HOME>/jira.jks
Submit the CSR to the CA for signing. They'll provide a signed certificate and a root or实际步骤:
keytool -certreq -alias jira -file /home/jira/csr.txt -keystore /opt/jirasoftware-home/jira.jks3, 签名(*.crt):(有俩种方式获取)
1)CA机构签名:
将生成的 jira.csr 提交给CA机构签名,CA会给你签名后的证书 jira.crt 以及根证书或者中间证书:root.crt
2)自签名:
生成密钥和根证书:
openssl req -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 3650 -out ca.crt自签名:
openssl x509 -req -CA ca.crt -CAkey ca.key -in jira.csr -out jira.crt -days 3650 -CAcreateserial实际配置步骤:
# openssl x509 -req -CA ca.crt -CAkey ca.key -in ../csr.txt -out jira.crt -days 3650 -CAcreateserial
Signature ok
检查签名:
openssl verify -verbose -CAfile ca.crt jira.crt
jira.crt: OK
4, 导入根证书、签名的证书至本地秘钥库:
$JAVA_HOME/bin/keytool -importcert -alias rootCA -keystore /opt/jirasoftware-home/jira.jks -trustcacerts -file ca.crt
$JAVA_HOME/bin/keytool -importcert -alias jira -keystore /opt/jirasoftware-home/jira.jks -file jira.crt密码:xx
检查导入证书:
$JAVA_HOME/bin/keytool -list -alias jira -keystore /data/jirasoftware-home/jira.jks
Enter keystore password:
jira, Aug 16, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 二、配置JIRA服务
1,备份<Jira_INSTALL>/conf/server.xml
2,配置https连接选项:
编辑<Jira_INSTALL>/conf/server.xml,增加如下:
<Connector port="18080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`"<>"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
sslEnabledProtocols="TLSv1.2,TLSv1.3"
clientAuth="false" useBodyEncodingForURI="true"
keyAlias="jira" keystoreFile="/opt/jirasoftware-home/jira.jks" keystorePass="xx" keystoreType="JKS"/>参数备注:
port="18080"
SSLEnabled="true"
secure="true"
sslEnabledProtocols="TLSv1.2,TLSv1.3"
keyAlias="jira"
keystoreFile="/opt/jirasoftware-home/jira.jks"
keystorePass="xx"
keystoreType="JKS"如果https端口不是8443,修改了端口,http里的对应也要改:
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`"<>"
maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/>3,配置http自动重定向https页面:(可选,未配置)
编辑<Jira_INSTALL>/atlassian-jira/WEB-INF/web.xml,在前增加如下:
/data/jirasoftware/atlassian-jira/WEB-INF
参考链接:
https://confluence.atlassian.com/adminjiraserver0822/running-jira-applications-over-ssl-or-https-1142238093.html
