To connect Jira and Confluence to MySQL over SSL, we first need to download the MySQL certificates. Once they are downloaded (mysql-server-cert.pem, client-cert.pem and client-key.pem), we need to convert them to a keystore format so that Java can load them when the services start.

How do we convert the MySQL certificates and store them for Jira and Confluence? With “keytool”, found in the “bin” folder of the JRE (Java Runtime Environment).

# Import the MySQL server certificate into the JRE trust store
./keytool -import -alias MySQLCACert -keystore ../lib/security/cacerts -file cert/mysql-server-cert.pem
# Import the client certificate into the same trust store
./keytool -import -alias mysqlclientcertificate -keystore ../lib/security/cacerts -file cert/client-cert.pem
# Bundle the client certificate and key as PKCS#12, then convert the bundle to a JKS keystore
openssl pkcs12 -export -in cert/client-cert.pem -inkey cert/client-key.pem -name "mysqlclient" -passout pass:mypassword -out cert/client-keystore.p12
./keytool -importkeystore -srckeystore cert/client-keystore.p12 -srcstoretype pkcs12 -srcstorepass mypassword -destkeystore keystore -deststoretype JKS -deststorepass mypassword

(Remember, the “cacerts” file is inside your JRE directory; check Jira System Info to find the real path. Also remember that the default password for cacerts is “changeit”.)

You must repeat the same operation for each instance (Jira and Confluence).

Now we are ready to make the changes. Edit these files:

  • In Jira, edit the file “dbconfig.xml” and add useSSL=true to the MySQL connection string
  • In Confluence, edit the file “confluence.cfg.xml” and add useSSL=true to the MySQL connection string

Sometimes we need to add “&” to concatenate parameters in the dbconfig.xml and confluence.cfg.xml files (something like “&useSSL=true”). Because both files are XML, the ampersand is written there as “&amp;”.
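The separator rule above as a small POSIX shell helper. This is an added example, not code from the original post; the function names and the sample host and database are assumptions. It writes the separator as “&amp;” because dbconfig.xml and confluence.cfg.xml are XML, and it replaces an existing value instead of adding a duplicate.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# jdbc_add_param URL KEY VALUE
# Prints URL with KEY=VALUE appended, ready to paste into an XML config file:
#   "?" is used when the URL has no parameters yet, "&amp;" otherwise.
# Accepts URLs whose separators are raw "&" or already escaped "&amp;".
jdbc_add_param() (
  raw=$(printf '%s' "$1" | sed 's/&amp;/\&/g')   # unescape, so we escape once
  base=${raw%%\?*}
  case $raw in
    *\?*) query=${raw#*\?} ;;
    *)    query= ;;
  esac
  out=
  set -f; IFS='&'                                # split on "&", no globbing
  for part in $query; do
    # Skip empty fields and any previous value of KEY.
    if [ -z "$part" ] || [ "${part%%=*}" = "$2" ]; then continue; fi
    out="${out:+$out&}$part"
  done
  out="${out:+$out&}$2=$3"
  printf '%s?%s\n' "$base" "$out" | sed 's/&/\&amp;/g'
)

# jdbc_get_param URL KEY
# Prints the value of KEY; returns 1 when the URL does not set it.
jdbc_get_param() (
  raw=$(printf '%s' "$1" | sed 's/&amp;/\&/g')
  case $raw in
    *\?*) query=${raw#*\?} ;;
    *)    exit 1 ;;
  esac
  set -f; IFS='&'
  for part in $query; do
    if [ "${part%%=*}" = "$2" ]; then printf '%s\n' "${part#*=}"; exit 0; fi
  done
  exit 1
)

# Constructed sample URL (host and database name are placeholders).
url='jdbc:mysql://db.example.internal:3306/jiradb?useUnicode=true&amp;characterEncoding=UTF8'
url=$(jdbc_add_param "$url" useSSL true)
printf '%s\n' "$url"
# Check after editing: confirm the URL really sets useSSL.
jdbc_get_param "$url" useSSL >/dev/null || echo "useSSL is not set" >&2
```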

Now, in the Jira and Confluence bin folder, edit the file “setenv.sh” to append these values:

-Djavax.net.ssl.keyStore=path_to_keystore_file -Djavax.net.ssl.keyStorePassword=mypassword

Restart the services!

That’s all 😀

By MrAddon


2 replies on “How to configure SSL MySQL for Jira Server and Confluence Server”

  1. Important for version > Jira 8.18.2:

    IMPORTANT!!! in Jira dbconfig add new param: JDK 11 only compatible with TLSv1.2
    
    jdbc:mysql://<host>:<port>/<dbname>?enabledTLSProtocols=TLSv1.2
    


  2. Important for version > Confluence 7.12.4

    setenv.sh change to not generate recovery file because too long
    
    -Dconfluence.upgrade.recovery.file.enabled=false
    
    For error: SQL state [HY000]; error code [1419]; You do not have the SUPER privilege and binary logging is enabled (you *might* want to use the less safe log_bin_trust_function_creators variable); nested exception is java.sql.SQLException: You do not have the SUPER privilege and binary logging is enabled (you *might* want to use the less safe log_bin_trust_function_creators variable)
    
    Stop Confluence
    Stop the MySQL database
    Specify the below parameter under [mysqld] in your my.cnf file:
     log-bin-trust-function-creators = 1
    Start the MySQL database again.
    Start Confluence again.
    
    
