Deutsch Español Français 日本語 Português do Brasil

Articles in this section

Mutual TLS for Jira Cards

Cat
  • Updated

Available on: Enterprise plan

Available for: Jira on-premise (Server / Data Center)

Mutual Transport Layer Security allows establishing an even more secure connection between your Jira instance and Miro. The functionality is automatically supported on all Enterprise plans and does not require any configuration on the Miro end. 

⚠️ Note that this article does not present detailed instructions but simply provides a sample configuration and our certificate (at the end of the article). Please consult with your IT team and your system administrators, because depending on your network infrastructure the configuration steps may differ. 

Ways to configure

There are two options to choose from when it comes to how the validation will be checked:

  • Via the certificate
  • Via the certificate's fingerprint

Choose the method you prefer and adjust the NGINX configuration that you have using one of the following snippets. Be sure to replace 127.0.0.1 with your Jira instance IP or web address and enter our certificate values instead of ENTER_MIRO_CERTIFICATE_HERE.

Validating via the certificate

Find the sample for the NGINX configuration below:

ssl_verify_client optional;
ssl_verify_depth 3;
set $cert_old "ENTER_OLD_MIRO_CERTIFICATE_HERE";
set $cert_new "ENTER_NEW_MIRO_CERTIFICATE_HERE";
set $valid_cert_flag 0;

location /jira/plugins/servlet/oauth/authorize {
       proxy_pass http://127.0.0.1/jira/plugins/servlet/oauth/authorize;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      client_max_body_size 10M;
      proxy_redirect off;
}

location /jira/login.jsp {
        proxy_pass http://127.0.0.1/jira/login.jsp;
       proxy_set_header X-Forwarded-Host $host;
       proxy_set_header X-Forwarded-Server $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       client_max_body_size 10M;
       proxy_redirect off;
}

location /jira {
     if ($ssl_client_raw_cert ~ $cert_old) { set $valid_cert_flag 1; }
if ($ssl_client_raw_cert ~ $cert_new) { set $valid_cert_flag 1; }
if ($valid_cert_flag != 1) { return 403 "Invalid certificate\n"; }
       proxy_pass http://127.0.0.1/jira;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      client_max_body_size 10M;
      proxy_redirect off;
   }

Validating via the certificate's fingerprint

Find the sample for the NGINX configuration below:

ssl_verify_client optional;
       ssl_verify_depth 3;
set $fingerprint_old "ENTER_OLD_FINGERPRINT_OF_MIRO_CERTIFICATE_HERE";
set $fingerprint_new "ENTER_NEW_FINGERPRINT_OF_MIRO_CERTIFICATE_HERE";
set $valid_fingerprint_flag 0;

location /jira/plugins/servlet/oauth/authorize {
       proxy_pass http://127.0.0.1/jira/plugins/servlet/oauth/authorize;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      client_max_body_size 10M;
      proxy_redirect off;
}

location /jira/login.jsp {
        proxy_pass http://127.0.0.1/jira/login.jsp;
       proxy_set_header X-Forwarded-Host $host;
       proxy_set_header X-Forwarded-Server $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       client_max_body_size 10M;
       proxy_redirect off;
}

location /jira {
if ($ssl_client_fingerprint = $fingerprint_old) { set $valid_fingerprint_flag 1; }
if ($ssl_client_raw_cert = $fingerprint_new) { set $valid_fingerprint_flag 1; }
if ($valid_fingerprint_flag != 1) { return 403; }
       proxy_pass http://127.0.0.1/jira;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      client_max_body_size 10M;
      proxy_redirect off;
  }

Miro certificates

Old certificate New certificate

The old certificate is valid until April 4, 2023. 

-----BEGIN CERTIFICATE-----
MIIGpTCCBY2gAwIBAgIJAPi0WZHXQHmjMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTIyMDMwMzA5MjExMloX
DTIzMDQwNDA5MjExMlowHjEcMBoGA1UEAxMTamlyYS1jYXJkcy5taXJvLmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALUezlo2EoHrI180Fuke6/I7
LDTT3kucqW6mSHQTJ7l/UYetvsGzT6OxXChHtwXZp5nqwnd7uOz+jCUE0V5+nQUT
K9oP51bzR2LXcUAdohPkbcL9ofrA6ZETuOzdPe6uMJYb3pZBYFIFC2cdCyPyj3T8
QrpmbI4OgpP7LIHI+GlmTAgloy0y17vBms/9ofE6HKsHmV0NHZr6CagdQks7JUFw
VSAfl8THkqHpKI3GOqVeHHyHyOe3+RH7y7lKIj+kNe+znv3iMpk67eJBJHkl+1IF
xeqlRfW1e8EzjENQ2PtJAyEbsoPHAnRu1JdJOsF2Ld1zk7cbQ50YZLHEeY7sxh0C
AwEAAaOCA00wggNJMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDA4BgNVHR8EMTAvMC2gK6AphidodHRw
Oi8vY3JsLmdvZGFkZHkuY29tL2dkaWcyczEtMzg4Ni5jcmwwXQYDVR0gBFYwVDBI
BgtghkgBhv1tAQcXATA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRq
MGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEF
BQcwAoY0aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5
L2dkaWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjA3BgNV
HREEMDAughNqaXJhLWNhcmRzLm1pcm8uY29tghd3d3cuamlyYS1jYXJkcy5taXJv
LmNvbTAdBgNVHQ4EFgQU2wiZ/76DT0QSteUPWyBAumMf5WcwggF+BgorBgEEAdZ5
AgQCBIIBbgSCAWoBaAB2AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1u
AAABf08VaA4AAAQDAEcwRQIgE4b1z73aHpEUm0t767CEbBs5k18P3VL9gde8ffcn
S3ACIQDkdXZoHljAIGAV2Of4u/dADbx32RUQPC6y21BzRzVMHQB2ADXPGRu/sWxX
vw+tTG1Cy7u2JyAmUeo/4SrvqAPDO9ZMAAABf08VaZIAAAQDAEcwRQIgPYI4uMSe
59LnpJF1ivhe7axWAchcyzw3EuLlXMvfSckCIQDEp4u/8B8etyss1qa8yLnPvvn6
+UzwWDMvEDa90zuPWAB2AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS
AAABf08Vag0AAAQDAEcwRQIgFUvaCCOxige+fuCmSCy/Qjo3Mw+XAtPLMzGWYppE
aSsCIQCZdcwDTSjKSKG4OuUO7c9Z1/kENm+BxNfXiJ1kCgW4nTANBgkqhkiG9w0B
AQsFAAOCAQEAf7Bxu7OZiL1188x1ewvIh2CA4jm/U9rJVecdLDylbxTzZBzez3hl
DEUgj5/V5t+CxubJJTzbi6h9gK7sEAEryO6EgO1kZNwKS4sRSKgCoURBBRxv1lEl
yTyuz8OEhgB5MsWFg2AhkUiiGJJhHGCZeCaWJZQeAKnS+yVWHhC0u+f/OD58Gvug
rDlKbiha3WMu3dX1fe/7pIZLVi7Y4Xti2IMbi7DXb+Di315F+4UWZQM0pON8Q/pJ
yowcYPTSF7agUH8526DG43k71HLjKYDnrXi/4JeSl5M0hrwMz2un5hWuFBGbxjGJ
9VSi1PY9bCx1CMj8p6q9/+DmsGd7mFj7CQ==
-----END CERTIFICATE-----
Was this article helpful?
Yes, thanks Not really
Sorry about that! Why wasn't the article helpful?
If you would like to get a reply from the Miro Support team, please create a ticket here
Thank you for your feedback!
Error! Please try later...
Return to top

Related articles