Available on: Enterprise plan
Available for: Jira on-premise (Server / Data Center)
Mutual Transport Layer Security allows establishing an even more secure connection between your Jira instance and Miro. The functionality is automatically supported on all Enterprise-plan accounts and does not require any configuration on the Miro end.
⚠️ NOTE that this article does not present detailed instructions but simply provides a sample configuration and our certificate (at the end of the article). Please consult with your IT team and your system administrators, because depending on your network infrastructure the configuration steps may differ.
Choose the method you prefer and adjust the NGINX configuration that you have using one of the following snippets. Be sure to replace 127.0.0.1 with your Jira instance IP or web address and enter the current version of our certificate instead of ENTER_MIRO_CERTIFICATE_HERE.
Validating via the certificate
Find the sample for the NGINX configuration below:
ssl_verify_client optional;
ssl_verify_depth 2;
set $cert "ENTER_MIRO_CERTIFICATE_HERE";
location /jira/plugins/servlet/oauth/authorize {
proxy_pass http://127.0.0.1/jira/plugins/servlet/oauth/authorize;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
location /jira/login.jsp {
proxy_pass http://127.0.0.1/jira/login.jsp;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
location /jira {
if ($ssl_client_raw_cert !~ $cert) { return 403 "certs"; }
proxy_pass http://127.0.0.1/jira;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
Validating via the certificate's fingerprint
Find the sample for the NGINX configuration below:
ssl_verify_client optional;
ssl_verify_depth 2;
set $fingerprint "ENTER_FINGERPRINT_OF_MIRO_CERTIFICATE_HERE";
location /jira/plugins/servlet/oauth/authorize {
proxy_pass http://127.0.0.1/jira/plugins/servlet/oauth/authorize;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
location /jira/login.jsp {
proxy_pass http://127.0.0.1/jira/login.jsp;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
location /jira {
if ($ssl_client_fingerprint !~ $fingerprint) { return 403; }
proxy_pass http://127.0.0.1/jira;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
Miro certificate
The current certificate is valid until November 25, 2022. Once the new certificate is available, we'll add it to the article.
-----BEGIN CERTIFICATE----- MIIGjjCCBXagAwIBAgIRAKam2ME6pFzHOkCXJDlVQdowDQYJKoZIhvcNAQELBQAw gYQxCzAJBgNVBAYTAlBMMRUwEwYDVQQIDAxNYcWCb3BvbHNraWUxEDAOBgNVBAcM B0tyYWvDs3cxHDAaBgNVBAoTE0RPTUVOWS5QTCBzcC4geiBvLm8xLjAsBgNVBAMT JURPTUVOWSBTU0wgRFYgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMjExMTI1 MDAwMDAwWhcNMjIxMTI1MjM1OTU5WjAeMRwwGgYDVQQDExNqaXJhLWNhcmRzLm1p cm8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtR7OWjYSgesj XzQW6R7r8jssNNPeS5ypbqZIdBMnuX9Rh62+wbNPo7FcKEe3BdmnmerCd3u47P6M JQTRXn6dBRMr2g/nVvNHYtdxQB2iE+Rtwv2h+sDpkRO47N097q4wlhvelkFgUgUL Zx0LI/KPdPxCumZsjg6Ck/ssgcj4aWZMCCWjLTLXu8Gaz/2h8TocqweZXQ0dmvoJ qB1CSzslQXBVIB+XxMeSoekojcY6pV4cfIfI57f5EfvLuUoiP6Q177Oe/eIymTrt 4kEkeSX7UgXF6qVF9bV7wTOMQ1DY+0kDIRuyg8cCdG7Ul0k6wXYt3XOTtxtDnRhk scR5juzGHQIDAQABo4IDXjCCA1owHwYDVR0jBBgwFoAUVjQFv0RyVj2WKdP/MXvv nUVJOakwHQYDVR0OBBYEFNsImf++g09EErXlD1sgQLpjH+VnMA4GA1UdDwEB/wQE AwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD AjBKBgNVHSAEQzBBMDUGCisGAQQBgq14AQEwJzAlBggrBgEFBQcCARYZaHR0cHM6 Ly9jcHMudXNlcnRydXN0LmNvbTAIBgZngQwBAgEwTwYDVR0fBEgwRjBEoEKgQIY+ aHR0cDovL2NybC51c2VydHJ1c3QuY29tL0RPTUVOWVNTTERWQ2VydGlmaWNhdGlv bkF1dGhvcml0eS5jcmwwgYEGCCsGAQUFBwEBBHUwczBKBggrBgEFBQcwAoY+aHR0 cDovL2NydC51c2VydHJ1c3QuY29tL0RPTUVOWVNTTERWQ2VydGlmaWNhdGlvbkF1 dGhvcml0eS5jcnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5j b20wNwYDVR0RBDAwLoITamlyYS1jYXJkcy5taXJvLmNvbYIXd3d3LmppcmEtY2Fy ZHMubWlyby5jb20wggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB2AEalVet1+pEg MLWiiWn0830RLEF0vv1JuIWr8vxw/m1HAAABfVZDs48AAAQDAEcwRQIhANYn1M82 jyJwt/Gs38PXySjTDxk7yUwGFR0rorQ+8ObUAiARWOGKAF4sthQrO0Py1Q571Vzk EN9JxXd9ta0UzrVVRQB2AEHIyrHfIkZKEMahOglCh15OMYsbA+vrS8do8JBilgb2 AAABfVZDs5gAAAQDAEcwRQIgX5iZL7FHNc57IykFeR4iuVl+bEU0e0bqaJiVvhhB eRkCIQC83pz90rl5g2EQtb2GYWav33jiC3GakdRJUt/SYIVGDAB3ACl5vvCeOTkh 8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABfVZDs20AAAQDAEgwRgIhAN2FcIbq TXkQSKg4mLpMyb4TiaFraAsDaxnNUyNnw9NHAiEA8m9FkEOEdIkYZ+WmkWLU7Joc eZiQCF1a0QTetAbkip4wDQYJKoZIhvcNAQELBQADggEBAITdYOGcy1bdYipDq6sv 8gL3oOZuyAL0K9ohQ2gjEMET11N+/cLGjtYnQVbGWNEqUphQOMerZrYdpVBRsMo1 +nVNuGhA4iCLJgqpx4kwDzUNhSa4vLdK1HIVyckky63ACpdlf0Czc3JmWwKcqTdq 7MduhvpHPeResv0YI0MWG1CDu/CuvYRvZRSJPztjVQ9cpumESRa3uyZGKpxmMU6+ bPTRHVpW2+MjAxTHW6ddrEluP5+pI0PJa0jiUS6q3GZGk4eZB2LMADqU5UwJqDbv KQpXFJZOGcDbsIUB6kU3HefT/Vmq4HdUWTJm28AkSDTvzNnXLOnR12zmhxhI56yF vvU= -----END CERTIFICATE-----
Ways to configure
There are two options to choose from when it comes to how the validation will be checked: