Mutual TLS for Jira Cards – Miro Support & Help Center

Available on: Enterprise plan

Available for: Jira on-premise (Server / Data Center)

Mutual Transport Layer Security allows establishing an even more secure connection between your Jira instance and Miro. The functionality is automatically supported on all Enterprise-plan accounts and does not require any configuration on the Miro end.

⚠️ Note that this article does not present detailed instructions but simply provides a sample configuration and our certificate (at the end of the article). Please consult with your IT team and your system administrators, because depending on your network infrastructure the configuration steps may differ.

Ways to configure

There are two options to choose from when it comes to how the validation will be checked:

Via the certificate
Via the certificate's fingerprint

Choose the method you prefer and adjust the NGINX configuration that you have using one of the following snippets. Be sure to replace 127.0.0.1 with your Jira instance IP or web address and enter the current version of our certificate instead of ENTER_MIRO_CERTIFICATE_HERE.

Validating via the certificate

Find the sample for the NGINX configuration below:

ssl_verify_client optional;
ssl_verify_depth 3;
set $cert "ENTER_MIRO_CERTIFICATE_HERE";

location /jira/plugins/servlet/oauth/authorize {
       proxy_pass http://127.0.0.1/jira/plugins/servlet/oauth/authorize;
       proxy_set_header X-Forwarded-Host $host;
       proxy_set_header X-Forwarded-Server $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       client_max_body_size 10M;
       proxy_redirect off;
}

location /jira/login.jsp {
        proxy_pass http://127.0.0.1/jira/login.jsp;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10M;
        proxy_redirect off;
}

location /jira {
      if ($ssl_client_raw_cert !~ $cert) { return 403 "certs"; }
       proxy_pass http://127.0.0.1/jira;
       proxy_set_header X-Forwarded-Host $host;
       proxy_set_header X-Forwarded-Server $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       client_max_body_size 10M;
       proxy_redirect off;
   }

Validating via the certificate's fingerprint

Find the sample for the NGINX configuration below:

ssl_verify_client optional;
        ssl_verify_depth 3;
set $fingerprint "ENTER_FINGERPRINT_OF_MIRO_CERTIFICATE_HERE";

location /jira/plugins/servlet/oauth/authorize {
       proxy_pass http://127.0.0.1/jira/plugins/servlet/oauth/authorize;
       proxy_set_header X-Forwarded-Host $host;
       proxy_set_header X-Forwarded-Server $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       client_max_body_size 10M;
       proxy_redirect off;
}

location /jira/login.jsp {
        proxy_pass http://127.0.0.1/jira/login.jsp;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 10M;
        proxy_redirect off;
}

location /jira {
      if ($ssl_client_fingerprint !~ $fingerprint) { return 403; }
       proxy_pass http://127.0.0.1/jira;
       proxy_set_header X-Forwarded-Host $host;
       proxy_set_header X-Forwarded-Server $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       client_max_body_size 10M;
       proxy_redirect off;
   }

Miro certificate

The certificate is valid until April 4, 2023. Once the new certificate is available, we'll add it to the article.

Articles in this section

Ways to configure

Validating via the certificate

Validating via the certificate's fingerprint

Miro certificate

Related articles