Available on: Enterprise Plan
Available for: Jira on-premise (Server / Data Center)
Mutual Transport Layer Security allows establishing an even more secure connection between your Jira instance and Miro. The functionality is automatically supported on all Enterprise plans and does not require any configuration on the Miro end.
⚠️ Note that this article does not present detailed instructions but simply provides a sample configuration and our certificate (at the end of the article). Please consult with your IT team and your system administrators, because depending on your network infrastructure the configuration steps may differ.
Choose the method you prefer and adjust the NGINX configuration that you have using one of the following snippets. Be sure to replace 127.0.0.1 with your Jira instance IP or web address and enter our certificate values instead of ENTER_MIRO_CERTIFICATE_HERE.
Validating via the certificate
Find the sample for the NGINX configuration below:
ssl_verify_client optional;
ssl_verify_depth 3;
set $cert_old "ENTER_OLD_MIRO_CERTIFICATE_HERE";
set $cert_new "ENTER_NEW_MIRO_CERTIFICATE_HERE";
set $valid_cert_flag 0;
location /jira/plugins/servlet/oauth/authorize {
proxy_pass http://127.0.0.1/jira/plugins/servlet/oauth/authorize;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
location /jira/login.jsp {
proxy_pass http://127.0.0.1/jira/login.jsp;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
location /jira {
if ($ssl_client_raw_cert ~ $cert_old) { set $valid_cert_flag 1; }
if ($ssl_client_raw_cert ~ $cert_new) { set $valid_cert_flag 1; }
if ($valid_cert_flag != 1) { return 403 "Invalid certificate\n"; }
proxy_pass http://127.0.0.1/jira;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
Validating via the certificate's fingerprint
Find the sample for the NGINX configuration below:
ssl_verify_client optional;
ssl_verify_depth 3;
set $fingerprint_old "ENTER_OLD_FINGERPRINT_OF_MIRO_CERTIFICATE_HERE";
set $fingerprint_new "ENTER_NEW_FINGERPRINT_OF_MIRO_CERTIFICATE_HERE";
set $valid_fingerprint_flag 0;
location /jira/plugins/servlet/oauth/authorize {
proxy_pass http://127.0.0.1/jira/plugins/servlet/oauth/authorize;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
location /jira/login.jsp {
proxy_pass http://127.0.0.1/jira/login.jsp;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
location /jira {
if ($ssl_client_fingerprint = $fingerprint_old) { set $valid_fingerprint_flag 1; }
if ($ssl_client_raw_cert = $fingerprint_new) { set $valid_fingerprint_flag 1; }
if ($valid_fingerprint_flag != 1) { return 403; }
proxy_pass http://127.0.0.1/jira;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10M;
proxy_redirect off;
}
Miro certificates
The old certificate is valid until April 4, 2024.
-----BEGIN CERTIFICATE-----
MIIGpjCCBY6gAwIBAgIIFQn6dMANr6kwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjMwMzA1MDcyOTAwWhcN
MjQwNDA1MDcyOTAwWjAeMRwwGgYDVQQDExNqaXJhLWNhcmRzLm1pcm8uY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtR7OWjYSgesjXzQW6R7r8jss
NNPeS5ypbqZIdBMnuX9Rh62+wbNPo7FcKEe3BdmnmerCd3u47P6MJQTRXn6dBRMr
2g/nVvNHYtdxQB2iE+Rtwv2h+sDpkRO47N097q4wlhvelkFgUgULZx0LI/KPdPxC
umZsjg6Ck/ssgcj4aWZMCCWjLTLXu8Gaz/2h8TocqweZXQ0dmvoJqB1CSzslQXBV
IB+XxMeSoekojcY6pV4cfIfI57f5EfvLuUoiP6Q177Oe/eIymTrt4kEkeSX7UgXF
6qVF9bV7wTOMQ1DY+0kDIRuyg8cCdG7Ul0k6wXYt3XOTtxtDnRhkscR5juzGHQID
AQABo4IDTzCCA0swDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDgGA1UdHwQxMC8wLaAroCmGJ2h0dHA6
Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJzMS01Mjk0LmNybDBdBgNVHSAEVjBUMEgG
C2CGSAGG/W0BBxcBMDkwNwYIKwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMu
Z29kYWRkeS5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMHYGCCsGAQUFBwEBBGow
aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUF
BzAChjRodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
Z2RpZzIuY3J0MB8GA1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDcGA1Ud
EQQwMC6CE2ppcmEtY2FyZHMubWlyby5jb22CF3d3dy5qaXJhLWNhcmRzLm1pcm8u
Y29tMB0GA1UdDgQWBBTbCJn/voNPRBK15Q9bIEC6Yx/lZzCCAYAGCisGAQQB1nkC
BAIEggFwBIIBbAFqAHcA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsA
AAGGsKyCWwAABAMASDBGAiEA1enIaQQS2O3/YkWzbO0grlm0oys/9KNpBwuQpkHj
eN0CIQCT3v6KQX4fAVCKbHsytHVAWuaajIH3nRC2eWtI9J1kRgB3AEiw42vapkc0
D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABhrCsg0kAAAQDAEgwRgIhALLRymwv
Zvda+sJiaj5YwrD7Sq5UrDQyZpcj+qg9d8rZAiEAhdbDfHD7S6srDTuEE8uo6smb
r38An2L2qp9KV47AV4EAdgDatr9rP7W2Ip+bwrtca+hwkXFsu1GEhTS9pD0wSNf7
qwAAAYawrIPfAAAEAwBHMEUCIQCWaR7Xd1LxMWHQmE4Rti4Af5PKYlHBCHoTayb/
baMuBQIgdEB2HKPQA9y4fjFdwIlPJjaTWkjzr1eDw8wwbv5vrMMwDQYJKoZIhvcN
AQELBQADggEBAC6lyp+jDufdUwvT6lXOnAE4Ty40gMrc6qhMltIaFXYVZ9mgJFWA
Z4YznQGQWZNpd1D7mjJXNxrqy+1I8zEcPIMGd1bwPDvPyVATI6z77D/WRLlqLV94
QkesRauQDAz3iePjbOF0v119IG2Syd/j27DSOyhimxlWzdcnt67tulotaU2hvp6m
yJb72/3/J5eeMrIGttZQRmfTPp0S31MSpdsVyvVy/BEUlV942etysxUAxpw2EFnE
Y+BClbTAGcNTmFSr3vWf1G22wRrclXqZGl8nmn/ITKS3RxxmWhG9HT/olTsgrOAW
kBSO09jSQk/6SksU8co9ftzjISgKAv1R43I=
-----END CERTIFICATE-----
The new certificate is valid until April 6, 2025.
-----BEGIN CERTIFICATE-----
MIIGpTCCBY2gAwIBAgIIQgAbkcMlgcgwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjQwMzA1MDczMDI4WhcN
MjUwNDA2MDczMDI4WjAeMRwwGgYDVQQDExNqaXJhLWNhcmRzLm1pcm8uY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtR7OWjYSgesjXzQW6R7r8jss
NNPeS5ypbqZIdBMnuX9Rh62+wbNPo7FcKEe3BdmnmerCd3u47P6MJQTRXn6dBRMr
2g/nVvNHYtdxQB2iE+Rtwv2h+sDpkRO47N097q4wlhvelkFgUgULZx0LI/KPdPxC
umZsjg6Ck/ssgcj4aWZMCCWjLTLXu8Gaz/2h8TocqweZXQ0dmvoJqB1CSzslQXBV
IB+XxMeSoekojcY6pV4cfIfI57f5EfvLuUoiP6Q177Oe/eIymTrt4kEkeSX7UgXF
6qVF9bV7wTOMQ1DY+0kDIRuyg8cCdG7Ul0k6wXYt3XOTtxtDnRhkscR5juzGHQID
AQABo4IDTjCCA0owDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6
Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJzMS0xODIzNS5jcmwwXQYDVR0gBFYwVDBI
BgtghkgBhv1tAQcXATA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRq
MGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEF
BQcwAoY0aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5
L2dkaWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjA3BgNV
HREEMDAughNqaXJhLWNhcmRzLm1pcm8uY29tghd3d3cuamlyYS1jYXJkcy5taXJv
LmNvbTAdBgNVHQ4EFgQU2wiZ/76DT0QSteUPWyBAumMf5WcwggF+BgorBgEEAdZ5
AgQCBIIBbgSCAWoBaAB1AE51oydcmhDDOFts1N8/Uusd8OCOG41pwLH6ZLFimjnf
AAABjg2FZN4AAAQDAEYwRAIgBc+PVwPjZPnnD0zyCPlQ8+up0MsFlkf7z9PlPi2v
OeYCIBDKD4doMh7x4hyIP+pqzmQGYTdX/o42KHwvrkECwLo6AHYAfVkeEuF4Knsc
YWd8Xv340IdcFKBOlZ65Ay/ZDowuebgAAAGODYVl6gAABAMARzBFAiEA4V4cbend
3S3vD+f0y9Fwka3ckS7Z8lr38PW88pJouGECICfKUoms5n/P/UJiFH/Zq2ZHG8+/
DzfWDctoQdUDWGZVAHcAzPsPaoVxCWX+lZtTzumyfCLphVwNl422qX5UwP5MDbAA
AAGODYVmaQAABAMASDBGAiEAufiFjn4hhkI237cz/mKGRh7nSqBF1KG03eZlE05e
3NMCIQCUInWAC/aNHTAktslNOoDeLxtpfg0M5L5sFpw+77AkeDANBgkqhkiG9w0B
AQsFAAOCAQEAGprOBgqK1Rr2aclZPjtPK6Kgvb6z1D/jBjEfNYVwP8n9BZ7Ewhwf
azl0I+uLqjXojOKPdMmf/3ZyM+2lj7QwCFeKzshKmSvINE48NZX6s5b50JK9a/Yl
LyJvnIv2dZvPktQ1H3of3kYqOAxynzFGJ97iZBXjCiESZU7V+gm4d3ILQLqJaxX9
UPyqVFDoJQQhNbhnjhTdieQdqWte43vMvrgmr1Y6Chd+kY7RxfHcu+2CUEqQo3ay
BrfLpItd34cR58VBcHTrvpK4nFWODCeNqhracTwvyzoGHlKli/nXod183CSSzcFG
0ghxdD7Lyj4notIkK3L2UHKOxz5UqD8kog==
-----END CERTIFICATE-----
Ways to configure
There are two options to choose from when it comes to how the validation will be checked: