A key point related to mixed use of HTTP and HTTPS.
It may be noted that RMsis and JIRA could be using the same JRE OR different JRE. If they are running on different JRE, adequate care should be taken to ensure that the certificates are installed at the right locations.
In order to run RMsis on SSL (over https), a certificate must be created and registered with RMsis. Please note that
In the SSL world, certificates fall into two major categories: self-signed and CA-signed
Self signed certificates are useful in cases where you require encryption but do not need to verify the website identity. They are commonly used for testing and on internal corporate networks (intranets).If you are using RMsis within a closed group or Intranet, you can use a self signed certificate.
Run keytool on command line, which is available with JAVA 1.6, and enter the responses against the prompt (a sample is shown here). The keytool utility will prompt you for two passwords: the keystore password and the key password for Tomcat. You must use the same value for both passwords.
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA Enter keystore password: // Password for your java keystore, it is 'changeit' by default What is your first and last name? RMSIS_SERVER // Enter fully qualified server name; for example jira-rmsis.optimizory.com What is the name of your organizational unit? [Unknown]: ORG_UNIT_NAME What is the name of your organization? [Unknown]: ORG_NAME What is the name of your City or Locality? [Unknown]: CITY What is the name of your State or Province? [Unknown]: STATE What is the two-letter country code for this unit? [Unknown]: US Is <CN=ORG_UNIT_NAME, OU=ORG_UNIT, O=ORG_NAME, L=CITY, ST=STATE, C=US> correct? [no]: yes Enter the key password for <key-alias> <RETURN if same as keystore password>: <> // Press Return here and do not specify a password.
Now export the certificate to use it with Tomcat
$JAVA_HOME/bin/keytool -export -alias tomcat -file file.cer // file.cer contains the certificate details to be imported in the next step.
NOTE: Due to the certificate not being signed by a Certification Authority (CA), users may be prompted that the site is untrusted and may have to perform several steps to "accept" the certificate before they can access the site. This usually will only occur the first time they access the site.
If you already have an existing certificate available (for example from a CA like Verisign), please perform the following operation as root (or sudo)
$JAVA_HOME/bin/keytool -import -alias tomcat -file file.cer
Assuming your certificate is called "file.cer" whether obtained by a CA or self generated, the above command will add this certificate to the Truststore.
The keytool utility creates the keystore as a file called .keystore in the current user's home directory.
If this file does not exist, it will be created.
Use keystore switch to specify existing keystore (if any)
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore <PATH_TO_KEYSTORE>/keystoreFile.jks
If JIRA is running on HTTPS, a Public Security Certificate is expected to be installed and accessed by RMsis. For RMsis versions 1.5.2 and later, the system will automatically accept the default certificate configured for JIRA. In case of an exception, you will need to add security certificate of JIRA Server in java trust store which resides at <JRE_PATH>/lib/security/cacerts. Below is a small how-to for certificate installation.