Jira Connector Firewall FAQ (Self-Hosted Server)

This article provides the server and firewall requirements that must be in place before you configure a self-hosted server on the Smartsheet for Jira Connector. If you are not using a firewall and are looking for Jira Connector setup instructions, please view our Jira Cloud and Self-Hosted Setup article in the Help Center.

Before You Begin: Requirements

To ensure a successful setup of the Smartsheet for Jira Connector, your Self-Hosted Jira server must meet the following requirements:

  • Jira version 7.2 or higher for Self-Hosted Jira servers.
  • Your Jira server must be configured to allow Smartsheet to connect to it from the Internet: A secure (https) connection is required.

    NOTE: Smartsheet supports a specific set of standard CA (certificate authority) certificates that come with Java.
     
  • Expired or incomplete certificate authorities will be considered invalid. Inquire with your primary Smartsheet contact before or during purchase. 
  • If you’re using a firewall, please also review Configuring the Firewall below for additional requirements.

Configure Your Firewall to Work with the Connector

You may need to change firewall settings to enable communication between your Self-Hosted Jira server and the cloud-based Smartsheet for Jira Connector. Keep the following in mind:

  • The Smartsheet for Jira Connector runs in the cloud and needs to be able to connect to your Jira server. If your Jira server is protected by a firewall, your organization’s IT Administrator may need to modify the firewall configuration to enable Smartsheet to connect to your Jira server's REST API from the Internet.
  • By default, Jira uses port 8080 or port 443. However, since it is possible for a Jira Administrator to change the port Jira uses, it is necessary to confirm with your Jira Administrator which port your Jira server uses.
  • The server must support https connections (to ensure security, http without https is not supported).
  • The certificate used to enable https connections to the server must be valid and must be issued by a well-known certificate authority.

Is it necessary to open my firewall to use the Smartsheet for Jira Connector? 

Yes—since Smartsheet for Jira runs on the Internet, it must be possible for connections from the Internet to reach the Jira server’s REST API. You have the following options for exposing your Jira server to Smartsheet over the Internet:

Option 1:  Allow Connections to Jira

The Jira REST API is served on a custom port on the Apache Tomcat host that Jira was deployed on. Since the REST API endpoints are on a separate path from the Jira User Interface and login pages, you do not need to permit access to the Jira server’s UI or login screens from the Internet.
You can restrict incoming connections so that they can reach only the following paths on your Jira server:

  • https://<yourJirahost.com>/<context>/rest/* 
  • https://<yourJirahost.com>/<context>/auth/*
  • https://<yourJirahost.com>/<context>/plugins/ 

You can restrict and prevent Internet connections to all other paths on your Jira server.
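
One way to express the Option 1 restriction as a testable rule, as an added example that is not Smartsheet's or Atlassian's code. It goes slightly beyond the text by normalizing the path before matching, so that encoded or dot-segment paths cannot slip past a simple prefix rule. The host name, the /jira context path and the sample URLs are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumption: Jira is deployed under the context path "/jira" ("" if at the root).
CONTEXT = "/jira"
# The three path prefixes the article lists for the Connector.
ALLOWED_PREFIXES = ("/rest/", "/auth/", "/plugins/")


def is_allowed(url: str, context: str = CONTEXT) -> bool:
    """Return True only when the URL targets one of the permitted paths."""
    parts = urlsplit(url)
    if parts.scheme != "https":  # http without https is not supported
        return False
    path = unquote(parts.path)
    # Reject what a proxy and Tomcat may interpret differently: leftover
    # percent signs (double encoding), backslashes, NUL bytes, and ";"
    # (Tomcat treats it as a path-parameter delimiter).
    if any(ch in path for ch in "%\\\x00;"):
        return False
    # Collapse "." and ".." segments before matching, then compare with a
    # trailing slash so "/jira/restricted" does not match "/jira/rest/".
    normalized = posixpath.normpath(path) + "/"
    return any(normalized.startswith(context + p) for p in ALLOWED_PREFIXES)


# Constructed sample requests (jira.example.com is a placeholder host).
SAMPLES = [
    "https://jira.example.com/jira/rest/api/2/issue/ABC-1",
    "https://jira.example.com/jira/plugins/",
    "https://jira.example.com/jira/login.jsp",
    "https://jira.example.com/jira/rest/../login.jsp",
    "https://jira.example.com/jira/rest/%2e%2e/login.jsp",
    "https://jira.example.com/jira/rest/%252e%252e/login.jsp",
    "https://jira.example.com/jira/restricted/page",
    "http://jira.example.com/jira/rest/api/2/issue/ABC-1",
]


def evaluate(urls=SAMPLES):
    """Map each URL to the allow/deny decision."""
    return {u: is_allowed(u) for u in urls}


if __name__ == "__main__":
    for url, ok in evaluate().items():
        print("ALLOW" if ok else "DENY ", url)
```

The same decisions can be replayed against the real firewall or proxy rule from outside the network to confirm that it denies everything the function denies.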

Option 2: Reverse Proxy

If you are using a reverse proxy in your firewall, Jira must be aware of the proxy to ensure that the correct addresses and URLs are sent back to the client. If you receive an OAuth Signature Rejected error while setting up a connection, or if you need more information on how to correctly configure Jira when a proxy server is being used, see Atlassian's documentation at https://confluence.atlassian.com/display/APPLINKS/OAuth+troubleshooting+guide#OAuthtroubleshootingguide-OAuthsignaturerejected

Atlassian provides the following recommended resource on how to secure Jira, even when it’s publicly exposed to the Internet:

How can I verify that the connection to my Jira server is from Smartsheet and is secure?

We take the following measures to ensure the security and authentication of the Smartsheet for Jira Connector and your Jira server.

Allowing HTTPS/TLS Traffic

Your Jira server must allow connections over HTTPS/TLS using a certificate issued from a well-known credible certificate authority. This measure ensures the following:

  • Since your certificate is private and only available to you, when Smartsheet for Jira connects to your Jira server, our system knows that it is connecting to your Jira server, that it hasn’t been redirected by an attacker to another server, and that there is no man-in-the-middle (MITM) attack in progress.
  • By using HTTPS/TLS, all traffic between Smartsheet for Jira and your Jira server is encrypted.

Jira Application Link Authentication

When the Jira Administrator sets up their connection between the Smartsheet for Jira Connector and their Jira server, Smartsheet generates an RSA Public/Consumer key pair that is unique to each organization instance and the Jira server that is registered with Smartsheet for Jira.

  • The Jira Connector Admin will paste the public key into their Jira server to set up the "Application Link". In every request/call that Smartsheet for Jira makes to the organization’s Jira server, Smartsheet for Jira signs the request with Smartsheet’s Consumer key, which Jira verifies using the public key copied when registering the Application Link.
  • Use of RSA Public/Consumer keys ensures that only Smartsheet for Jira is making connections to the Jira server. This is because no other system has the Consumer key corresponding to the Public key, which is used to authenticate every API request sent to Jira. This ensures that no other person or system on the Internet will be able to have authenticated access to your Jira server’s REST API.

Are there IP addresses used with Jira that I can whitelist in our firewall? 

The measures taken to ensure security between the Smartsheet and Jira applications are outlined above (How to Allow Connections to Jira and Security Detail) and we believe that whitelisting the IP address, or a range of IP Addresses, of incoming connections does not offer any meaningful improvement to security. Smartsheet publishes a DNS A record at aws.relay.smartsheet.com which can be whitelisted in your firewall. The DNS A record will resolve to the Jira Connector's outgoing IP Address. 

We do not recommend that you resolve this DNS A record to the underlying IP address and whitelist that IP address: if we change it, which can happen, Smartsheet will no longer be able to connect to your Jira server. By whitelisting the DNS A record, your firewall rules will continue to permit Smartsheet for Jira to connect when the underlying IP addresses change.

Troubleshooting Self-Hosted Connection Error Messages

Error: Connection refused by Jira host. Please verify that the Jira host URL is correct and accessible.

You’ll receive this error message if the Connector is unable to access your Jira server, or if the Public Key and Consumer Key have been entered incorrectly. Since Smartsheet for Jira is on the Internet, it must be possible for connections from the Internet to reach the Jira server’s REST API. You will need to ensure that you are using a port which allows for HTTPS (e.g. 8080 or 443), as HTTP is not supported.

Error: Unable to find a valid SSL certificate on the Jira host. Please have your Jira Administrator install a valid certificate (note that expired certificates are considered invalid).

In order to use the Smartsheet for Jira Connector with a Self-Hosted server, you will need to use a certificate from a trusted certificate authority, and the certificate must be valid. Some examples of when a certificate authority will be considered invalid are:

  • The certificate is not installed correctly.
  • The intermediate certificate chain is missing.
  • The certificate is from a trusted authority, but may be signed by an untrusted authority.

If your Jira server is publicly available, or your firewall is temporarily open, you can use a third-party SSL test tool (for example, SSL/TLS server assessment service provided by Qualys SSL Labs (www.ssllabs.com)) to check if your certificate has been installed correctly. If you notice any errors specifying the certificate is incomplete, you may need to contact the certificate supplier directly for assistance in resolving common errors, or for information on where to download missing or incomplete certificates.

IMPORTANT: Although your certificate may be installed correctly, it still may not be a certificate that is supported by Smartsheet. If you still receive the above error after you’ve checked your certificates, please reach out to Smartsheet Support.
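
When the firewall cannot be opened to a third-party test tool, the same certificate problems can be checked from any machine that can reach the Jira server. The following is an added example, not Smartsheet's code; it validates against the local system trust store rather than the Java CA set, so a pass here does not guarantee the certificate is one Smartsheet supports. The host name is a placeholder.

```python
import socket
import ssl
from datetime import datetime, timezone

# OpenSSL verification codes mapped to the failure cases the article lists.
VERIFY_CAUSES = {
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate (not issued by a trusted CA)",
    19: "chain ends in a root that is not in the trust store",
    20: "issuer not found: intermediate chain missing or CA untrusted",
    21: "issuer not found: intermediate chain missing or CA untrusted",
    62: "certificate does not match the host name",
}


def explain(verify_code: int) -> str:
    """Translate an OpenSSL verify code into a likely cause."""
    return VERIFY_CAUSES.get(
        verify_code, f"verification failed (OpenSSL code {verify_code})")


def days_left(cert: dict, now: float) -> int:
    """Days until expiry for a dict as returned by SSLSocket.getpeercert()."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def check_tls(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Connect like a strict client: full chain and host-name verification."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                now = datetime.now(timezone.utc).timestamp()
                left = days_left(tls.getpeercert(), now)
                return f"OK: {tls.version()}, expires in {left} days"
    except ssl.SSLCertVerificationError as exc:
        return "INVALID: " + explain(exc.verify_code)
    except ssl.SSLError as exc:
        return f"TLS handshake failed (is this an HTTPS port?): {exc.reason}"
    except OSError as exc:
        return f"UNREACHABLE: {exc}"


if __name__ == "__main__":
    # Placeholder host and port; substitute your own Jira server.
    print(check_tls("jira.example.com", 443))
```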

SMARTSHEET IS NOT RESPONSIBLE OR LIABLE FOR THE AVAILABILITY, ACCURACY, FUNCTIONALITY, ADHERENCE TO THIRD PARTY POLICIES, OR LEGALITY OF ANY THIRD PARTY SERVICES, WEBSITES OR OTHER RESOURCES REFERENCED IN THIS ARTICLE, AND SMARTSHEET DOES NOT ENDORSE ANY SUCH SERVICES, WEBSITES OR RESOURCES, OR THE CONTENT, PRODUCTS OR SERVICES AVAILABLE THEREFROM. YOU ASSUME ALL RISK ARISING FROM YOUR USE OF ANY SUCH THIRD PARTY SERVICES, WEBSITES OR RESOURCES, AND YOU ARE SOLELY RESPONSIBLE FOR COMPLIANCE WITH ANY APPLICABLE TERMS OF USE.
