Jira Connector firewall settings (self-hosted server)

Applies to

Smartsheet
  • Business
  • Enterprise
Smartsheet Advance Package

Capabilities

Who can use this capability

You must be a Sysadmin on Smartsheet and Jira to configure the connector. You must be a licensed Smartsheet user to create or edit a workflow. You'll also need a Jira account with access to your Jira project. 

This article provides the server and firewall requirements for using a self-hosted Jira server with the Smartsheet for Jira Connector.

If you are not using a firewall and are looking for Jira Connector setup instructions, please view our Jira Cloud and self-hosted Setup.

Prerequisites

Your self-hosted Jira server must meet the following requirements:

  • Jira version 7.2 or higher for self-hosted Jira servers. Jira version 9.0 is not supported. For more information, see Jira version compatibility.
  • Configure your Jira server to allow Smartsheet to connect to it from the Internet. A secure (HTTPS) connection is required.
  • Smartsheet supports a specific set of standard CA (certificate authority) certificates that come with Java.
  • Expired or incomplete certificate authorities will be considered invalid. Inquire with your primary Smartsheet contact before or during purchase.

Configure your firewall to work with the connector 

The Smartsheet for Jira Connector runs in the cloud and needs to connect to your Jira server. If a firewall protects your Jira server, you may need to modify the firewall configuration to enable the connection. 

Things to know

  • By default, Jira uses port 8080 or port 443. However, since a Jira Administrator can change the port Jira uses, confirm with your Jira Administrator which port your Jira server uses.
  • The server must support HTTPS connections. HTTP without HTTPS is not supported.
  • The certificate used to enable HTTPS connections to the server must be valid and must be issued by a well-known certificate authority.

Opening the firewall to the Smartsheet for Jira Connector

Since Smartsheet for Jira runs on the Internet, it must be possible for connections from the Internet to reach the Jira server’s REST API. You have the following options for exposing your Jira server to Smartsheet over the Internet:

Option 1: Allow Connections to Jira

The Jira REST API is served on a custom port on the Apache Tomcat host where Jira is deployed. Since the REST API endpoints are on a separate path from the Jira user interface and login pages, you do not need to permit access to the Jira server’s UI or login screens from the Internet.

You can restrict incoming connections so that they can reach only the following paths on your Jira server:

  • https://<yourJirahost.com>/<context>/rest/* 
  • https://<yourJirahost.com>/<context>/auth/*
  • https://<yourJirahost.com>/<context>/plugins/*

You can restrict and prevent Internet connections to all other paths on your Jira server.
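The path restriction in Option 1 only holds if the filter compares the same path that Tomcat will resolve, so the added example below (not Smartsheet or Atlassian code) canonicalizes each request target before matching it against the three listed prefixes. The `/jira` context path and all sample request targets are constructed for illustration.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# The three sub-paths the article lists, relative to the Jira context path.
ALLOWED = ("rest", "auth", "plugins")

def canonical_path(raw: str) -> Optional[str]:
    """Reduce a request target to the path the backend resolves, or None to refuse."""
    path = raw.split("?", 1)[0]
    decoded = unquote(path)
    if unquote(decoded) != decoded:       # double-encoded input hides the real path
        return None
    if not decoded.startswith("/") or any(c in decoded for c in "\\;\x00"):
        return None                       # ';' and '\' may be parsed differently by proxy and Tomcat
    # Collapse repeated slashes, then resolve '.' and '..' segments.
    return posixpath.normpath(re.sub(r"/+", "/", decoded))

def is_allowed(raw: str, context: str = "/jira") -> bool:
    """True only if the canonical path sits under <context>/rest, /auth or /plugins."""
    path = canonical_path(raw)
    if path is None:
        return False
    ctx = context.rstrip("/")
    # Match on a segment boundary so '/jira/restricted' does not pass as '/jira/rest'.
    return any(path.startswith(f"{ctx}/{name}/") for name in ALLOWED)

# Constructed request targets, not taken from real traffic.
SAMPLES = [
    "/jira/rest/api/2/issue/DEMO-1",
    "/jira/rest/api/2/search?jql=project=DEMO",
    "/jira/plugins/servlet/oauth/request-token",
    "/jira/login.jsp",
    "/jira/secure/Dashboard.jspa",
    "/jira/restricted",
    "/jira/rest/../secure/admin",
    "/jira/rest/%2e%2e/secure/admin",
    "/jira/rest/%252e%252e/secure/admin",
]

def audit(paths=SAMPLES, context="/jira"):
    """Map each request target to the allow/deny decision."""
    return {p: is_allowed(p, context) for p in paths}

if __name__ == "__main__":
    for target, ok in audit().items():
        print("ALLOW" if ok else "DENY ", target)
```

Only the first three sample targets are allowed; the rest are denied because they resolve outside the listed prefixes or cannot be canonicalized safely.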

Option 2: Reverse Proxy

If you use a reverse proxy in your firewall, Jira must be aware of the proxy to ensure the correct addresses and URLs are sent back to the client. If you receive an OAuth Signature Rejected error while setting up a connection, or for more information on configuring Jira with a proxy server, see Atlassian's documentation.

Atlassian provides the following resources on how to secure Jira:

Verifying the connection to my Jira server is from Smartsheet and is secure

The following measures ensure the security and authentication of the Smartsheet for Jira Connector and your Jira server.

Allowing HTTPS/TLS traffic

Your Jira server must allow connections over HTTPS/TLS using a certificate issued from a well-known, credible certificate authority. This ensures the following:

  • Since your certificate is private and only available to you, when Smartsheet for Jira connects to your Jira server, our system knows that it is connecting to your Jira server, that it hasn’t been redirected by an attacker to another server, and that there is no man-in-the-middle (MITM) attack in progress.
  • By using HTTPS/TLS, all traffic between Smartsheet for Jira and your Jira server is encrypted.

Jira application link authentication

When the Jira Administrator sets up a connection between the Smartsheet for Jira Connector and their Jira server, Smartsheet generates an RSA Public/Consumer key pair unique to each organization instance and the Jira server registered with Smartsheet for Jira.

  • The Jira Connector Admin supplies the public key to their Jira server to set up the Application Link. In every request/call Smartsheet for Jira makes to the organization’s Jira server, Smartsheet for Jira signs the request with Smartsheet’s Consumer key, which Jira verifies using the public key copied when registering the Application Link.
  • Use of RSA Public/Consumer keys ensures only Smartsheet for Jira is making connections to the Jira server. No other system has the Consumer key corresponding to the Public key used to authenticate every API request sent to Jira. No other person or system on the Internet will have authenticated access to your Jira server’s REST API.
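The request signing described above and the OAuth Signature Rejected error mentioned under Option 2 are linked: the signed input includes the request URL, so a Jira server that is unaware of its reverse proxy rebuilds a different input and verification fails. The added example below (not Smartsheet or Atlassian code) builds that input, assuming the Application Link uses OAuth 1.0a signing as specified in RFC 5849, which the page does not state; hostnames and parameter values are constructed.

```python
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value: str) -> str:
    """Percent-encode as RFC 5849 section 3.6 requires (only unreserved characters stay)."""
    return quote(value, safe="-._~")

def base_string_uri(url: str) -> str:
    """Scheme, lower-cased host, non-default port and path; the query is handled separately."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    default_port = {"http": 80, "https": 443}[scheme]
    host = u.hostname if u.port in (None, default_port) else f"{u.hostname}:{u.port}"
    return f"{scheme}://{host}{u.path or '/'}"

def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """Build the string that the caller signs and the server re-creates to verify."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True) + list(oauth_params.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def same_signed_input(method: str, signer_url: str, verifier_url: str, oauth_params: dict) -> bool:
    """A signature can only verify if both sides derive the same base string."""
    return (signature_base_string(method, signer_url, oauth_params)
            == signature_base_string(method, verifier_url, oauth_params))

# Constructed values: hostnames, consumer key, nonce and timestamp are placeholders.
PARAMS = {
    "oauth_consumer_key": "example-consumer",
    "oauth_nonce": "constructed-nonce",
    "oauth_signature_method": "RSA-SHA1",
    "oauth_timestamp": "1700000000",
}
PUBLIC_URL = "https://jira.example.com/rest/api/2/issue/DEMO-1"            # URL the caller signs
BACKEND_URL = "http://jira-internal.example:8080/rest/api/2/issue/DEMO-1"  # proxy-unaware view
PROXY_AWARE_URL = "https://JIRA.example.com:443/rest/api/2/issue/DEMO-1"   # equal after normalization

if __name__ == "__main__":
    print(signature_base_string("GET", PUBLIC_URL, PARAMS))
    print("proxy-unaware Jira matches:", same_signed_input("GET", PUBLIC_URL, BACKEND_URL, PARAMS))
    print("proxy-aware Jira matches:  ", same_signed_input("GET", PUBLIC_URL, PROXY_AWARE_URL, PARAMS))
```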

Error messages and FAQs

Error: Connection refused by Jira host. Please verify that the Jira host URL is correct and accessible.

You’ll receive this error message if the Connector can't access your Jira server, or if the Public Key and Consumer Key were entered incorrectly. Since Smartsheet for Jira is on the Internet, it must be possible for connections from the Internet to reach the Jira server’s REST API. Ensure you are using a port that allows for HTTPS (e.g. 8080 or 443), as HTTP is not supported.

Error: Unable to find a valid SSL certificate on the Jira host. Please have your Jira Administrator install a valid certificate (note that expired certificates are considered invalid).

To use the Smartsheet for Jira Connector with a self-hosted server, you will need to use a certificate from a trusted certificate authority, and the certificate must be valid. Some examples of when a certificate authority will be considered invalid are:

  • The certificate is not installed correctly.

  • The intermediate certificate chain is missing.

  • The certificate is from a trusted authority, but may be signed by an untrusted authority.

If your Jira server is publicly available, or your firewall is temporarily open, you can use a third-party SSL test tool (for example, SSL/TLS server assessment service provided by Qualys SSL Labs (www.ssllabs.com)) to check if your certificate has been installed correctly. If you notice any errors specifying the certificate is incomplete, you may need to contact the certificate supplier directly for assistance in resolving common errors, or for information on where to download missing or incomplete certificates.

IMPORTANT: Although your certificate may be installed correctly, it still may not be a certificate supported by Smartsheet. If you still receive the above error after you’ve checked your certificates, please reach out to Smartsheet Support.

Are there IP addresses used with Jira I can add to the Allowlist in our firewall?

Adding an IP address, or a range of IP addresses, of incoming connections to the Allowlist does not offer any meaningful improvement to security. Smartsheet publishes a DNS A record at aws.relay.smartsheet.com, which you can add to the Allowlist in your firewall. The DNS A record resolves to the Jira Connector's outgoing IP address.

We do not recommend resolving this DNS A record to the underlying IP address and adding that IP address to the Allowlist: if we change it, which can happen, Smartsheet will no longer be able to connect to your Jira server. When you add the DNS A record to your Allowlist, your firewall rules continue to permit Smartsheet for Jira to connect when the underlying IP addresses change.