
[JRASERVER-71975] Make Jira and other Atlassian self-hosted products FIPS 140-2 compliant

    • Type: Suggestion
    • Resolution: Unresolved
    • Environment: Java

      We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem Definition

      At the moment, Atlassian products do not implement any FIPS 140-2 compliant cryptographic modules on self-hosted instances, which several customers require in order to keep using our tools.

      Suggested Solution

      Implement the required cryptographic modules on Atlassian products to ensure they are FIPS 140-2 compliant.

      Workaround

      It appears to be possible to achieve this on self-hosted products at the JVM and/or OS level.

      Comments

            Guru Darbar added a comment - edited

            We were able to work around this issue by following this guide:
            https://access.redhat.com/documentation/en-us/red_hat_build_of_openjdk/11/html/configuring_red_hat_build_of_openjdk_11_on_rhel_with_fips/config-fips-in-openjdk

            YMMV

            Obviously still not entirely FIPS compliant, but the application runs with FIPS enabled so that's good.


            Melanie Rogers added a comment -

            Our DoD agency requires applications to be FIPS compliant. Please share the details on a workaround as this is critical to get resolved as soon as possible.

            Jira Server Data Center v9.12.1

            05-Jan-2024 10:13:34.530 SEVERE [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
                java.lang.IllegalStateException: The FIPS provider must be configured as the default provider when the AprLifecycleListener is configured with FIPS mode [on]
                    at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:313)

            Nancy Debnam added a comment -

            One can add a listener in the server.xml file:

            <Listener className="org.apache.catalina.core.AprLifecycleListener"
                      SSLEngine="on"
                      FIPSMode="on"/>

            However, doing so generates an error at startup:

                org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Failed to initialize the SSLEngine.
                java.lang.Exception: FIPS was not available to tcnative at build time. You will need to re-build tcnative against an OpenSSL with FIPS.

            So, it would appear that this is available, but Tomcat needs to be recompiled before it can be used.
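The two startup failures quoted in the comments above come from configuration that can be checked before Jira is restarted: whether server.xml asks Tomcat for FIPS mode, and whether the JDK's java.security lists a FIPS provider first. The following pre-flight check is an added example, not code from Atlassian, Tomcat or the commenters; the server.xml and java.security contents are constructed samples, and the rule that a SunPKCS11 provider pointing at an NSS FIPS config counts as "the FIPS provider" is an assumption. It cannot see the third condition (tcnative built against a FIPS OpenSSL), which only shows up at runtime.

```python
"""Pre-flight check for the Tomcat FIPS workaround (added example, constructed inputs)."""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Constructed sample: the listener as quoted in the comment above, inside a minimal server.xml.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" FIPSMode="on"/>
</Server>"""

# Constructed samples of the security.provider.N ordering from a JDK java.security file.
JAVA_SECURITY_STOCK = "security.provider.1=SUN\nsecurity.provider.2=SunRsaSign\n"
JAVA_SECURITY_FIPS = ("security.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg\n"
                      "security.provider.2=SUN\n")

def apr_fips_mode(server_xml: str) -> Optional[str]:
    """FIPSMode attribute of the AprLifecycleListener (lower-cased), or None if no listener."""
    for listener in ET.fromstring(server_xml).iter("Listener"):
        if listener.get("className") == APR_LISTENER:
            return (listener.get("FIPSMode") or "off").lower()
    return None

def default_provider(java_security: str) -> Optional[str]:
    """The provider listed as security.provider.1, i.e. the JCA default provider."""
    providers = {}
    for line in java_security.splitlines():
        m = re.match(r"\s*security\.provider\.(\d+)\s*=\s*(.+)", line)
        if m:
            providers[int(m.group(1))] = m.group(2).strip()
    return providers.get(1)

def is_fips_provider(provider: str) -> bool:
    """Assumption: a PKCS#11 provider configured with an NSS FIPS config is the FIPS provider."""
    return provider.startswith("SunPKCS11") and "fips" in provider.lower()

def audit(server_xml: str, java_security: str) -> List[str]:
    """Return human-readable findings; an empty list means the two settings agree."""
    findings = []
    mode = apr_fips_mode(server_xml)
    first = default_provider(java_security)
    if mode is None:
        findings.append("no AprLifecycleListener in server.xml; Tomcat FIPS mode is not requested")
    elif mode == "on" and not (first and is_fips_provider(first)):
        findings.append(f"FIPSMode=on but default JCA provider is {first!r}: Tomcat will refuse "
                        "to initialize the SSLEngine (the IllegalStateException quoted above)")
    return findings

if __name__ == "__main__":
    for label, sec in (("stock JDK", JAVA_SECURITY_STOCK), ("FIPS JDK", JAVA_SECURITY_FIPS)):
        print(label, audit(SERVER_XML, sec) or ["ok"])
```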

            cpelote added a comment -

            Any updates on this?  This would be a requirement if we need to run Jira on-prem to achieve FedRAMP.


            matt added a comment -

            How is this not even being worked yet? I work in a DoD environment, and this is a major issue!


            Vincent Mulkowsky added a comment -

            I would like the details of the workaround.

            Alex Kulichkov added a comment -

            @Atlassian, same as previous commenters, we have multiple instances that need to be compliant, especially the higher-level ATOs.

            BrianO added a comment - edited

            Our agency requires applications to be FIPS compliant. As previously stated, lack of compliance can negatively impact our Authority To Operate (ATO).


            James.Westbrook added a comment -

            I represent a firm that has worked with over 100 customers for FedRAMP compliant environments, all of whom would benefit greatly from Atlassian products ensuring they are FIPS 140-2 compliant. There is a massive gap of good ticketing and DevOps tooling with FIPS mode available.

            Rob Steel added a comment -

            Any updates from Atlassian?


              Assignee: Unassigned
              Reporter: Rodrigo Rosa (rrosa@atlassian.com)
              Votes: 65
              Watchers: 82