Upgrading while having -Datlassian.secret.service.state=disabled breaks LDAP

XMLWordPrintable

    • Type: Bug
    • Resolution: Not a bug
    • Priority: Medium
    • None
    • Affects Version/s: 10.5.0, 10.5.1, 10.6.0
    • Component/s: Upgrade
    • None
    • 10.05
    • 6
    • Severity 2 - Major
    • 21
    • Hide
      Atlassian Update – 10 November 2025

      Dear Customers,

      Thank you for your valuable feedback and for taking the time to report and comment on this issue. After a thorough review, we would like to clarify that this behavior is not a bug.

      With the introduction of Secret Service in Jira Version 10.2, LDAP credentials are no longer stored in plain text. Credentials that have already been encrypted using a Secret Service cannot be automatically decrypted if Secret Service is disabled. This design is intentional and is aimed at protecting sensitive information, such as LDAP passwords and application link secrets, as part of our ongoing commitment to secure operations.

      To further support a smooth startup experience, we have implemented a startup check that verifies whether the Secret Service is correctly configured. If Jira detects that secrets are encrypted but Secret Storage is disabled, the startup process will be paused and you will receive clear guidance on how to resolve the issue. This behaviour is included in Jira Data Center 11.3 version.

      As this is expected and intended behavior, we will be closing this issue. If you have encountered challenges that required you to disable Secret Service, we encourage you to contact our Support team. Your feedback is invaluable and will help us continue to improve our products and services.

      Thank you for your understanding and partnership.

      Best regards,
      Maria Mikolajczak
      Jira DC Engineering

      Learn more about Secret Storage
       

      Show
      Atlassian Update – 10 November 2025 Dear Customers, Thank you for your valuable feedback and for taking the time to report and comment on this issue. After a thorough review, we would like to clarify that this behavior is not a bug . With the introduction of Secret Service in Jira Version 10.2, LDAP credentials are no longer stored in plain text. Credentials that have already been encrypted using a Secret Service cannot be automatically decrypted if Secret Service is disabled. This design is intentional and is aimed at protecting sensitive information, such as LDAP passwords and application link secrets, as part of our ongoing commitment to secure operations. To further support a smooth startup experience, we have implemented a startup check that verifies whether the Secret Service is correctly configured. If Jira detects that secrets are encrypted but Secret Storage is disabled, the startup process will be paused and you will receive clear guidance on how to resolve the issue. This behaviour is included in Jira Data Center 11.3 version. As this is expected and intended behavior, we will be closing this issue. If you have encountered challenges that required you to disable Secret Service, we encourage you to contact our Support team. Your feedback is invaluable and will help us continue to improve our products and services. Thank you for your understanding and partnership. Best regards, Maria Mikolajczak Jira DC Engineering Learn more about Secret Storage  

      Issue Summary

      When the startup parameter -Datlassian.secret.service.state=disabled is set, after an upgrade (or running "docker run...") external directories are not able to sync, nor are their passwords able to be updated.

      Steps to Reproduce

      1. Have a Jira instance with an external directory attached
      2. Stop Jira
      3. Add the startup parameter -Datlassian.secret.service.state=disabled
      4. Run a Jira upgrade (or a docker run... for docker instances)

      Expected Results

      Jira will start successfully, the associated passwords remain unencrypted, and LDAP logins and synchronizations continue to be successful

      Actual Results

      LDAP won't sync, causing logins via the LDAP directory to fail and generating an error on the login page of "com.atlassian.crowd,exception.runtime.OperationFailedException".

      Additionally, attempting to update the LDAP password in the UI fails (though just running a test will succeed)

      Relevant Information

      Please refer to the following KB articles to learn more about encryption in Jira

      Workaround

      Removing the startup parameter, starting Jira, and resaving the password on the LDAP directory allows the directory to sync once again.
      This will cause the associated passwords to be encrypted on restart

        1. image.png
          image.png
          71 kB
        2. image-2025-06-11-10-46-18-855.png
          image-2025-06-11-10-46-18-855.png
          101 kB

            Assignee:
            Maria Marzec
            Reporter:
            Mateo
            Votes:
            2 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: