Does Exalate have support for mTLS?

Originally asked by Marijn Stapert on 27 October 2021 (original question)


Is there a way to easily configure this plugin for 2-way SSL between 2 server instances? We could try to make a whitelist entry in our proxy for this, but this requires consent from multiple parties. We're also not 100% sure if this will actually work, so it's not a preferred solution.


Comments:

Francis Martens (Exalate) commented on 27 October 2021

Marijn Stapert - what do you mean by '2-way SSL'?

Marijn Stapert commented on 28 October 2021

2 servers both requiring a certificate to communicate with, so if they want to communicate, both servers need to know each other's identity.

Francis Martens (Exalate) commented on 28 October 2021

Alright - thanks for clarifying.

Exalate is deployed as an add-on on Jira Server, and is using the HTTP configuration of Jira to exchange messages with the Exalate on the other side. So I suspect that the 2-way SSL is enforced by the current configuration - something to be tested.

In addition to this - because not all environments are enabled for such authentication, Exalate signs every message using a symmetric signature.

With this signature, the other end will know that the message is coming from the right source.
More about this is detailed in the Exalate Security and Architecture whitepaper.

Answer by Maximillian Thomas Nadolny on 27 October 2021

Hi

Yes, that is more or less our setup, but no easy way, I am afraid. We have a point-to-point VPN running. We ended up having to add the respective cert to the trust store of the machine and needed to config the firewall. And the remote side had no other way than adding an exception and NATing the traffic directly to the Jira machine.

But although it took some time, this was more than worth it.

Cheers

Max

If you want a more specific answer, I can ask my Arch guy to give me 3-4 bullets on what needed to be done?


Comments:

Marijn Stapert commented on 27 October 2021

Hey Maximillian,

Thanks for the quick answer!

I was afraid of this. At the moment we're looking at different options for dealing with certificates.

If it's no hassle to you, I'd appreciate the list of bullet points. I'm not sure if we'd go down that road, but it could be a good indication whether it's worth pursuing.

Greets,

Marijn