This page last changed on Jun 16, 2010 by alui.

This document describes how to configure Confluence Stand-Alone or WAR file using Tomcat to use a self-signed HTTPS encrypted secure socket layer for user logins and page data.

Please note, these instructions only apply to self-signed certificates. If you are trying to install a third-party certificate, you will need to refer to the instructions provided by the authority that issues the certificate instead.
For other Application Servers, or if using Apache HTTPd Web Server, see Using Apache with mod_proxy for instructions on how to terminate an SSL connection at Apache Web Server.

Unencrypted confidential data within Confluence may be intercepted by an attacker. To secure user logins, you can enable access via HTTPS (HTTP over SSL) and require its use for pages where passwords are sent. Where the page content itself is sensitive, all pages can be set to be accessed over HTTPS.

Enabling SSL access is different for each application server, but specifying which pages to require protection for is generic. This document is specific to Tomcat, the default application server shipped with Confluence.

Adding Secure User Logins

Adding HTTPS requires a valid SSL certificate. If you have a Certificate prepared, skip to the 'Modify the <INSTALL>/conf/server.xml File' section.

Creating A New SSL Certificate

Creating a self-signed certificate
The following commands are in reference to JDK 1.5. For commands/syntax relevant to JDK 1.6, please refer to this document.

On Windows, perform the following at the command prompt:

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA

Or on other platforms, perform the following at the command prompt:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

Some questions will be asked, including a password for the certificate (the default is 'changeit'). Please note down what you choose, as it will be used in the next step.

"IE7 on Vista Issue"
If your clients will access Confluence from Internet Explorer 7 on Vista, please ensure that you specify the -keyalg RSA flag. By default the SHA1 algorithm is used, which results in 'Internet Explorer cannot display the webpage' errors on IE7 on Vista. Apparently on JDK 1.6 you also need to specify the -sigalg MD5withRSA flag since -keyalg RSA will still result in SHA1 being used (see this blogpost for more information).

Modify the <INSTALL>/conf/server.xml File

In the confluence directory, open the conf/server.xml file and insert one of the following just after the closing </Engine> tag:

  1. For users of Confluence 2.10 or later:
    Open conf/server.xml, uncomment the lines:
            <Connector port="8443" maxHttpHeaderSize="8192"
                       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                       enableLookups="false" disableUploadTimeout="true"
                       acceptCount="100" scheme="https" secure="true"
                       clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
                       URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
    Or for users of Confluence 2.2 to 2.9.2:
    Open conf/server.xml, uncomment the lines:

    <Connector port="8443" maxHttpHeaderSize="8192"
                       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                       enableLookups="false" disableUploadTimeout="true"
                       acceptCount="100" scheme="https" secure="true"
                       clientAuth="false" sslProtocol="TLS"
                       URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>" />

If your Confluence server is running on Apache Tomcat version 6.0.0 or later, ensure that the attribute SSLEnabled="true" has been added to the Connector tag above.

Establishing a CA-issued Certificate

In preparation for a production instance, an official CA-issued key pair is required. Find instructions in the Tomcat documentation.

Verify the Certificate is in the Correct Location

By default, Tomcat will look for the certificates in the file C:\Documents and Settings\<CURRENT_USER>\.keystore on Windows or ~/.keystore on Unix. If your Certificate is not in this location, you will need to update your <INSTALL>/conf/server.xml file as outlined below, so that Tomcat can find it.

  1. For users of Confluence 2.2 or later:
    Open conf/server.xml, add the keystoreFile="<MY_CERTIFICATE_LOCATION>" parameter to the Connector tag as shown below:
    <Connector port="8443" maxHttpHeaderSize="8192"
                       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                       enableLookups="false" disableUploadTimeout="true"
                       acceptCount="100" scheme="https" secure="true"
                       clientAuth="false" sslProtocol="TLS"
                       URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>" keystoreFile="<MY_CERTIFICATE_LOCATION>" />
Make sure to change your Server Base URL to https.

Specifying URL Patterns to be Redirected

Restart Tomcat and access your instance on https://<MY_BASE_URL>:8443/.

For more detailed information on setting up SSL with Tomcat (including additional configuration options), have a look at Tomcat 5.5 SSL or Tomcat 6 SSL.

Although HTTPS is now activated and available, the old HTTP URLs (http://localhost:8080) are still available. In most situations you want these URLs to keep working, but want some of them to redirect to their HTTPS equivalents.

If you have changed the port that the SSL connector is running on from the preconfigured value of 8443, you must update the redirectPort attribute of the standard HTTP connector to reflect the new SSL port. Tomcat needs this information to know which port to redirect to when an incoming request needs to be secure.
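The following Python script is an added example (not part of the original documentation) that audits a server.xml for the points made in this section and in the SSLEnabled note above: the HTTPS connector must carry SSLEnabled="true" and secure="true", the keystore password should not be keytool's default, and every plain connector's redirectPort must name a port an HTTPS connector actually listens on. Both server.xml fragments are constructed for the example, and the password and keystore path in the corrected one are placeholders.

```python
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE_PASSWORD = "changeit"  # keytool's default, as noted above

# Constructed sample (not a real Confluence file): the HTTPS connector was
# moved to 9443 but the HTTP connector still redirects to 8443, SSLEnabled
# was never added and the keystore password is still the default.
WEAK_SERVER_XML = """<Server><Service name="Tomcat-Standalone">
  <Connector port="8080" redirectPort="8443" maxThreads="150"/>
  <Connector port="9443" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" keystorePass="changeit"/>
  <Engine name="Standalone" defaultHost="localhost"/>
</Service></Server>"""

# The same fragment with the three problems corrected (password and path
# are placeholder values).
FIXED_SERVER_XML = """<Server><Service name="Tomcat-Standalone">
  <Connector port="8080" redirectPort="9443" maxThreads="150"/>
  <Connector port="9443" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" SSLEnabled="true" keystorePass="example-pass"
             keystoreFile="/opt/confluence/.keystore"/>
  <Engine name="Standalone" defaultHost="localhost"/>
</Service></Server>"""


def audit_connectors(server_xml: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    root = ET.fromstring(server_xml)
    connectors = list(root.iter("Connector"))
    https = [c for c in connectors if c.get("scheme") == "https"]
    https_ports = {c.get("port") for c in https}
    findings = []
    if not https:
        findings.append('no Connector with scheme="https" is defined')
    for c in https:
        port = c.get("port")
        if c.get("SSLEnabled") != "true":
            findings.append(f'{port}: SSLEnabled="true" missing (required on Tomcat 6.0.0+)')
        if c.get("secure") != "true":
            findings.append(f'{port}: secure="true" missing')
        if c.get("keystorePass", DEFAULT_KEYSTORE_PASSWORD) == DEFAULT_KEYSTORE_PASSWORD:
            findings.append(f"{port}: keystore still uses the default password")
    # A plain connector must redirect to a port an HTTPS connector listens on.
    for c in connectors:
        if c.get("scheme") != "https" and c.get("redirectPort") not in https_ports:
            findings.append(f"{c.get('port')}: redirectPort={c.get('redirectPort')} is not an HTTPS connector port")
    return findings
```

Running audit_connectors on the weak fragment reports three findings and on the corrected one none; point it at the real file with audit_connectors(open(path).read()) after a configuration change.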

Site-Wide Protection

If using the RSS macro, you may need to configure this with a firewall rule, rather than on Tomcat. See RSS Feed Macro for further information.

If security is a concern, we recommend using SSL encryption site wide, for the reasons listed here: CONF-4116. To do this:

Edit the confluence/WEB-INF/web.xml file and add the following declaration to the end, before the </web-app> tag:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted URLs</web-resource-name>
    <url-pattern>/</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Once this change is made, restart Confluence and access http://localhost:8080. You should be redirected to https://localhost:8443/login.action.

Please note that this will prevent Internet Explorer from downloading attachments correctly if you are using Tomcat. To make this work with IE, modify server.xml or the relevant context file and add

<Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
       disableProxyCaching="true" securePagesWithPragma="false" />

within the <Context> element.

Protection for Login Action Only

As of Confluence 3.0, Atlassian does not support HTTPS for login only. Please see CONF-18120 and CONF-4116 for details on this.

Protection for Individual Spaces

If you want to protect individual spaces, there isn't a complete way of doing this at the moment. You can add a pattern like this:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login and Restricted Space URLs</web-resource-name>
    <url-pattern>/login.action</url-pattern>
    <url-pattern>/display/SALARIES/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
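As an added example (not from the original documentation or from Confluence itself), the following Python code reads the CONFIDENTIAL security constraints out of a web.xml and decides whether a given request path would be forced onto HTTPS, using a simplified version of the servlet url-pattern matching that Tomcat applies to security constraints: exact match, path prefix such as /display/SALARIES/*, extension patterns, and the universal "/" used in the site-wide block above. The web.xml fragment is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not Confluence's real web.xml) carrying the per-space
# constraint shown above.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login and Restricted Space URLs</web-resource-name>
      <url-pattern>/login.action</url-pattern>
      <url-pattern>/display/SALARIES/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def confidential_patterns(web_xml: str) -> list:
    """url-patterns of every constraint whose transport-guarantee is CONFIDENTIAL."""
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in root.iter("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
        if guarantee.strip() == "CONFIDENTIAL":
            patterns += [p.text.strip() for p in sc.iter("url-pattern")]
    return patterns


def pattern_matches(path: str, pattern: str) -> bool:
    """Simplified servlet-spec matching as Tomcat applies it to constraints:
    exact match, path prefix ("/x/*"), extension ("*.ext") or universal "/"."""
    if path == pattern:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def requires_https(path: str, web_xml: str) -> bool:
    """True when the request path falls under a CONFIDENTIAL constraint."""
    return any(pattern_matches(path, p) for p in confidential_patterns(web_xml))
```

Because matching is purely on the request path, any other route to the same content that does not begin with /display/SALARIES/ is left unprotected, which is why the documentation calls this approach incomplete.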

Troubleshooting

Check the Confluence Knowledge Base articles at Troubleshooting SSL.

Document generated by Confluence on Jul 09, 2010 01:08