Encryption

From an encryption perspective, all direct communication between the two servers uses the Salesforce SOAP API running over HTTPS. This connection is secured with a DigiCert-issued certificate and TLS 1.2 or higher. Currently, the connector uses the following cipher suite to communicate with Salesforce:

ECDHE-RSA-AES256-GCM-SHA384

Here are the references:

If you need to double-check these details, you can set up a test connection from Jira to Salesforce using our connector and confirm the TLS version and cipher suite used from the Salesforce login history. Here are the steps:

  • Setup > Login History > Click "Download Now" (use the CSV file type).

  • Open the downloaded CSV file and check the "TLS Protocol" and "TLS Cipher Suite" columns for the connections from the "CustomWare/Jira/" Application.
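As an added example (not part of the connector or of the steps above), the following script automates that check over the downloaded CSV: it keeps only rows from the "CustomWare/Jira/" application and flags any login that used a protocol below TLS 1.2 or a cipher suite other than the one listed above. The sample CSV and the "Application" and "Login Time" column names are assumptions for this example; only the "TLS Protocol" and "TLS Cipher Suite" columns come from the page.

```python
import csv
import io

# Constructed sample of a Login History export. The "TLS Protocol" and
# "TLS Cipher Suite" column names are as on the page; the other columns
# and all values are assumptions made for this example.
SAMPLE_CSV = """Username,Login Time,Source IP,Status,Application,TLS Protocol,TLS Cipher Suite
jira.integration@example.com,2024-01-05 10:00:00,203.0.113.10,Success,CustomWare/Jira/,TLS 1.2,ECDHE-RSA-AES256-GCM-SHA384
jira.integration@example.com,2024-01-05 11:00:00,203.0.113.10,Success,CustomWare/Jira/,TLS 1.1,ECDHE-RSA-AES256-SHA
alice@example.com,2024-01-05 12:00:00,198.51.100.7,Success,Browser,TLS 1.3,TLS_AES_256_GCM_SHA384
"""

APP_PREFIX = "CustomWare/Jira/"            # connector logins, as named on the page
MIN_TLS = (1, 2)                            # TLS 1.2 and higher is expected
EXPECTED_CIPHERS = {"ECDHE-RSA-AES256-GCM-SHA384"}


def parse_tls_version(label):
    """Turn a label such as 'TLS 1.2' into a comparable (major, minor) tuple.
    Anything unparseable sorts below the minimum so it is always flagged."""
    try:
        major, minor = label.split()[1].split(".")
        return (int(major), int(minor))
    except (IndexError, ValueError):
        return (0, 0)


def audit_login_history(csv_text):
    """Return a list of (login time, problem) for connector logins that
    fall short of the expected TLS version or cipher suite."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only the connector's own logins are of interest here.
        if not row.get("Application", "").startswith(APP_PREFIX):
            continue
        protocol = row["TLS Protocol"]
        cipher = row["TLS Cipher Suite"]
        if parse_tls_version(protocol) < MIN_TLS:
            findings.append((row["Login Time"], f"protocol {protocol} below TLS 1.2"))
        if cipher not in EXPECTED_CIPHERS:
            findings.append((row["Login Time"], f"unexpected cipher suite {cipher}"))
    return findings


if __name__ == "__main__":
    for when, problem in audit_login_history(SAMPLE_CSV):
        print(when, problem)
```

Point the script at the real export by reading the file into `audit_login_history` instead of `SAMPLE_CSV`; an empty result means every connector login met the expected protocol and cipher suite.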

Salesforce is disabling TLS 1.1

As per the announcement from Salesforce, TLS 1.1 will be disabled. This should not affect users who are using Java 8.

Security Design

Jira > Salesforce

Done via authentication using the username, password and API token together. This is repeated periodically to refresh the session if it is terminated for any reason (e.g., because the Salesforce session timed out). Once authenticated, the session token is used for all subsequent requests. A single user account in Salesforce is used to carry out all of the operations.

A security token is an automatically generated key that you must add to the end of your password in order to log in to Salesforce from an untrusted network.

For example, if your password is mypassword, and your security token is XXXXXXXXXX, then you must enter mypasswordXXXXXXXXXX to log in. This is a Salesforce requirement.

Another option is to add your Jira server to the Trusted IP Range. This way the security token is no longer required to access Salesforce from Jira.

Salesforce > Jira

In the standard setup, this is not required as the user logs into Jira to trigger all of the data synchronization from Salesforce to Jira.

The buttons/visualforce pages are links and views into custom actions that we have included as part of the Jira plugin, so essentially the user is triggering a "synchronize" flow in our Jira plugin and from there on, Jira connects to Salesforce to do the heavy lifting.

The Connector uses Jira Application Links to manage the Salesforce credentials. They are stored as clear text in the PROPERTYSTRING table.

Atlassian's recommended practice for production instances is that you do not use Jira's internal/bundled HSQL database and that you restrict access to the database that your Jira instance uses.