Jira cannot connect to the database through SSL due to FIPS mode: only SunJSSE KeyManagers may be used

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

If the database is configured with SSL and Jira runs on a Java version distributed by Red Hat, Jira may fail during initialization with the following error.

atlassian-jira.log

2021-10-28 13:31:20,879+0000 JIRA-Bootstrap ERROR [c.a.config.bootstrap.DefaultAtlassianBootstrapManager] Could not successfully test your database:
org.postgresql.util.PSQLException: Could not initialize SSL context.
...
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
	at sun.security.ssl.SSLContextImpl.chooseKeyManager(SSLContextImpl.java:167)
	at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:83)
	at javax.net.ssl.SSLContext.init(SSLContext.java:282)
	at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:191)
	... 40 more
2021-10-28 13:31:20,904+0000 JIRA-Bootstrap ERROR [c.a.jira.health.HealthChecks] JIRA couldn't connect to your database
2021-10-28 13:31:20,904+0000 JIRA-Bootstrap ERROR [c.a.jira.health.HealthChecks] JIRA failed to establish a connection to your database.

Environment

Any Jira version that uses Java distributed by Red Hat and connects to a DB configured with SSL.

Diagnosis

The connection errors appear in atlassian-jira.log right after startup.

The easiest way to confirm the vendor of the Java being used by Jira would be to go to Jira administration (gear icon) > System > System Info, and look for the Java Vendor entry.

Java Vendor : Red Hat, Inc.

Cause

This problem is caused by the FIPS compliance mode being enabled by default on newer versions of the JDK, which prevents the proper use of the JKS truststore by the JVM.

Solution

In order to avoid hitting this limitation, you may disable the FIPS mode on your JDK, which should allow Jira to bind to the database using the current configuration.

To do so, we can add the following startup parameter to Jira and then restart the app for the changes to be picked up.

-Dcom.redhat.fips=false

Since Jira is not yet FIPS 140-2 compliant (as per the suggestion below), disabling FIPS mode through the JVM arguments should not make the connection to the database less secure.

The connection between Jira and its database will still be encrypted and protected.

JRASERVER-71975 - Make Jira and other Atlassian self-hosted products FIPS 140-2 compliant
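
The log check from Diagnosis and the flag from Solution can be scripted together. The following is an added example, not Atlassian tooling: the function names are hypothetical, the sample log is constructed from lines of the excerpt above, and it assumes that when a -D property is repeated the last value takes effect.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical, not Atlassian tooling.

# Succeeds when the log shows the FIPS KeyManager failure raised while the
# PostgreSQL JDBC driver was building its SSL context (the trace on this page).
has_fips_keymanager_error() {
    grep -qF 'KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used' "$1" &&
        grep -qF 'org.postgresql.ssl.LibPQFactory' "$1"
}

# Prints the effective com.redhat.fips value found in a JVM argument string,
# or "unset". Assumption: the last -D for a repeated property wins.
fips_flag_state() {
    state=unset
    set -f                      # no glob expansion while splitting the arguments
    for arg in $1; do
        case "$arg" in
            -Dcom.redhat.fips=*) state=${arg#-Dcom.redhat.fips=} ;;
        esac
    done
    set +f
    printf '%s\n' "$state"
}

# Combines both checks into one verdict for a log file and an argument string.
diagnose() {
    if ! has_fips_keymanager_error "$1"; then
        echo "no-fips-error"
    elif [ "$(fips_flag_state "$2")" = "false" ]; then
        echo "flag-set-but-error-logged"   # old log entry, or Jira not restarted yet
    else
        echo "fips-mode-blocks-db-ssl"     # flag absent or not false: apply the Solution
    fi
}

# Constructed sample input: three lines taken from the log excerpt on this page.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Caused by: java.security.KeyManagementException: FIPS mode: only SunJSSE KeyManagers may be used
	at org.postgresql.ssl.LibPQFactory.<init>(LibPQFactory.java:191)
2021-10-28 13:31:20,904+0000 JIRA-Bootstrap ERROR [c.a.jira.health.HealthChecks] JIRA couldn't connect to your database
EOF

diagnose "$sample_log" "-Xms2g -Xmx2g"
diagnose "$sample_log" "-Xms2g -Dcom.redhat.fips=false"
```

Pass the real atlassian-jira.log path and the JVM arguments Jira was actually started with in place of the sample values.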

Updated on March 20, 2025
