Apptio Open Token for additional security of Jira Data Center Webhooks

Currently, the Targetprocess integration with Jira is based on webhooks, a change notification mechanism. Because the data flows between the systems, usually over a public network, security is a crucial aspect.

By default, webhooks sent from Jira are plain HTTP calls that require an open endpoint on the receiver side. Although Atlassian recently introduced Secure webhooks for Jira Cloud, such improvements are not expected for Jira DC.

Apptio Open Token for Jira Data Center

Considering the lack of Jira DC webhook security, Apptio provides a way to authenticate incoming traffic via Apptio Open Token. The mechanism is based on generating a temporary token from API keys.

Setting up a Targetprocess secured endpoint

Enabling Apptio Open Token authentication causes Targetprocess to reject incoming webhooks that lack a valid token in the apptio-opentoken header. To configure the authentication, follow these steps:

  1. Open Targetprocess settings.
  2. Go to the Integrations section.
  3. Select your profile.
  4. Scroll to the Set up webhook in Jira section.
  5. Set Apptio Open Token as the authentication type.
  6. Press the Save button.

Enhancing Jira DC webhooks with Apptio Open Token

Jira DC does not provide any out-of-the-box mechanism to add a custom header to outgoing webhooks. Therefore, you have to add your own mechanism that supplies the Apptio Open Token.

One possibility is to create a proxy service with the following algorithm:

  1. Catch outgoing webhooks.
  2. Obtain an Apptio Open Token using your API key.
  3. Add the apptio-opentoken header with the obtained token to the webhook.
  4. Forward the webhook to the Targetprocess endpoint.
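
The four proxy steps above, sketched as an added example (not Targetprocess or Apptio code). The token fetch is left as a placeholder `fetch_token` callable because this page does not give the API-key login call; the 300-second cache lifetime, the listen address and the target URL are assumptions.

```python
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "apptio-opentoken"  # header name given on this page
# Headers not copied from the Jira request; an inbound token header is never trusted.
DROP = {"host", "content-length", "connection", "transfer-encoding", TOKEN_HEADER}

class TokenCache:
    """Step 2: cache the temporary token; fetch() stands in for the API-key login."""
    def __init__(self, fetch, ttl_seconds=300, clock=time.monotonic):  # TTL is assumed
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._token, self._expires = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires:
            self._token = self._fetch()
            self._expires = self._clock() + self._ttl
        return self._token

def build_forward_request(target_url, headers, body, token):
    """Step 3: copy the webhook and set the token header, replacing any inbound one."""
    out = {k: v for k, v in headers.items() if k.lower() not in DROP}
    out[TOKEN_HEADER] = token
    return urllib.request.Request(target_url, data=body, headers=out, method="POST")

def make_handler(target_url, cache):
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):  # step 1: catch the outgoing webhook
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            req = build_forward_request(target_url, self.headers, body, cache.get())
            try:  # step 4: forward, then relay the receiver's status back to Jira
                with urllib.request.urlopen(req, timeout=10) as resp:
                    status = resp.status
            except urllib.error.HTTPError as err:
                status = err.code
            except OSError:
                status = 502
            self.send_response(status)
            self.end_headers()
    return Handler

if __name__ == "__main__":
    def fetch_token():  # placeholder: obtain the token with your API key here
        raise NotImplementedError("API-key login call is not given on this page")
    target = "https://targetprocess.example.invalid/webhook"  # placeholder URL
    HTTPServer(("127.0.0.1", 8080), make_handler(target, TokenCache(fetch_token))).serve_forever()
```

Point the Jira webhook URL at the proxy and keep the listener reachable only from the Jira host, since the proxy attaches a valid token to every request it receives.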