Apptio Open Token for additional security of Jira Data Center Webhooks

Currently Targetprocess integration with Jira is based on webhooks, change notification mechanism. As the data flows across the systems, usually over the public network, security is a crucial aspect. 

The webhooks sent from Jira are plain http calls requiring an open endpoint on the receiver side by default. Although Atlassian introduced Secure webhooks for Jira Cloud recently (see: https://developer.atlassian.com/cloud/jira/platform/webhooks/#secure-admin-webhooks) such improvements are not expected for Jira DC. 

Apptio Open Token for Jira Data Center 

Considering the lack of Jira DC webhooks security, Apptio provides a way to authenticate incoming traffic via Apptio Open Token. The mechanism is based on generating temporary token based on API keys (see: https://help.apptio.com/en-us/frontdoor/admin-guide/eaa-api/overview-api-keys-faq.html) 

Setting up Targetprocess secured endpoint 

Enabling Apptio Open Token authentication causes rejecting incoming webhooks without valid token in ‘apptio-opentoken’ header. To configure the authentication, execute the following steps: 

1. Open Targetprocess settings:  
2. Go to “Integrations” section:  
3. Select your profile  
4. Scroll to “Set up webhook in Jira” section
5. Set “Apptio Open Token” as an authentication type  
6. Press “Save” button. 

Enhancing Jira DC webhooks with Apptio Open Token  

Jira DC does not provide any out-of-the-box mechanism to extend outgoing webhooks with custom header. Therefore, you have to add your own mechanism providing Apptio Open Token.  

One of the possibilities is to create proxy service with a following algorithm: 

1. Catch outgoing webhooks  
2. Obtain Apptio Open Token (see: https://help.apptio.com/en-us/frontdoor/admin-guide/eaa-api/api-curl-sample-commands.html) using your API key.  
3. Add ‘apptio-opentoken’ header with the obtained token to the webhook.  
4. Forward the webhook to Targetprocess endpoint