It's a good security practice to host your Jira server instances behind a firewall. This often means that you must whitelist explicitly inbound and outbound traffic to Jira for installed Marketplace applications that require it. The OKRs for Jira by Gtmhub plugin needs bidirectional communication to the Gtmhub API server. This article explains the API calls the Gtmhub Jira plugin makes and the corresponding Firewall rules that must be configured.
What API calls does the OKRs for Jira by Gtmhub plugin make
When you work with the OKRs for Jira by Gtmhub plugin there are several possible API calls:
When you use the plugin to select a Gtmhub OKR and link it to a Jira issue the following API calls a re made (via HTPS)
the first call is to fetch the sessions form the configured Gtmhub account
then we get the OKRs for the selected sessions
alternatively, we make search calls in case you use the search functionality the plugin exposes
once you select the desired OKR and link it to the Jira issue we make a POST request to Gtmhub and create a Task under the linked OKR. This task represents the Jira issue (so you get 360 degree view of the relation between the OKR and the Jira item).
Additionally, you can configure a Webhook in Jira that posts info to Gtmhub on issue update/delete so the status of the task created in gtmhub is updated dynamically when the Jira issue status is updated (Gtmhub Plugin for Jira Server | Gtmhub Help Center). That mechanism will also require outbound calls from Jira to Gtmhub.
Which URLs must be whitelisted in your firewall
You must add an FQDN rule for the following URLs, depending on the data center your Gtmhub account is hosted in:
EU Data Center (Gtmhub accounts with URL like https:///accountDomain.gtmhub.com) - https://app.gtmhub.com/*
US Data Center (Gtmhub accounts with URL like https:///accountDomain.us.gtmhub.com) - https://app.us.gtmhub.com/*
AS Data Center (Gtmhub accounts with URL like https:///accountDomain.as.gtmhub.com) - https://app.as.gtmhub.com/*
SA Data Center (Gtmhub accounts with URL like https:///accountDomain.sa.gtmhub.com) - https://app.sa.gtmhub.com/*
There’s several places this might need to be instrumented, namely:
Jira server itself has a configuration for whitelisted URLs. Request your Jira admin team to add the above whitelisted domain (reference: Configuring the allowlist | Administering Jira applications Data Center and Server 9.1 | Atlassian Documentation)
Your firewall configuration
If your Jira instance is not allowed to communicate with the outside word, you might need to perform some additional actions, for example add a proxy (reference: Configure an outbound proxy for use in Jira server | Jira | Atlassian Documentation)