Quantive

It's a good security practice to host your Jira server instances behind a firewall. This often means that you must whitelist explicitly inbound and outbound traffic to Jira for installed Marketplace applications that require it. The OKRs for Jira by Quantive plugin needs bidirectional communication to the Quantive API server. This article explains the API calls the Quantive Jira plugin makes and the corresponding Firewall rules that must be configured.

What API calls does the OKRs for Jira by Quantive plugin make

When you work with the OKRs for Jira by Quantive plugin there are several possible API calls:

When you authenticate to the plugin for the first time, it uses OAuth flow. The following requests will be made for each user:

- The first call is to https://auth(.us/.as/.sa).gtmhub.com/authorize which will lead users to the Quantive Results login screen, and then to a grant consent screen
- The second request is made server-side and is to https://auth(.us/.as/.sa).gtmhub.com/oauth/token. You must make sure your server allows traffic to the https://auth(.us/.as/.sa).gtmhub.com domain for this call to work properly.

When you use the plugin to select a Quantive OKR and link it to a Jira issue the following API calls are made (via HTPS)

- the first call is to fetch the sessions form the configured Quantive account
- then we get the OKRs for the selected sessions
- alternatively, we make search calls in case you use the search functionality the plugin exposes
- once you select the desired OKR and link it to the Jira issue we make a POST request to Quantive and create a Task under the linked OKR. This task represents the Jira issue (so you get 360 degree view of the relation between the OKR and the Jira item).

- When you authenticate to the plugin for the first time, it uses OAuth flow. The following requests will be made for each user:
  - The first call is to https://auth(.us/.as/.sa).gtmhub.com/authorize which will lead users to the Quantive Results login screen, and then to a grant consent screen
  - The second request is made server-side and is to https://auth(.us/.as/.sa).gtmhub.com/oauth/token. You must make sure your server allows traffic to the https://auth(.us/.as/.sa).gtmhub.com domain for this call to work properly.
- When you use the plugin to select a Quantive OKR and link it to a Jira issue the following API calls are made (via HTPS)
  - the first call is to fetch the sessions form the configured Quantive account
  - then we get the OKRs for the selected sessions
  - alternatively, we make search calls in case you use the search functionality the plugin exposes
  - once you select the desired OKR and link it to the Jira issue we make a POST request to Quantive and create a Task under the linked OKR. This task represents the Jira issue (so you get 360 degree view of the relation between the OKR and the Jira item).

Which URLs must be whitelisted in your firewall

You must add an FQDN rule for the following URLs, depending on the data center your Quantive account is hosted in:

EU Data Center (accounts with URL like https:///accountDomain.quantive.com):

- <a href="https://app.quantive.com/*" rel="nofollow noopener noreferrer" target="_blank">https://app.quantive.com/*</a>
- <a href="https://auth.gtmhub.com/*" rel="nofollow noopener noreferrer" target="_blank">https://auth.gtmhub.com/*</a>

US Data Center (accounts with URL like https:///accountDomain.us.quantive.com):

- <a href="https://app.us.quantive.com/*" rel="nofollow noopener noreferrer" target="_blank">https://app.us.quantive.com/*</a>
- <a href="https://auth.us.gtmhub.com/*" rel="nofollow noopener noreferrer" target="_blank">https://auth.us.gtmhub.com/*</a>

AS Data Center (accounts with URL like https:///accountDomain.as.quantive.com):

- <a href="https://app.as.quantive.com/*" rel="nofollow noopener noreferrer" target="_blank">https://app.as.quantive.com/*</a>
- <a href="https://auth.as.gtmhub.com/*" rel="nofollow noopener noreferrer" target="_blank">https://auth.as.gtmhub.com/*</a>

SA Data Center (accounts with URL like https:///accountDomain.sa.quantive.com):

- <a href="https://app.sa.quantive.com/*" rel="nofollow noopener noreferrer" target="_blank">https://app.sa.quantive.com/*</a>
- <a href="https://auth.sa.gtmhub.com/*" rel="nofollow noopener noreferrer" target="_blank">https://auth.sa.gtmhub.com/*</a>

- EU Data Center (accounts with URL like https:///accountDomain.quantive.com):
 - <a href="https://app.quantive.com/*" rel="nofollow noopener noreferrer" target="_blank">https://app.quantive.com/*</a>
 - <a href="https://auth.gtmhub.com/*" rel="nofollow noopener noreferrer" target="_blank">https://auth.gtmhub.com/*</a>
- US Data Center (accounts with URL like https:///accountDomain.us.quantive.com):
 - <a href="https://app.us.quantive.com/*" rel="nofollow noopener noreferrer" target="_blank">https://app.us.quantive.com/*</a>
 - <a href="https://auth.us.gtmhub.com/*" rel="nofollow noopener noreferrer" target="_blank">https://auth.us.gtmhub.com/*</a>
- AS Data Center (accounts with URL like https:///accountDomain.as.quantive.com):
 - <a href="https://app.as.quantive.com/*" rel="nofollow noopener noreferrer" target="_blank">https://app.as.quantive.com/*</a>
 - <a href="https://auth.as.gtmhub.com/*" rel="nofollow noopener noreferrer" target="_blank">https://auth.as.gtmhub.com/*</a>
- SA Data Center (accounts with URL like https:///accountDomain.sa.quantive.com):
 - <a href="https://app.sa.quantive.com/*" rel="nofollow noopener noreferrer" target="_blank">https://app.sa.quantive.com/*</a>
 - <a href="https://auth.sa.gtmhub.com/*" rel="nofollow noopener noreferrer" target="_blank">https://auth.sa.gtmhub.com/*</a>

There’s several places this might need to be instrumented, namely:

Jira server itself has a configuration for whitelisted URLs. Request your Jira admin team to add the above whitelisted domain (reference: <a href="https://confluence.atlassian.com/adminjiraserver/configuring-the-allowlist-1014667309.html" rel="nofollow noopener noreferrer" target="_blank">Configuring the allowlist | Administering Jira applications Data Center and Server 9.1 | Atlassian Documentation</a>)

If your Jira instance is not allowed to communicate with the outside word, you might need to perform some additional actions, for example add a proxy (reference: <a href="https://confluence.atlassian.com/jirakb/configure-an-outbound-proxy-for-use-in-jira-server-247857187.html" rel="nofollow noopener noreferrer" target="_blank">Configure an outbound proxy for use in Jira server | Jira | Atlassian Documentation</a>)

- Jira server itself has a configuration for whitelisted URLs. Request your Jira admin team to add the above whitelisted domain (reference: <a href="https://confluence.atlassian.com/adminjiraserver/configuring-the-allowlist-1014667309.html" rel="nofollow noopener noreferrer" target="_blank">Configuring the allowlist | Administering Jira applications Data Center and Server 9.1 | Atlassian Documentation</a>)
- Your firewall configuration
- If your Jira instance is not allowed to communicate with the outside word, you might need to perform some additional actions, for example add a proxy (reference: <a href="https://confluence.atlassian.com/jirakb/configure-an-outbound-proxy-for-use-in-jira-server-247857187.html" rel="nofollow noopener noreferrer" target="_blank">Configure an outbound proxy for use in Jira server | Jira | Atlassian Documentation</a>)

How to configure your Jira Server firewall rules to ensure proper Quantive plugin functionality