It's a good security practice to host your Jira server instances behind a firewall. This often means that you must whitelist explicitly inbound and outbound traffic to Jira for installed Marketplace applications that require it. The OKRs for Jira by Quantive plugin needs bidirectional communication to the Quantive API server. This article explains the API calls the Quantive Jira plugin makes and the corresponding Firewall rules that must be configured.
What API calls does the OKRs for Jira by Quantive plugin make
When you work with the OKRs for Jira by Quantive plugin there are several possible API calls:
When you authenticate to the plugin for the first time, it uses OAuth flow. The following requests will be made for each user:
The first call is to https://auth(.us/.as/.sa).gtmhub.com/authorize which will lead users to the Quantive Results login screen, and then to a grant consent screen
The second request is made server-side and is to https://auth(.us/.as/.sa).gtmhub.com/oauth/token. You must make sure your server allows traffic to the https://auth(.us/.as/.sa).gtmhub.com domain for this call to work properly.
When you use the plugin to select a Quantive OKR and link it to a Jira issue the following API calls are made (via HTPS)
the first call is to fetch the sessions form the configured Quantive account
then we get the OKRs for the selected sessions
alternatively, we make search calls in case you use the search functionality the plugin exposes
once you select the desired OKR and link it to the Jira issue we make a POST request to Quantive and create a Task under the linked OKR. This task represents the Jira issue (so you get 360 degree view of the relation between the OKR and the Jira item).
Which URLs must be whitelisted in your firewall
You must add an FQDN rule for the following URLs, depending on the data center your Quantive account is hosted in:
EU Data Center (accounts with URL like https:///accountDomain.quantive.com):
US Data Center (accounts with URL like https:///accountDomain.us.quantive.com):
AS Data Center (accounts with URL like https:///accountDomain.as.quantive.com):
SA Data Center (accounts with URL like https:///accountDomain.sa.quantive.com):
There’s several places this might need to be instrumented, namely:
Jira server itself has a configuration for whitelisted URLs. Request your Jira admin team to add the above whitelisted domain (reference: Configuring the allowlist | Administering Jira applications Data Center and Server 9.1 | Atlassian Documentation)
Your firewall configuration
If your Jira instance is not allowed to communicate with the outside word, you might need to perform some additional actions, for example add a proxy (reference: Configure an outbound proxy for use in Jira server | Jira | Atlassian Documentation)