User documentation
Overview
Sesam is a JIRA plugin that offers a secure way of storing, managing and sharing passwords across teams.
You can easily use already in place JIRA groups to limit access on certain passwords.
Sesam also offers a way to store a user's more private passwords.
Getting Started
Installation via Atlassian Marketplace
- Go to the Atlassian Marketplace page and search for "Sesam"
- Buy Sesam or use the free 30 day trial option
- The license key is automatically configured into the add-on configuration for free trial licenses. For purchased license keys, see Managing License Key.
Installation via JIRA Plugin Manager
You can also install Sesam through the Universal Plugin Manager. (https://confluence.atlassian.com/display/UPM/Installing+add-ons)
- Log into your JIRA instance as Administrator
- Go to Administration > Add-ons and search for "Sesam" at Find New Add-ons
- Buy Sesam or use the free 30 day trial option
- You can now navigate to Sesam via the link in the header
- The license key is automatically configured into the add-on configuration for free trial licenses. For purchased license keys, see Managing License Key.
License Activation
You can activate your license with the following steps:
- On your JIRA Administration, select Manage Add-Ons.
- Select Sesam from the list of add-ons. Details about the plugin will be shown.
- Click on "Buy Now" to get yourself a license
AES Key Length
A key length of 256 bit is only available if the Unlimited Strength Jurisdiction Policy is enabled; otherwise Sesam falls back to 128 bit.
If you want to enable the Unlimited Strength Jurisdiction Policy, follow these steps:
Java Unlimited Strength Policy
Oracle Java
Before Java 8 Update 151
For Java 8 Update 144 and earlier, you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files:
- Download the unlimited strength JCE policy files from here
- Extract the downloaded file
- Replace the existing policy JAR files in $JAVA_HOME/jre/lib/security with the extracted unlimited strength policy JAR files
Note: Before replacing them, make a backup of the original JCE policy files (US_export_policy.jar and local_policy.jar) in $JAVA_HOME/jre/lib/security, in case you later decide to revert to the original limited policy versions.
Java 8 Update 151 and higher
The Unlimited Strength Jurisdiction Policy is included but not used by default. To enable it, edit the java.security file in $JAVA_HOME/jre/lib/security (for a JDK) or $JAVA_HOME/lib/security (for a JRE) and uncomment (or add) the line:
crypto.policy=unlimited
Java 9
Should be enabled by default.
OpenJDK
Should be enabled by default.
Global Jira permission
The Sesam plugin adds a new global Jira permission during installation. This global permission controls which Jira users and groups may access the Sesam plugin at all.
ATTENTION Only Jira users/groups who have the global permission assigned can access Sesam.
By default, the global Sesam permission is initially assigned to the following Jira groups (if they exist):
- jira-software-users
- jira-servicedesk-users
- jira-administrators
Manage global permission
Global Jira permissions can be managed as described in https://confluence.atlassian.com/adminjiraserver079/managing-global-permissions-950288425.html.
Features
Master Password - Unlock Sesam
In order to access the passwords, a user needs to provide the Master Password. This password is used to decrypt the user's protected passwords.
ATTENTION DO NOT FORGET YOUR MASTER PASSWORD.
Decrypting the stored password information requires at least one Sesam user who is able to log in. If no user remembers their Sesam master password, the encrypted password information may be lost permanently.
When Sesam is opened the first time, the user can set the Master Password.
ATTENTION We highly recommend using a strong password that is not used anywhere else. Keep in mind that this single password protects the whole password database.
Change master password
The master password can also be changed in the preferences.
Forgot Master Password
Sesam allows users to reset their master password.
Attention: There is a risk of losing personal private passwords when resetting the master password with this workflow.
Resetting your master password is easy: request a reset on the Sesam login screen by clicking the "Forgot password?" link.
An E-Mail will be sent to the address specified in your JIRA profile. Simply follow the link in the e-mail.
NOTE: The reset link in the e-mail is only valid for 30 minutes.
You will be guided to a site where you can enter a new master password.
Groups
A group can contain a number of passwords and subgroups.
Groups can be used to structure password information and to set the corresponding permissions.
For each group the following permission options can be set:
- Read
  Grants users read-only access to the passwords in the group.
- Write
  Grants users permission to add new passwords to the group and to update existing passwords.
- Administrator
  Users with this permission can update the group's permissions and delete the group together with all its passwords. (Note: Only users with this permission can invite other people to an existing group.)
All of the above permission options can be set either with specific JIRA users or with JIRA groups that are most probably already in place in your JIRA instance.
Groups can be managed via the context menu of the corresponding entry in the group tree.
Passwords
A password entry contains the following attributes:
- App name (required)
  The name describing the password entry.
- Account
  The associated account name.
- Password (required)
  The password itself. It can be generated via the UI.
- Generation strategy
  Password generation happens entirely on the client side, preferably using the browser's crypto API. The default length of generated passwords can be configured in the Sesam settings. By default, Sesam generates 16-character passwords including:
  - uppercase letters
  - lowercase letters
  - digits
  - the special characters +, - and .
- Tags
  Categories (like "Social Media" or "Accounting") that can be used for filtering.
- Mail
  The associated e-mail address.
- URL
  The URL of the app the password is used for.
- Password Description
  Generic description field for additional information.
My Passwords
In contrast to the shared groups, the private space called "My Passwords" cannot be shared with others and is designed to hold personal passwords.
These passwords are encrypted differently than the shared passwords and are not part of any export. Therefore, nobody (not even administrators) has access to this information.
NOTE: Since these passwords can only be accessed by entering the corresponding master password, they can NOT be recovered if the master password is lost.
Password Share
In order to share a password with a third party (someone who has no access to your JIRA instance), Sesam provides an external share feature.
A link can be generated that reveals the corresponding password for a defined time period and optionally only a single time (one-time share).
NOTE: This feature offers a more secure and better controllable way to share passwords over insecure channels (like e-mail or chat) than sending them directly in plain text. However, we highly recommend changing the password every time it has been shared with third parties.
The shared passwords are still securely stored in the database; only by possessing the share link is it possible to access the password information.
How to share a password
To share a password simply click the "Share" button on the password page.
This will open the share dialog, which allows you to configure the password share.
The following options can be configured:
- Share name: The name of the share, which will be used as the title on the share page.
- Valid Until: The timestamp when the share expires. Once the valid-until date has been reached, the share page no longer displays the password but shows an error page instead.
- Options
  - One Time Share: If this option is selected, the password can be decrypted (and thus viewed) exactly once. Subsequent attempts to view the shared password lead to an error page.
  - Share additional fields: By default, the account and password are displayed on the share page. If this option is selected, all password fields (including URL, mail and description) are displayed on the share page.
By clicking on the "Share" button, the password share will be created. The share link will be displayed and can be copied directly by using the copy-to-clipboard button.
The share link can be opened by anyone on the web, since the share page is public. When opening the share page, a countdown will be displayed, which counts down the time until the share expires.
The password information is loaded after clicking the "Decrypt" button. For one-time shares this can be done only once; afterwards the share link is invalid.
By default, the password information includes the account and password. If the option for sharing additional fields was selected, the additional fields will also be displayed (if they are not empty).
The password can be viewed in plain by clicking on the view button (the "eye" icon). However, it is also possible to directly copy the password by clicking on the copy-to-clipboard button in which case it is not necessary to view the password in plain at all.
Manage Password Shares
Sesam allows you to view and delete your active password shares. You can do this by selecting the Shared passwords tab on the Preferences site.
All your active password shares are displayed in a paginated table. The share name of each entry is a link to the corresponding share page.
By clicking the Delete button the password share will be immediately deleted.
The table can also be filtered for specific passwords or groups by simply entering the password/group name in the filter search field.
By clicking on Reset, the current filter selection will be deleted, thus showing all results again.
While each user can manage their personal shares, Jira admin users can additionally manage password shares for all users.
Activity Stream
Sesam automatically adds a new activity provider to the Jira Activity Stream.
This allows you to view recent Sesam activity in your Activity Stream dashboard widget.
You can also customize your dashboard widget by applying optional filters, for example listing only activities of a certain group or password, or restricting the entries to a specific set of activity types.
In addition, you can also view your personal Sesam activity in your Jira profile page.
Recent Activity
You can view recent user activity on the Recent Activity page. This page can be accessed directly from the Jira menu or by viewing the Preferences site.
The content of this page is a list of recent user activity with optional filters. By default only the last 5 entries are displayed; click on Show more to view additional entries.
The following filter options are supported:
- Password/Group: Restrict activities to a specific password or group.
- Date begin: Only display activities which occurred after this date.
- Date end: Only display activities which occurred before this date.
- Username: Display activities of a specific user.
- Activity types: Restrict activities to a set of activity types. By default all activity types are enabled.
In order to apply the filter option click on the Filter button. The filter options can be reset by clicking on the Reset button.
You can only see the activity of passwords and groups to which you have at least read access.
Link Passwords to JIRA Issues
Sesam provides the ability to link a password to a JIRA issue.
This can be done by opening the issue and clicking the menu entry "More" > "Link". In addition to the default tabs, there is now an additional Sesam tab. After selecting the tab, the password search field can be used to search for a password within Sesam.
NOTE: You can only link passwords for which you have at least Read permissions.
Simply select the password in the search and click on "Link" to finish linking the password to the issue. Of course, multiple passwords can be selected and linked to the issue.
Linked Sesam passwords are displayed in the "Issue Links" section. Clicking on the password link directly forwards to the Sesam password detail view, where the password can directly be copied to the clipboard.
Admin - Maintenance
JIRA administrators have access to the "Administration" tab in the preferences.
General Settings
The general settings page can be used by administrators to configure global Sesam settings.
Manage Groups
A list of all top-level groups in the company space. Admins can edit or delete any company container via this user interface.
NOTE: Private groups and passwords of other users cannot be maintained by JIRA-Administrators
Create Backups
JIRA administrators have access to the Backup & Restore feature. A backup of all shared groups can be created on demand, including subgroups, passwords and associated data (e.g. tags).
We currently support the following file formats for backups:
- JSON
- XML
We save the encrypted backups in the database, so any previously made backup can be restored on demand (see Restore Backups). Backups can also be downloaded by JIRA administrators.
ATTENTION Downloaded backups are in plain text; therefore they need to be stored and handled with caution outside of Sesam.
Backup creation workflow
Restore Backups
Restoring a backup allows JIRA administrators to restore a previously backed up state of Sesam.
NOTE: Prior to any restore, a backup of the current state is created automatically, so the restore can be rolled back.
Restore backups directly from the database
Backups can be restored directly from the entry in the backups table.
Restore exported backups
Downloaded/exported backups are restored by uploading the backup file.
If you check the option "preserve associated password date", Sesam tries to preserve the favorite passwords and the recent passwords of all users.