User documentation

Overview

Sesam is a JIRA plugin that offers a secure way of storing, managing and sharing passwords across teams.
You can use your existing JIRA groups to limit access to certain passwords.
Sesam also offers a way to store a user's more private passwords.

Getting Started

Installation via Atlassian Marketplace 

  1. Go to the Atlassian Marketplace page and search for "Sesam"
  2. Buy Sesam or use the free 30 day trial option
  3. The license key is automatically configured into the add-on configuration for free trial licenses. For purchased license keys, see Managing License Key.

Installation via JIRA Plugin Manager 

You can also install Sesam through the Universal Plugin Manager. (https://confluence.atlassian.com/display/UPM/Installing+add-ons)

  1. Log into your JIRA instance as Administrator
  2. Go to Administration > Add-ons and search for "Sesam" at Find New Add-ons
  3. Buy Sesam or use the free 30 day trial option
  4. You can now navigate to Sesam via the link in the header
  5. The license key is automatically configured into the add-on configuration for free trial licenses. For purchased license keys, see Managing License Key.

License Activation

You can activate your license with the following steps:

  1. On your JIRA Administration, select Manage Add-Ons. 
  2. Select Sesam from the list of add-ons. Details about the plugin will be shown.
  3. Click on "Buy Now" to get yourself a license

AES Key Length

The 256-bit key length is only available if the Unlimited Strength Jurisdiction Policy is enabled; otherwise Sesam falls back to 128 bit.

If you want to enable the Unlimited Strength Jurisdiction Policy, follow these steps:

Java Unlimited Strength Policy

Oracle Java

Before Java 8 Update 151

For Java 8 Update 144 and earlier, you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files:

  1. Download the unlimited strength JCE policy files from here
  2. Extract the downloaded file
  3. Replace the existing policy JAR files in $JAVA_HOME/jre/lib/security with the extracted unlimited strength policy JAR files

Note: In case you later decide to revert to the original limited policy versions, first make a backup of the original JCE policy files (US_export_policy.jar and local_policy.jar) in $JAVA_HOME/jre/lib/security.

Java 8 Update 151 and higher

The Unlimited Strength Jurisdiction Policy is included but not used by default. To enable it, you need to edit the java.security file in $JAVA_HOME/jre/lib/security (for JDK) or $JAVA_HOME/lib/security (for JRE). Uncomment (or include) the line:

crypto.policy=unlimited

Java 9

Should be enabled by default.

OpenJDK

Should be enabled by default.

Global Jira permission

The Sesam plugin adds a new global Jira permission during installation. This global permission controls the general access of Jira users/groups to the Sesam plugin.

ATTENTION Only Jira users/groups who have the global permission assigned can access Sesam.

By default, the global Sesam permission is initially assigned to the following Jira groups (if they exist):

  • jira-software-users
  • jira-servicedesk-users
  • jira-administrators

Manage global permission

Global Jira permissions can be managed as described in https://confluence.atlassian.com/adminjiraserver079/managing-global-permissions-950288425.html.

Features

Master Password - Unlock Sesam

In order to access the passwords, a user needs to provide the Master Password. This password is used to decrypt the user's protected passwords.

ATTENTION DO NOT FORGET YOUR MASTER PASSWORD.

In order to decrypt the stored password information, at least one Sesam user needs to be logged in. If there is no user remembering the Sesam password, encrypted password information may be lost permanently.

 


When Sesam is opened the first time, the user can set the Master Password.


ATTENTION We highly recommend using a secure password that is not used anywhere else. Keep in mind that this single password protects the whole password database.

Change master password

The master password can also be changed in the preferences.

Forgot Master Password

Sesam allows users to reset their master password.

Attention: There is a risk of losing personal private passwords when resetting the master password with this workflow.


Resetting your master password is easy: you can request a reset on the Sesam login screen by clicking the "Forgot password?" link.


An e-mail will be sent to the address specified in your JIRA profile. Simply follow the link in the e-mail.

NOTE: The reset link in the e-mail is only valid for 30 minutes.

You will be guided to a page where you can enter a new master password.

Groups

A group can contain a number of passwords and subgroups.

Groups can be used to structure password information and to set the corresponding permissions.

For each group the following permission options can be set:

  • Read
    Grants the users just read access to the passwords in the group.
  • Write
    Grants users the permission to add new passwords to the group and update existing passwords.
  • Administrator
    Users with this permission will be able to update the permissions and delete the group and all its passwords. (Note: Only with this permission option will the user be able to invite other people to an existing group.)

All of the above permission options can be set either with specific JIRA users or with JIRA groups that are most probably already in place in your JIRA instance.


Groups can be managed via the context menu of the corresponding entry in the group tree.


Passwords


A password entry contains the following attributes:

  • App name (required)
    The name describing the password entry.
  • Account
    The associated account name
  • Password (required)
    The password itself. It can be generated via the UI.
    • Generation strategy
      Password generation happens entirely on the client side, preferably using the browser's crypto. The default length of generated passwords can be configured in the Sesam settings. By default it will generate 16-character passwords including:
      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters:
        • +
        • -
        • .
  • Tags
    Categories (like "Social Media" or "Accounting") that can be used for filtering.
  • Mail
    The associated email address
  • URL
    The URL for the app the password is used for.
  • Password Description
    Generic description field, to add additional information.
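
The generation strategy described under "Password" above can be sketched as follows. This is an added example, not Sesam's own code: only the 16-character default and the character classes come from this page, while the function names, the rejection sampling and the guarantee of one character per class are assumptions.

```javascript
// Added example, not Sesam's code. Character classes and the 16-character
// default come from the documentation above; everything else is assumed.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const CLASSES = [
  "ABCDEFGHIJKLMNOPQRSTUVWXYZ", // uppercase letters
  "abcdefghijklmnopqrstuvwxyz", // lowercase letters
  "0123456789",                 // digits
  "+-.",                        // special characters
];
const ALPHABET = CLASSES.join(""); // 65 symbols in total

// Uniform integer in [0, n) for 1 <= n <= 256. A plain `byte % n` favours
// small values whenever 256 is not a multiple of n, so bytes at or above the
// largest multiple of n are thrown away and redrawn (rejection sampling).
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError("n must be an integer between 1 and 256");
  }
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length = 16) {
  if (!Number.isInteger(length) || length < CLASSES.length || length > 256) {
    throw new RangeError("length must be an integer between 4 and 256");
  }
  // Assumption: guarantee one character from every class, then fill the
  // remaining positions from the full alphabet.
  const chars = CLASSES.map((set) => set[randomIndex(set.length)]);
  while (chars.length < length) {
    chars.push(ALPHABET[randomIndex(ALPHABET.length)]);
  }
  // Fisher-Yates shuffle so the guaranteed characters do not sit in fixed
  // positions at the start of the password.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomIndex(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join("");
}
```

The random source is the Web Crypto `getRandomValues` call, so the password never leaves the client before it is stored; `Math.random()` is not suitable for this purpose.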

My Passwords

In contrast to the shared groups, the private space called "My Passwords" cannot be shared with others and is designed to contain your personal passwords.

Those passwords are encrypted in a different way than the shared passwords and will also not be part of any export. Therefore, nobody (not even administrators) has access to this information.

NOTE: Since there is no way to access those passwords other than by entering the corresponding master password, they can NOT be recovered if the master password is lost.

Password Share

In order to share a password with a third party (someone who has no access to your JIRA instance) Sesam provides an external share feature.

A link can be generated, that will reveal the corresponding password for a defined time period and optionally also only for a single time (one-time-share).

NOTE: This feature offers a more secure and better controllable way to share passwords over insecure channels (like email or chat) than sending them directly in plain text. However, we highly recommend updating the password every time it has been shared with third parties.

The shared passwords are still securely stored in the database; the password information can only be accessed by possessing the share link.

How to share a password

To share a password simply click the "Share" button on the password page.

This will open the share dialog, which allows you to configure the password share.

The following options can be configured:

  • Share name: The name of the share, which will be used as the title on the share page
  • Valid Until: The timestamp when the share expires. Once the valid until date has been reached, the share page will no longer display the password, but instead display an error page.
  • Options
    • One Time Share: If this option is selected, the password can be decrypted (and thus viewed) exactly once. Consecutive attempts to view the shared password will lead to an error page.
    • Share additional fields: By default, the account and password will be displayed on the share page. If this option is selected, all password fields (including URL, mail and description) will be displayed on the share page.

By clicking on the "Share" button, the password share will be created. The share link will be displayed and can be copied directly by using the copy-to-clipboard button.

The share link can be opened by anyone on the web, since the share page is public. When opening the share page, a countdown will be displayed, which counts down the time until the share expires.

The password information will be loaded after clicking the "Decrypt" button. For One-Time-Shares this can be done only once, afterwards the share link will be invalid.

By default, the password information includes the account and password. If the option for sharing additional fields was selected, the additional fields will also be displayed (if they are not empty).

The password can be viewed in plain by clicking on the view button (the "eye" icon). However, it is also possible to directly copy the password by clicking on the copy-to-clipboard button in which case it is not necessary to view the password in plain at all.

Manage Password Shares

Sesam allows you to view and delete your active password shares. You can do this by selecting the tab Shared passwords on the Preferences page.

All your active password shares are displayed in a paginated table. The share name of each entry is a link to the corresponding share page.

By clicking the Delete button the password share will be immediately deleted.

The table can also be filtered for specific passwords or groups by simply entering the password/group name in the filter search field.

By clicking on Reset, the current filter selection will be deleted, thus showing all results again.

While each user can manage their personal shares, Jira admin users can additionally manage password shares for all users.


Activity Stream

Sesam automatically adds a new activity provider to the Jira Activity Stream.

This allows you to view recent Sesam activity in your Activity Stream dashboard widget.

You can also customize your dashboard widget by applying optional filters, for example to list only the activities of a certain group or password, or to restrict the entries to a specific set of activity types.

In addition, you can also view your personal Sesam activity in your Jira profile page.

Recent Activity

You can view recent user activity on the Recent Activity page. This page can be accessed directly from the Jira menu or from the Preferences page.

The content of this page is a list of recent user activity with optional filters. By default only the last 5 entries are displayed; click on Show more to view additional entries.

The following filter options are supported:

  • Password/Group: Restrict activities to a specific password or group. 
  • Date begin: Only display activities, which occurred after this date.
  • Date end: Only display activities, which occurred before this date.
  • Username: Display activities of a specific user.
  • Activity types: Restrict activities to a set of activity types. By default all activity types are enabled.

In order to apply the filter option click on the Filter button. The filter options can be reset by clicking on the Reset button.

You can only see the activity of passwords and groups to which you have at least read access.


Link Passwords to JIRA Issues

Sesam provides the ability to link a password within a JIRA issue.

This can simply be done by opening the issue, then clicking the menu entry "More" - "Link". In addition to the default tabs, there is now an additional Sesam tab. After selecting the tab, the password search field can be used to search a password within Sesam.

NOTE: You can only link passwords for which you have at least Read permissions.

Simply select the password in the search and click on "Link" to finish linking the password to the issue. Of course, multiple passwords can be selected and linked to the issue.

Linked Sesam passwords are displayed in the "Issue Links" section. Clicking on the password link directly forwards to the Sesam password detail view, where the password can directly be copied to the clipboard.

Admin - Maintenance

JIRA-Administrators have access to the "Administration" tab in the preferences.

General Settings

The general settings page can be used by administrators to configure global Sesam settings.

Manage Groups

A list of all top-level groups in the company space. Admins can edit or delete any company container via this user interface. 

NOTE: Private groups and passwords of other users cannot be maintained by JIRA-Administrators.

Create Backups

JIRA Admins have access to the Backup & Restore feature. A backup of all shared groups can be created on demand, including subgroups, passwords and associated data (e.g. tags).

We currently support the following file formats for backups:

  • JSON
  • XML

We save the encrypted backups in the database, so we are able to restore any previously made backup on demand (see Restore Backups). Backups can also be downloaded by JIRA Administrators.

ATTENTION Downloaded backups are in plain text; therefore, they need to be stored and handled with caution outside of Sesam.

Backup creation workflow

Restore Backups

Restoring a backup allows JIRA administrators to restore a previously backed up state of Sesam.

NOTE: Prior to any restore a backup of the current state will be automatically created, therefore, the restore can be rolled back.

Restore backups directly from the database

Backups can be restored directly from the entry in the backups table. 

Restore exported backups

Downloaded/exported backups are restored by uploading the backup file.
If you check the option "preserve associated password date", Sesam tries to preserve favorite passwords and the recent passwords for all users.