Jira Workflow

Keeper vault integration for request-based access management through Jira issues.


This integration is currently in PUBLIC PREVIEW. Please open an issue with feedback or feature requests.

About

The Keeper Security Integration for Jira is an Atlassian Forge application that enables seamless management of Keeper vault operations directly from Jira issues. This integration bridges the gap between project management workflows and secrets management, allowing teams to request, approve, and execute credential operations without leaving their Jira environment.

The Jira integration also provides management over Endpoint Privilege Manager (KEPM) approvals. All actions are logged as Jira comments with timestamps and user information.

Record Management Features

Feature | Description
Create New Records | Add credentials, secure notes, payment cards, and custom record types
Update Records | Modify existing vault records with new information
Share Records | Manage folder-level access for teams and users
Manage Permissions | Control granular access rights for records in shared folders
Share Folders | Manage folder-level access for teams and users

Endpoint Privilege Management Features

Feature | Description
Real-Time Approval Workflows | Review and approve privilege elevation requests from endpoints
Live Request Monitoring | View pending requests with countdown timers and detailed context
One-Click Actions | Approve or deny requests instantly with full audit trail
Comprehensive Request Details | User identity, application, justification, and expiration status

Prerequisites

To maintain Keeper's strict zero-knowledge encryption model, the Jira integration requires the customer to host the Commander Service Mode container on a VM and the customized Forge app in their Jira Cloud.

Requirement | Description
Keeper Commander Service Mode | A service account running Commander Service Mode with REST API access through Ngrok or Cloudflare Tunnel for routing requests.
Jira Cloud Administrator Access | Needs Jira Administrator or Manage apps permission to install and configure the Forge app. Must access Jira Settings → Apps to set up and manage app connections.
Jira End-User Access | Requires Edit Issues and Add Comments permissions to view and use the Keeper panel. Works across all Jira Cloud project types; no extra setup needed. See Jira Project Permissions for details.
Keeper Standard Features | Requires an active Keeper Business, Enterprise, or PAM subscription with vault access. Service account with permissions to create, update, and share records.
Endpoint Privilege Manager Features | Active KeeperPAM subscription; KEPM module enabled and configured in your Keeper environment; KEPM deployments, agents, and policies configured. For more information, see Endpoint Privilege Manager Overview.

Setup and Configuration

For the Jira service and Keeper to communicate, the customer is responsible for hosting a Keeper Commander Service Mode instance behind an Ngrok or Cloudflare Tunnel. This can be accomplished in many ways depending on your IT requirements. Commander Service Mode can run as a foreground service on any machine, or it can run in a Docker container locally or remotely on a server.

Step 1. Commander Setup

Follow the setup steps documented in the Commander Service Mode REST API section to install Keeper Commander and start the service. You need to follow the instructions using either Ngrok or Cloudflare tunnels to properly route requests from the Forge app to your Commander instance. Commander Service Mode can run directly in the CLI, in the background on a local machine, on a remote server as a service, or under a Docker container. Using Docker is the recommended method.

Note the following important items:

1) The Request Queue System (API v2) must be enabled, e.g. -q=y

2) For Vault Management features, make sure the following commands are in the list:

3) For Vault + KEPM features, make sure the following commands are in the list:

4) For Ngrok Tunneling, ensure the following parameters are included:

5) For Cloudflare Tunneling, ensure the following parameters are included:

After service creation, the API key will be displayed in the console output. Make sure to copy and store it securely. If you are using Docker, you can pull the API key from the logs with this command:

When the Commander service is up and running, you should be able to submit a curl request to the endpoint. For example:

If the tunnel is running and the API key is correct, you should get a response like this:

Now that the service is up and running, move to the Jira configuration steps.


Step 2. Install the Keeper Forge App

Before configuring the integration, you must install the Keeper Forge app in your Jira Cloud instance.

See Forge App Installation Guide for detailed instructions.

Step 3. Jira Configuration

Configure the Integration in your Atlassian Jira instance as the Administrator.

  • In Jira: Go to Apps → Keeper.

  • Enter API URL including the /api/v2 path and API Key.

  • Example URLs:

    • Ngrok: https://your-subdomain.ngrok.io/api/v2

    • Cloudflare: https://your-subdomain.trycloudflare.com/api/v2

  • Test Connection

    • Click Test Connection → verify success.

  • Save Settings

Jira Admin configuration complete.


Step 4. Endpoint Privilege Manager Webhook

To manage Keeper EPM approvals and generate tickets in Jira, a webhook notification is sent from Keeper to the Jira platform. The webhook URL is provided on the Keeper Jira integration screen. This webhook must be activated in the Keeper Admin Console following the steps below.

1) Locate the Web Trigger URL from the Jira Forge app.

2) Generate Authentication Token:

3) Copy both the URL and the token (token shown only once)

4) Login to the Keeper Admin Console > Reporting & Alerts > Alerts and click on "Add Alert"

5) Set Alert Name to something like "Jira EPM Webhook"

6) In Alert Condition, select the below events:

  • Agent created approval request

  • Removed approval request

  • Changed approval request status

7) Click on "Add Recipient" and then click "Webhook"

8) Paste the copied URL and Token from above

9) Save the recipient and then save the alert

10) Back in the Jira Forge app, configure which Jira project should receive automatically created tickets from Keeper Security alerts. Also select the target project and default issue type.

The web trigger URL is automatically generated by Jira Forge and serves as the webhook endpoint for Keeper Security alerts.

11) Save the Forge App configuration


User Guide for Jira Workflow

  • Navigate to your Jira project (e.g., IT Support, Security Operations)

    • Create a new ticket.

  • Open a Jira Issue Page

    • In the right-side panel, look for the Keeper panel.

    • The panel will load and display available Keeper actions.

    • Select action: Request Access to Record / Request Access to Folder / Request Record Permission Change.

    • Fill in form fields (required fields marked *).

  • Submit for Approval

    • First submission: Click Save Request to submit for admin approval.

    • Updating existing request: Click Update Request to modify your previously saved request.

    • A confirmation message will appear: "Request submitted successfully" or "Request updated successfully".

Action
When to Use

Grant or revoke access to individual records; use for time-bound access, temporary access, or team sharing.

Manage folder-level access and permissions for users or teams; useful for temporary project or contractor access.

Manage granular access to records within shared folders; enforce least-privilege and compliance.

Create New Secret (Admin Only)

Add new records to the Keeper vault; ideal for onboarding and provisioning new credentials.

Update Record (Admin Only)

Modify existing record fields such as passwords, usernames, URLs, or custom fields; for credential updates and password rotation.

Review and approve/deny privilege elevation requests from endpoints in real-time

Feature: Request Access to Record

Description: Request shared access to specific Keeper records

Capabilities:

  • Grant or revoke record access to users by email

  • Transfer record ownership

  • Set optional permissions (Allow Sharing, Allow Edit)

  • Configure access expiration (specific date/time or duration)

  • Apply permissions recursively to all records in a folder

Request Access to Record

Feature: Request Access to Folder

Description: Request access to Keeper shared folders for users or teams.

Capabilities:

  • Grant or remove folder access

  • Assign to individual users or teams

  • Configure folder permissions:

    • Can Manage Records

    • Can Manage Users

    • Can Share Records

    • Can Edit Records

  • Set access expiration

Request Access to Folder

Feature: Create New Secret

Description: Create new secret records directly in Keeper.

Capabilities:

  • Select from available record types (Login, Bank Account, SSH Key, etc.)

  • Fill in type-specific fields dynamically

  • Store secrets securely in Keeper vault


Admin-Only: Available to Jira Administrators and Project Administrators only

Create New Secret - Login type record

Feature: Update Record

Description: Update existing Keeper records.


Admin-Only: Available to Jira Administrators and Project Administrators only

Capabilities:

  • Search and select records from the vault

  • Modify record fields (title, login, password, URL, notes, etc.)

  • Force update option to override warnings

Note: You must have "Edit Issues" permission to see and use the Keeper panel.

Update Record

Feature: Manage KEPM Approval Requests

Description: Review, approve or deny Keeper Endpoint Privilege Manager (KEPM) requests directly in Jira.

Capabilities:

  • Review outstanding requests

  • Approve elevation or command execution

  • Deny elevation or command execution


Troubleshooting

Debug Mode

If the Commander Service Mode REST API is not behaving as expected, enable debug mode for detailed logs and troubleshooting. For example:

Or (Docker):

When debug mode is enabled:

  • Console or Docker logs show detailed request/response traces

  • Useful for identifying configuration or API communication issues

  • Should be disabled in production to avoid exposing sensitive logs

Checking Service Status

  1. Check Service Mode status via the CLI: keeper service-status

  2. Verify API Accessibility and Status

    • Test API endpoint and check service status:

    • Check if server is running and accessible from Jira

    • Verify firewall rules allow access

  3. Restart Service Mode

Note: Tickets will continue to be created using webhook payload data during service outages to ensure no security events are lost. Once service is restored, new tickets will include enriched data from the KEPM approval view command.

Troubleshooting Problems

Error / Symptom | Cause | Recommended Solution
Connection Failed / Timeout | Service Mode not running or tunnel not reachable | Verify the Service Mode instance is active and accessible. Ensure the Ngrok or Cloudflare tunnel is live and points to the correct port.
401 Unauthorized / 403 Forbidden | Invalid or expired API key | Retrieve the correct API key from Commander Service Mode logs and update it in the Jira configuration screen. Confirm no spaces or extra characters are included.
404 Not Found | Incorrect or incomplete API URL | Use the complete API v2 URL including the /api/v2 path (e.g., https://xxxxx.ngrok.io/api/v2 or https://xxxxx.mycompany.com/api/v2). Ensure the tunnel forwards to the same port used by Service Mode.
502 Bad Gateway / 503 Service Unavailable | Service Mode offline or unresponsive | Restart the Service Mode instance and allow it to fully initialize. Review recent logs for configuration or authentication issues.
Actions Fail Despite Successful Connection | Missing commands or insufficient permissions | Confirm all required commands are enabled in Service Mode. Verify Keeper vault access permissions for the account executing the actions.
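
The following added example (not Keeper's code and not part of the Forge app) checks the API URL and API Key from Step 3 against the rules on this page before they are saved, and maps an HTTP status to the cause listed in the table above. The function names are hypothetical, the sample values are constructed, and rejecting non-https URLs is an assumption added here rather than a documented requirement.

```python
from urllib.parse import urlsplit

REQUIRED_PATH = "/api/v2"  # the page requires the API URL to include this path

# Causes copied from the troubleshooting table on this page.
STATUS_CAUSES = {
    401: "Invalid or expired API key",
    403: "Invalid or expired API key",
    404: "Incorrect or incomplete API URL",
    502: "Service Mode offline or unresponsive",
    503: "Service Mode offline or unresponsive",
}

def check_settings(api_url, api_key):
    """Return a list of problems found in the API URL and API Key (hypothetical helper)."""
    problems = []
    try:
        parts = urlsplit(api_url)
        host = parts.hostname
    except ValueError:
        return ["API URL cannot be parsed"]
    if api_url != api_url.strip():
        problems.append("API URL has leading or trailing whitespace")
    if parts.scheme != "https":
        # Assumption added here: without TLS the API key crosses the network in clear text.
        problems.append("API URL does not use https")
    if not host:
        problems.append("API URL has no hostname")
    if parts.username or parts.password:
        problems.append("API URL embeds credentials; use the API Key field instead")
    if parts.path.rstrip("/") != REQUIRED_PATH:
        problems.append("API URL path must be /api/v2 (otherwise expect 404 Not Found)")
    if parts.query or parts.fragment:
        problems.append("API URL carries a query string or fragment")
    if not api_key:
        problems.append("API key is empty")
    elif any(c.isspace() or not c.isprintable() for c in api_key) or api_key[0] in "'\"":
        problems.append("API key contains spaces or extra characters (expect 401/403)")
    return problems

def explain_status(status):
    """Map an HTTP status from Test Connection to the cause listed on this page."""
    return STATUS_CAUSES.get(status, "Not covered by the troubleshooting table")

if __name__ == "__main__":
    # Constructed sample values, not real endpoints or keys.
    print(check_settings("https://your-subdomain.ngrok.io/api/v2", "EXAMPLE-KEY"))
    print(check_settings("http://your-subdomain.ngrok.io", " EXAMPLE-KEY\n"))
```
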
