Destination User Directory has moved

Thank you for this.  

In regards to your initial Recommendation, if the only way forward is to specify a direct IP and port instead of a proxy, I will do it.  However, that's what got me into this trouble in the first place, and I would much prefer the mobility of an actual DNS name.

In regards to the Secondary recommendation, I would like to do this; however it's a bit of a chicken and the egg, I am not able to add any more users to Confluence - presumably because Confluence is hard-wired to be a "slave" to JIRA users as you can see in the screenshot below.  What would you recommend to enable an internal administrator account in this situation?

.

I mistakenly assumed your Jira user directory was read-only. Confluence creates the user in the first directory it has permission to write to, in this case the Jira user directory because it is on top. It fails because it can't connect currently. (I was able to reproduce the behavior on my test instance after making the Jira User directory read/write.)

Please move the Internal Directory up in the order and then create the internal admin. For more on how the directories work see: Managing Multiple Directories

Back to the 403 error: Can you ping or nslookup and resolve the DNS name of the Jira server from the command line on the Confluence server? What if you do a traceroute to that IP? Does it go through any network devices that could be blocking the connectivity?

Following these instructions, I was able via direct IP address to set up a 2nd JIRA user directory reference (disabling my first one) and successfully synchronize.  Thank you immensely for this.

Regarding utilizing DNS naming:

JIRA DNS ping and nslookup work quite well from the command line on the Confluence server.

JIRA DNS reference for aforementioned 2nd JIRA user directory works if "http://jira.moducom.net:8080" is specified.  That is a little unexpected, because the proxy is, as mentioned before, arranged to do jira.moducom.net:80 -> [::]:8080 and definitely does exactly that during normal usage.

I am relieved to hear the Jira User directory is functional for Confluence now. It is interesting that the User Directory only connects when you specify the port. It reminded me of this guide: Reverse Proxy and Application Link Troubleshooting Guide

When using a reverse proxy, the application server (Tomcat) must be aware of the proxy to ensure that the correct addresses and URLs are sent back to the client. If this is not correctly set up, Tomcat will return the hostname and IP that it's listening on, rather than the address that clients use to access the application.

The most reliable way to configure your HTTP connector is to include the proxy information:

<Connector port="8080" connectionTimeout="20000" maxThreads="200" minSpareThreads="10"
 enableLookups="false" acceptCount="10" URIEncoding="UTF-8" 
 proxyName="atlassian.com" proxyPort="443" scheme="https" secure="true" />

 Please make sure the connector directive in <confluence_install_dir>/conf/server.xml has the proxyName, proxyPort and scheme as described.

Both JIRA and Confluence have been configured with these proxyName/proxyPort settings.

Risking over-punctiliousness, I notice you suggest changing the Confluence proxy settings but wouldn't the JIRA settings be the focal point?

You may be as punctilious as you like, in fact, you are right, it was the Jira setting I meant to refer you to; I should have asked you to check the server.xml in Jira.

I am not sure why the User Directory wants to bypass the proxy and "talk" on the Tomcat port. I can only speculate that it's "something" with the network configuration. 

Are you all set now that the user directory is functional or do we need to get it to talk on port 80?

The critical need is handled, and my concern about future breakages is tempered with the knowledge of using an internal administrator to add a brand new user directory when needed.  

I'd like to explore precisely how to get the DNS port 80 flavor working, but the reality is it will probably be time consuming and either:

a) worked out as a bug

b) revealed in a workaround in due time

So, with all that, I can say I am all set.  I leave it to you the prudence of reporting this as a possible bug, if you think it is I'd be happy to help with that.  Thank you for everything !

One more thing to check - since Confluence is also behind the proxy, the requests to Jira User Server may appear to Jira to be coming from the NGINX proxy. Is the IP address of the proxy allowed in Jira User Server and in the Jira Whitelist?

I am curious whether you have application links set up between Confluence and Jira and if so, whether the links are using the DNS names.

Application links on both sides using DNS naming without explicit ports.

Whitelist also using DNS naming; Going to add IP:PORT directly to Whitelist and followup with results.

EDIT:

Found the culprit.  The IP Addresses under Edit Application needed to include localhost-y things in it (::1, 127.0.0.1), not just 192.168.0.0/16.

With aforementioned settings, I am able to use DNS name http://jira.moducom.net in the confluence JIRA server user directory configuration

So...http://jira.moducom.net  with no port, so default port 80. Nice.

I do feel we are all set now, what do you say?

100% all set !

We went from solution established to curiosity satisfied.  You rock.  Thank you !

At the point where I try to "Add" "Atlassian JIRA" in the Confluence User Directory area, I get a :

'Connection test failed. Response from the server:
com.atlassian.crowd.exception.ApplicationPermissionException: Forbidden (403) Encountered a "403 - Forbidden" error while loading this page. client.forbidden.exception Go to JIRA home'

Even though I triple-checked that Application Name and Application Password match

Here are some screenshots:

Thanks for the screen shots. Based on those:

• You need to log in with an administrative account from the Confluence Internal Directory so you can edit the Remote Jira directory.
• Then you have the 403 error to overcome.

Internal Administrator

For logging in with an internal admin, go to Confluence Admin>Groups and check the membership of the confluence-administrators group. If you do not have credentials for a user in that group, then add a user (it will add them in the Confluence Internal directory unless the Jira directory is read/write)and add the user to the confluence-administrators group so they will be a super user.

Then you can edit the existing  Remote Jira user directory to point at the DNS name instead of an IP address.

Eliminating 403 Forbidden connecting to Jira

You will likely see the same 403 error when connecting with the existing user directory that you are seeing when adding a new Jira user directory. To get connected, please see: Unable to connect to JIRA for authentication - Forbidden 403

Confluence server could not connect or access to JIRA server due to the following cause:

1. JIRA does not include Confluence server IP address in JIRA User Server settings

2. JIRA has not whitelisted Confluence server or IP address, despite both of them located within same server.

3. There is a proxy or firewall that blocks such access from Confluence to JIRA.

Please try the resolutions from the article and let me know if you see any other error when connecting to Jira for user management.

For the Internal Administrator guidance, the account I am logged in as reports to being a member of the confluence-administrators group.  I am able to attempt adding remote JIRA user directories, as indicated in 2nd screenshot (Confluence_userdirectory_2)

For the Eliminating 403 guidance:

Item 1

In the 3rd screenshot (JIRA_userdirectory_1) I have IP address specified of 192.168.0.0/16 to allow all traffic in from 192.168.x.x which does match our IP range

Item 2

I added a whitelist entry (http://wiki.moducom.net) but unfortunately no change.  

Item 3

Also, I don't see how a proxy or firewall could be blocking it - BUT - there is indeed an nginx reverse proxy in place forwarding:

• jira.moducom.net -> localhost:8080
• wiki.moducom.net -> localhost:8090

It works well enough for other areas (such as application linking).  

How do you recommend we proceed?

Thanks for making sure the whitelist and Jira User Server settings are there.

Recommendation

One of the resolutions on the knowledge base article is to bypass the proxy by accessing Jira on localhost as described on: Unable to connect to JIRA for authentication - Forbidden 403  It sounds like Confluence and Jira are on the same server proxied to the two ports, in which case that option is worth considering.

Secondary recommendation

Right now the issue I am focussed on is the 403 error connecting to Jira, but I wanted to be clearer about the Confluence Internal admin. Regarding the editing of the existing Remote Jira User Directory: In order to edit it a user must be in the confluence-administrators group and also the user must be logged in from another directory. Your other directory is the Confluence internal directory. To see what directory a user is from, view them in User Management as in the screen shot below.

It is considered a good practice to have an administrative account in the Internal directory when external authentication is used with Confluence. That way, if the system that authenticates users fails or is unreachable you can still get into the UI.

HIt

Somehow, I was able to reply AS you Ann.  Certainly not on purpose :) please find my response below