I've moved JIRA which Confluence is using for a User Server from one IP address to a local DNS name (jira.xxxx.net). Now the Remote JIRA Directory can't connect, and users are no longer synchronized. I've spent about an hour trying to fix it, with no luck. How can I repair this connection?
I realize variations of this question have been asked and answered, but they are an overwhelming collection of Q&A, SQL commands, rollback recommendations and frankly I get lost.
I understand you changed the Jira URL from an IP address to a DNS name. Since then Confluence has not been able to connect to Jira for user management.
Please let me know what steps you have taken and what error messages you are seeing in the browser and the logs:
The log should have errors indicating that the external user directory is not available during authentication. The error messages should give us a clue as to why it isn't connecting.
I look forward to hearing more about your case.
At the point where I try to "Add" "Atlassian JIRA" in the Confluence User Directory area, I get a:
'Connection test failed. Response from the server:
com.atlassian.crowd.exception.ApplicationPermissionException: Forbidden (403) Encountered a "403 - Forbidden" error while loading this page. client.forbidden.exception Go to JIRA home'
Even though I triple-checked that Application Name and Application Password match.
Here are some screenshots:
Thanks for the screen shots. Based on those:
For logging in with an internal admin, go to Confluence Admin>Groups and check the membership of the confluence-administrators group. If you do not have credentials for a user in that group, then add a user (it will add them in the Confluence Internal directory unless the Jira directory is read/write) and add the user to the confluence-administrators group so they will be a super user.
Then you can edit the existing Remote Jira user directory to point at the DNS name instead of an IP address.
Eliminating 403 Forbidden connecting to Jira
You will likely see the same 403 error when connecting with the existing user directory that you are seeing when adding a new Jira user directory. To get connected, please see: Unable to connect to JIRA for authentication - Forbidden 403
Confluence server could not connect or access to JIRA server due to the following cause:
JIRA does not include Confluence server IP address in JIRA User Server settings
JIRA has not whitelisted Confluence server or IP address, despite both of them located within same server.
There is a proxy or firewall that blocks such access from Confluence to JIRA.
Please try the resolutions from the article and let me know if you see any other error when connecting to Jira for user management.
For the Internal Administrator guidance, the account I am logged in as reports being a member of the confluence-administrators group. I am able to attempt adding remote JIRA user directories, as indicated in the 2nd screenshot (Confluence_userdirectory_2).
For the Eliminating 403 guidance:
In the 3rd screenshot (JIRA_userdirectory_1) I have IP address specified of 192.168.0.0/16 to allow all traffic in from 192.168.x.x, which does match our IP range.
I added a whitelist entry (http://wiki.moducom.net) but unfortunately no change.
Also, I don't see how a proxy or firewall could be blocking it - BUT - there is indeed an nginx reverse proxy in place forwarding:
It works well enough for other areas (such as application linking).
How do you recommend we proceed?
Thanks for making sure the whitelist and Jira User Server settings are there.
One of the resolutions on the knowledge base article is to bypass the proxy by accessing Jira on localhost as described on: Unable to connect to JIRA for authentication - Forbidden 403. It sounds like Confluence and Jira are on the same server proxied to the two ports, in which case that option is worth considering.
Right now the issue I am focussed on is the 403 error connecting to Jira, but I wanted to be clearer about the Confluence Internal admin. Regarding the editing of the existing Remote Jira User Directory: In order to edit it a user must be in the confluence-administrators group and also the user must be logged in from another directory. Your other directory is the Confluence internal directory. To see what directory a user is from, view them in User Management as in the screen shot below.
It is considered a good practice to have an administrative account in the Internal directory when external authentication is used with Confluence. That way, if the system that authenticates users fails or is unreachable you can still get into the UI.
Thank you for this.
In regards to your initial Recommendation, if the only way forward is to specify a direct IP and port instead of a proxy, I will do it. However, that's what got me into this trouble in the first place, and I would much prefer the mobility of an actual DNS name.
In regards to the Secondary recommendation, I would like to do this; however it's a bit of a chicken and the egg, I am not able to add any more users to Confluence - presumably because Confluence is hard-wired to be a "slave" to JIRA users as you can see in the screenshot below. What would you recommend to enable an internal administrator account in this situation?
I mistakenly assumed your Jira user directory was read-only. Confluence creates the user in the first directory it has permission to write to, in this case the Jira user directory because it is on top. It fails because it can't connect currently. (I was able to reproduce the behavior on my test instance after making the Jira User directory read/write.)
Please move the Internal Directory up in the order and then create the internal admin. For more on how the directories work see: Managing Multiple Directories
Back to the 403 error: Can you ping or nslookup and resolve the DNS name of the Jira server from the command line on the Confluence server? What if you do a traceroute to that IP? Does it go through any network devices that could be blocking the connectivity?
Following these instructions, I was able via direct IP address to set up a 2nd JIRA user directory reference (disabling my first one) and successfully synchronize. Thank you immensely for this.
Regarding utilizing DNS naming:
JIRA DNS ping and nslookup work quite well from the command line on the Confluence server.
JIRA DNS reference for aforementioned 2nd JIRA user directory works if "http://jira.moducom.net:8080" is specified. That is a little unexpected, because the proxy is, as mentioned before, arranged to do jira.moducom.net:80 -> [::]:8080 and definitely does exactly that during normal usage.
I am relieved to hear the Jira User directory is functional for Confluence now. It is interesting that the User Directory only connects when you specify the port. It reminded me of this guide: Reverse Proxy and Application Link Troubleshooting Guide
When using a reverse proxy, the application server (Tomcat) must be aware of the proxy to ensure that the correct addresses and URLs are sent back to the client. If this is not correctly set up, Tomcat will return the hostname and IP that it's listening on, rather than the address that clients use to access the application.
The most reliable way to configure your HTTP connector is to include the proxy information:
<Connector port="8080" connectionTimeout="20000" maxThreads="200" minSpareThreads="10"
enableLookups="false" acceptCount="10" URIEncoding="UTF-8"
proxyName="atlassian.com" proxyPort="443" scheme="https" secure="true" />
Please make sure the connector directive in <confluence_install_dir>/conf/server.xml has the proxyName, proxyPort and scheme as described.
You may be as punctilious as you like, in fact, you are right, it was the Jira setting I meant to refer you to; I should have asked you to check the server.xml in Jira.
I am not sure why the User Directory wants to bypass the proxy and "talk" on the Tomcat port. I can only speculate that it's "something" with the network configuration.
Are you all set now that the user directory is functional or do we need to get it to talk on port 80?
The critical need is handled, and my concern about future breakages is tempered with the knowledge of using an internal administrator to add a brand new user directory when needed.
I'd like to explore precisely how to get the DNS port 80 flavor working, but the reality is it will probably be time consuming and either:
a) worked out as a bug
b) revealed in a workaround in due time
So, with all that, I can say I am all set. I leave it to you the prudence of reporting this as a possible bug, if you think it is I'd be happy to help with that. Thank you for everything!
One more thing to check - since Confluence is also behind the proxy, the requests to Jira User Server may appear to Jira to be coming from the NGINX proxy. Is the IP address of the proxy allowed in Jira User Server and in the Jira Whitelist?
I am curious whether you have application links set up between Confluence and Jira and if so, whether the links are using the DNS names.
Application links on both sides using DNS naming without explicit ports.
Whitelist also using DNS naming; going to add IP:PORT directly to Whitelist and follow up with results.
Found the culprit. The IP Addresses under Edit Application needed to include localhost-y things in it (::1, 127.0.0.1), not just 192.168.0.0/16.
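The allowlist gap found above, as an added example that is not part of the original thread and is not Jira's own matching logic: it checks which source addresses an IP allowlist admits, before and after adding the loopback entries. The LAN address 192.168.1.20 and the IPv4-mapped form are constructed samples, and unwrapping IPv4-mapped addresses is an assumption of this sketch.

```python
import ipaddress

# Constructed sample source addresses as the user-server application might see them.
SOURCES = {
    "192.168.1.20": "direct connection to the Tomcat port from a LAN address",
    "127.0.0.1": "reverse proxy on the same host, IPv4 loopback",
    "::1": "reverse proxy on the same host, IPv6 loopback",
    "::ffff:127.0.0.1": "IPv4 loopback reported by a dual-stack socket",
}

BEFORE = ["192.168.0.0/16"]                      # allowlist from the thread
AFTER = ["192.168.0.0/16", "127.0.0.1", "::1"]   # allowlist after the fix


def parse_allowlist(entries):
    """Turn entries like '192.168.0.0/16' or '::1' into network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def normalize(addr):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed(addr, networks):
    """True if addr falls inside any allowlisted network of the same family."""
    ip = normalize(addr)
    return any(ip.version == net.version and ip in net for net in networks)


def audit(entries, sources=SOURCES):
    """Map each source address to whether the allowlist admits it."""
    networks = parse_allowlist(entries)
    return {addr: is_allowed(addr, networks) for addr in sources}


if __name__ == "__main__":
    for label, entries in (("before", BEFORE), ("after", AFTER)):
        print(label, entries)
        for addr, ok in audit(entries).items():
            print(f"  {addr:<18} {'allowed' if ok else 'DENIED '}  {SOURCES[addr]}")
```

Running the same check against the address the application actually logs for a rejected request shows whether the 403 comes from the allowlist or from somewhere else.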