Problem connecting Confluence to Jira User Directories

Michael Wolfe
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
November 15, 2017

I have both Jira and Confluence running on the same server, both over SSL.  Prior to implementing SSL on both sites, Confluence was capable of synchronizing its user directory with Jira.  Now that SSL is in place on both services, Confluence cannot connect.  When I try to create a new connector, I get this error if I specify https:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Over http I get this:

The following URL does not specify a valid Crowd User Management REST service: http://server.domain.com/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user

 

They are using the same Java keystore, which is in /usr/local/java/jre1.8.0_151, so they should be able to locate each other's certs, unless there is a bug where they need to have their own, separate keystores with a copy of the cert in the keystore.  Has anyone else experienced this issue?

1 answer

0 votes
Dave Theodore [Coyote Creek Consulting]
Community Leader
November 15, 2017

What type of x509 certs? If they are from a commercial CA, you need to be sure to include the intermediate (chain) cert along with the public and private keys in whatever method you are using to terminate SSL.  

If they are self-signed certs or from your internal or otherwise non-commercial CA, you will need to import them into the Java key store for the version you are running. If both apps are running the same Java, this can be done once, as both will use the same keystore. I would expect your keystore to be located at /usr/local/java/jre1.8.0_151/lib/security/cacerts. It would also be worth verifying you are actually running the Java located in /usr/local/java/jre1.8.0_151 via `ps -ef`.

Worst case, set up a plain text connector on each app and use that for your Application Links and to hook Confluence up to JIRA. I'd bind it to localhost to ensure that unencrypted auth traffic stays internal to the box, as well.

Michael Wolfe
Community Leader
November 16, 2017

All of my certs are issued from our internal CAs, and I also forgot to mention that I'm using Apache as a reverse proxy to our Jira sites.  This allows our users to go to jira.domain.com without needing to type in a port number, as well as automatically direct them to the SSL page.

I was able to get around this by using the port number in the connection URL.

I ran ps -ef and it looks like the only references to Java are within the Confluence and Jira installation directories.  Does that mean they are referencing the keystore within <installation_dir>/jre/lib/security/ as opposed to the one I've configured within $JAVA_HOME?

Dave Theodore [Coyote Creek Consulting]
Community Leader
November 16, 2017

Yep. You need to import the cert into the respective keystore for the Java each app is using. You could also change the scripts to use the Java that you installed, since you already imported the certs there and probably would rather manage the certs in one place rather than two.

Michael Wolfe
Community Leader
November 16, 2017

That I would, and it's weird that I went through all that trouble to install the correct version of Java, set up SSL, and only for it to use its own keystore for cert validation.

Which script are you referring to?  Is it this one? 

Djava.util.logging.config.file=/var/www/confluence/conf/logging.properties

Dave Theodore [Coyote Creek Consulting]
Community Leader
November 28, 2017

Sorry for the late reply. I was referring to the start script.  Depending on how you start the apps, there are a number of places that you can declare the JAVA_HOME or JRE_HOME. It's always a good idea to verify the version of Java actually running via `ps`.

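The check discussed in the replies above, as an added example that is not part of the original thread: it takes `ps` command lines and reports which `cacerts` file each JVM will actually validate certificates against, so the internal CA is imported where it is used. The sample lines are constructed; the Jira path `/var/www/jira` and the JVM flags other than the logging property are assumptions.

```shell
#!/bin/sh
# Which trust store does each running JVM validate TLS peers against?
# Real host: ps -eo args | grep '[b]in/java' | report_truststores
# Assumes the java binary path contains no spaces.

# Print the trust store for one JVM command line (one line of ps output).
truststore_for_cmdline() {
    cmdline=$1
    # An explicit -Djavax.net.ssl.trustStore=... overrides the JRE default.
    override=$(printf '%s\n' "$cmdline" | tr ' ' '\n' |
        sed -n 's/^-Djavax\.net\.ssl\.trustStore=//p' | head -n 1)
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
        return 0
    fi
    java_bin=${cmdline%% *}          # first token is the java binary
    case $java_bin in
        */bin/java) java_home=${java_bin%/bin/java} ;;
        *) return 1 ;;               # bare "java" from PATH: ps cannot tell
    esac
    # A JDK 8 home keeps cacerts under jre/; a JRE home keeps it directly.
    if [ -f "$java_home/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$java_home/jre/lib/security/cacerts"
    else
        printf '%s\n' "$java_home/lib/security/cacerts"
    fi
}

# Read ps command lines on stdin; print "<trust store><TAB><java binary>".
report_truststores() {
    while IFS= read -r line; do
        if store=$(truststore_for_cmdline "$line"); then
            printf '%s\t%s\n' "$store" "${line%% *}"
        else
            printf 'UNKNOWN\t%s\n' "${line%% *}"
        fi
    done
}

# Constructed sample (the Jira path is an assumption, not from the thread).
sample_ps_lines() {
    cat <<'EOF'
/var/www/confluence/jre/bin/java -Djava.util.logging.config.file=/var/www/confluence/conf/logging.properties -Xms1024m
/var/www/jira/jre/bin/java -Djava.awt.headless=true -Xms384m
EOF
}

sample_ps_lines | report_truststores
# Each distinct store listed needs the internal CA imported, for example:
# keytool -importcert -trustcacerts -alias <alias> -file <ca.pem> -keystore <store>
```

For the sample input this lists two separate bundled trust stores, neither of which is the one under /usr/local/java/jre1.8.0_151.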
