Authentication proxy blocks synchrony traffic
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Problem
Collaborative Editing is enabled, and the Synchrony service is running, but Collaborative Editing does not work for any users.
Diagnosis
Environment
- Confluence Data Center 6.x
- An authentication proxy is in use in the environment (e.g. IDMS)
Diagnostic Steps
Confirm Synchrony is up and running locally on the Synchrony Nodes
Process Check
    $ ps aux | grep -i synchrony
    synchro+ 860 0.7 9.8 3622844 401484 ? Sl May28 622:26 java -Xms2048k -Xmx1024m -classpath /var/atlassian/synchrony/synchrony-standalone.jar:/var/atlassian/synchrony/postgresql-9.4.1212.jar -Dsynchrony.cluster.impl=hazelcast-btf -Dsynchrony.port=8091 -Dcluster.listen.port=5701 -Dsynchrony.cluster.base.port=25500 -Dcluster.join.type=tcpip -Dcluster.join.tcpip.members=10.10.15.20 -Dsynchrony.context.path=/synchrony -Dsynchrony.cluster.bind=10.10.15.21 -Dsynchrony.bind=10.10.15.21 -Dcluster.interfaces=10.10.15.21 -Dsynchrony.service.url=https://confluence.example.com/synchrony -Djwt.private.key=<private-key-here> -Djwt.public.key=<public-key-here> -Dsynchrony.database.url=jdbc:postgresql://10.10.25.44:5432/conf6 -Dsynchrony.database.username=dbusername -Dsynchrony.database.password=dbpassword -Djava.net.preferIPv4Stack=true -Dip.whitelist=127.0.0.1,localhost synchrony.core sql
Heartbeat test
    $ curl http://<node-ip>:8091/synchrony/heartbeat
    OK
- Capture a HAR file and confirm the following two GET requests return the values below:
GET /rest/synchrony-interop/status
{ "synchronyEnabled": true, "sharedDraftsEnabled": true }
This checks whether Collaborative Editing is enabled on the Confluence side (On/Off). It does not check whether the feature is actually working or whether Synchrony is running.
GET /rest/synchrony-interop/synchrony-status
{ "status": "stopped" }
- The expected state is "running". A "stopped" state indicates the remote Synchrony server is not reachable, or not running. In this example, the Synchrony server is up and the heartbeat URL responds OK, which indicates that Confluence can't reach Synchrony.
- Confirm the Synchrony Interop Bootstrap Plugin (System plugin) is enabled
A wget to the jwt-key URL is redirected (302) to the authentication proxy login page and results in a permission denied error:
    $ wget https://confluence.example.com/synchrony/jwt-key
    -2018-07-09 01:33:52- https://confluence.example.com/synchrony/jwt-key
    Resolving confluence.example.com... 10.1.15.4
    Connecting to confluence.example.com|10.1.15.4|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://idmsauth.example.com/IDMSWebAuth/login?appIdKey=0xyz&path=%3Fos_destination%3D%252Fsynchrony%252Fjwt-key&rv=30 [following]
    -2018-07-09 01:33:52- https://idmsauth.example.com/IDMSWebAuth/login?appIdKey=0xyz&path=%3Fos_destination%3D%252Fsynchrony%252Fjwt-key&rv=30
    Resolving idmsauth.example.com... 10.10.32.15
    Connecting to idmsauth.example.com|10.10.32.15|:443... connected.
    HTTP request sent, awaiting response... 200
    Length: 4762 (4.7K) [text/html]
    jwt-key: Permission denied
    Cannot write to “jwt-key” (Success).
Cause
In some environments, an intermediary authentication proxy (such as IDMS) is used for all web traffic. This type of proxy may require the Synchrony path ( /synchrony/* ) to be whitelisted; otherwise it will be blocked.
Resolution
Whitelist/Allow the Synchrony path in the authentication proxy rules:
/synchrony/*
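To confirm the rule from a client's point of view, the check below requests a Synchrony path without following redirects and reports whether the answer is a redirect to a different host, as in the wget capture above. It is an added example, not Atlassian tooling; the function names are hypothetical and the hostnames are the article's example values.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; hostnames are the article's examples.

# url_host URL -> lower-cased host part of an absolute http(s) URL
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://([^/:?]+).*#\1#' | tr 'A-Z' 'a-z'
}

# classify_response BASE_URL HTTP_STATUS REDIRECT_URL
# Prints: ok | auth-redirect | same-host-redirect | denied | other
classify_response() {
    base_host=$(url_host "$1"); status=$2; redirect=$3
    case "$status" in
        200) echo ok ;;
        301|302|303|307|308)
            case "$redirect" in
                ''|/*) echo same-host-redirect ;;   # relative or missing Location
                *)  if [ "$(url_host "$redirect")" = "$base_host" ]; then
                        echo same-host-redirect
                    else
                        echo auth-redirect          # sent to another host, e.g. a login page
                    fi ;;
            esac ;;
        401|403) echo denied ;;
        *) echo other ;;
    esac
}

# check_synchrony_path BASE_URL PATH
# One request, redirects not followed; classifies status and redirect target.
check_synchrony_path() {
    out=$(curl -s -o /dev/null --max-time 10 \
          -w '%{http_code} %{redirect_url}' "$1$2") || { echo unreachable; return 1; }
    classify_response "$1" "${out%% *}" "${out#* }"
}

# Offline demo using the 302 from the article's wget capture (query string shortened).
# Live use: check_synchrony_path https://confluence.example.com /synchrony/jwt-key
classify_response https://confluence.example.com 302 \
    'https://idmsauth.example.com/IDMSWebAuth/login?appIdKey=0xyz&rv=30'
```

A result of ok only means no redirect or denial was seen; comparing the heartbeat response body with OK confirms that Synchrony itself answered.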