Authentication proxy blocks synchrony traffic
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
Collaborative Editing is enabled, and the Synchrony service is running, but Collaborative Editing does not work for any users.
Diagnosis
Environment
Confluence Data Center 6.x
An authentication proxy is in use in the environment (e.g. IDMS)
Diagnostic Steps
Confirm Synchrony is up and running locally on the Synchrony Nodes
Process Check
$ ps aux | grep -i synchrony
synchro+ 860 0.7 9.8 3622844 401484 ? Sl May28 622:26 java -Xms2048k -Xmx1024m -classpath /var/atlassian/synchrony/synchrony-standalone.jar:/var/atlassian/synchrony/postgresql-9.4.1212.jar -Dsynchrony.cluster.impl=hazelcast-btf -Dsynchrony.port=8091 -Dcluster.listen.port=5701 -Dsynchrony.cluster.base.port=25500 -Dcluster.join.type=tcpip -Dcluster.join.tcpip.members=10.10.15.20 -Dsynchrony.context.path=/synchrony -Dsynchrony.cluster.bind=10.10.15.21 -Dsynchrony.bind=10.10.15.21 -Dcluster.interfaces=10.10.15.21 -Dsynchrony.service.url=https://confluence.example.com/synchrony -Djwt.private.key=<private-key-here> -Djwt.public.key=<public-key-here> -Dsynchrony.database.url=jdbc:postgresql://10.10.25.44:5432/conf6 -Dsynchrony.database.username=dbusername -Dsynchrony.database.password=dbpassword -Djava.net.preferIPv4Stack=true -Dip.whitelist=127.0.0.1,localhost synchrony.core sql
Heartbeat test
$ curl http://<node-ip>:8091/synchrony/heartbeat
OK
Capture a HAR file and confirm the following two GET requests return the values below:
GET /rest/synchrony-interop/status
{
  "synchronyEnabled": true,
  "sharedDraftsEnabled": true
}
This is the check to see whether Collab Editing is enabled on the Confluence side (e.g. On/Off). This does not check if the feature is actually working or if Synchrony is running.
GET /rest/synchrony-interop/synchrony-status
{
  "status": "stopped"
}
The expected state is "running"; a "stopped" state indicates the remote Synchrony server is not reachable or not running. In this example, the Synchrony server is up and the heartbeat URL responds OK, which indicates that Confluence can't reach Synchrony.
Confirm the Synchrony Interop Bootstrap Plugin (System plugin) is enabled
A wget to the jwt-key URL is redirected (302 Found) to the authentication proxy's login page and results in a permission denied error:
$ wget https://confluence.example.com/synchrony/jwt-key
-2018-07-09 01:33:52- https://confluence.example.com/synchrony/jwt-key
Resolving confluence.example.com... 10.1.15.4
Connecting to confluence.example.com|10.1.15.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://idmsauth.example.com/IDMSWebAuth/login?appIdKey=0xyz&path=%3Fos_destination%3D%252Fsynchrony%252Fjwt-key&rv=30 [following]
-2018-07-09 01:33:52- https://idmsauth.example.com/IDMSWebAuth/login?appIdKey=0xyz&path=%3Fos_destination%3D%252Fsynchrony%252Fjwt-key&rv=30
Resolving idmsauth.example.com... 10.10.32.15
Connecting to idmsauth.example.com|10.10.32.15|:443... connected.
HTTP request sent, awaiting response... 200
Length: 4762 (4.7K) [text/html]
jwt-key: Permission denied

Cannot write to “jwt-key” (Success).
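The wget check above, as an added example that is not part of the original article: a POSIX shell helper that requests the jwt-key URL without following redirects and reports when the first response is a redirect to a different host, as with the IDMS login redirect shown. The function names and result labels are hypothetical, and reading a 2xx status as "the proxy let the request through" is an assumption.

```sh
#!/bin/sh
# Added example, not from the original article. Function names and result
# labels are hypothetical.

# classify_jwt_key_response STATUS REDIRECT_URL SERVICE_HOST
# Decide what an un-followed response to /synchrony/jwt-key means.
classify_jwt_key_response() {
    status=$1 redirect_url=$2 service_host=$3
    case $status in
        000) echo "unreachable" ;;            # curl got no HTTP response
        2??) echo "not-redirected" ;;         # assumption: proxy let it through
        401|403) echo "denied" ;;
        30[12378])
            # Reduce the Location URL to its host: drop scheme, then path/port/query.
            redirect_host=${redirect_url#*://}
            redirect_host=${redirect_host%%[/:?]*}
            if [ -n "$redirect_host" ] && [ "$redirect_host" != "$service_host" ]; then
                echo "intercepted:$redirect_host"   # sent to another host, e.g. a login page
            else
                echo "redirect-same-host"
            fi ;;
        *) echo "unexpected:$status" ;;
    esac
}

# check_jwt_key BASE_URL  (run from a Confluence node, e.g. https://confluence.example.com)
check_jwt_key() {
    base_url=$1
    host=${base_url#*://}
    host=${host%%[/:]*}
    # No -L: the first response is the evidence, so redirects are not followed.
    out=$(curl -s -o /dev/null --max-time 10 \
        -w '%{http_code} %{redirect_url}' "$base_url/synchrony/jwt-key") || true
    classify_jwt_key_response "${out%% *}" "${out#* }" "$host"
}

# Constructed sample: status and Location host taken from the wget output above.
classify_jwt_key_response 302 \
    'https://idmsauth.example.com/IDMSWebAuth/login?appIdKey=0xyz&rv=30' \
    confluence.example.com
```

An `intercepted:<host>` result from a Confluence node corresponds to the 302 in the wget output; after the proxy rule is changed, the same check should no longer report a redirect to the login host.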
Cause
In some environments, an intermediary authentication proxy (such as IDMS) is used for all web traffic. This type of proxy may require the path for Synchrony (/synchrony/*) to be whitelisted; otherwise it will be blocked.
Solution
Resolution
Whitelist/Allow the path for synchrony in the authentication proxy rules:
/synchrony/*