Posted to users@tomcat.apache.org by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil> on 2010/08/04 18:07:00 UTC

Tomcat 6.0.18/ IIS 6.0 /SSL

I am trying to get Tomcat and IIS configured on my secure web server (SSL)
so that I can access my deployed web application via https and NOT over
http. Connection to non-SSL works, but I cannot have that connection due to
security.

I want to run Tomcat through IIS, and I have configured it using the
isapi_redirect.dll (thanks to Electronjockey). However, when I try and hit
my https://site/geoportal my credentials do not carry me through to the web
application, instead I receive "Internet Explorer Cannot Display Webpage".
Can someone help me out on how to configure my server.xml and interpreting
my log files please? I have even tried to export my server certificate, and
call it using the keystore:"", still not working. I'm a Tomcat greenhorn,
any help would be awesome.

Isapi_redirect.log file: Looks like some sort of authentication is being
passed, then the ajp13 is not found?

[Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c
(3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70
addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT user=EIMS\john.doe
uri=/jakarta/isapi_redirect.dll
[Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c
(3120): Service request headers=5 attributes=9 chunked=no content-length=0
available=0
[Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116): did
not find a worker ajp13
[Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c
(2162): could not get a worker for name ajp13
[Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
(2210): could not get a worker for name ajp13

Here is the meat of my server.xml (pretty sure it's wrong):

<!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8080" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="80" />
    <!-- A "Connector" using the shared thread pool-->
    
    <Connector executor="tomcatThreadPool"
               port="8009" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="443" />
               
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the 
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1"
               keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf\cert.pfx"
               keystorePass="mypassword"
               keystoreType="pkcs12" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Thanks Jason.




Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by André Warnier <aw...@ice-sa.com>.
Maybe to avoid further meandering in what should or should not work, here is a short 
tutorial of how all this stuff works.

At the end of the chain, you have a Tomcat Engine.  This engine processes HTTP requests 
which it receives in some internal Tomcat format.  The requests are processed by 
forwarding them to "web applications" within Tomcat, who process the request and generate 
a response.

On top of the Tomcat engine are sitting one or more <Connector>s.
Each of these Connectors is at the same time a TCP socket listening on some port, and a 
sophisticated translation engine.  Each Connector translates the requests received on its 
port, from the external communications protocol format used (e.g. HTTP or HTTPS or AJP) 
into the common internal Tomcat request format, and then passes it to the Tomcat engine.

Graphically, it looks like this :


Connector 1           Connector 2        Connector 3
   HTTP                   AJP                HTTPS

     \                     |                   /


                     Tomcat engine

                    /       |       \
              webapp1     webapp2   webapp3

You can send a request (using the appropriate format) through any of the enabled 
Connectors.  For Tomcat in the end it does not matter.  It will send the response via the 
same Connector, which will perform the appropriate reverse translation according to its 
protocol.


Now imagine a front-end server, like IIS.
For reasons of your own, you want to send the request to IIS first, and would like IIS to 
determine if this request is to be handled locally by itself, or to be forwarded to a back-end 
Tomcat, and to do that if needed.

That is where the IIS add-on module isapi_redirect comes into play.
IIS gives it the URL of a request just received.  isapi_redirect, in function of its 
configuration, decides if this request is for a back-end Tomcat or not.
(That is what uriworkermap helps in doing).
If it decides that this URL is not for Tomcat, it returns to IIS saying "sorry, not for 
me", and IIS looks for other ways to satisfy this request.

If isapi_redirect decides that this request is for a back-end Tomcat, then it checks for 
which one.  For isapi_redirect, each back-end Tomcat to which it can redirect requests is 
called a "worker". (In a simple case, there is only one.)
(Here is where the workers.properties settings matter)

When isapi_redirect has determined to which "worker" it should pass the request, it tries 
to set up a TCP channel with this worker (Tomcat), on a port which understands the AJP 
protocol (aka, an AJP Connector of that Tomcat).
If this does not work (because the worker is not configured properly or the corresponding 
Tomcat is simply not running), isapi_redirect will return an error to IIS.
If it works, then isapi_redirect encodes the request according to the requirements of the 
AJP protocol, and sends it to Tomcat through this TCP channel.
isapi_redirect then waits for the response, on the same TCP channel.
When it gets the response, it returns it to IIS, which returns it to the browser.

So the full graphic now looks like this :

                        browser
                          |
                        TCP channel (SSL/HTTPS)
                          |
                         IIS
                          |
                    isapi_redirector
                          |
                        TCP channel (non-SSL)
                          |

Connector 1           Connector 2        Connector 3
   HTTP                   AJP                HTTPS

     \                     |                   /


                     Tomcat engine

                    /       |       \
              webapp1     webapp2   webapp3


Of course, Tomcat can deal with HTTPS all on its own, so you do not necessarily need an 
IIS in front for that.  You could also have the browsers use HTTPS to talk directly to Tomcat.
Then the configuration would be this :

                                            browser
                                               |
                                          TCP channel (SSL/HTTPS)
                                               |

Connector 1           Connector 2        Connector 3
   HTTP                   AJP                HTTPS

     \                     |                   /


                     Tomcat engine

                    /       |       \
              webapp1     webapp2   webapp3

and as far as Tomcat is concerned, it will not make much difference (except that now the 
Tomcat HTTPS Connector will be doing more work, and the AJP Connector less work).

There are good reasons to use a front-end Apache httpd, or IIS, in front of Tomcat.
There are also bad reasons, such as a simple lack of information.
If your only reason to put IIS/isapi_redirect in front of Tomcat is to handle HTTPS 
connections, then it is not a very good reason, and it makes the setup more complicated 
than it could be.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
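
The chain described in the message above (uriworkermap, then worker, then AJP Connector) can be checked offline before touching IIS. The Python script below is an added example, not code from the thread or from the Tomcat project; its three inputs are constructed samples modelled on the files discussed, the names `check_chain` and `worker1` are hypothetical, and it assumes Tomcat runs on the same host as IIS.

```python
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the thread (not the poster's real files).
SERVER_XML = """<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="80" />
  <Connector executor="tomcatThreadPool" port="8009" protocol="HTTP/1.1"
             redirectPort="443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service>"""

WORKERS_PROPERTIES = """\
# constructed: the only declared worker is called worker1
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009
"""

URIWORKERMAP_PROPERTIES = """\
# constructed: requests for the webapp are mapped to a worker named ajp13
/geoportal/*=ajp13
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def connector_protocols(server_xml):
    """Return {port: [protocol, ...]} for every <Connector> in server.xml."""
    by_port = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        protocol = conn.get("protocol", "HTTP/1.1")
        by_port.setdefault(int(conn.get("port")), []).append(protocol)
    return by_port


def check_chain(server_xml, workers_text, urimap_text):
    """Return a list of findings for the isapi_redirect -> Tomcat chain."""
    findings = []
    by_port = connector_protocols(server_xml)

    # 1. Two connectors cannot listen on the same port of the same address.
    for port, protos in sorted(by_port.items()):
        if len(protos) > 1:
            findings.append("port %d is claimed by %d connectors (%s); "
                            "only one can bind it"
                            % (port, len(protos), ", ".join(protos)))

    workers = parse_properties(workers_text)
    declared = [w.strip() for w in workers.get("worker.list", "").split(",")
                if w.strip()]

    # 2. Every worker named in uriworkermap must be declared in worker.list,
    #    otherwise the redirector logs "did not find a worker <name>".
    for pattern, target in parse_properties(urimap_text).items():
        if pattern.startswith("!"):
            continue  # exclusion rules do not need a reachable worker
        if target not in declared:
            findings.append("uriworkermap sends %s to worker '%s', which is "
                            "not in worker.list (%s)"
                            % (pattern, target, ", ".join(declared) or "empty"))

    # 3. Each ajp13 worker must point at a port where an AJP connector
    #    listens; an HTTP/1.1 connector there cannot parse AJP packets.
    for name in declared:
        if workers.get("worker.%s.type" % name) != "ajp13":
            continue
        port = int(workers.get("worker.%s.port" % name, "8009"))
        if not any(p.upper().startswith("AJP") for p in by_port.get(port, [])):
            findings.append("worker '%s' targets port %d, where no AJP "
                            "connector listens" % (name, port))
    return findings


if __name__ == "__main__":
    for finding in check_chain(SERVER_XML, WORKERS_PROPERTIES,
                               URIWORKERMAP_PROPERTIES):
        print(finding)
```

On the constructed inputs it reports the doubly claimed port 8009 and the mapping to a worker name that `worker.list` never declares.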


RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Propes, Barry L " <ba...@citi.com>.
I had this same issue at my workplace, and was actually able to strong arm them and force them to let me use 6.0.26! : )

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
Sent: Friday, August 06, 2010 10:40 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
>
> Well I'd like to but 6.0.18 is the most recent version approved on our
> network.

You might want the powers that be to review the fixes that have gone in over the last two years - including some significant security-related ones.  6.0.18 is rather sadly out of date.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.





RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Propes, Barry L " <ba...@citi.com>.
Alright!

-----Original Message-----
From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 [mailto:jason.t.hansel.ctr@navy.mil]
Sent: Friday, August 06, 2010 10:45 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Well good news, 6.0.28 was JUST approved...WooHOO!!!

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
Sent: Friday, August 06, 2010 11:40 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
>
> Well I'd like to but 6.0.18 is the most recent version approved on our
> network.

You might want the powers that be to review the fixes that have gone in over the last two years - including some significant security-related ones.
6.0.18 is rather sadly out of date.

 - Chuck




RE: Configuring Tomcat 6.0.28 with SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Leo,
I'm actually configuring the Geoportal Extension. I've got everything
working w/respect to LDAP and my database. My IIS is running as 32 bit, due
to some applications that need 32as64.  

-----Original Message-----
From: Leo Donahue - PLANDEVX [mailto:LeoDonahue@mail.maricopa.gov] 
Sent: Wednesday, August 11, 2010 1:32 PM
To: 'Tomcat Users List'
Subject: RE: Configuring Tomcat 6.0.28 with SSL

>-----Original Message-----
>From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
>[mailto:jason.t.hansel.ctr@navy.mil]
>Subject: RE: Configuring Tomcat 6.0.28 with SSL
>
>Well, IIS is listening on 443. Our users authenticate via PKI, through 
>IIS (which is set-up for SSL/Single-Sign On). Ideally, I'd like this to 
>be the same for the web app I'm trying to make available on the web 
>server, however, the isapi_redirect loads the page very very very slow. 
>I know that I'd have to establish a different port (according to the
>SysAdmin) if I'd want to authenticate through Tomcat, can this be done 
>on 8443? Sorry for the questions, I'm a GIS guy learning Web.
>

Jason,

Sorry I'm late chiming in, but I had to go back and read the archives to see
the history.

Are you trying to secure something ArcGIS Server related? (or, ArcIMS?)

I am able to avoid needing IIS/ISAPI for any of our GIS web apps, so far.
Even when I had IIS/ISAPI configured, I didn't experience the same issues
you have had with performance.


> can this be done on 8443?

That is how I have to develop and test our GIS web apps that use SSL.

Leo



RE: Configuring Tomcat 6.0.28 with SSL

Posted by Leo Donahue - PLANDEVX <Le...@mail.maricopa.gov>.
>-----Original Message-----
>From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
>[mailto:jason.t.hansel.ctr@navy.mil]
>Subject: RE: Configuring Tomcat 6.0.28 with SSL
>
>Well, IIS is listening on 443. Our users authenticate via PKI, through
>IIS
>(which is set-up for SSL/Single-Sign On). Ideally,
>I'd like this to be the same for the web app I'm trying to make
>available on
>the web server, however, the isapi_redirect loads the page very very
>very
>slow. I know that I'd have to establish a different port (according to
>the
>SysAdmin) if I'd want to authenticate through Tomcat, can this be done
>on
>8443? Sorry for the questions, I'm a GIS guy learning Web.
>

Jason,

Sorry I'm late chiming in, but I had to go back and read the archives to see the history.

Are you trying to secure something ArcGIS Server related? (or, ArcIMS?)

I am able to avoid needing IIS/ISAPI for any of our GIS web apps, so far.  Even when I had IIS/ISAPI configured, I didn't experience the same issues you have had with performance.


> can this be done on 8443?

That is how I have to develop and test our GIS web apps that use SSL.

Leo



RE: Configuring Tomcat 6.0.28 with SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Configuring Tomcat 6.0.28 with SSL
> 
> Do you know of any methods to speed up performance when configuring
> Tomcat->isapi_redirect->IIS?

Sorry, no.  I try to avoid IIS if at all possible.

 - Chuck




RE: Configuring Tomcat 6.0.28 with SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Chuck,
Do you know of any methods to speed up performance when configuring
Tomcat->isapi_redirect->IIS? I've googled this for a few days and have found
people experiencing the same issue, however, no solution has been
discovered. 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Wednesday, August 11, 2010 11:46 AM
To: Tomcat Users List
Subject: RE: Configuring Tomcat 6.0.28 with SSL

> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Configuring Tomcat 6.0.28 with SSL
> 
> Well, IIS is listening on 443.

Then Tomcat can't - unless you use different IP addresses for IIS and
Tomcat.

> if I'd want to authenticate through Tomcat, can this be done on 8443?

Yes, just use that port in the URL.  But be aware that many versions of
we-don't-need-no-stinkin'-standards-IE get confused when SSL is used over
something other than 443, so you'll need to verify that it works with all
the browsers your users have.

 - Chuck




RE: Configuring Tomcat 6.0.28 with SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Configuring Tomcat 6.0.28 with SSL
> 
> Well, IIS is listening on 443.

Then Tomcat can't - unless you use different IP addresses for IIS and Tomcat.

> if I'd want to authenticate through Tomcat, can this be done on 8443?

Yes, just use that port in the URL.  But be aware that many versions of we-don't-need-no-stinkin'-standards-IE get confused when SSL is used over something other than 443, so you'll need to verify that it works with all the browsers your users have.

 - Chuck




RE: Configuring Tomcat 6.0.28 with SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Chuck,
Well, IIS is listening on 443. Our users authenticate via PKI, through IIS
(which is set-up for SSL/Single-Sign On). Ideally,
I'd like this to be the same for the web app I'm trying to make available on
the web server, however, the isapi_redirect loads the page very very very
slow. I know that I'd have to establish a different port (according to the
SysAdmin) if I'd want to authenticate through Tomcat, can this be done on
8443? Sorry for the questions, I'm a GIS guy learning Web.

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Wednesday, August 11, 2010 10:59 AM
To: Tomcat Users List
Subject: RE: Configuring Tomcat 6.0.28 with SSL

> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Configuring Tomcat 6.0.28 with SSL
> 
> I do get the "INFO: The APR based Apache Tomcat Native library which 
> allows optimal performance in production environments was not found on 
> the java.library.path".

So APR is not in use, meaning you should follow the SSL doc here:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

(Which you probably have been doing.)

> When I try and access my webapp via 443

Post your current server.xml, with comments removed and privileged
information masked.

Do a netstat -ano and find out what process is actually listening on 443.

 - Chuck




RE: Configuring Tomcat 6.0.28 with SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Configuring Tomcat 6.0.28 with SSL
> 
> I do get the "INFO: The APR based Apache Tomcat Native 
> library which allows optimal performance in production 
> environments was not found on the java.library.path".

So APR is not in use, meaning you should follow the SSL doc here:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

(Which you probably have been doing.)

> When I try and access my webapp via 443

Post your current server.xml, with comments removed and privileged information masked.

Do a netstat -ano and find out what process is actually listening on 443.

 - Chuck




RE: Configuring Tomcat 6.0.28 with SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Jorge,
I do get the "INFO: The APR based Apache Tomcat Native library which allows
optimal performance in production environments was not found on the
java.library.path". When I try and access my webapp via 443, I am getting a
404 error "Not Found", even though I removed jakarta from IIS and commented
out the AJP 1.3 connector. Seems as though isapi_redirect.dll is still being
used, I cannot delete from my directory. Any Help would be great.

-----Original Message-----
From: Jorge Medina [mailto:cerebrotecnologico@gmail.com] 
Sent: Tuesday, August 10, 2010 4:27 PM
To: Tomcat Users List
Subject: Re: Configuring Tomcat 6.0.28 with SSL

There are two ways to add SSL support to Tomcat

a) Pure java support
b) Using OpenSSL through the APR library

For (b) you need to compile (or use a distribution with) the Tomcat Native
Library.

Configuring SSL using (a) is different than when using (b).

You may know if your server is running the APR by looking at the logs, at
startup you may find a line similar to:

INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path:

After you have determined if you have the APR, look at how to configure SSL
at http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

-Jorge


On Tue, Aug 10, 2010 at 3:41 PM, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC,
55E00 <ja...@navy.mil> wrote:
>
> I am abandoning the IIS/isapi_redirect.dll method of authenticating 
> via SSL into our web application due to the "authentication" process 
> taking a while, causing the web app to run abnormally slow.
>
> I am wanting to use our server certificate (PKCS12) as the keystore. 
> I've been doing a lot of research and it seems that I need to import 
> the root certificates into the keystore using OpenSSL. What I am not 
> too clear on is how to edit the server.xml file to accommodate these 
> configurations. Here is what I have thus far, however, SSL does not seem
> to be working.
>
> Copied from Notepad:
>
> <!-- Define a SSL HTTP/1.1 Connector on port 8443
>         This connector uses the JSSE configuration, when using APR, the
>         connector should be using the OpenSSL style configuration
>         described in the APR documentation -->
>
>    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>               maxThreads="150" scheme="https" secure="true"
>               keystoreFile="C:\Program Files\Apache Software 
> Foundation\Tomcat 6.0\con\geo.pfx"
> keystorePass="password" keystoreType="pkcs12"
>               clientAuth="false" sslProtocol="TLS" />
>
>
>
>
>
>



Re: Configuring Tomcat 6.0.28 with SSL

Posted by Jorge Medina <ce...@gmail.com>.
There are two ways to add SSL support to Tomcat

a) Pure java support
b) Using OpenSSL through the APR library

For (b) you need to compile (or use a distribution with) the Tomcat
Native Library.

Configuring SSL using (a) is different than when using (b).

You may know if your server is running the APR by looking at the logs,
at startup you may find a line similar to:

INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path:

After you have determined if you have the APR, look at how to configure SSL at
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

-Jorge


On Tue, Aug 10, 2010 at 3:41 PM, Hansel, Jason T CTR
SPAWARSYSCEN-ATLANTIC, 55E00 <ja...@navy.mil> wrote:
>
> I am abandoning the IIS/isapi_redirect.dll method of authenticating via SSL
> into our web application due to the "authentication" process taking a while,
> causing the web app to run abnormally slow.
>
> I am wanting to use our server certificate (PKCS12) as the keystore. I've
> been doing a lot of research and it seems that I need to import the root
> certificates into the keystore using OpenSSL. What I am not too clear on is
> how to edit the server.xml file to accommodate these configurations. Here is
> what I have thus far, however, SSL does not seem to be working.
>
> Copied from Notepad:
>
> <!-- Define a SSL HTTP/1.1 Connector on port 8443
>         This connector uses the JSSE configuration, when using APR, the
>         connector should be using the OpenSSL style configuration
>         described in the APR documentation -->
>
>    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>               maxThreads="150" scheme="https" secure="true"
>               keystoreFile="C:\Program Files\Apache Software
> Foundation\Tomcat 6.0\con\geo.pfx"
> keystorePass="password" keystoreType="pkcs12"
>               clientAuth="false" sslProtocol="TLS" />
>
>
>
>
>
>



Re: Configuring Tomcat 6.0.28 with SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jason,

On 8/10/2010 3:41 PM, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
wrote:
> I am abandoning the IIS/isapi_redirect.dll method of authenticating via SSL
> into our web application due to the "authentication" process taking a while,
> causing the web app to run abnormally slow.
> 
> I am wanting to use our server certificate (PKCS12) as the keystore. I've
> been doing a lot of research and it seems that I need to import the root
> certificates into the keystore using OpenSSL. What I am not too clear on is
> how to edit the server.xml file to accommodate these configurations. Here is
> what I have thus far, however, SSL does not seem to be working.
> 
> Copied from Notepad:
> 
> <!-- Define a SSL HTTP/1.1 Connector on port 8443
>          This connector uses the JSSE configuration, when using APR, the 
>          connector should be using the OpenSSL style configuration
>          described in the APR documentation -->
>     
>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                keystoreFile="C:\Program Files\Apache Software
> Foundation\Tomcat 6.0\con\geo.pfx"
> keystorePass="password" keystoreType="pkcs12"
>                clientAuth="false" sslProtocol="TLS" />

Wait, are you trying to do CLIENT-CERT authentication?

If so, you'll want to do clientAuth="want" (if you want a cert, but
don't want to fail otherwise, which I think is usually what one wants to
do) and set the truststore* attributes on the <Connector>.

- -chris


Configuring Tomcat 6.0.28 with SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
 
I am abandoning the IIS/isapi_redirect.dll method of authenticating via SSL
into our web application due to the "authentication" process taking a while,
causing the web app to run abnormally slow.

I am wanting to use our server certificate (PKCS12) as the keystore. I've
been doing a lot of research and it seems that I need to import the root
certificates into the keystore using OpenSSL. What I am not too clear on is
how to edit the server.xml file to accommodate these configurations. Here is
what I have thus far, however, SSL does not seem to be working.

Copied from Notepad:

<!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the 
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 6.0\con\geo.pfx"
               keystorePass="password" keystoreType="pkcs12"
               clientAuth="false" sslProtocol="TLS" />






RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Significant would mean that I notice how slow the page loads (painfully - 10
to 20 times longer) compared to hitting the web application on 8080.

I had ServletExec AS running on our server and did not experience these
issues. We are required to use Single Sign On when accessing web
applications from our secure web server. Has anyone successfully configured
Tomcat->IIS that is using a secure web server?

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Monday, August 09, 2010 6:30 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Chuck,
> I was able to get everything working on my end. There is a 
> *significant* performance decrease when running my application through 
> IIS and Tomcat using the isapi_redirect.dll, as opposed to port 8080.
> 
No way to know what you mean by significant, but from the tone of it I guess
you mean "humanly perceptible".  In that case, it is not "normal".  The
overhead introduced by isapi_redirect itself may be in the order of the
millisecond.

Are you sure that the extra delay is not due to something happening in IIS,
like the user authentication e.g. ?




Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by André Warnier <aw...@ice-sa.com>.
Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Chuck,
> I was able to get everything working on my end. There is a *significant*
> performance decrease when running my application through IIS and Tomcat
> using the isapi_redirect.dll, as opposed to port 8080. 
> 
No way to know what you mean by significant, but from the tone of it I guess you mean 
"humanly perceptible".  In that case, it is not "normal".  The overhead introduced by 
isapi_redirect itself may be in the order of the millisecond.

Are you sure that the extra delay is not due to something happening in IIS, like the user 
authentication e.g. ?




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Chuck,
I was able to get everything working on my end. There is a *significant*
performance decrease when running my application through IIS and Tomcat
using the isapi_redirect.dll, as opposed to port 8080. 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Friday, August 06, 2010 11:50 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> Well good news, 6.0.28 was JUST approved...WooHOO!!!

There was one regression in 6.0.28 that you should be aware of:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49598

Its existence prompted the rapid release of 6.0.29, where the problem is
fixed.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
I sense sarcasm in your voice. 

-----Original Message-----
From: Pid * [mailto:pid@pidster.com] 
Sent: Friday, August 06, 2010 12:04 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

On 6 Aug 2010, at 16:56, "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00"
<ja...@navy.mil> wrote:

> Chuck,
> Besides the latest version, is there one that you recommend?

You want Chuck to recommend a version that has *less* bug fixes than the
most recent two?


p


> -----Original Message-----
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
> Sent: Friday, August 06, 2010 11:50 AM
> To: Tomcat Users List
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
>
>> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
>> [mailto:jason.t.hansel.ctr@navy.mil]
>> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
>>
>> Well good news, 6.0.28 was JUST approved...WooHOO!!!
>
> There was one regression in 6.0.28 that you should be aware of:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49598
>
> Its existence prompted the rapid release of 6.0.29, where the problem 
> is fixed.
>
> - Chuck
>
>
>



Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by Pid * <pi...@pidster.com>.
On 6 Aug 2010, at 16:56, "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC,
55E00" <ja...@navy.mil> wrote:

> Chuck,
> Besides the latest version, is there one that you recommend?

You want Chuck to recommend a version that has *less* bug fixes than
the most recent two?


p


> -----Original Message-----
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
> Sent: Friday, August 06, 2010 11:50 AM
> To: Tomcat Users List
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
>
>> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
>> [mailto:jason.t.hansel.ctr@navy.mil]
>> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
>>
>> Well good news, 6.0.28 was JUST approved...WooHOO!!!
>
> There was one regression in 6.0.28 that you should be aware of:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49598
>
> Its existence prompted the rapid release of 6.0.29, where the problem is
> fixed.
>
> - Chuck
>
>
>



RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Rainer,
I've gone through the install of 6.0.28, I can successfully launch my webapp
from localhost. When I try accessing using the AJP/1.3, I am getting
HTTP:404 errors "The page cannot be found". I have not seen error messages
in my isapi_redirect.log, any help would be great. Seems as though the
application is not even being seen as a valid URL when trying to hit on port
8009, even though it's listening.

-----Original Message-----
From: Rainer Jung [mailto:rainer.jung@kippdata.de] 
Sent: Friday, August 06, 2010 2:39 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Just in case you didn't yet realize: the changelog is public:

http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

6.0.29 has only 5 changes that were relevant for the changelog. Three of
them link to an issue that can be viewed publicly, one is a pure
enhancement, and the one fix without a link to bugzilla doesn't even have an
issue link, because it wasn't observed as a problem in the wild. 
It is not too hard to check the three issue links to get a better basis for
your decision of using 6.0.28 instead of 6.0.29 and to recognize faster in
case you run into one of the few fixed problems.

Regards,

Rainer

On 06.08.2010 17:56, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Chuck,
> Besides the latest version, is there one that you recommend?
>
> -----Original Message-----
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
> Sent: Friday, August 06, 2010 11:50 AM
> To: Tomcat Users List
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
>
>> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
>> [mailto:jason.t.hansel.ctr@navy.mil]
>> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
>>
>> Well good news, 6.0.28 was JUST approved...WooHOO!!!
>
> There was one regression in 6.0.28 that you should be aware of:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49598
>
> Its existence prompted the rapid release of 6.0.29, where the problem 
> is fixed.
>
>   - Chuck



Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by Rainer Jung <ra...@kippdata.de>.
Just in case you didn't yet realize: the changelog is public:

http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

6.0.29 has only 5 changes that were relevant for the changelog. Three of 
them link to an issue that can be viewed publicly, one is a pure 
enhancement, and the one fix without a link to bugzilla doesn't even 
have an issue link, because it wasn't observed as a problem in the wild. 
It is not too hard to check the three issue links to get a better basis 
for your decision of using 6.0.28 instead of 6.0.29 and to recognize 
faster in case you run into one of the few fixed problems.

Regards,

Rainer

On 06.08.2010 17:56, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Chuck,
> Besides the latest version, is there one that you recommend?
>
> -----Original Message-----
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
> Sent: Friday, August 06, 2010 11:50 AM
> To: Tomcat Users List
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
>
>> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
>> [mailto:jason.t.hansel.ctr@navy.mil]
>> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
>>
>> Well good news, 6.0.28 was JUST approved...WooHOO!!!
>
> There was one regression in 6.0.28 that you should be aware of:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49598
>
> Its existence prompted the rapid release of 6.0.29, where the problem is
> fixed.
>
>   - Chuck



RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Cool, thanks Chuck. I need to provide justification to the powers that be. 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Friday, August 06, 2010 12:19 PM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> Besides the latest version, is there one that you recommend?

Not really.  Many other fixes are in 6.0.28; whether or not the one
regression is important to you depends on what your webapp code is doing.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> Besides the latest version, is there one that you recommend?

Not really.  Many other fixes are in 6.0.28; whether or not the one regression is important to you depends on what your webapp code is doing.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Chuck,
Besides the latest version, is there one that you recommend? 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Friday, August 06, 2010 11:50 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> Well good news, 6.0.28 was JUST approved...WooHOO!!!

There was one regression in 6.0.28 that you should be aware of:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49598

Its existence prompted the rapid release of 6.0.29, where the problem is
fixed.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> Well good news, 6.0.28 was JUST approved...WooHOO!!!

There was one regression in 6.0.28 that you should be aware of:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49598

Its existence prompted the rapid release of 6.0.29, where the problem is fixed.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Well good news, 6.0.28 was JUST approved...WooHOO!!! 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Friday, August 06, 2010 11:40 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> Well I'd like to but 6.0.18 is the most recent version approved on our 
> network.

You might want the powers that be to review the fixes that have gone in over
the last two years - including some significant security-related ones.
6.0.18 is rather sadly out of date.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> Well I'd like to but 6.0.18 is the most recent version 
> approved on our network.

You might want the powers that be to review the fixes that have gone in over the last two years - including some significant security-related ones.  6.0.18 is rather sadly out of date.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Well I'd like to but 6.0.18 is the most recent version approved on our
network. I installed the 6.0.18 version by running the .exe from the
Archive. 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Friday, August 06, 2010 11:14 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> I am going to install version 6.0.18

Much better to use 6.0.29 - stay current.

> are there "preferred" versions of JVM you recommend

6u21b07 (the latest) seems to be fine.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> I am going to install version 6.0.18

Much better to use 6.0.29 - stay current.

> are there "preferred" versions of JVM you recommend

6u21b07 (the latest) seems to be fine.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Chuck,
I am going to install version 6.0.18, are there "preferred" versions of JVM
you recommend, or is the latest and greatest sufficient? Thanks again for
your help. 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Friday, August 06, 2010 11:07 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> Would it be better to install the 32-bit if our IIS is running as 
> 32-bit?

Other than the optional APR connector and service wrapper, Tomcat is pure
Java and uses the TCP/IP stack to communicate with IIS, so it doesn't matter
which you use with IIS.  What does matter is that you install the same
modes of APR and service wrapper as the mode of the JVM you have.  So if
you're using a 64-bit JVM, you must use the 64-bit version of Tomcat.
Likewise, if you have a 32-bit JVM, you must use the 32-bit version of
Tomcat.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> Would it be better to install the 32-bit if our IIS 
> is running as 32-bit?

Other than the optional APR connector and service wrapper, Tomcat is pure Java and uses the TCP/IP stack to communicate with IIS, so it doesn't matter which you use with IIS.  What does matter is that you install the same modes of APR and service wrapper as the mode of the JVM you have.  So if you're using a 64-bit JVM, you must use the 64-bit version of Tomcat.  Likewise, if you have a 32-bit JVM, you must use the 32-bit version of Tomcat.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Andre, 
Thanks for all of the help and literature. When I tried to launch my
application today, I'm getting a 404 error. At this point I am going to
uninstall, per your recommendation and reinstall. Question for you: Would it
be better to install the 32-bit if our IIS is running as 32-bit? I did this
with the isapi_redirect.dll 

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Thursday, August 05, 2010 5:36 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Charles,
> I was just putting that protocol in there to prevent the 8080 from 
> being hit, I've actually commented it out. I got this server.xml file 
> from the install (Note:that not everything is on here). I can load my 
> webapp now, but the page takes a little while to load using the 
> isapi_redirect.dll (which I was referring to below as the redirect 
> file...sorry my in head language)
> 
I believe that at this point, you may want to :

a) save your web application somewhere else; also save the isapi
configuration files if they are located under the Tomcat installation
directory. (*)
b) de-install the Tomcat you have, and remove all its files (and specially
the logfiles)
c) download a new Tomcat from the Tomcat website, and re-install it

Then restore your application under (tomcat_install_dir)/webapps.

All the above will take only 5 minutes, and you will at least have a clean
Tomcat.


Then try it, both directly using HTTP to port 8080, and through IIS and
isapi_redirect using whatever SSL port you use for that.

With the part under IIS (including isapi_redirect) apparently being fine (as
shown before by your previous logs), the downloaded Tomcat should work out
of the box, through IIS and all.

THEN, when you have verified that the above is working, comment out all
<Connector> tags you do not want, except the one for the AJP Connector on
port 8009, and restart Tomcat.

And check the Tomcat logfiles if you have any problem.

Apart from the ones which Chuck mentioned earlier, your pasted server.xml
had a couple of additional mistakes which make it really hard for us to
figure out what is really going on.  (Or it was your cut and paste which was
not accurate, but anyway we can't follow what's happening on the base of
inaccurate information).

In any case, with a correct configuration, the difference in access time
between a direct access to Tomcat via HTTP port 8080, and an indirect access
through IIS and isapi_redirector, should be so small as to be humanly
indistinguishable.
(We are talking 1 millisecond or so).

Unless it is IIS which for some reason is introducing the delay.


(*) This by the way would be illogical, as these files belong really to IIS
and its add-on module isapi_redirect.dll, and not to Tomcat.
The only part of Tomcat which plays a role here, is the AJP Connector on
port 8009.



Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by André Warnier <aw...@ice-sa.com>.
Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Charles,
> I was just putting that protocol in there to prevent the 8080 from being
> hit, I've actually commented it out. I got this server.xml file from the
> install (Note:that not everything is on here). I can load my webapp now, but
> the page takes a little while to load using the isapi_redirect.dll (which I
> was referring to below as the redirect file...sorry my in head language) 
> 
I believe that at this point, you may want to :

a) save your web application somewhere else; also save the isapi configuration files if 
they are located under the Tomcat installation directory. (*)
b) de-install the Tomcat you have, and remove all its files (and specially the logfiles)
c) download a new Tomcat from the Tomcat website, and re-install it

Then restore your application under (tomcat_install_dir)/webapps.

All the above will take only 5 minutes, and you will at least have a clean Tomcat.


Then try it, both directly using HTTP to port 8080, and through IIS and isapi_redirect 
using whatever SSL port you use for that.

With the part under IIS (including isapi_redirect) apparently being fine (as shown before 
by your previous logs), the downloaded Tomcat should work out of the box, through IIS and all.

THEN, when you have verified that the above is working, comment out all <Connector> tags 
you do not want, except the one for the AJP Connector on port 8009, and restart Tomcat.

And check the Tomcat logfiles if you have any problem.

Apart from the ones which Chuck mentioned earlier, your pasted server.xml had a couple of 
additional mistakes which make it really hard for us to figure out what is really going 
on.  (Or it was your cut and paste which was not accurate, but anyway we can't follow 
what's happening on the base of inaccurate information).

In any case, with a correct configuration, the difference in access time between a direct 
access to Tomcat via HTTP port 8080, and an indirect access through IIS and 
isapi_redirector, should be so small as to be humanly indistinguishable.
(We are talking 1 millisecond or so).

Unless it is IIS which for some reason is introducing the delay.


(*) This by the way would be illogical, as these files belong really to IIS and its add-on 
module isapi_redirect.dll, and not to Tomcat.
The only part of Tomcat which plays a role here, is the AJP Connector on port 8009.



RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Charles,
I was just putting that protocol in there to prevent the 8080 from being
hit, I've actually commented it out. I got this server.xml file from the
install (Note:that not everything is on here). I can load my webapp now, but
the page takes a little while to load using the isapi_redirect.dll (which I
was referring to below as the redirect file...sorry my in head language) 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Thursday, August 05, 2010 3:45 PM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> I created a folder within the Tomcat 6.0 directory called 'connector'.  
> That is where all of my redirect files are located.

For curiosity's sake, what are you referring to with the term "redirect
file"?

>     <Connector port="8080" protocol="Java HTTP"
>                connectionTimeout="20000"
>                redirectPort="80" />

???? Exactly what did you have in mind with that value for the protocol
attribute?  Do you see it anywhere in the Tomcat documentation?

>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLSv1"

And right here you have a problem - badly formed XML.  You might want to
syntax check your server.xml, since it looks really broken from here.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> [mailto:jason.t.hansel.ctr@navy.mil]
> Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
> 
> I created a folder within the Tomcat 6.0 directory called 
> 'connector'.  That is where all of my redirect files are
> located.

For curiosity's sake, what are you referring to with the term "redirect file"?

>     <Connector port="8080" protocol="Java HTTP"
>                connectionTimeout="20000"
>                redirectPort="80" />

???? Exactly what did you have in mind with that value for the protocol attribute?  Do you see it anywhere in the Tomcat documentation?

>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLSv1"

And right here you have a problem - badly formed XML.  You might want to syntax check your server.xml, since it looks really broken from here.

 - Chuck




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
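
Added example, not part of the thread or of the Tomcat project: a Python check for the two things asked for in the replies above, a syntax check of server.xml (Chuck) and a configuration in which only the AJP connector on port 8009 stays enabled (André). The sample files are constructed from the fragments quoted in the thread; the function name and the ajp_port parameter are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# A protocol value that is neither HTTP/1.1 nor AJP/1.3 is only usable if it
# names a protocol handler class, so anything else is reported as an error.
CLASS_NAME = re.compile(r"^[A-Za-z_][\w$]*(\.[A-Za-z_][\w$]*)+$")


def audit_server_xml(text, ajp_port="8009"):
    """Return (severity, message) findings for the text of a server.xml.

    ajp_port is an assumption: the port the isapi_redirect worker targets.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        line, column = exc.position
        return [("error", f"not well-formed XML at line {line}, column {column}")]

    findings = []
    ajp_ports = []
    # Commented-out connectors are not elements, so only live ones are seen.
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")  # default when omitted
        if protocol == "AJP/1.3":
            ajp_ports.append(port)
        elif protocol == "HTTP/1.1":
            tls = conn.get("SSLEnabled", "").lower() == "true"
            kind = "HTTPS" if tls else "HTTP"
            findings.append(("warn", f"{kind} connector on port {port} answers "
                                     "clients directly, bypassing IIS"))
        elif CLASS_NAME.match(protocol):
            findings.append(("info", f"connector on port {port} uses handler "
                                     f"class {protocol}; review by hand"))
        else:
            findings.append(("error", f"connector on port {port}: protocol "
                                      f"{protocol!r} is not HTTP/1.1, AJP/1.3 "
                                      "or a class name"))

    if not ajp_ports:
        findings.append(("error", "no AJP/1.3 connector enabled; "
                                  "isapi_redirect.dll has nothing to connect to"))
    elif ajp_port not in ajp_ports:
        findings.append(("warn", f"AJP connector listens on {ajp_ports}, "
                                 f"expected {ajp_port}"))
    return findings


# Constructed sample modelled on the fragment quoted in the thread: the SSL
# <Connector> start tag is never closed and protocol="Java HTTP" is invalid.
BROKEN = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="Java HTTP"
               connectionTimeout="20000"
               redirectPort="80" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1"
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Constructed: the same file once the tag is closed; the bad protocol value
# and the direct SSL connector are still there.
WELL_FORMED = BROKEN.replace('sslProtocol="TLSv1"\n', 'sslProtocol="TLSv1" />\n')

# Constructed: only the AJP connector is left enabled, so every request has
# to arrive through IIS and isapi_redirect.dll.
AJP_ONLY = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" /> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("WELL_FORMED", WELL_FORMED),
                       ("AJP_ONLY", AJP_ONLY)):
        print(name)
        for severity, message in audit_server_xml(text) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```
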


RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Andre,
I created a folder within the Tomcat 6.0 directory called 'connector'. That
is where all of my redirect files are located.

Here is my server.xml 
<Service name="Catalina">
  
    <!--The connectors can use a shared executor, you can define one or more
         named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" 
        maxThreads="150" minSpareThreads="4"/>
    -->
    
    
    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->

    <Connector port="8080" protocol="Java HTTP" 
               connectionTimeout="20000" 
               redirectPort="80" />

    <!-- A "Connector" using the shared thread pool-->
    
    <!-- <Connector executor="tomcatThreadPool"
               port="8443" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="443" /> -->
               
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the 
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1"

    <!-- Define an AJP 1.3 Connector on port 8009 -->

    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />


    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">

    --> 
    <Engine name="Catalina" defaultHost="localhost">



Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by André Warnier <aw...@ice-sa.com>.
Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Tomcat is not listening on Port 8009 using the AJP/1.3 protocol. 
> I can change this line of code (just did it as a test) to reference port
> 8009 and I can see it's listening, however this is not the protocol I am
> wanting.
> 
>   <Connector port="8009" protocol="HTTP/1.1" 
>                connectionTimeout="20000" 
>                redirectPort="443" />

No, you don't want to do that. Leave that one to the port 8080 or so like it was before 
(or totally delete/comment it if you do not want Tomcat to offer an HTTP interface).

> 
> I have the isapi_redirect.dll deployed under 'Default' Websites in IIS with
> a Green Arrow. I used the 32-bit because we are running 32-bit as 64-bit.
> 
> Seems that this connector is not even being read:
> 
> <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> 

Verify :
1) that this Connector tag is not somehow being commented-out.
2) that in server.xml, it is located between the <Service name="Catalina"> tag, and the 
tag     <Engine name="Catalina" defaultHost="localhost">
(If it is in the wrong section, it will be ignored).

Then restart Tomcat and try the netstat command again.
If it now shows Tomcat listening on port 8009, then try to access it again through IIS.

I also suggest that when you start Tomcat, you have a look at its logfiles, to see if any 
bad-looking message shows up.

It may be easier to stop Tomcat, delete all the logfiles in (tomcat_dir)/logs, then start 
Tomcat again.




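The checks listed in the reply above (the AJP Connector is not commented out and sits directly under `<Service>`), together with the earlier advice to syntax-check server.xml, can be scripted. The following Python script is an added example, not code from the thread or from Tomcat; the function names and the sample strings are constructed here. It also cross-checks the port in workers.properties and flags an AJP Connector without an `address` attribute, which in Tomcat 6 listens on all addresses.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_workers(text):
    """Return {name: (host, port)} for every ajp13 worker named in worker.list."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    workers = {}
    for name in props.get("worker.list", "").split(","):
        name = name.strip()
        if name and props.get("worker.%s.type" % name) == "ajp13":
            # Fallback host/port are assumptions for entries that omit them.
            host = props.get("worker.%s.host" % name, "localhost")
            port = int(props.get("worker.%s.port" % name, "8009"))
            workers[name] = (host, port)
    return workers


def ajp_connectors(server_xml):
    """Split AJP <Connector> elements into (active, misplaced).

    The parser drops comments, so a commented-out Connector lands in neither
    list. Raises ET.ParseError when the file is not well-formed.
    """
    root = ET.fromstring(server_xml)
    services = [root] if root.tag == "Service" else root.findall("Service")

    def is_ajp(conn):
        return "ajp" in conn.get("protocol", "").lower()

    active = [c for s in services for c in s.findall("Connector") if is_ajp(c)]
    misplaced = [c for c in root.iter("Connector")
                 if is_ajp(c) and not any(c is a for a in active)]
    return active, misplaced


def check(server_xml, workers_properties):
    """Return a list of findings; an empty list means the two files agree."""
    try:
        active, misplaced = ajp_connectors(server_xml)
    except ET.ParseError as exc:
        return ["server.xml is not well-formed (%s); fix the syntax first" % exc]
    findings = ["AJP Connector on port %s is not a direct child of <Service>"
                % c.get("port") for c in misplaced]
    for name, (host, port) in sorted(parse_workers(workers_properties).items()):
        match = [c for c in active if c.get("port") == str(port)]
        if not match:
            findings.append("%s expects AJP on %s:%d but no active AJP "
                            "Connector uses that port" % (name, host, port))
        elif host in LOOPBACK and not match[0].get("address"):
            findings.append("port %d accepts AJP on every address although %s "
                            "connects over loopback; set address=\"127.0.0.1\""
                            % (port, name))
    return findings


# Constructed inputs modelled on the fragments quoted in this thread.
WORKERS = """\
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
"""
AJP = '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />'
AJP_LOCAL = ('<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" '
             'address="127.0.0.1" />')
ENGINE = '<Engine name="Catalina" defaultHost="localhost">%s</Engine>'
SERVICE = '<Service name="Catalina">%s</Service>'

GOOD = SERVICE % (AJP_LOCAL + ENGINE % "")
ALL_ADDRESSES = SERVICE % (AJP + ENGINE % "")
COMMENTED = SERVICE % ("<!-- " + AJP + " -->" + ENGINE % "")
MISPLACED = SERVICE % (ENGINE % AJP)
# The SSL Connector tag is never closed, as in the server.xml posted above.
UNCLOSED = SERVICE % ('<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"\n'
                      '<!-- Define an AJP 1.3 Connector on port 8009 -->'
                      + AJP + ENGINE % "")

if __name__ == "__main__":
    for label, xml_text in [("good", GOOD), ("all addresses", ALL_ADDRESSES),
                            ("commented out", COMMENTED),
                            ("misplaced", MISPLACED), ("unclosed", UNCLOSED)]:
        print(label, "->", check(xml_text, WORKERS) or "ok")
```
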


RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Tomcat is not listening on Port 8009 using the AJP/1.3 protocol. 
I can change this line of code (just did it as a test) to reference port
8009 and I can see it's listening, however this is not the protocol I am
wanting.

  <Connector port="8009" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="443" />

I have the isapi_redirect.dll deployed under 'Default' Websites in IIS with
a Green Arrow. I used the 32-bit because we are running 32-bit as 64-bit.

Seems that this connector is not even being read:

<!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />



Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by André Warnier <aw...@ice-sa.com>.
Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Rainer,
> Thanks again for being patient with me. I've seen some different behavior
> this morning. When I am trying to access my page, I get "Service Temporary
> Unavailable", which is better than what I was receiving.

Yes, that looks good, from the point of view of IIS and isapi_redirect.
Unfortunately, there does not seem to be a Tomcat listening on AJP port 8009.
Can you run the following command in a command window on the server and paste the result 
here :

netstat -anob -p tcp

Thanks




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Rainer,
Good news amigo, I am connecting to my web application. Looks like the
uncommented SSL section was causing my isapi_redirect.dll to not work. The
one thing I have noticed though is that it's kind of slow, any pointers
w/respect to speed? 

Thanks man.



Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by Rainer Jung <ra...@kippdata.de>.
See inline

On 05.08.2010 15:15, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Rainer,
> Thanks again for being patient with me. I've seen some different behavior
> this morning. When I am trying to access my page, I get "Service Temporary
> Unavailable", which is better than what I was receiving.
>
> [Thu Aug 05 09:12:49.655 2010] [10216:8452] [debug] jk_uri_worker_map.c
> (1036): Attempting to map URI '/geoweb1b.eims.local/geoportal' from 2 maps
> [Thu Aug 05 09:12:49.686 2010] [10216:8452] [debug] jk_uri_worker_map.c
> (850): Attempting to map context URI '/geoportal/*=worker1' source
> 'uriworkermap'
> [Thu Aug 05 09:12:49.702 2010] [10216:8452] [debug] jk_uri_worker_map.c
> (850): Attempting to map context URI '/geoportal=worker1' source
> 'uriworkermap'
> [Thu Aug 05 09:12:49.733 2010] [10216:8452] [debug] jk_uri_worker_map.c
> (850): Attempting to map context URI '/geoportal/*=worker1' source
> 'uriworkermap'
> [Thu Aug 05 09:12:49.749 2010] [10216:8452] [debug] jk_uri_worker_map.c
> (850): Attempting to map context URI '/geoportal=worker1' source
> 'uriworkermap'
> [Thu Aug 05 09:12:49.764 2010] [10216:8452] [debug] jk_uri_worker_map.c
> (873): Found an exact match '/geoportal=worker1'

OK, uriworkermap.properties worked, it found a match and wants to use the 
worker named "worker1".

> [Thu Aug 05 09:12:49.780 2010] [10216:8452] [debug] jk_isapi_plugin.c
> (1916): check if [/geoportal] points to the web-inf directory
> [Thu Aug 05 09:12:49.795 2010] [10216:8452] [debug] jk_isapi_plugin.c
> (1932): [/geoportal] is a servlet url - should redirect to worker1
> [Thu Aug 05 09:12:49.811 2010] [10216:8452] [debug] jk_isapi_plugin.c
> (1972): fowarding escaped URI [/geoportal]
> [Thu Aug 05 09:12:49.827 2010] [10216:8452] [debug] jk_worker.c (339):
> Maintaining worker worker1
> [Thu Aug 05 09:12:49.842 2010] [10216:8452] [debug] jk_isapi_plugin.c
> (2792): Reading extension header HTTP_TOMCATWORKER6A6B0000: worker1
> [Thu Aug 05 09:12:49.858 2010] [10216:8452] [debug] jk_isapi_plugin.c
> (2793): Reading extension header HTTP_TOMCATWORKERIDX6A6B0000: 1
> [Thu Aug 05 09:12:49.889 2010] [10216:8452] [debug] jk_isapi_plugin.c
> (2794): Reading extension header HTTP_TOMCATURI6A6B0000: /geoportal
> [Thu Aug 05 09:12:49.905 2010] [10216:8452] [debug] jk_isapi_plugin.c
> (2795): Reading extension header HTTP_TOMCATQUERY6A6B0000: (null)
> [Thu Aug 05 09:12:49.920 2010] [10216:8452] [debug] jk_isapi_plugin.c
> (2850): Applying service extensions
> [Thu Aug 05 09:12:49.936 2010] [10216:8452] [debug] jk_isapi_plugin.c
> (2930): Client Certificate encoding:1 sz:1022 flags:1
> [Thu Aug 05 09:12:49.952 2010] [10216:8452] [debug] jk_isapi_plugin.c
> (3108): Service protocol=HTTP/1.1 method=GET host=150.xxx.xx.xx
> addr=150.xxx.xx.xx name=myserver.server.local port=443 auth=SSL/PCT
> user=EIMS\john.doe uri=/geoportal
> [Thu Aug 05 09:12:49.967 2010] [10216:8452] [debug] jk_isapi_plugin.c
> (3120): Service request headers=8 attributes=9 chunked=no content-length=0
> available=0
> [Thu Aug 05 09:12:49.983 2010] [10216:8452] [debug] jk_worker.c (116): found
> a worker worker1
> [Thu Aug 05 09:12:49.999 2010] [10216:8452] [debug] jk_isapi_plugin.c
> (2162): got a worker for name worker1
> [Thu Aug 05 09:12:50.030 2010] [10216:8452] [debug] jk_ajp_common.c (3093):
> acquired connection pool slot=0 after 0 retries
> [Thu Aug 05 09:12:50.045 2010] [10216:8452] [debug] jk_ajp_common.c (605):
> ajp marshaling done
> [Thu Aug 05 09:12:50.061 2010] [10216:8452] [debug] jk_ajp_common.c (2376):
> processing worker1 with 2 retries
> [Thu Aug 05 09:12:50.077 2010] [10216:8452] [debug] jk_ajp_common.c (1579):
> (worker1) all endpoints are disconnected.
> [Thu Aug 05 09:12:50.092 2010] [10216:8452] [debug] jk_connect.c (480):
> socket TCP_NODELAY set to On
> [Thu Aug 05 09:12:50.108 2010] [10216:8452] [debug] jk_connect.c (604):
> trying to connect socket 712 to 127.0.0.1:8009

Here it tries to open a new connection to the address 127.0.0.1 and port 
8009 (as configured for the worker named worker1 in workers.properties).

> [Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_connect.c (622):
> connect to 127.0.0.1:8009 failed (errno=61)

It fails to open a TCP connection. Error is 61, which means winsock 
10061, which is "Connection refused".

So either your Tomcat isn't started or not listening on port 8009 on 
localhost, or something else (firewall etc.) blocks access to that port.

Check whether you can see Tomcat listening on 8009 using "netstat -ano". 
You should see "*:8009" in status LISTEN and the pid would be the 
process ID of your Tomcat Java process. If it is there, you can try 
whether you can connect to that port using telnet. As long as you can't 
connect, the redirector can't either.

If Tomcat is running on some other system, you need to adjust 
worker.worker1.host in workers.properties accordingly.

> [Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_ajp_common.c (959):
> Failed opening socket to (127.0.0.1:8009) (errno=61)
> [Thu Aug 05 09:12:51.092 2010] [10216:8452] [error] jk_ajp_common.c (1585):
> (worker1) connecting to backend failed. Tomcat is probably not started or is
> listening on the wrong port (errno=61)
> [Thu Aug 05 09:12:51.108 2010] [10216:8452] [info] jk_ajp_common.c (2540):
> (worker1) sending request to tomcat failed (recoverable), because of error
> during request sending (attempt=1)
> [Thu Aug 05 09:12:51.124 2010] [10216:8452] [debug] jk_ajp_common.c (2397):
> retry 1, sleeping for 100 ms before retrying
> [Thu Aug 05 09:12:51.249 2010] [10216:8452] [debug] jk_ajp_common.c (1579):
> (worker1) all endpoints are disconnected.
> [Thu Aug 05 09:12:51.249 2010] [10216:8452] [debug] jk_connect.c (480):
> socket TCP_NODELAY set to On
> [Thu Aug 05 09:12:51.280 2010] [10216:8452] [debug] jk_connect.c (604):
> trying to connect socket 712 to 127.0.0.1:8009
> [Thu Aug 05 09:12:52.264 2010] [10216:8452] [info] jk_connect.c (622):
> connect to 127.0.0.1:8009 failed (errno=61)
> [Thu Aug 05 09:12:52.280 2010] [10216:8452] [info] jk_ajp_common.c (959):
> Failed opening socket to (127.0.0.1:8009) (errno=61)
> [Thu Aug 05 09:12:52.295 2010] [10216:8452] [error] jk_ajp_common.c (1585):
> (worker1) connecting to backend failed. Tomcat is probably not started or is
> listening on the wrong port (errno=61)
> [Thu Aug 05 09:12:52.311 2010] [10216:8452] [info] jk_ajp_common.c (2540):
> (worker1) sending request to tomcat failed (recoverable), because of error
> during request sending (attempt=2)
> [Thu Aug 05 09:12:52.327 2010] [10216:8452] [error] jk_ajp_common.c (2559):
> (worker1) connecting to tomcat failed.
> [Thu Aug 05 09:12:52.342 2010] [10216:8452] [error] jk_isapi_plugin.c
> (2195): service() failed with http error 503
> [Thu Aug 05 09:12:52.374 2010] [10216:8452] [debug] jk_ajp_common.c (757):
> (worker1) resetting endpoint with sd = 4294967295 (socket shutdown)
> [Thu Aug 05 09:12:52.389 2010] [10216:8452] [debug] jk_ajp_common.c (3010):
> recycling connection pool slot=0 for worker worker1

Regards,

Rainer

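The walk through the redirector log in the reply above (URI mapped to a worker, connect attempt, errno=61, HTTP 503) can be automated for triage. The following Python script is an added example, not code from the thread or from the redirector project; the log entries are copied from this thread and joined back to one entry per line, and the grouping by process and thread id assumes one request per thread in the sample.

```python
import re

# One redirector log entry per line: [timestamp] [pid:tid] [level] file (line): message
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+):(?P<tid>\d+)\] "
                   r"\[(?P<level>\w+)\] (?P<src>\S+) \((?P<line>\d+)\): (?P<msg>.*)$")
MAPPED = re.compile(r"Found an? \w+ match '(?P<uri>[^'=]+)=(?P<worker>[^']+)'")
NO_WORKER = re.compile(r"did not find a worker (?P<worker>\S+)")
CONNECT_FAIL = re.compile(r"connect to (?P<backend>\S+) failed \(errno=(?P<errno>\d+)\)")
HTTP_ERROR = re.compile(r"service\(\) failed with http error (?P<status>\d+)")

# errno 61 is winsock 10061, as explained in the reply above.
WINSOCK = {61: "connection refused (winsock 10061)"}


def diagnose(req):
    """Turn the facts collected for one request into a one-line diagnosis."""
    if req["missing_worker"]:
        return ("worker '%s' is not defined; the redirector never tried to "
                "reach Tomcat" % req["missing_worker"])
    if req["failures"]:
        backend, errno = req["failures"][-1]
        reason = WINSOCK.get(errno, "errno=%d" % errno)
        return ("connect to %s failed %d time(s): %s; check that Tomcat "
                "listens on that AJP port" % (backend, len(req["failures"]), reason))
    return "no failure recorded"


def triage(log_text):
    """Return {"pid:tid": facts} with a 'diagnosis' entry per thread."""
    threads = {}
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if entry is None:
            continue  # wrapped continuation or foreign line
        key = "%s:%s" % (entry.group("pid"), entry.group("tid"))
        req = threads.setdefault(key, {"worker": None, "missing_worker": None,
                                       "failures": [], "http_error": None})
        msg = entry.group("msg")
        m = MAPPED.search(msg)
        if m:
            req["worker"] = m.group("worker")
        m = NO_WORKER.search(msg)
        if m:
            req["missing_worker"] = m.group("worker")
        m = CONNECT_FAIL.search(msg)
        if m:
            req["failures"].append((m.group("backend"), int(m.group("errno"))))
        m = HTTP_ERROR.search(msg)
        if m:
            req["http_error"] = int(m.group("status"))
    for req in threads.values():
        req["diagnosis"] = diagnose(req)
    return threads


# First report in the thread: the request names a worker that does not exist.
SAMPLE_A = """\
[Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116): did not find a worker ajp13
[Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c (2210): could not get a worker for name ajp13
"""

# Second report: the mapping works, but nothing accepts the AJP connection.
SAMPLE_B = """\
[Thu Aug 05 09:12:49.764 2010] [10216:8452] [debug] jk_uri_worker_map.c (873): Found an exact match '/geoportal=worker1'
[Thu Aug 05 09:12:50.108 2010] [10216:8452] [debug] jk_connect.c (604): trying to connect socket 712 to 127.0.0.1:8009
[Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_connect.c (622): connect to 127.0.0.1:8009 failed (errno=61)
[Thu Aug 05 09:12:52.264 2010] [10216:8452] [info] jk_connect.c (622): connect to 127.0.0.1:8009 failed (errno=61)
[Thu Aug 05 09:12:52.342 2010] [10216:8452] [error] jk_isapi_plugin.c (2195): service() failed with http error 503
"""

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        for thread, facts in triage(sample).items():
            print(thread, "->", facts["diagnosis"])
```
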


RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Rainer,
Thanks again for being patient with me. I've seen some different behavior
this morning. When I am trying to access my page, I get "Service Temporary
Unavailable", which is better than what I was receiving.

[Thu Aug 05 09:12:49.655 2010] [10216:8452] [debug] jk_uri_worker_map.c
(1036): Attempting to map URI '/geoweb1b.eims.local/geoportal' from 2 maps
[Thu Aug 05 09:12:49.686 2010] [10216:8452] [debug] jk_uri_worker_map.c
(850): Attempting to map context URI '/geoportal/*=worker1' source
'uriworkermap'
[Thu Aug 05 09:12:49.702 2010] [10216:8452] [debug] jk_uri_worker_map.c
(850): Attempting to map context URI '/geoportal=worker1' source
'uriworkermap'
[Thu Aug 05 09:12:49.733 2010] [10216:8452] [debug] jk_uri_worker_map.c
(850): Attempting to map context URI '/geoportal/*=worker1' source
'uriworkermap'
[Thu Aug 05 09:12:49.749 2010] [10216:8452] [debug] jk_uri_worker_map.c
(850): Attempting to map context URI '/geoportal=worker1' source
'uriworkermap'
[Thu Aug 05 09:12:49.764 2010] [10216:8452] [debug] jk_uri_worker_map.c
(873): Found an exact match '/geoportal=worker1'
[Thu Aug 05 09:12:49.780 2010] [10216:8452] [debug] jk_isapi_plugin.c
(1916): check if [/geoportal] points to the web-inf directory
[Thu Aug 05 09:12:49.795 2010] [10216:8452] [debug] jk_isapi_plugin.c
(1932): [/geoportal] is a servlet url - should redirect to worker1
[Thu Aug 05 09:12:49.811 2010] [10216:8452] [debug] jk_isapi_plugin.c
(1972): fowarding escaped URI [/geoportal]
[Thu Aug 05 09:12:49.827 2010] [10216:8452] [debug] jk_worker.c (339):
Maintaining worker worker1
[Thu Aug 05 09:12:49.842 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2792): Reading extension header HTTP_TOMCATWORKER6A6B0000: worker1
[Thu Aug 05 09:12:49.858 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2793): Reading extension header HTTP_TOMCATWORKERIDX6A6B0000: 1
[Thu Aug 05 09:12:49.889 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2794): Reading extension header HTTP_TOMCATURI6A6B0000: /geoportal
[Thu Aug 05 09:12:49.905 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2795): Reading extension header HTTP_TOMCATQUERY6A6B0000: (null)
[Thu Aug 05 09:12:49.920 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2850): Applying service extensions
[Thu Aug 05 09:12:49.936 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2930): Client Certificate encoding:1 sz:1022 flags:1
[Thu Aug 05 09:12:49.952 2010] [10216:8452] [debug] jk_isapi_plugin.c
(3108): Service protocol=HTTP/1.1 method=GET host=150.xxx.xx.xx
addr=150.xxx.xx.xx name=myserver.server.local port=443 auth=SSL/PCT
user=EIMS\john.doe uri=/geoportal
[Thu Aug 05 09:12:49.967 2010] [10216:8452] [debug] jk_isapi_plugin.c
(3120): Service request headers=8 attributes=9 chunked=no content-length=0
available=0
[Thu Aug 05 09:12:49.983 2010] [10216:8452] [debug] jk_worker.c (116): found
a worker worker1
[Thu Aug 05 09:12:49.999 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2162): got a worker for name worker1
[Thu Aug 05 09:12:50.030 2010] [10216:8452] [debug] jk_ajp_common.c (3093):
acquired connection pool slot=0 after 0 retries
[Thu Aug 05 09:12:50.045 2010] [10216:8452] [debug] jk_ajp_common.c (605):
ajp marshaling done
[Thu Aug 05 09:12:50.061 2010] [10216:8452] [debug] jk_ajp_common.c (2376):
processing worker1 with 2 retries
[Thu Aug 05 09:12:50.077 2010] [10216:8452] [debug] jk_ajp_common.c (1579):
(worker1) all endpoints are disconnected.
[Thu Aug 05 09:12:50.092 2010] [10216:8452] [debug] jk_connect.c (480):
socket TCP_NODELAY set to On
[Thu Aug 05 09:12:50.108 2010] [10216:8452] [debug] jk_connect.c (604):
trying to connect socket 712 to 127.0.0.1:8009
[Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_connect.c (622):
connect to 127.0.0.1:8009 failed (errno=61)
[Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_ajp_common.c (959):
Failed opening socket to (127.0.0.1:8009) (errno=61)
[Thu Aug 05 09:12:51.092 2010] [10216:8452] [error] jk_ajp_common.c (1585):
(worker1) connecting to backend failed. Tomcat is probably not started or is
listening on the wrong port (errno=61)
[Thu Aug 05 09:12:51.108 2010] [10216:8452] [info] jk_ajp_common.c (2540):
(worker1) sending request to tomcat failed (recoverable), because of error
during request sending (attempt=1)
[Thu Aug 05 09:12:51.124 2010] [10216:8452] [debug] jk_ajp_common.c (2397):
retry 1, sleeping for 100 ms before retrying
[Thu Aug 05 09:12:51.249 2010] [10216:8452] [debug] jk_ajp_common.c (1579):
(worker1) all endpoints are disconnected.
[Thu Aug 05 09:12:51.249 2010] [10216:8452] [debug] jk_connect.c (480):
socket TCP_NODELAY set to On
[Thu Aug 05 09:12:51.280 2010] [10216:8452] [debug] jk_connect.c (604):
trying to connect socket 712 to 127.0.0.1:8009
[Thu Aug 05 09:12:52.264 2010] [10216:8452] [info] jk_connect.c (622):
connect to 127.0.0.1:8009 failed (errno=61)
[Thu Aug 05 09:12:52.280 2010] [10216:8452] [info] jk_ajp_common.c (959):
Failed opening socket to (127.0.0.1:8009) (errno=61)
[Thu Aug 05 09:12:52.295 2010] [10216:8452] [error] jk_ajp_common.c (1585):
(worker1) connecting to backend failed. Tomcat is probably not started or is
listening on the wrong port (errno=61)
[Thu Aug 05 09:12:52.311 2010] [10216:8452] [info] jk_ajp_common.c (2540):
(worker1) sending request to tomcat failed (recoverable), because of error
during request sending (attempt=2)
[Thu Aug 05 09:12:52.327 2010] [10216:8452] [error] jk_ajp_common.c (2559):
(worker1) connecting to tomcat failed.
[Thu Aug 05 09:12:52.342 2010] [10216:8452] [error] jk_isapi_plugin.c
(2195): service() failed with http error 503
[Thu Aug 05 09:12:52.374 2010] [10216:8452] [debug] jk_ajp_common.c (757):
(worker1) resetting endpoint with sd = 4294967295 (socket shutdown)
[Thu Aug 05 09:12:52.389 2010] [10216:8452] [debug] jk_ajp_common.c (3010):
recycling connection pool slot=0 for worker worker1 

-----Original Message-----
From: Rainer Jung [mailto:rainer.jung@kippdata.de] 
Sent: Thursday, August 05, 2010 4:13 AM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

See below

On 04.08.2010 22:17, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Rainer,
> Do you have a suggestion? Do I need to change my worker.properties? 
> Sorry, I'm new to Tomcat, I appreciate your help.
>
> -----Original Message-----
> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
> Sent: Wednesday, August 04, 2010 4:09 PM
> To: Tomcat Users List
> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>
> On 04.08.2010 21:50, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
>> I did read your post and I changed the Port Number.
>>
>> "<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />  
>> This connector should be used depending on your redirector config 
>> which we haven't seen yet
>>
>> Here is my workers.properties:
>>
>> worker.list=worker1
>> worker.worker1.type=ajp13
>> worker.worker1.host=127.0.0.1
>> worker.worker1.port=8009
>>
>> Here is my uriworkermap.properties:
>>
>> /geoportal|/*=worker1
>
> This didn't work, since the log snippet said it tried to use a worker 
> named "ajp13", not "worker1".

"This" = uriworkermap.properties.

So what did you do to let IIS find your uriworkermap.properties?
Can we be sure that works? Does your redirector debug log file indicate

- that it finds and reads the right uriworkermap.properties file
- that it finds the right map in there and thus tries to use a worker named
"worker1"
- is your request URL actually starting with "/geoportal/" or equal to
"geoportal"? What is the URL you are testing with?

Regards,

Rainer

>> -----Original Message-----
>> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
>> Sent: Wednesday, August 04, 2010 3:40 PM
>> To: Tomcat Users List
>> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>>
>> On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
>>> Jung,
>>> I'm still getting the errors.
>>
>> Why shouldn't you?
>> Did you actually read my post?
>> Which parts didn't you understand?
>>
>>> <Connector port="8080" protocol="Java HTTP"   ----What protocol should I use
>>> here (do not want to expose)
>>>                   connectionTimeout="20000"
>>>                   redirectPort="80" />
>>
>> This connector is *not* involved when using
>>
>> Browser ->   IIS/Redirector ->   Tomcat
>>
>>>        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>> -------------Does this look right?
>>>                   maxThreads="150" scheme="https" secure="true"
>>>                   clientAuth="false" sslProtocol="TLSv1"
>>>                   keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf\cert.pfx"
>>>                   keystorePass="password"
>>> 		   keystoreType="pkcs12" />
>>
>> This one neither.
>>
>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> 
>>> -----------------Is this where my actual authentication is taking place?
>> This connector should be used depending on your redirector config 
>> which we haven't seen yet.
>>
>> The error message you provided doesn't have to do with authentication.
>> Authentication problems might show up after you solved your worker 
>> configuration problem. Until now your IIS doesn't even talk to Tomcat.
>>
>> Regards,
>>
>> Rainer
>>
>>>
>>> -----Original Message-----
>>> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
>>> Sent: Wednesday, August 04, 2010 1:38 PM
>>> To: Tomcat Users List
>>> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>>>
>>> On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 
>>> 55E00
>> wrote:
>>>>
>>>>
>>>> I am trying to get Tomcat and IIS configured on my secure web 
>>>> server
>>>> (SSL) so that I can access my deployed web application via https 
>>>> and NOT over http. Connection to non-SSL works, but I cannot have 
>>>> that connection due to security.
>>>>
>>>> I want to run Tomcat through IIS, and I have configured it using 
>>>> the isapi_redirect.dll (thanks to Electronjockey). However, when I try
>>>> and hit my https://site/geoportal<https://site/geoportal>    my
>>>> credentials do not carry me through to the web application, instead 
>>>> I receive "Internet Explorer Cannot Display Webpage". Can someone 
>>>> help me out on how to configure my server.xml and interpreting my
>>>> log files
>> please?
>>>> I have even tried to export my server certificate, and call it 
>>>> using the keystore:"", still not working. I'm a Tomcat green horn, 
>>>> any help would be awesome.
>>>>
>>>> Isapi_redirect.log file: Looks like some sort of authentication is 
>>>> being passed, then the ajp13 is not found?
>>>>
>>>> [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] 
>>>> jk_isapi_plugin.c
>>>> (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70 
>>>> addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT 
>>>> user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll
>>>>
>>>> [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] 
>>>> jk_isapi_plugin.c
>>>> (3120): Service request headers=5 attributes=9 chunked=no 
>>>> content-length=0 available=0
>>>>
>>>> [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116):
>>>> did not find a worker ajp13
>>>> [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] 
>>>> jk_isapi_plugin.c
>>>> (2162): could not get a worker for name ajp13 [Wed Aug 04
>>>> 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
>>>> (2210): could not get a worker for name ajp13
>>>
>>> Hard to tell without knowing the version of the isapi redirector, 
>>> not having your configuration. This looks like:
>>>
>>> - it is trying to use a worker named ajp13 to connect to Tomcat.
>>> Likely you have configured the redirector to use this worker within
>>> your uriworkermap.properties file
>>>
>>> - the redirector doesn't know how to use this worker. Either you are 
>>> missing the workers.properties configuration file or there is no 
>>> definition for a worker named ajp13 in the file.
>>>
>>> A good starting point for a workers.properties file is the example 
>>> file contained in the source distribution of version 1.2.30. Please 
>>> do also use this version of the redirector.
>>>
>>> Note: from the point of view of Tomcat it doesn't really matter 
>>> whether you are talking http or https in the browser. This protocol 
>>> is only used between the browser and IIS. Between IIS and Tomcat 
>>> when using the isapi redirector the protocol is always AJP13 (it is 
>>> just coincidence, that this is the same name as the name of the 
>>> worker in your logs). The protocol is similar to HTTP but binary and 
>>> it transports the information whether the browser used http or 
>>> https, so Tomcat is aware of this. This protocol does not use the 
>>> http or https
>> connectors in server.xml, only the AJP13 connector.
>>>
>>>> Here is the meat of my server.xml (pretty sure it's wrong):
>>>>
>>>> <!-- A "Connector" represents an endpoint by which requests are 
>>>> received and responses are returned. Documentation at :
>>>> Java HTTP Connector: /docs/config/http.html (blocking&    non-blocking)
>>>> Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector:
>>>> /docs/apr.html Define a non-SSL HTTP/1.1 Connector on port 8080
>>>> -->
>>>> <Connector port="8080" protocol="HTTP/1.1"
>>>> connectionTimeout="20000"
>>>> redirectPort="80" />
>>>> <!-- A "Connector" using the shared thread pool-->
>>>>
>>>> <Connector executor="tomcatThreadPool"
>>>> port="8009" protocol="HTTP/1.1"
>>>> connectionTimeout="20000"
>>>> redirectPort="443" />
>>>>
>>>> <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector 
>>>> uses the JSSE configuration, when using APR, the connector should 
>>>> be using the OpenSSL style configuration described in the APR 
>>>> documentation
>>>> -->
>>>>
>>>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>>> maxThreads="150" scheme="https" secure="true"
>>>> clientAuth="false" sslProtocol="TLSv1"
>>>> keystoreFile="C:\Program Files (x86)\Apache Software 
>>>> Foundation\Tomcat 6.0\conf\cert.pfx"
>>>> keystorePass="mypassword"
>>>> keystoreType="pkcs12" />
>>>>
>>>> <!-- Define an AJP 1.3 Connector on port 8009 -->    <Connector
>>>> port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>>
>>> Two connectors, both on port 8009, will not work. Use the latter one.
>>>
>>> Regards,
>>>
>>> Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
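
Added example, not part of the thread and not Tomcat project code: a small cross-check of the three files discussed above, covering the two failure modes Rainer names (a mapped worker name the redirector has no definition for, and two connectors on one port). Function names are hypothetical; the config values are the ones posted in the thread, and the `<Server>`/`<Service>` wrapper is constructed so the XML parses on its own.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Values as posted in this thread; the <Server>/<Service> wrapper is constructed.
WORKERS = """\
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
"""
URIMAP = "/geoportal|/*=worker1\n"
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="80" />
  <Connector executor="tomcatThreadPool" port="8009" protocol="HTTP/1.1" redirectPort="443" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>
"""
# Same file with the HTTP/1.1 connector on 8009 removed ("Use the latter one").
SERVER_XML_FIXED = "\n".join(
    line for line in SERVER_XML.splitlines() if "tomcatThreadPool" not in line
)


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def defined_workers(workers_text):
    """Return {name: {attribute: value}} for each worker named in worker.list."""
    props = parse_properties(workers_text)
    names = [n.strip() for n in props.get("worker.list", "").split(",") if n.strip()]
    workers = {}
    for name in names:
        prefix = "worker.%s." % name
        workers[name] = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
    return workers


def uri_mappings(map_text):
    """Return [(uri_pattern, worker)]; '/app|/*' expands to '/app' and '/app/*'."""
    mappings = []
    for pattern, worker in parse_properties(map_text).items():
        if "|" in pattern:
            base, suffix = pattern.split("|", 1)
            mappings += [(base, worker), (base + suffix, worker)]
        else:
            mappings.append((pattern, worker))
    return mappings


def connector_ports(server_xml):
    """Return [(port, protocol)] for every <Connector> element in server.xml."""
    root = ET.fromstring(server_xml)
    return [(int(c.get("port")), c.get("protocol", "HTTP/1.1")) for c in root.iter("Connector")]


def check(workers_text, map_text, server_xml):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    workers = defined_workers(workers_text)
    # 1. Every mapped worker must be defined ("did not find a worker ...").
    for pattern, worker in uri_mappings(map_text):
        if worker not in workers:
            findings.append("map %s -> worker '%s' is not in worker.list" % (pattern, worker))
    # 2. No two connectors may share a port.
    ports = connector_ports(server_xml)
    for port, count in Counter(p for p, _ in ports).items():
        if count > 1:
            findings.append("port %d is claimed by %d connectors" % (port, count))
    # 3. Each ajp13 worker must point at a port served by an AJP connector.
    ajp_ports = {p for p, proto in ports if proto.upper().startswith("AJP")}
    for name, attrs in workers.items():
        port = int(attrs.get("port", 8009))
        if attrs.get("type") == "ajp13" and port not in ajp_ports:
            findings.append(
                "worker '%s' points at port %d but no AJP/1.3 connector listens there"
                % (name, port)
            )
    return findings


if __name__ == "__main__":
    for finding in check(WORKERS, URIMAP, SERVER_XML) or ["no findings"]:
        print(finding)
```

A clean result here only shows the files agree with each other; it does not show that the redirector is actually loading these files, which is the open question in the message above.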


Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by Rainer Jung <ra...@kippdata.de>.
See below

On 04.08.2010 22:17, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Rainer,
> Do you have a suggestion? Do I need to change my worker.properties? Sorry,
> I'm new to Tomcat, I appreciate your help.
>
> -----Original Message-----
> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
> Sent: Wednesday, August 04, 2010 4:09 PM
> To: Tomcat Users List
> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>
> On 04.08.2010 21:50, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
>> I did read your post and I changed the Port Number.
>>
>> "<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />  This
>> connector should be used depending on your redirector config which we
>> haven't seen yet
>>
>> Here is my workers.properties:
>>
>> worker.list=worker1
>> worker.worker1.type=ajp13
>> worker.worker1.host=127.0.0.1
>> worker.worker1.port=8009
>>
>> Here is my uriworkermap.properties:
>>
>> /geoportal|/*=worker1
>
> This didn't work, since the log snippet said it tried to use a worker named
> "ajp13", not "worker1".

"This" = uriworkermap.properties.

So what did you do to let IIS find your uriworkermap.properties?
Can we be sure that works? Does your redirector debug log file indicate

- that it finds and reads the right uriworkermap.properties file
- that it finds the right map in there and thus tries to use a worker 
named "worker1"
- is your request URL actually starting with "/geoportal/" or equal to 
"geoportal"? What is the URL you are testing with?

Regards,

Rainer

>> -----Original Message-----
>> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
>> Sent: Wednesday, August 04, 2010 3:40 PM
>> To: Tomcat Users List
>> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>>
>> On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> wrote:
>>> Jung,
>>> I'm still getting the errors.
>>
>> Why shouldn't you?
>> Did you actually read my post?
>> Which parts didn't you understand?
>>
>>> <Connector port="8080" protocol="Java HTTP"   ----What protocol should I
>> use
>>> here (do not want to expose)
>>>                   connectionTimeout="20000"
>>>                   redirectPort="80" />
>>
>> This connector is *not* involved when using
>>
>> Browser ->   IIS/Redirector ->   Tomcat
>>
>>>        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>> -------------Does this look right?
>>>                   maxThreads="150" scheme="https" secure="true"
>>>                   clientAuth="false" sslProtocol="TLSv1"
>>>       		   keystoreFile="C:\Program Files (x86)\Apache
> Software
>>> Foundation\Tomcat 6.0\conf\cert.pfx"
>>>                   keystorePass="password"
>>> 		   keystoreType="pkcs12" />
>>
>> This one neither.
>>
>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>> -----------------Is this where my actual authentication is taking place?
>> This connector should be used depending on your redirector config
>> which we haven't seen yet.
>>
>> The error message you provided doesn't have to do with authentication.
>> Authentication problems might show up after you solved your worker
>> configuration problem. Until now your IIS doesn't even talk to Tomcat.
>>
>> Regards,
>>
>> Rainer
>>
>>>
>>> -----Original Message-----
>>> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
>>> Sent: Wednesday, August 04, 2010 1:38 PM
>>> To: Tomcat Users List
>>> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>>>
>>> On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
>> wrote:
>>>>
>>>>
>>>> I am trying to get Tomcat and IIS configured on my secure web server
>>>> (SSL) so that I can access my deployed web application via https and
>>>> NOT over http. Connection to non-SSL works, but I cannot have that
>>>> connection due to security.
>>>>
>>>> I want to run Tomcat through IIS, and I have configured it using the
>>>> isapi_redirect.dll (thanks to Electronjockey). However, when I try
>>>> and hit my https://site/geoportal<https://site/geoportal>    my
>>>> credentials do not carry me through to the web application, instead
>>>> I receive "Internet Explorer Cannot Display Webpage". Can someone
>>>> help me out on how to configure my server.xml and interpreting my
>>>> log files
>> please?
>>>> I have even tried to export my server certificate, and call it using
>>>> the keystore:"", still not working. I'm a Tomcat green horn, any
>>>> help would be awesome.
>>>>
>>>> Isapi_redirect.log file: Looks like some sort of authentication is
>>>> being passed, then the ajp13 is not found?
>>>>
>>>> [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug]
>>>> jk_isapi_plugin.c
>>>> (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70
>>>> addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT
>>>> user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll
>>>>
>>>> [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug]
>>>> jk_isapi_plugin.c
>>>> (3120): Service request headers=5 attributes=9 chunked=no
>>>> content-length=0 available=0
>>>>
>>>> [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116):
>>>> did not find a worker ajp13
>>>> [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug]
>>>> jk_isapi_plugin.c
>>>> (2162): could not get a worker for name ajp13 [Wed Aug 04
>>>> 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
>>>> (2210): could not get a worker for name ajp13
>>>
>>> Hard to tell without knowing the version of the isapi redirector, not
>>> having your configuration. This looks like:
>>>
>>> - it is trying to use a worker named ajp13 to connect to Tomcat. Likely
>>> you have configured the redirector to use this worker within your
>>> uriworkermap.properties file
>>>
>>> - the redirector doesn't know how to use this worker. Either you are
>>> missing the workers.properties configuration file or there is no
>>> definition for a worker named ajp13 in the file.
>>>
>>> A good starting point for a workers.properties file is the example
>>> file contained in the source distribution of version 1.2.30. Please
>>> do also use this version of the redirector.
>>>
>>> Note: from the point of view of Tomcat it doesn't really matter
>>> whether you are talking http or https in the browser. This protocol
>>> is only used between the browser and IIS. Between IIS and Tomcat when
>>> using the isapi redirector the protocol is always AJP13 (it is just
>>> coincidence, that this is the same name as the name of the worker in
>>> your logs). The protocol is similar to HTTP but binary and it
>>> transports the information whether the browser used http or https, so
>>> Tomcat is aware of this. This protocol does not use the http or https
>> connectors in server.xml, only the AJP13 connector.
>>>
>>>> Here is the meat of my server.xml (pretty sure it's wrong):
>>>>
>>>> <!-- A "Connector" represents an endpoint by which requests are
>>>> received and responses are returned. Documentation at :
>>>> Java HTTP Connector: /docs/config/http.html (blocking&    non-blocking)
>>>> Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector:
>>>> /docs/apr.html Define a non-SSL HTTP/1.1 Connector on port 8080
>>>> -->
>>>> <Connector port="8080" protocol="HTTP/1.1"
>>>> connectionTimeout="20000"
>>>> redirectPort="80" />
>>>> <!-- A "Connector" using the shared thread pool-->
>>>>
>>>> <Connector executor="tomcatThreadPool"
>>>> port="8009" protocol="HTTP/1.1"
>>>> connectionTimeout="20000"
>>>> redirectPort="443" />
>>>>
>>>> <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector
>>>> uses the JSSE configuration, when using APR, the connector should be
>>>> using the OpenSSL style configuration described in the APR
>>>> documentation
>>>> -->
>>>>
>>>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>>> maxThreads="150" scheme="https" secure="true"
>>>> clientAuth="false" sslProtocol="TLSv1"
>>>> keystoreFile="C:\Program Files (x86)\Apache Software
>>>> Foundation\Tomcat 6.0\conf\cert.pfx"
>>>> keystorePass="mypassword"
>>>> keystoreType="pkcs12" />
>>>>
>>>> <!-- Define an AJP 1.3 Connector on port 8009 -->    <Connector
>>>> port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>>
>>> Two connectors, both on port 8009, will not work. Use the latter one.
>>>
>>> Regards,
>>>
>>> Rainer



RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Rainer,
Do you have a suggestion? Do I need to change my worker.properties? Sorry,
I'm new to Tomcat, I appreciate your help. 

-----Original Message-----
From: Rainer Jung [mailto:rainer.jung@kippdata.de] 
Sent: Wednesday, August 04, 2010 4:09 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

On 04.08.2010 21:50, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> I did read your post and I changed the Port Number.
>
> "<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> This 
> connector should be used depending on your redirector config which we 
> haven't seen yet
>
> Here is my workers.properties:
>
> worker.list=worker1
> worker.worker1.type=ajp13
> worker.worker1.host=127.0.0.1
> worker.worker1.port=8009
>
> Here is my uriworkermap.properties:
>
> /geoportal|/*=worker1

This didn't work, since the log snippet said it tried to use a worker named
"ajp13", not "worker1".

Regards,

Rainer

> -----Original Message-----
> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
> Sent: Wednesday, August 04, 2010 3:40 PM
> To: Tomcat Users List
> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>
> On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
wrote:
>> Jung,
>> I'm still getting the errors.
>
> Why shouldn't you?
> Did you actually read my post?
> Which parts didn't you understand?
>
>> <Connector port="8080" protocol="Java HTTP"   ----What protocol should I
> use
>> here (do not want to expose)
>>                  connectionTimeout="20000"
>>                  redirectPort="80" />
>
> This connector is *not* involved when using
>
> Browser ->  IIS/Redirector ->  Tomcat
>
>>       <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>> -------------Does this look right?
>>                  maxThreads="150" scheme="https" secure="true"
>>                  clientAuth="false" sslProtocol="TLSv1"
>>      		   keystoreFile="C:\Program Files (x86)\Apache
Software 
>> Foundation\Tomcat 6.0\conf\cert.pfx"
>>                  keystorePass="password"
>> 		   keystoreType="pkcs12" />
>
> This one neither.
>
>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> 
>> -----------------Is this where my actual authentication is taking place?
> This connector should be used depending on your redirector config 
> which we haven't seen yet.
>
> The error message you provided doesn't have to do with authentication.
> Authentication problems might show up after you solved your worker 
> configuration problem. Until now your IIS doesn't even talk to Tomcat.
>
> Regards,
>
> Rainer
>
>>
>> -----Original Message-----
>> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
>> Sent: Wednesday, August 04, 2010 1:38 PM
>> To: Tomcat Users List
>> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>>
>> On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> wrote:
>>>
>>>
>>> I am trying to get Tomcat and IIS configured on my secure web server
>>> (SSL) so that I can access my deployed web application via https and 
>>> NOT over http. Connection to non-SSL works, but I cannot have that 
>>> connection due to security.
>>>
>>> I want to run Tomcat through IIS, and I have configured it using the 
>>> isapi_redirect.dll (thanks to Electronjockey). However, when I try
>>> and hit my https://site/geoportal<https://site/geoportal>   my
>>> credentials do not carry me through to the web application, instead 
>>> I receive "Internet Explorer Cannot Display Webpage". Can someone 
>>> help me out on how to configure my server.xml and interpreting my
>>> log files
> please?
>>> I have even tried to export my server certificate, and call it using 
>>> the keystore:"", still not working. I'm a Tomcat green horn, any 
>>> help would be awesome.
>>>
>>> Isapi_redirect.log file: Looks like some sort of authentication is 
>>> being passed, then the ajp13 is not found?
>>>
>>> [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] 
>>> jk_isapi_plugin.c
>>> (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70 
>>> addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT 
>>> user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll
>>>
>>> [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] 
>>> jk_isapi_plugin.c
>>> (3120): Service request headers=5 attributes=9 chunked=no 
>>> content-length=0 available=0
>>>
>>> [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116):
>>> did not find a worker ajp13
>>> [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] 
>>> jk_isapi_plugin.c
>>> (2162): could not get a worker for name ajp13 [Wed Aug 04
>>> 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
>>> (2210): could not get a worker for name ajp13
>>
>> Hard to tell without knowing the version of the isapi redirector, not 
>> having your configuration. This looks like:
>>
>> - it is trying to use a worker named ajp13 to connect to Tomcat. Likely
>> you have configured the redirector to use this worker within your
>> uriworkermap.properties file
>>
>> - the redirector doesn't know how to use this worker. Either you are 
>> missing the workers.properties configuration file or there is no 
>> definition for a worker named ajp13 in the file.
>>
>> A good starting point for a workers.properties file is the example 
>> file contained in the source distribution of version 1.2.30. Please 
>> do also use this version of the redirector.
>>
>> Note: from the point of view of Tomcat it doesn't really matter 
>> whether you are talking http or https in the browser. This protocol 
>> is only used between the browser and IIS. Between IIS and Tomcat when 
>> using the isapi redirector the protocol is always AJP13 (it is just 
>> coincidence, that this is the same name as the name of the worker in 
>> your logs). The protocol is similar to HTTP but binary and it 
>> transports the information whether the browser used http or https, so 
>> Tomcat is aware of this. This protocol does not use the http or https
> connectors in server.xml, only the AJP13 connector.
>>
>>> Here is the meat of my server.xml (pretty sure it's wrong):
>>>
>>> <!-- A "Connector" represents an endpoint by which requests are 
>>> received and responses are returned. Documentation at :
>>> Java HTTP Connector: /docs/config/http.html (blocking&   non-blocking)
>>> Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector:
>>> /docs/apr.html Define a non-SSL HTTP/1.1 Connector on port 8080
>>> -->
>>> <Connector port="8080" protocol="HTTP/1.1"
>>> connectionTimeout="20000"
>>> redirectPort="80" />
>>> <!-- A "Connector" using the shared thread pool-->
>>>
>>> <Connector executor="tomcatThreadPool"
>>> port="8009" protocol="HTTP/1.1"
>>> connectionTimeout="20000"
>>> redirectPort="443" />
>>>
>>> <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector 
>>> uses the JSSE configuration, when using APR, the connector should be 
>>> using the OpenSSL style configuration described in the APR 
>>> documentation
>>> -->
>>>
>>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>> maxThreads="150" scheme="https" secure="true"
>>> clientAuth="false" sslProtocol="TLSv1"
>>> keystoreFile="C:\Program Files (x86)\Apache Software 
>>> Foundation\Tomcat 6.0\conf\cert.pfx"
>>> keystorePass="mypassword"
>>> keystoreType="pkcs12" />
>>>
>>> <!-- Define an AJP 1.3 Connector on port 8009 -->   <Connector
>>> port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>
>> Two connectors, both on port 8009, will not work. Use the latter one.
>>
>> Regards,
>>
>> Rainer



Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by Rainer Jung <ra...@kippdata.de>.
On 04.08.2010 21:50, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> I did read your post and I changed the Port Number.
>
> "<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> This connector should be used depending on your redirector config which we
> haven't seen yet
>
> Here is my workers.properties:
>
> worker.list=worker1
> worker.worker1.type=ajp13
> worker.worker1.host=127.0.0.1
> worker.worker1.port=8009
>
> Here is my uriworkermap.properties:
>
> /geoportal|/*=worker1

This didn't work, since the log snippet said it tried to use a worker 
named "ajp13", not "worker1".

Regards,

Rainer

> -----Original Message-----
> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
> Sent: Wednesday, August 04, 2010 3:40 PM
> To: Tomcat Users List
> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>
> On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
>> Jung,
>> I'm still getting the errors.
>
> Why shouldn't you?
> Did you actually read my post?
> Which parts didn't you understand?
>
>> <Connector port="8080" protocol="Java HTTP"   ----What protocol should I
> use
>> here (do not want to expose)
>>                  connectionTimeout="20000"
>>                  redirectPort="80" />
>
> This connector is *not* involved when using
>
> Browser ->  IIS/Redirector ->  Tomcat
>
>>       <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>> -------------Does this look right?
>>                  maxThreads="150" scheme="https" secure="true"
>>                  clientAuth="false" sslProtocol="TLSv1"
>>      		   keystoreFile="C:\Program Files (x86)\Apache Software
>> Foundation\Tomcat 6.0\conf\cert.pfx"
>>                  keystorePass="password"
>> 		   keystoreType="pkcs12" />
>
> This one neither.
>
>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>> -----------------Is this where my actual authentication is taking place?
> This connector should be used depending on your redirector config which we
> haven't seen yet.
>
> The error message you provided doesn't have to do with authentication.
> Authentication problems might show up after you solved your worker
> configuration problem. Until now your IIS doesn't even talk to Tomcat.
>
> Regards,
>
> Rainer
>
>>
>> -----Original Message-----
>> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
>> Sent: Wednesday, August 04, 2010 1:38 PM
>> To: Tomcat Users List
>> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>>
>> On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> wrote:
>>>
>>>
>>> I am trying to get Tomcat and IIS configured on my secure web server
>>> (SSL) so that I can access my deployed web application via https and
>>> NOT over http. Connection to non-SSL works, but I cannot have that
>>> connection due to security.
>>>
>>> I want to run Tomcat through IIS, and I have configured it using the
>>> isapi_redirect.dll (thanks to Electronjockey). However, when I try
>>> and hit my https://site/geoportal<https://site/geoportal>   my
>>> credentials do not carry me through to the web application, instead I
>>> receive "Internet Explorer Cannot Display Webpage". Can someone help
>>> me out on how to configure my server.xml and interpreting my log files
> please?
>>> I have even tried to export my server certificate, and call it using
>>> the keystore:"", still not working. I'm a Tomcat green horn, any help
>>> would be awesome.
>>>
>>> Isapi_redirect.log file: Looks like some sort of authentication is
>>> being passed, then the ajp13 is not found?
>>>
>>> [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c
>>> (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70
>>> addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT
>>> user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll
>>>
>>> [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c
>>> (3120): Service request headers=5 attributes=9 chunked=no
>>> content-length=0 available=0
>>>
>>> [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116):
>>> did not find a worker ajp13
>>> [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c
>>> (2162): could not get a worker for name ajp13 [Wed Aug 04
>>> 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
>>> (2210): could not get a worker for name ajp13
>>
>> Hard to tell without knowing the version of the isapi redirector, not
>> having your configuration. This looks like:
>>
>> - it is trying to use a worker named ajp13 to connect to Tomcat. Likely
>> you have configured the redirector to use this worker within your
>> uriworkermap.properties file
>>
>> - the redirector doesn't know how to use this worker. Either you are
>> missing the workers.properties configuration file or there is no
>> definition for a worker named ajp13 in the file.
>>
>> A good starting point for a workers.properties file is the example
>> file contained in the source distribution of version 1.2.30. Please do
>> also use this version of the redirector.
>>
>> Note: from the point of view of Tomcat it doesn't really matter
>> whether you are talking http or https in the browser. This protocol is
>> only used between the browser and IIS. Between IIS and Tomcat when
>> using the isapi redirector the protocol is always AJP13 (it is just
>> coincidence, that this is the same name as the name of the worker in
>> your logs). The protocol is similar to HTTP but binary and it
>> transports the information whether the browser used http or https, so
>> Tomcat is aware of this. This protocol does not use the http or https
> connectors in server.xml, only the AJP13 connector.
>>
>>> Here is the meat of my server.xml (pretty sure it's wrong):
>>>
>>> <!-- A "Connector" represents an endpoint by which requests are
>>> received and responses are returned. Documentation at :
>>> Java HTTP Connector: /docs/config/http.html (blocking&   non-blocking)
>>> Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector:
>>> /docs/apr.html Define a non-SSL HTTP/1.1 Connector on port 8080
>>> -->
>>> <Connector port="8080" protocol="HTTP/1.1"
>>> connectionTimeout="20000"
>>> redirectPort="80" />
>>> <!-- A "Connector" using the shared thread pool-->
>>>
>>> <Connector executor="tomcatThreadPool"
>>> port="8009" protocol="HTTP/1.1"
>>> connectionTimeout="20000"
>>> redirectPort="443" />
>>>
>>> <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses
>>> the JSSE configuration, when using APR, the connector should be using
>>> the OpenSSL style configuration described in the APR documentation
>>> -->
>>>
>>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>> maxThreads="150" scheme="https" secure="true"
>>> clientAuth="false" sslProtocol="TLSv1"
>>> keystoreFile="C:\Program Files (x86)\Apache Software
>>> Foundation\Tomcat 6.0\conf\cert.pfx"
>>> keystorePass="mypassword"
>>> keystoreType="pkcs12" />
>>>
>>> <!-- Define an AJP 1.3 Connector on port 8009 -->   <Connector
>>> port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>
>> Two connectors, both on port 8009, will not work. Use the latter one.
>>
>> Regards,
>>
>> Rainer



RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
I did read your post and I changed the Port Number.
  
"<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> 
This connector should be used depending on your redirector config which we
haven't seen yet

Here is my workers.properties:

worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009 

Here is my uriworkermap.properties:

/geoportal|/*=worker1

-----Original Message-----
From: Rainer Jung [mailto:rainer.jung@kippdata.de] 
Sent: Wednesday, August 04, 2010 3:40 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Jung,
> I'm still getting the errors.

Why shouldn't you?
Did you actually read my post?
Which parts didn't you understand?

> <Connector port="8080" protocol="Java HTTP"   ----What protocol should I
use
> here (do not want to expose)
>                 connectionTimeout="20000"
>                 redirectPort="80" />

This connector is *not* involved when using

Browser -> IIS/Redirector -> Tomcat

>      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> -------------Does this look right?
>                 maxThreads="150" scheme="https" secure="true"
>                 clientAuth="false" sslProtocol="TLSv1"
>     		   keystoreFile="C:\Program Files (x86)\Apache Software 
> Foundation\Tomcat 6.0\conf\cert.pfx"
>                 keystorePass="password"
> 		   keystoreType="pkcs12" />

This one neither.

> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> 
> -----------------Is this where my actual authentication is taking place?
This connector should be used depending on your redirector config which we
haven't seen yet.

The error message you provided doesn't have to do with authentication. 
Authentication problems might show up after you solved your worker
configuration problem. Until now your IIS doesn't even talk to Tomcat.

Regards,

Rainer

>
> -----Original Message-----
> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
> Sent: Wednesday, August 04, 2010 1:38 PM
> To: Tomcat Users List
> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>
> On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
wrote:
>>
>>
>> I am trying to get Tomcat and IIS configured on my secure web server
>> (SSL) so that I can access my deployed web application via https and 
>> NOT over http. Connection to non-SSL works, but I cannot have that 
>> connection due to security.
>>
>> I want to run Tomcat through IIS, and I have configured it using the 
>> isapi_redirect.dll (thanks to Electronjockey). However, when I try 
>> and hit my https://site/geoportal<https://site/geoportal>  my 
>> credentials do not carry me through to the web application, instead I 
>> receive "Internet Explorer Cannot Display Webpage". Can someone help 
>> me out on how to configure my server.xml and interpreting my log files
please?
>> I have even tried to export my server certificate, and call it using 
>> the keystore:"", still not working. I'm a Tomcat green horn, any help 
>> would be awesome.
>>
>> Isapi_redirect.log file: Looks like some sort of authentication is 
>> being passed, then the ajp13 is not found?
>>
>> [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c
>> (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70 
>> addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT 
>> user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll
>>
>> [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c
>> (3120): Service request headers=5 attributes=9 chunked=no 
>> content-length=0 available=0
>>
>> [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116):
>> did not find a worker ajp13
>> [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c
>> (2162): could not get a worker for name ajp13
>> [Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
>> (2210): could not get a worker for name ajp13
>
> Hard to tell without knowing the version of the isapi redirector, not 
> having your configuration. This looks like:
>
> - it is trying to use a worker named ajp13 to connect to Tomcat. Likely
> you have configured the redirector to use this worker within your
> uriworkermap.properties file
>
> - the redirector doesn't know how to use this worker. Either you are 
> missing the workers.properties configuration file or there is no 
> definition for a worker named ajp13 in the file.
>
> A good starting point for a workers.properties file is the example 
> file contained in the source distribution of version 1.2.30. Please do 
> also use this version of the redirector.
>
> Note: from the point of view of Tomcat it doesn't really matter 
> whether you are talking http or https in the browser. This protocol is 
> only used between the browser and IIS. Between IIS and Tomcat when 
> using the isapi redirector the protocol is always AJP13 (it is just 
> coincidence, that this is the same name as the name of the worker in 
> your logs). The protocol is similar to HTTP but binary and it 
> transports the information whether the browser used http or https, so 
> Tomcat is aware of this. This protocol does not use the http or https
> connectors in server.xml, only the AJP13 connector.
>
>> Here is the meat of my server.xml (pretty sure it's wrong):
>>
>> <!-- A "Connector" represents an endpoint by which requests are 
>> received and responses are returned. Documentation at :
>> Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
>> Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector:
>> /docs/apr.html Define a non-SSL HTTP/1.1 Connector on port 8080
>> -->
>> <Connector port="8080" protocol="HTTP/1.1"
>> connectionTimeout="20000"
>> redirectPort="80" />
>> <!-- A "Connector" using the shared thread pool-->
>>
>> <Connector executor="tomcatThreadPool"
>> port="8009" protocol="HTTP/1.1"
>> connectionTimeout="20000"
>> redirectPort="443" />
>>
>> <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses 
>> the JSSE configuration, when using APR, the connector should be using 
>> the OpenSSL style configuration described in the APR documentation 
>> -->
>>
>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true"
>> clientAuth="false" sslProtocol="TLSv1"
>> keystoreFile="C:\Program Files (x86)\Apache Software 
>> Foundation\Tomcat 6.0\conf\cert.pfx"
>> keystorePass="mypassword"
>> keystoreType="pkcs12" />
>>
>> <!-- Define an AJP 1.3 Connector on port 8009 -->  <Connector 
>> port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> Two connectors, both on port 8009, will not work. Use the latter one.
>
> Regards,
>
> Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by Rainer Jung <ra...@kippdata.de>.
On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Jung,
> I'm still getting the errors.

Why shouldn't you?
Did you actually read my post?
Which parts didn't you understand?

> <Connector port="8080" protocol="Java HTTP"   ----What protocol should I use
> here (do not want to expose)
>                 connectionTimeout="20000"
>                 redirectPort="80" />

This connector is *not* involved when using

Browser -> IIS/Redirector -> Tomcat

>      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> -------------Does this look right?
>                 maxThreads="150" scheme="https" secure="true"
>                 clientAuth="false" sslProtocol="TLSv1"
>     		   keystoreFile="C:\Program Files (x86)\Apache Software
> Foundation\Tomcat 6.0\conf\cert.pfx"
>                 keystorePass="password"
> 		   keystoreType="pkcs12" />

This one neither.

> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> -----------------Is this where my actual authentication is taking place?
This connector should be used depending on your redirector config which 
we haven't seen yet.

The error message you provided doesn't have to do with authentication. 
Authentication problems might show up after you solved your worker 
configuration problem. Until now your IIS doesn't even talk to Tomcat.

Regards,

Rainer

>
> -----Original Message-----
> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
> Sent: Wednesday, August 04, 2010 1:38 PM
> To: Tomcat Users List
> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>
> On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
>>
>>
>> I am trying to get Tomcat and IIS configured on my secure web server
>> (SSL) so that I can access my deployed web application via https and
>> NOT over http. Connection to non-SSL works, but I cannot have that
>> connection due to security.
>>
>> I want to run Tomcat through IIS, and I have configured it using the
>> isapi_redirect.dll (thanks to Electronjockey). However, when I try and
>> hit my https://site/geoportal<https://site/geoportal>  my credentials
>> do not carry me through to the web application, instead I receive
>> "Internet Explorer Cannot Display Webpage". Can someone help me out on
>> how to configure my server.xml and interpreting my log files please?
>> I have even tried to export my server certificate, and call it using
>> the keystore:"", still not working. I'm a Tomcat green horn, any help
>> would be awesome.
>>
>> Isapi_redirect.log file: Looks like some sort of authentication is
>> being passed, then the ajp13 is not found?
>>
>> [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c
>> (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70
>> addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT
>> user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll
>>
>> [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c
>> (3120): Service request headers=5 attributes=9 chunked=no
>> content-length=0 available=0
>>
>> [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116):
>> did not find a worker ajp13
>> [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c
>> (2162): could not get a worker for name ajp13
>> [Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
>> (2210): could not get a worker for name ajp13
>
> Hard to tell without knowing the version of the isapi redirector, not having
> your configuration. This looks like:
>
> - it is trying to use a worker named ajp13 to connect to Tomcat. Likely you
> have configured the redirector to use this worker within your
> uriworkermap.properties file
>
> - the redirector doesn't know how to use this worker. Either you are missing
> the workers.properties configuration file or there is no definition for a
> worker named ajp13 in the file.
>
> A good starting point for a workers.properties file is the example file
> contained in the source distribution of version 1.2.30. Please do also use
> this version of the redirector.
>
> Note: from the point of view of Tomcat it doesn't really matter whether you
> are talking http or https in the browser. This protocol is only used between
> the browser and IIS. Between IIS and Tomcat when using the isapi redirector
> the protocol is always AJP13 (it is just coincidence, that this is the same
> name as the name of the worker in your logs). The protocol is similar to
> HTTP but binary and it transports the information whether the browser used
> http or https, so Tomcat is aware of this. This protocol does not use the
> http or https connectors in server.xml, only the AJP13 connector.
>
>> Here is the meat of my server.xml (pretty sure it's wrong):
>>
>> <!-- A "Connector" represents an endpoint by which requests are
>> received and responses are returned. Documentation at :
>> Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
>> Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector:
>> /docs/apr.html Define a non-SSL HTTP/1.1 Connector on port 8080
>> -->
>> <Connector port="8080" protocol="HTTP/1.1"
>> connectionTimeout="20000"
>> redirectPort="80" />
>> <!-- A "Connector" using the shared thread pool-->
>>
>> <Connector executor="tomcatThreadPool"
>> port="8009" protocol="HTTP/1.1"
>> connectionTimeout="20000"
>> redirectPort="443" />
>>
>> <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses
>> the JSSE configuration, when using APR, the connector should be using
>> the OpenSSL style configuration described in the APR documentation -->
>>
>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true"
>> clientAuth="false" sslProtocol="TLSv1"
>> keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat
>> 6.0\conf\cert.pfx"
>> keystorePass="mypassword"
>> keystoreType="pkcs12" />
>>
>> <!-- Define an AJP 1.3 Connector on port 8009 -->  <Connector
>> port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> Two connectors, both on port 8009, will not work. Use the latter one.
>
> Regards,
>
> Rainer



RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <ja...@navy.mil>.
Jung,
I'm still getting the errors.

<Connector port="8080" protocol="Java HTTP"   ----What protocol should I use
here (do not want to expose)
               connectionTimeout="20000" 
               redirectPort="80" /> 


    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-------------Does this look right?
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1"
   		   keystoreFile="C:\Program Files (x86)\Apache Software
Foundation\Tomcat 6.0\conf\cert.pfx" 
               keystorePass="password"
		   keystoreType="pkcs12" />


<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-----------------Is this where my actual authentication is taking place?

-----Original Message-----
From: Rainer Jung [mailto:rainer.jung@kippdata.de] 
Sent: Wednesday, August 04, 2010 1:38 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
>
>
> I am trying to get Tomcat and IIS configured on my secure web server
> (SSL) so that I can access my deployed web application via https and 
> NOT over http. Connection to non-SSL works, but I cannot have that 
> connection due to security.
>
> I want to run Tomcat through IIS, and I have configured it using the 
> isapi_redirect.dll (thanks to Electronjockey). However, when I try and 
> hit my https://site/geoportal <https://site/geoportal> my credentials 
> do not carry me through to the web application, instead I receive 
> "Internet Explorer Cannot Display Webpage". Can someone help me out on 
> how to configure my server.xml and interpreting my log files please?
> I have even tried to export my server certificate, and call it using 
> the keystore:"", still not working. I'm a Tomcat green horn, any help 
> would be awesome.
>
> Isapi_redirect.log file: Looks like some sort of authentication is 
> being passed, then the ajp13 is not found?
>
> [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c
> (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70 
> addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT 
> user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll
>
> [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c
> (3120): Service request headers=5 attributes=9 chunked=no 
> content-length=0 available=0
>
> [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116):
> did not find a worker ajp13
> [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c
> (2162): could not get a worker for name ajp13
> [Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
> (2210): could not get a worker for name ajp13

Hard to tell without knowing the version of the isapi redirector, not having
your configuration. This looks like:

- it is trying to use a worker named ajp13 to connect to Tomcat. Likely you
have configured the redirector to use this worker within your
uriworkermap.properties file

- the redirector doesn't know how to use this worker. Either you are missing
the workers.properties configuration file or there is no definition for a
worker named ajp13 in the file.

A good starting point for a workers.properties file is the example file
contained in the source distribution of version 1.2.30. Please do also use
this version of the redirector.

Note: from the point of view of Tomcat it doesn't really matter whether you
are talking http or https in the browser. This protocol is only used between
the browser and IIS. Between IIS and Tomcat when using the isapi redirector
the protocol is always AJP13 (it is just coincidence, that this is the same
name as the name of the worker in your logs). The protocol is similar to
HTTP but binary and it transports the information whether the browser used
http or https, so Tomcat is aware of this. This protocol does not use the
http or https connectors in server.xml, only the AJP13 connector.

> Here is the meat of my server.xml (pretty sure it's wrong):
>
> <!-- A "Connector" represents an endpoint by which requests are 
> received and responses are returned. Documentation at :
> Java HTTP Connector: /docs/config/http.html (blocking & non-blocking) 
> Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector: 
> /docs/apr.html Define a non-SSL HTTP/1.1 Connector on port 8080
> -->
> <Connector port="8080" protocol="HTTP/1.1"
> connectionTimeout="20000"
> redirectPort="80" />
> <!-- A "Connector" using the shared thread pool-->
>
> <Connector executor="tomcatThreadPool"
> port="8009" protocol="HTTP/1.1"
> connectionTimeout="20000"
> redirectPort="443" />
>
> <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses 
> the JSSE configuration, when using APR, the connector should be using 
> the OpenSSL style configuration described in the APR documentation -->
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLSv1"
> keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 
> 6.0\conf\cert.pfx"
> keystorePass="mypassword"
> keystoreType="pkcs12" />
>
> <!-- Define an AJP 1.3 Connector on port 8009 --> <Connector 
> port="8009" protocol="AJP/1.3" redirectPort="8443" />

Two connectors, both on port 8009, will not work. Use the latter one.

Regards,

Rainer



Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Posted by Rainer Jung <ra...@kippdata.de>.
On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
>
>
> I am trying to get Tomcat and IIS configured on my secure web server
> (SSL) so that I can access my deployed web application via https and NOT
> over http. Connection to non-SSL works, but I cannot have that
> connection due to security.
>
> I want to run Tomcat through IIS, and I have configured it using the
> isapi_redirect.dll (thanks to Electronjockey). However, when I try and
> hit my https://site/geoportal <https://site/geoportal> my credentials do
> not carry me through to the web application, instead I receive "Internet
> Explorer Cannot Display Webpage". Can someone help me out on how to
> configure my server.xml and interpreting my log files please? I have
> even tried to export my server certificate, and call it using the
> keystore:"", still not working. I'm a Tomcat green horn, any help would
> be awesome.
>
> Isapi_redirect.log file: Looks like some sort of authentication is being
> passed, then the ajp13 is not found?
>
> [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c
> (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70
> addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT
> user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll
>
> [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c
> (3120): Service request headers=5 attributes=9 chunked=no
> content-length=0 available=0
>
> [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116):
> did not find a worker ajp13
> [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c
> (2162): could not get a worker for name ajp13
> [Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
> (2210): could not get a worker for name ajp13

Hard to tell without knowing the version of the isapi redirector, not 
having your configuration. This looks like:

- it is trying to use a worker named ajp13 to connect to Tomcat. Likely
you have configured the redirector to use this worker within your 
uriworkermap.properties file

- the redirector doesn't know how to use this worker. Either you are 
missing the workers.properties configuration file or there is no 
definition for a worker named ajp13 in the file.

A good starting point for a workers.properties file is the example file 
contained in the source distribution of version 1.2.30. Please do also 
use this version of the redirector.

Note: from the point of view of Tomcat it doesn't really matter whether 
you are talking http or https in the browser. This protocol is only used 
between the browser and IIS. Between IIS and Tomcat when using the isapi 
redirector the protocol is always AJP13 (it is just coincidence, that 
this is the same name as the name of the worker in your logs). The 
protocol is similar to HTTP but binary and it transports the information 
whether the browser used http or https, so Tomcat is aware of this. This 
protocol does not use the http or https connectors in server.xml, only 
the AJP13 connector.

> Here is the meat of my server.xml (pretty sure it's wrong):
>
> <!-- A "Connector" represents an endpoint by which requests are received
> and responses are returned. Documentation at :
> Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
> Java AJP Connector: /docs/config/ajp.html
> APR (HTTP/AJP) Connector: /docs/apr.html
> Define a non-SSL HTTP/1.1 Connector on port 8080
> -->
> <Connector port="8080" protocol="HTTP/1.1"
> connectionTimeout="20000"
> redirectPort="80" />
> <!-- A "Connector" using the shared thread pool-->
>
> <Connector executor="tomcatThreadPool"
> port="8009" protocol="HTTP/1.1"
> connectionTimeout="20000"
> redirectPort="443" />
>
> <!-- Define a SSL HTTP/1.1 Connector on port 8443
> This connector uses the JSSE configuration, when using APR, the
> connector should be using the OpenSSL style configuration
> described in the APR documentation -->
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLSv1"
> keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat
> 6.0\conf\cert.pfx"
> keystorePass="mypassword"
> keystoreType="pkcs12" />
>
> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Two connectors, both on port 8009, will not work. Use the latter one.

Regards,

Rainer
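
Added example (not part of the thread and not Tomcat project code): a small Python check for the two problems diagnosed in the reply above, a uriworkermap.properties entry pointing at a worker that workers.properties never lists, and two connectors sharing port 8009. All file contents are constructed samples modelled on the thread; the /geoportal mappings and the worker host/port values are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample inputs modelled on the thread (not the poster's real files).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="80" />
  <Connector executor="tomcatThreadPool" port="8009" protocol="HTTP/1.1" redirectPort="443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""
SERVER_XML_FIXED = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""
WORKERS_MISSING = "# worker.list is empty, so no ajp13 worker exists\nworker.list=\n"
WORKERS_OK = """worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
"""
URIMAP = "/geoportal=ajp13\n/geoportal/*=ajp13\n"  # assumed mapping


def parse_props(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props.append((key.strip(), value.strip()))
    return props


def check(server_xml, workers_text, urimap_text):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    workers = parse_props(workers_text)
    # worker.list may appear several times and holds comma-separated names.
    listed = {n.strip() for k, v in workers if k == "worker.list"
              for n in v.split(",") if n.strip()}
    settings = dict(workers)
    connectors = [(c.get("port"), c.get("protocol", "HTTP/1.1"))
                  for c in ET.fromstring(server_xml).iter("Connector")]
    # Two connectors cannot bind the same port.
    for port, count in Counter(p for p, _ in connectors).items():
        if count > 1:
            findings.append(f"port {port} is claimed by {count} connectors")
    ajp_ports = {p for p, proto in connectors if proto.startswith("AJP")}
    # Every worker named in a URI mapping must be listed for the redirector.
    mapped = {v.split(";")[0].strip() for _, v in parse_props(urimap_text)}
    for name in sorted(mapped):
        if name not in listed:
            findings.append(f"worker {name} is mapped but not in worker.list")
            continue
        port = settings.get(f"worker.{name}.port", "8009")  # 8009 is the ajp13 default
        if port not in ajp_ports:
            findings.append(f"worker {name} targets port {port}, no AJP connector there")
    return findings


if __name__ == "__main__":
    for finding in check(SERVER_XML, WORKERS_MISSING, URIMAP):
        print(finding)
```
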
