RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-10 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Significant would mean that I notice how slow the page loads (painfully - 10
to 20 times longer) compared to hitting the web application on 8080.

I had ServletExec AS running on our server and did not experience these
issues. We are required to use Single Sign On when accessing web
applications from our secure web server. Has anyone successfully configured
Tomcat-IIS that is using a secure web server?

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Monday, August 09, 2010 6:30 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
 Chuck,
 I was able to get everything working on my end. There is a 
 *significant* performance decrease when running my application through 
 IIS and Tomcat using the isapi_redirect.dll, as opposed to port 8080.
 
No way to know what you mean by significant, but from the tone of it I guess
you mean humanly perceptible.  In that case, it is not normal.  The
overhead introduced by isapi_redirect itself may be in the order of the
millisecond.

Are you sure that the extra delay is not due to something happening in IIS,
like the user authentication e.g. ?


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-09 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Rainer,
I've gone through the install of 6.0.28, I can successfully launch my webapp
from localhost. When I try accessing using the AJP/1.3, I am getting
HTTP:404 errors The page cannot be found. I have not seen error messages
in my isapi_redirect.log, any help would be great. Seems as though the
application is not even being seen as a valid URL when trying to hit on port
8009, even though it's listening.

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Friday, August 06, 2010 2:39 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Just in case you didn't yet realize: the changelog is public:

http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

6.0.29 has only 5 changes that were relevant for the changelog. Three of
them link to an issue that can be viewed publicly, one is a pure
enhancement, and the one fix without a link to bugzilla doesn't even have an
issue link, because it wasn't observed as a problem in the wild. 
It is not too hard to check the three issue links to get a better basis for
your decision of using 6.0.28 instead of 6.0.29 and to recognize faster in
case you run into one of the few fixed problems.

Regards,

Rainer

On 06.08.2010 17:56, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
 Chuck,
 Besides the latest version, is there one that you recommend?

 -Original Message-
 From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
 Sent: Friday, August 06, 2010 11:50 AM
 To: Tomcat Users List
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 Well good news, 6.0.28 was JUST approved...WooHOO!!!

 There was one regression in 6.0.28 that you should be aware of:
 https://issues.apache.org/bugzilla/show_bug.cgi?id=49598

 Its existence prompted the rapid release of 6.0.29, where the problem 
 is fixed.

   - Chuck



RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-09 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Chuck,
I was able to get everything working on my end. There is a *significant*
performance decrease when running my application through IIS and Tomcat
using the isapi_redirect.dll, as opposed to port 8080. 

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Friday, August 06, 2010 11:50 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 Well good news, 6.0.28 was JUST approved...WooHOO!!!

There was one regression in 6.0.28 that you should be aware of:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49598

Its existence prompted the rapid release of 6.0.29, where the problem is
fixed.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.




Re: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-09 Thread André Warnier

Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:

Chuck,
I was able to get everything working on my end. There is a *significant*
performance decrease when running my application through IIS and Tomcat
using the isapi_redirect.dll, as opposed to port 8080. 

No way to know what you mean by significant, but from the tone of it I guess you mean 
humanly perceptible.  In that case, it is not normal.  The overhead introduced by 
isapi_redirect itself may be in the order of the millisecond.


Are you sure that the extra delay is not due to something happening in IIS, like the user 
authentication e.g. ?






RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Andre, 
Thanks for all of the help and literature. When I tried to launch my
application today, I'm getting a 404 error. At this point I am going to
uninstall, per your recommendation and reinstall. Question for you: Would it
be better to install the 32-bit if our IIS is running as 32-bit? I did this
with the isapi_redirect.dll 

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Thursday, August 05, 2010 5:36 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
 Charles,
 I was just putting that protocol in there to prevent the 8080 from 
 being hit, I've actually commented it out. I got this server.xml file 
 from the install (Note:that not everything is on here). I can load my 
 webapp now, but the page takes a little while to load using the 
 isapi_redirect.dll (which I was referring to below as the redirect 
 file...sorry my in head language)
 
I believe that at this point, you may want to :

a) save your web application somewhere else; also save the isapi
configuration files if they are located under the Tomcat installation
directory. (*)
b) de-install the Tomcat you have, and remove all its files (and especially
the logfiles)
c) download a new Tomcat from the Tomcat website, and re-install it

Then restore your application under (tomcat_install_dir)/webapps.

All the above will take only 5 minutes, and you will at least have a clean
Tomcat.


Then try it, both directly using HTTP to port 8080, and through IIS and
isapi_redirect using whatever SSL port you use for that.

With the part under IIS (including isapi_redirect) apparently being fine (as
shown before by your previous logs), the downloaded Tomcat should work out
of the box, through IIS and all.

THEN, when you have verified that the above is working, comment out all
Connector tags you do not want, except the one for the AJP Connector on
port 8009, and restart Tomcat.

And check the Tomcat logfiles if you have any problem.

Apart from the ones which Chuck mentioned earlier, your pasted server.xml
had a couple of additional mistakes which make it really hard for us to
figure out what is really going on.  (Or it was your cut and paste which was
not accurate, but anyway we can't follow what's happening on the base of
inaccurate information).

In any case, with a correct configuration, the difference in access time
between a direct access to Tomcat via HTTP port 8080, and an indirect access
through IIS and isapi_redirector, should be so small as to be humanly
indistinguishable.
(We are talking 1 millisecond or so).

Unless it is IIS which for some reason is introducing the delay.


(*) This by the way would be illogical, as these files belong really to IIS
and its add-on module isapi_redirect.dll, and not to Tomcat.
The only part of Tomcat which plays a role here, is the AJP Connector on
port 8009.
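
The end state André describes above (every Connector commented out except AJP on port 8009, with the redirector's worker pointing at that port) can be checked mechanically. This is an added example, not code from the thread or from the Tomcat project; the sample `server.xml` is constructed from the connectors quoted in the thread, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connectors quoted in the thread:
# 8080 is commented out, 8443 is still enabled, 8009 is the AJP connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" /> -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# workers.properties exactly as posted in the thread.
SAMPLE_WORKERS = """worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
"""


def enabled_connectors(server_xml):
    """Return (port, protocol) for every Connector that is not commented out.

    ElementTree drops XML comments while parsing, so a commented-out
    <Connector> never shows up here.
    """
    root = ET.fromstring(server_xml)
    return [(int(c.get("port")), c.get("protocol", "HTTP/1.1"))
            for c in root.iter("Connector")]


def parse_workers(text):
    """Return {worker name: (host, port)} for the workers named in worker.list."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    names = [n.strip() for n in props.get("worker.list", "").split(",") if n.strip()]
    # mod_jk defaults for an ajp13 worker: host localhost, port 8009.
    return {n: (props.get(f"worker.{n}.host", "localhost"),
                int(props.get(f"worker.{n}.port", "8009")))
            for n in names}


def audit(server_xml, workers_text):
    """List deviations from 'only the AJP connector is enabled and workers reach it'."""
    connectors = enabled_connectors(server_xml)
    ajp_ports = {port for port, proto in connectors if "ajp" in proto.lower()}
    findings = []
    for port, proto in connectors:
        if port not in ajp_ports:
            findings.append(f"connector {port} ({proto}) is still enabled")
    for name, (host, port) in parse_workers(workers_text).items():
        if port not in ajp_ports:
            findings.append(
                f"worker {name} targets {host}:{port} but no AJP connector listens there")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_XML, SAMPLE_WORKERS):
        print(finding)
```
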



RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Caldarale, Charles R
 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 Would it be better to install the 32-bit if our IIS 
 is running as 32-bit?

Other than the optional APR connector and service wrapper, Tomcat is pure Java 
and uses the TCP/IP stack to communicate with IIS, so it doesn't matter which 
you use with IIS.  What does matter is that you install the same modes of 
APR and service wrapper as the mode of the JVM you have.  So if you're using a 
64-bit JVM, you must use the 64-bit version of Tomcat.  Likewise, if you have a 
32-bit JVM, you must use the 32-bit version of Tomcat.

 - Chuck





RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Chuck,
I am going to install version 6.0.18, are there preferred versions of JVM
you recommend, or is the latest and greatest sufficient? Thanks again for
your help. 

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Friday, August 06, 2010 11:07 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 Would it be better to install the 32-bit if our IIS is running as 
 32-bit?

Other than the optional APR connector and service wrapper, Tomcat is pure
Java and uses the TCP/IP stack to communicate with IIS, so it doesn't matter
which you use with IIS.  What does matter is that you install the same
modes of APR and service wrapper as the mode of the JVM you have.  So if
you're using a 64-bit JVM, you must use the 64-bit version of Tomcat.
Likewise, if you have a 32-bit JVM, you must use the 32-bit version of
Tomcat.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Caldarale, Charles R
 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 I am going to install version 6.0.18

Much better to use 6.0.29 - stay current.

 are there preferred versions of JVM you recommend

6u21b07 (the latest) seems to be fine.

 - Chuck





RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Well I'd like to but 6.0.18 is the most recent version approved on our
network. I installed the 6.0.18 version by running the .exe from the
Archive. 

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Friday, August 06, 2010 11:14 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 I am going to install version 6.0.18

Much better to use 6.0.29 - stay current.

 are there preferred versions of JVM you recommend

6u21b07 (the latest) seems to be fine.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Caldarale, Charles R
 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 Well I'd like to but 6.0.18 is the most recent version 
 approved on our network.

You might want the powers that be to review the fixes that have gone in over 
the last two years - including some significant security-related ones.  6.0.18 
is rather sadly out of date.

 - Chuck





RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Propes, Barry L
I had this same issue at my workplace, and was actually able to strong arm them 
and force them to let me use 6.0.26! : )

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Friday, August 06, 2010 10:40 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 Well I'd like to but 6.0.18 is the most recent version approved on our
 network.

You might want the powers that be to review the fixes that have gone in over 
the last two years - including some significant security-related ones.  6.0.18 
is rather sadly out of date.

 - Chuck





RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Well good news, 6.0.28 was JUST approved...WooHOO!!! 

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Friday, August 06, 2010 11:40 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 Well I'd like to but 6.0.18 is the most recent version approved on our 
 network.

You might want the powers that be to review the fixes that have gone in over
the last two years - including some significant security-related ones.
6.0.18 is rather sadly out of date.

 - Chuck




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Caldarale, Charles R
 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 Well good news, 6.0.28 was JUST approved...WooHOO!!!

There was one regression in 6.0.28 that you should be aware of:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49598

Its existence prompted the rapid release of 6.0.29, where the problem is fixed.

 - Chuck





RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Propes, Barry L
Alright!

-Original Message-
From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
[mailto:jason.t.hansel@navy.mil]
Sent: Friday, August 06, 2010 10:45 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Well good news, 6.0.28 was JUST approved...WooHOO!!!

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Friday, August 06, 2010 11:40 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 Well I'd like to but 6.0.18 is the most recent version approved on our
 network.

You might want the powers that be to review the fixes that have gone in over 
the last two years - including some significant security-related ones.
6.0.18 is rather sadly out of date.

 - Chuck





RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Chuck,
Besides the latest version, is there one that you recommend? 

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Friday, August 06, 2010 11:50 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 Well good news, 6.0.28 was JUST approved...WooHOO!!!

There was one regression in 6.0.28 that you should be aware of:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49598

Its existence prompted the rapid release of 6.0.29, where the problem is
fixed.

 - Chuck




Re: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Pid *
On 6 Aug 2010, at 16:56, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC,
55E00 jason.t.hansel@navy.mil wrote:

 Chuck,
 Besides the latest version, is there one that you recommend?

You want Chuck to recommend a version that has *less* bug fixes than
the most recent two?


p


 -Original Message-
 From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
 Sent: Friday, August 06, 2010 11:50 AM
 To: Tomcat Users List
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 Well good news, 6.0.28 was JUST approved...WooHOO!!!

 There was one regression in 6.0.28 that you should be aware of:
 https://issues.apache.org/bugzilla/show_bug.cgi?id=49598

 Its existence prompted the rapid release of 6.0.29, where the problem is
 fixed.

 - Chuck





RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Caldarale, Charles R
 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 Besides the latest version, is there one that you recommend?

Not really.  Many other fixes are in 6.0.28; whether or not the one regression 
is important to you depends on what your webapp code is doing.

 - Chuck





RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Cool, thanks Chuck. I need to provide justification to the powers that be. 

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Friday, August 06, 2010 12:19 PM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 Besides the latest version, is there one that you recommend?

Not really.  Many other fixes are in 6.0.28; whether or not the one
regression is important to you depends on what your webapp code is doing.

 - Chuck




Re: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-06 Thread Rainer Jung

Just in case you didn't yet realize: the changelog is public:

http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

6.0.29 has only 5 changes that were relevant for the changelog. Three of 
them link to an issue that can be viewed publicly, one is a pure 
enhancement, and the one fix without a link to bugzilla doesn't even 
have an issue link, because it wasn't observed as a problem in the wild. 
It is not too hard to check the three issue links to get a better basis 
for your decision of using 6.0.28 instead of 6.0.29 and to recognize 
faster in case you run into one of the few fixed problems.


Regards,

Rainer

On 06.08.2010 17:56, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:

Chuck,
Besides the latest version, is there one that you recommend?

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Friday, August 06, 2010 11:50 AM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL


From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
[mailto:jason.t.hansel@navy.mil]
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

Well good news, 6.0.28 was JUST approved...WooHOO!!!


There was one regression in 6.0.28 that you should be aware of:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49598

Its existence prompted the rapid release of 6.0.29, where the problem is
fixed.

  - Chuck





RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-05 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
] jk_ajp_common.c (1585):
(worker1) connecting to backend failed. Tomcat is probably not started or is
listening on the wrong port (errno=61)
[Thu Aug 05 09:12:52.311 2010] [10216:8452] [info] jk_ajp_common.c (2540):
(worker1) sending request to tomcat failed (recoverable), because of error
during request sending (attempt=2)
[Thu Aug 05 09:12:52.327 2010] [10216:8452] [error] jk_ajp_common.c (2559):
(worker1) connecting to tomcat failed.
[Thu Aug 05 09:12:52.342 2010] [10216:8452] [error] jk_isapi_plugin.c
(2195): service() failed with http error 503
[Thu Aug 05 09:12:52.374 2010] [10216:8452] [debug] jk_ajp_common.c (757):
(worker1) resetting endpoint with sd = 4294967295 (socket shutdown)
[Thu Aug 05 09:12:52.389 2010] [10216:8452] [debug] jk_ajp_common.c (3010):
recycling connection pool slot=0 for worker worker1 

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Thursday, August 05, 2010 4:13 AM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

See below

On 04.08.2010 22:17, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
 Rainer,
 Do you have a suggestion? Do I need to change my worker.properties? 
 Sorry, I'm new to Tomcat, I appreciate your help.

 -Original Message-
 From: Rainer Jung [mailto:rainer.j...@kippdata.de]
 Sent: Wednesday, August 04, 2010 4:09 PM
 To: Tomcat Users List
 Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

 On 04.08.2010 21:50, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
wrote:
 I did read your post and I changed the Port Number.

 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
 This connector should be used depending on your redirector config 
 which we haven't seen yet

 Here is my workers.properties:

 worker.list=worker1
 worker.worker1.type=ajp13
 worker.worker1.host=127.0.0.1
 worker.worker1.port=8009

 Here is my uriworkermap.properties:

 /geoportal|/*=worker1

 This didn't work, since the log snippet said it tried to use a worker 
 named ajp13, not worker1.

This = uriworkermap.properties.

So what did you do to let IIS find your uriworkermap.properties?
Can we be sure that works? Does your redirector debug log file indicate

- that it finds and reads the right uriworkermap.properties file
- that it finds the right map in there and thus tries to use a worker named
worker1
- is your request URL actually starting with /geoportal/ or equal to
geoportal? What is the URL you are testing with?

Regards,

Rainer

 -Original Message-
 From: Rainer Jung [mailto:rainer.j...@kippdata.de]
 Sent: Wednesday, August 04, 2010 3:40 PM
 To: Tomcat Users List
 Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

 On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
 wrote:
 Jung,
 I'm still getting the errors.

 Why shouldn't you?
 Did you actually read my post?
 Which parts didn't you understand?

 Connector port=8080 protocol=Java HTTP   What protocol should I
 use
 here (do not want to expose)
   connectionTimeout=2
   redirectPort=80 /

 This connector is *not* involved when using

 Browser -   IIS/Redirector -   Tomcat

Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true
 -Does this look right?
   maxThreads=150 scheme=https secure=true
   clientAuth=false sslProtocol=TLSv1
keystoreFile=C:\Program Files (x86)\Apache
 Software
 Foundation\Tomcat 6.0\conf\cert.pfx
   keystorePass=password
keystoreType=pkcs12 /

 This one neither.

 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
 -Is this where my actual authentication is taking place?
 This connector should be used depending on your redirector config 
 which we haven't seen yet.

 The error message you provided doesn't have to do with authentication.
 Authentication problems might show up after you solved your worker 
 configuration problem. Until now your IIS doesn't even talk to Tomcat.

 Regards,

 Rainer


 -Original Message-
 From: Rainer Jung [mailto:rainer.j...@kippdata.de]
 Sent: Wednesday, August 04, 2010 1:38 PM
 To: Tomcat Users List
 Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

 On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 
 55E00
 wrote:


 I am trying to get Tomcat and IIS configured on my secure web 
 server
 (SSL) so that I can access my deployed web application via https 
 and NOT over http. Connection to non-SSL works, but I cannot have 
 that connection due to security.

 I want to run Tomcat through IIS, and I have configured it using 
 the isapi_redirect.dll (thanks to Electronjockey). However, when I try
 and hit my https://site/geoportal my
 credentials do not carry me through to the web application, instead 
 I receive Internet Explorer Cannot Display Webpage. Can someone 
 help me out on how to configure my server.xml and interpreting my 
 log files
 please?
 I have even tried to export my server certificate

Re: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-05 Thread Rainer Jung

See inline

On 05.08.2010 15:15, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:

Rainer,
Thanks again for being patient with me. I've seen some different behavior
this morning. When I am trying to access my page, I get Service Temporary
Unavailable, which is better than what I was receiving.

[Thu Aug 05 09:12:49.655 2010] [10216:8452] [debug] jk_uri_worker_map.c
(1036): Attempting to map URI '/geoweb1b.eims.local/geoportal' from 2 maps
[Thu Aug 05 09:12:49.686 2010] [10216:8452] [debug] jk_uri_worker_map.c
(850): Attempting to map context URI '/geoportal/*=worker1' source
'uriworkermap'
[Thu Aug 05 09:12:49.702 2010] [10216:8452] [debug] jk_uri_worker_map.c
(850): Attempting to map context URI '/geoportal=worker1' source
'uriworkermap'
[Thu Aug 05 09:12:49.733 2010] [10216:8452] [debug] jk_uri_worker_map.c
(850): Attempting to map context URI '/geoportal/*=worker1' source
'uriworkermap'
[Thu Aug 05 09:12:49.749 2010] [10216:8452] [debug] jk_uri_worker_map.c
(850): Attempting to map context URI '/geoportal=worker1' source
'uriworkermap'
[Thu Aug 05 09:12:49.764 2010] [10216:8452] [debug] jk_uri_worker_map.c
(873): Found an exact match '/geoportal=worker1'


OK, uriworkermap.properties worked, it found a match and wants to use the 
worker named worker1.



[Thu Aug 05 09:12:49.780 2010] [10216:8452] [debug] jk_isapi_plugin.c
(1916): check if [/geoportal] points to the web-inf directory
[Thu Aug 05 09:12:49.795 2010] [10216:8452] [debug] jk_isapi_plugin.c
(1932): [/geoportal] is a servlet url - should redirect to worker1
[Thu Aug 05 09:12:49.811 2010] [10216:8452] [debug] jk_isapi_plugin.c
(1972): fowarding escaped URI [/geoportal]
[Thu Aug 05 09:12:49.827 2010] [10216:8452] [debug] jk_worker.c (339):
Maintaining worker worker1
[Thu Aug 05 09:12:49.842 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2792): Reading extension header HTTP_TOMCATWORKER6A6B: worker1
[Thu Aug 05 09:12:49.858 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2793): Reading extension header HTTP_TOMCATWORKERIDX6A6B: 1
[Thu Aug 05 09:12:49.889 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2794): Reading extension header HTTP_TOMCATURI6A6B: /geoportal
[Thu Aug 05 09:12:49.905 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2795): Reading extension header HTTP_TOMCATQUERY6A6B: (null)
[Thu Aug 05 09:12:49.920 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2850): Applying service extensions
[Thu Aug 05 09:12:49.936 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2930): Client Certificate encoding:1 sz:1022 flags:1
[Thu Aug 05 09:12:49.952 2010] [10216:8452] [debug] jk_isapi_plugin.c
(3108): Service protocol=HTTP/1.1 method=GET host=150.xxx.xx.xx
addr=150.xxx.xx.xx name=myserver.server.local port=443 auth=SSL/PCT
user=EIMS\john.doe uri=/geoportal
[Thu Aug 05 09:12:49.967 2010] [10216:8452] [debug] jk_isapi_plugin.c
(3120): Service request headers=8 attributes=9 chunked=no content-length=0
available=0
[Thu Aug 05 09:12:49.983 2010] [10216:8452] [debug] jk_worker.c (116): found
a worker worker1
[Thu Aug 05 09:12:49.999 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2162): got a worker for name worker1
[Thu Aug 05 09:12:50.030 2010] [10216:8452] [debug] jk_ajp_common.c (3093):
acquired connection pool slot=0 after 0 retries
[Thu Aug 05 09:12:50.045 2010] [10216:8452] [debug] jk_ajp_common.c (605):
ajp marshaling done
[Thu Aug 05 09:12:50.061 2010] [10216:8452] [debug] jk_ajp_common.c (2376):
processing worker1 with 2 retries
[Thu Aug 05 09:12:50.077 2010] [10216:8452] [debug] jk_ajp_common.c (1579):
(worker1) all endpoints are disconnected.
[Thu Aug 05 09:12:50.092 2010] [10216:8452] [debug] jk_connect.c (480):
socket TCP_NODELAY set to On
[Thu Aug 05 09:12:50.108 2010] [10216:8452] [debug] jk_connect.c (604):
trying to connect socket 712 to 127.0.0.1:8009


Here it tries to open a new connection to the address 127.0.0.1 and port 
8009 (as configured for the worker named worker1 in workers.properties).



[Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_connect.c (622):
connect to 127.0.0.1:8009 failed (errno=61)


It fails to open a TCP connection. Error is 61, which means winsock 
10061, which is Connection refused.


So either your Tomcat isn't started or not listening on port 8009 on 
localhost, or something else (Firewall etc.) blocks access to that port.


Check whether you can see Tomcat listening on 8009 using netstat -ano. 
You should see *:8009 in status LISTEN and the pid would be the 
process ID of your Tomcat Java process. If it is there, you can try 
whether you can connect to that port using telnet. As long as you can't 
connect, the redirector can't either.


If Tomcat is running on some other system, you need to adjust 
worker.worker1.host in workers.properties accordingly.



[Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_ajp_common.c (959):
Failed opening socket to (127.0.0.1:8009) (errno=61)
[Thu Aug 05 09:12:51.092 2010] [10216:8452] [error] jk_ajp_common.c (1585):
(worker1) connecting to backend 

Re: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-05 Thread André Warnier

Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:

Rainer,
Thanks again for being patient with me. I've seen some different behavior
this morning. When I am trying to access my page, I get Service Temporary
Unavailable, which is better than what I was receiving.


Yes, that looks good, from the point of view of IIS and isapi_redirect.
Unfortunately, there does not seem to be a Tomcat listening on AJP port 8009.
Can you run the following command in a command window on the server and paste the result 
here :


netstat -anob -p tcp

Thanks





Re: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-05 Thread André Warnier

Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
Tomcat is not listening on Port 8009 using the AJP/1.3 protocol. 
I can change this line of code (just did it as a test) to reference port
8009 and I can see it's listening, however this is not the protocol I am
wanting.

  Connector port=8009 protocol=HTTP/1.1 
   connectionTimeout=2 
   redirectPort=443 /


No, you don't want to do that. Leave that one to the port 8080 or so like it was before 
(or totally delete/comment it if you do not want Tomcat to offer a HTTP interface).




I have the isapi_redirect.dll deployed under 'Default' Websites in IIS with
a Green Arrow. I used the 32-bit because we are running 32-bit as 64-bit.

Seems that this connector is not even being read:

!-- Define an AJP 1.3 Connector on port 8009 --
Connector port=8009 protocol=AJP/1.3 redirectPort=8443 /



Verify :
1) that this Connector tag is not somehow being commented-out.
2) that in server.xml, it is located between the Service name=Catalina tag, and the 
tag Engine name=Catalina defaultHost=localhost

(If it is in the wrong section, it will be ignored).

Then restart Tomcat and try the netstat command again.
If it now shows Tomcat listening on port 8009, then try to access it again 
through IIS.

I also suggest that when you start Tomcat, you have a look at its logfiles, to see if any 
bad-looking message shows up.


It may be easier to stop Tomcat, delete all the logfiles in (tomcat_dir)/logs, then start 
Tomcat again.








RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-05 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Andre,
I created a folder within the Tomcat 6.0 directory called 'connector'. That
is where all of my redirect files are located.

Here is my server.xml 
Service name=Catalina
  
!--The connectors can use a shared executor, you can define one or more
named thread pools--
!--
Executor name=tomcatThreadPool namePrefix=catalina-exec- 
maxThreads=150 minSpareThreads=4/
--


!-- A Connector represents an endpoint by which requests are received
 and responses are returned. Documentation at :
 Java HTTP Connector: /docs/config/http.html (blocking 
non-blocking)
 Java AJP  Connector: /docs/config/ajp.html
 APR (HTTP/AJP) Connector: /docs/apr.html
 Define a non-SSL HTTP/1.1 Connector on port 8080
--

Connector port=8080 protocol=Java HTTP 
   connectionTimeout=2 
   redirectPort=80 /

!-- A Connector using the shared thread pool--

!-- Connector executor=tomcatThreadPool
   port=8443 protocol=HTTP/1.1 
   connectionTimeout=2 
   redirectPort=443 / --
   
!-- Define a SSL HTTP/1.1 Connector on port 8443
 This connector uses the JSSE configuration, when using APR, the 
 connector should be using the OpenSSL style configuration
 described in the APR documentation --

Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true
   maxThreads=150 scheme=https secure=true
   clientAuth=false sslProtocol=TLSv1

!-- Define an AJP 1.3 Connector on port 8009 --

Connector port=8009 protocol=AJP/1.3 redirectPort=443 /


!-- An Engine represents the entry point (within Catalina) that
processes
 every request.  The Engine implementation for Tomcat stand alone
 analyzes the HTTP headers included with the request, and passes
them
 on to the appropriate Host (virtual host).
 Documentation at /docs/config/engine.html --

!-- You should set jvmRoute to support load-balancing via AJP ie :
Engine name=Standalone defaultHost=localhost jvmRoute=jvm1

-- 
Engine name=Catalina defaultHost=localhost

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Thursday, August 05, 2010 11:44 AM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
 Tomcat is not listening on Port 8009 using the AJP/1.3 protocol. 
 I can change this line of code (just did it as a test) to reference 
 port
 8009 and I can see it's listening, however this Is not the protocol I 
 am wanting.
 
   Connector port=8009 protocol=HTTP/1.1 
connectionTimeout=2 
redirectPort=443 /

No, you don't want to do that. Leave that one to the port 8080 or so like it
was before (or totally delete/comment it if you do not want Tomcat to offer
a HTTP interface).

 
 I have the isapi_redirect.dll deployed under 'Default' Websites in IIS 
 with a Green Arrow. I used the 32-bit because we are running 32-bit as
64-bit.
 
 Seems that this connector is not even being read:
 
 !-- Define an AJP 1.3 Connector on port 8009 --
 Connector port=8009 protocol=AJP/1.3 redirectPort=8443 /
 

Verify :
1) that this Connector tag is not somehow being commented-out.
2) that in server.xml, it is located between the Service name=Catalina
tag, and the 
tag Engine name=Catalina defaultHost=localhost
(If it is in the wrong section, it will be ignored).

Then restart Tomcat and try the netstat command again.
If it now shows Tomcat listening on port 8009, then try to access it again
through IIS.

I also suggest that when you start Tomcat, you have a look at its logfiles,
to see if any bad-looking message shows up.

It may be easier to stop Tomcat, delete all the logfiles in
(tomcat_dir)/logs, then start Tomcat again.






RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-05 Thread Caldarale, Charles R
 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 I created a folder within the Tomcat 6.0 directory called 
 'connector'.  That is where all of my redirect files are
 located.

For curiosity's sake, what are you referring to with the term redirect file?

 Connector port=8080 protocol=Java HTTP
connectionTimeout=2
redirectPort=80 /

 Exactly what did you have in mind with that value for the protocol 
attribute?  Do you see it anywhere in the Tomcat documentation?

 Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true
maxThreads=150 scheme=https secure=true
clientAuth=false sslProtocol=TLSv1

And right here you have a problem - badly formed XML.  You might want to syntax 
check your server.xml, since it looks really broken from here.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-05 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Rainer,
Good news amigo, I am connecting to my web application. Looks like the
uncommented SSL section was causing my isapi_redirect.dll to not work. The
one thing I have noticed though is that it's kind of slow, any pointers
w/respect to speed? 

Thanks man.

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Thursday, August 05, 2010 10:31 AM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

See inline

On 05.08.2010 15:15, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
 Rainer,
 Thanks again for being patient with me. I've seen some different 
 behavior this morning. When I am trying to access my page, I get 
 Service Temporary Unavailable, which is better than what I was
receiving.

 [Thu Aug 05 09:12:49.655 2010] [10216:8452] [debug] 
 jk_uri_worker_map.c
 (1036): Attempting to map URI '/geoweb1b.eims.local/geoportal' from 2 
 maps [Thu Aug 05 09:12:49.686 2010] [10216:8452] [debug] 
 jk_uri_worker_map.c
 (850): Attempting to map context URI '/geoportal/*=worker1' source 
 'uriworkermap'
 [Thu Aug 05 09:12:49.702 2010] [10216:8452] [debug] 
 jk_uri_worker_map.c
 (850): Attempting to map context URI '/geoportal=worker1' source 
 'uriworkermap'
 [Thu Aug 05 09:12:49.733 2010] [10216:8452] [debug] 
 jk_uri_worker_map.c
 (850): Attempting to map context URI '/geoportal/*=worker1' source 
 'uriworkermap'
 [Thu Aug 05 09:12:49.749 2010] [10216:8452] [debug] 
 jk_uri_worker_map.c
 (850): Attempting to map context URI '/geoportal=worker1' source 
 'uriworkermap'
 [Thu Aug 05 09:12:49.764 2010] [10216:8452] [debug] 
 jk_uri_worker_map.c
 (873): Found an exact match '/geoportal=worker1'

OK, uriworkermap.properties worked, it found a match and wants to use the
worker named worker1.

 [Thu Aug 05 09:12:49.780 2010] [10216:8452] [debug] jk_isapi_plugin.c
 (1916): check if [/geoportal] points to the web-inf directory [Thu Aug 
 05 09:12:49.795 2010] [10216:8452] [debug] jk_isapi_plugin.c
 (1932): [/geoportal] is a servlet url - should redirect to worker1 
 [Thu Aug 05 09:12:49.811 2010] [10216:8452] [debug] jk_isapi_plugin.c
 (1972): fowarding escaped URI [/geoportal] [Thu Aug 05 09:12:49.827 
 2010] [10216:8452] [debug] jk_worker.c (339):
 Maintaining worker worker1
 [Thu Aug 05 09:12:49.842 2010] [10216:8452] [debug] jk_isapi_plugin.c
 (2792): Reading extension header HTTP_TOMCATWORKER6A6B: worker1 
 [Thu Aug 05 09:12:49.858 2010] [10216:8452] [debug] jk_isapi_plugin.c
 (2793): Reading extension header HTTP_TOMCATWORKERIDX6A6B: 1 [Thu 
 Aug 05 09:12:49.889 2010] [10216:8452] [debug] jk_isapi_plugin.c
 (2794): Reading extension header HTTP_TOMCATURI6A6B: /geoportal 
 [Thu Aug 05 09:12:49.905 2010] [10216:8452] [debug] jk_isapi_plugin.c
 (2795): Reading extension header HTTP_TOMCATQUERY6A6B: (null) [Thu 
 Aug 05 09:12:49.920 2010] [10216:8452] [debug] jk_isapi_plugin.c
 (2850): Applying service extensions
 [Thu Aug 05 09:12:49.936 2010] [10216:8452] [debug] jk_isapi_plugin.c
 (2930): Client Certificate encoding:1 sz:1022 flags:1 [Thu Aug 05 
 09:12:49.952 2010] [10216:8452] [debug] jk_isapi_plugin.c
 (3108): Service protocol=HTTP/1.1 method=GET host=150.xxx.xx.xx 
 addr=150.xxx.xx.xx name=myserver.server.local port=443 auth=SSL/PCT 
 user=EIMS\john.doe uri=/geoportal [Thu Aug 05 09:12:49.967 2010] 
 [10216:8452] [debug] jk_isapi_plugin.c
 (3120): Service request headers=8 attributes=9 chunked=no 
 content-length=0 available=0 [Thu Aug 05 09:12:49.983 2010] 
 [10216:8452] [debug] jk_worker.c (116): found a worker worker1 [Thu 
 Aug 05 09:12:49.999 2010] [10216:8452] [debug] jk_isapi_plugin.c
 (2162): got a worker for name worker1
 [Thu Aug 05 09:12:50.030 2010] [10216:8452] [debug] jk_ajp_common.c
(3093):
 acquired connection pool slot=0 after 0 retries [Thu Aug 05 
 09:12:50.045 2010] [10216:8452] [debug] jk_ajp_common.c (605):
 ajp marshaling done
 [Thu Aug 05 09:12:50.061 2010] [10216:8452] [debug] jk_ajp_common.c
(2376):
 processing worker1 with 2 retries
 [Thu Aug 05 09:12:50.077 2010] [10216:8452] [debug] jk_ajp_common.c
(1579):
 (worker1) all endpoints are disconnected.
 [Thu Aug 05 09:12:50.092 2010] [10216:8452] [debug] jk_connect.c (480):
 socket TCP_NODELAY set to On
 [Thu Aug 05 09:12:50.108 2010] [10216:8452] [debug] jk_connect.c (604):
 trying to connect socket 712 to 127.0.0.1:8009

Here it tries to open a new connection to the address 127.0.0.1 and port
8009 (as configured for the worker named worker1 in workers.properties).

 [Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_connect.c (622):
 connect to 127.0.0.1:8009 failed (errno=61)

It fails to open a TCP connection. Error is 61, which means winsock 10061,
which is Connection refused.

So either your Tomcat isn't started or not listening on port 8009 on
localhost, or something else (Firewall etc.) blocks access to that port.

Check whether you can see Tomcat listening on 8009 using netstat -ano. 
You should see *:8009 in status LISTEN and the pid would be the process ID

RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-05 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Charles,
I was just putting that protocol in there to prevent the 8080 from being
hit, I've actually commented it out. I got this server.xml file from the
install (Note:that not everything is on here). I can load my webapp now, but
the page takes a little while to load using the isapi_redirect.dll (which I
was referring to below as the redirect file...sorry my in head language) 

-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Thursday, August 05, 2010 3:45 PM
To: Tomcat Users List
Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL

 From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 
 [mailto:jason.t.hansel@navy.mil]
 Subject: RE: Tomcat 6.0.18/ IIS 6.0 /SSL
 
 I created a folder within the Tomcat 6.0 directory called 'connector'.  
 That is where all of my redirect files are located.

For curiosity's sake, what are you referring to with the term redirect
file?

 Connector port=8080 protocol=Java HTTP
connectionTimeout=2
redirectPort=80 /

 Exactly what did you have in mind with that value for the protocol
attribute?  Do you see it anywhere in the Tomcat documentation?

 Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true
maxThreads=150 scheme=https secure=true
clientAuth=false sslProtocol=TLSv1

And right here you have a problem - badly formed XML.  You might want to
syntax check your server.xml, since it looks really broken from here.

 - Chuck




Re: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-05 Thread André Warnier

Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:

Charles,
I was just putting that protocol in there to prevent the 8080 from being
hit, I've actually commented it out. I got this server.xml file from the
install (Note:that not everything is on here). I can load my webapp now, but
the page takes a little while to load using the isapi_redirect.dll (which I
was referring to below as the redirect file...sorry my in head language) 


I believe that at this point, you may want to :

a) save your web application somewhere else; also save the isapi configuration files if 
they are located under the Tomcat installation directory. (*)

b) de-install the Tomcat you have, and remove all its files (and specially the 
logfiles)
c) download a new Tomcat from the Tomcat website, and re-install it

Then restore your application under (tomcat_install_dir)/webapps.

All the above will take only 5 minutes, and you will at least have a clean 
Tomcat.


Then try it, both directly using HTTP to port 8080, and through IIS and isapi_redirect 
using whatever SSL port you use for that.


With the part under IIS (including isapi_redirect) apparently being fine (as shown before 
by your previous logs), the downloaded Tomcat should work out of the box, through IIS and all.


THEN, when you have verified that the above is working, comment out all Connector tags 
you do not want, except the one for the AJP Connector on port 8009, and restart Tomcat.


And check the Tomcat logfiles if you have any problem.

Apart from the ones which Chuck mentioned earlier, your pasted server.xml had a couple of 
additional mistakes which make it really hard for us to figure out what is really going 
on.  (Or it was your cut and paste which was not accurate, but anyway we can't follow 
what's happening on the base of inaccurate information).


In any case, with a correct configuration, the difference in access time between a direct 
access to Tomcat via HTTP port 8080, and an indirect access through IIS and 
isapi_redirector, should be so small as to be humanly indistinguishable.

(We are talking 1 millisecond or so).

Unless it is IIS which for some reason is introducing the delay.


(*) This by the way would be illogical, as these files belong really to IIS and its add-on 
module isapi_redirect.dll, and not to Tomcat.

The only part of Tomcat which plays a role here, is the AJP Connector on port 
8009.




Re: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-05 Thread André Warnier
Maybe to avoid further meandering in what should or should not work, here is a short 
tutorial of how all this stuff works.


At the end of the chain, you have a Tomcat Engine.  This engine processes HTTP requests 
which it receives in some internal Tomcat format.  The requests are processed by 
forwarding them to web applications within Tomcat, who process the request and generate 
a response.


On top of the Tomcat engine are sitting one or more Connector's.
Each of these Connector's is at the same time a TCP socket listening on some port, and a 
sophisticated translation engine.  Each Connector translates the requests received on its 
port, from the external communications protocol format used (e.g. HTTP or HTTPS or AJP) 
into the common internal Tomcat request format, and then passes it to the Tomcat engine.


Graphically, it looks like this :


Connector 1   Connector 2   Connector 3
   HTTP           AJP          HTTPS
        \          |          /
             Tomcat engine
        /          |          \
  webapp1       webapp2       webapp3

You can send a request (using the appropriate format) through any of the enabled 
Connector's.  For Tomcat in the end it does not matter.  It will send the response via the 
same Connector, which will perform the appropriate reverse translation according to its 
protocol.



Now imagine a front-end server, like IIS.
For reasons of your own, you want to send the request to IIS first, and would like IIS to 
determine if this request is to handle locally by itself, or to be forwarded to a back-end 
Tomcat, and to do that if needed.


That is where the IIS add-on module isapi_redirect comes into play.
IIS gives it the URL of a request just received.  isapi_redirect, in function of its 
configuration, decides if this request is for a back-end Tomcat or not.

(That is what uriworkermap helps in doing).
If it decides that this URL is not for Tomcat, it returns to IIS saying sorry, not for 
me, and IIS looks for other ways to satisfy this request.


If isapi_redirect decides that this request is for a back-end Tomcat, then it checks for 
which one.  For isapi_redirect, each back-end Tomcat to which it can redirect requests is 
called a worker. (In a simple case, there is only one.).

(Here is where the workers.properties settings matter)

When isapi_redirect has determined to which worker it should pass the request, it tries 
to set up a TCP channel with this worker (Tomcat), on a port which understands the AJP 
protocol (aka, an AJP Connector of that Tomcat).
If this does not work (because the worker is not configured properly or the corresponding 
Tomcat is simply not running), isapi_redirect will return an error to IIS.
If it works, then isapi_redirect encodes the request according to the requirements of the 
AJP protocol, and sends it to Tomcat through this TCP channel.

isapi_redirect then waits for the response, on the same TCP channel.
When it gets the response, it returns it to IIS, which returns it to the 
browser.

So the full graphic now looks like this :

                browser
                   |
        TCP channel (SSL/HTTPS)
                   |
                  IIS
                   |
           isapi_redirector
                   |
         TCP channel (non-SSL)
                   |
Connector 1   Connector 2   Connector 3
   HTTP           AJP          HTTPS
        \          |          /
             Tomcat engine
        /          |          \
  webapp1       webapp2       webapp3


Of course, Tomcat can deal with HTTPS all on its own, so you do not necessarily need an 
IIS in front for that.  You could also have the browsers use HTTPS to talk directly to Tomcat.

Then the configuration would be this :

                              browser
                                 |
                      TCP channel (SSL/HTTPS)
                                 |
Connector 1   Connector 2   Connector 3
   HTTP           AJP          HTTPS
        \          |          /
             Tomcat engine
        /          |          \
  webapp1       webapp2       webapp3

and as far as Tomcat is concerned, it will not make much difference (except that now the 
Tomcat HTTPS Connector will be doing more work, and the AJP Connector less work).


There are good reasons to use a front-end Apache httpd, or IIS, in front of 
Tomcat.
There are also bad reasons, such as a simple lack of information.
If your only reason to put IIS/isapi_redirect in front of Tomcat is to handle HTTPS 
connections, then it is not a very good reason, and it makes the setup more complicated 
than it could be.
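
Added example (not part of André's message or of the isapi_redirect project): the two failure points in the request path described above, a worker that is not defined and an AJP port that refuses the connection, are the ones the isapi_redirect.log excerpts in this thread show, and this sketch picks them out of such a log. The sample log is constructed from those excerpts, the function names and finding labels are hypothetical, and errno 61 is read as "connection refused" as stated earlier in the thread.

```python
import re

# Constructed sample, modelled on the isapi_redirect.log excerpts in this thread
# and still wrapped the way the mail client wrapped them.
SAMPLE_LOG = r"""
[Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c
(3108): Service protocol=HTTP/1.1 method=GET host=150.xxx.xx.xx
addr=150.xxx.xx.xx name=mywebsite port=443 auth=SSL/PCT
user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll
[Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
(2210): could not get a worker for name ajp13
[Thu Aug 05 09:12:49.952 2010] [10216:8452] [debug] jk_isapi_plugin.c
(3108): Service protocol=HTTP/1.1 method=GET host=150.xxx.xx.xx
addr=150.xxx.xx.xx name=myserver.server.local port=443 auth=SSL/PCT
user=EIMS\john.doe uri=/geoportal
[Thu Aug 05 09:12:50.108 2010] [10216:8452] [debug] jk_connect.c (604):
trying to connect socket 712 to 127.0.0.1:8009
[Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_connect.c (622):
connect to 127.0.0.1:8009 failed (errno=61)
"""

# A record starts with a "[Thu Aug 05 09:12:49.655 2010] " timestamp.
TS_START = re.compile(r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} [\d:.]+ \d{4}\] ")
RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+):(?P<tid>\d+)\] \[(?P<level>\w+)\] "
    r"(?P<src>\S+) \((?P<line>\d+)\): (?P<msg>.*)$")
SERVICE = re.compile(r"Service protocol=.*\bport=(?P<port>\d+) auth=(?P<auth>\S+) "
                     r"user=(?P<user>\S+) uri=(?P<uri>\S+)")
NO_WORKER = re.compile(r"could not get a worker for name (?P<worker>\S+)")
CONNECT_FAIL = re.compile(r"connect to (?P<host>[^:\s]+):(?P<port>\d+) failed "
                          r"\(errno=(?P<errno>\d+)\)")


def unwrap(text):
    """Re-join records that were wrapped across several lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records


def triage(text):
    """Return one finding per failure, tagged with the request that hit it."""
    last_request = {}  # (pid, tid) -> fields of the latest Service line
    findings = []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if m is None:
            continue
        thread, msg = (m["pid"], m["tid"]), m["msg"]
        svc = SERVICE.search(msg)
        if svc:
            last_request[thread] = svc.groupdict()
            continue
        req = last_request.get(thread, {})
        base = {"when": m["ts"], "uri": req.get("uri"), "user": req.get("user")}
        no_worker = NO_WORKER.search(msg)
        failed = CONNECT_FAIL.search(msg)
        if no_worker and m["level"] == "error":
            # The URI was mapped to a worker name that workers.properties lacks.
            findings.append({**base, "kind": "worker_not_defined",
                             "worker": no_worker["worker"],
                             "hint": "define this worker in workers.properties or "
                                     "map the URI to a worker that exists"})
        elif failed:
            # errno 61 is winsock 10061, connection refused (per the thread).
            refused = failed["errno"] == "61"
            findings.append({**base,
                             "kind": "backend_refused" if refused
                                     else "backend_connect_failed",
                             "host": failed["host"], "port": int(failed["port"]),
                             "hint": "check that Tomcat is started and its AJP "
                                     "Connector listens on this address and port"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["when"], f["kind"], f["uri"], "->", f["hint"])
```

Each finding carries the URI and the IIS-authenticated user from the preceding Service line on the same thread, so a refused backend can be tied to the request that triggered it.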





Re: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-04 Thread Rainer Jung

On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:



I am trying to get Tomcat and IIS configured on my secure web server
(SSL) so that I can access my deployed web application via https and NOT
over http. Connection to non-SSL works, but I cannot have that
connection due to security.

I want to run Tomcat through IIS, and I have configured it using the
isapi_redirect.dll (thanks to Electronjockey). However, when I try and
hit my https://site/geoportal my credentials do
not carry me through to the web application, instead I receive Internet
Explorer Cannot Display Webpage. Can someone help me out on how to
configure my server.xml and interpreting my log files please? I have
even tried to export my server certificate, and call it using the
keystore:, still not working. I'm a Tomcat green horn, any help would
be awesome.

Isapi_redirect.log file: Looks like some sort of authentication is being
passed, then the ajp13 is not found?

[Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c
(3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70
addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT
user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll

[Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c
(3120): Service request headers=5 attributes=9 chunked=no
content-length=0 available=0

[Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116):
did not find a worker ajp13
[Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c
(2162): could not get a worker for name ajp13
[Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
(2210): could not get a worker for name ajp13


Hard to tell without knowing the version of the isapi redirector, not 
having your configuration. This looks like:


- it is trying to use a worker named ajp13 to connect to Tomcat. Likely 
you have configured the redirector to use this worker within your 
uriworkermap.properties file


- the redirector doesn't know how to use this worker. Either you are 
missing the workers.properties configuration file or there is no 
definition for a worker named ajp13 in the file.


A good starting point for a workers.properties file is the example file 
contained in the source distribution of version 1.2.30. Please do also 
use this version of the redirector.


Note: from the point of view of Tomcat it doesn't really matter whether 
you are talking http or https in the browser. This protocol is only used 
between the browser and IIS. Between IIS and Tomcat when using the isapi 
redirector the protocol is always AJP13 (it is just coincidence, that 
this is the same name as the name of the worker in your logs). The 
protocol is similar to HTTP but binary and it transports the information 
whether the browser used http or https, so Tomcat is aware of this. This 
protocol does not use the http or https connectors in server.xml, only 
the AJP13 connector.



Here is the meat of my server.xml (pretty sure it's wrong):

!-- A Connector represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking  non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
--
Connector port=8080 protocol=HTTP/1.1
connectionTimeout=2
redirectPort=80 /
!-- A Connector using the shared thread pool--

Connector executor=tomcatThreadPool
port=8009 protocol=HTTP/1.1
connectionTimeout=2
redirectPort=443 /

!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation --

Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true
maxThreads=150 scheme=https secure=true
clientAuth=false sslProtocol=TLSv1
keystoreFile=C:\Program Files (x86)\Apache Software Foundation\Tomcat
6.0\conf\cert.pfx
keystorePass=mypassword
keystoreType=pkcs12 /

!-- Define an AJP 1.3 Connector on port 8009 --
Connector port=8009 protocol=AJP/1.3 redirectPort=8443 /


Two connectors, both on port 8009, will not work. Use the latter one.

Regards,

Rainer
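
Added example (not code from Rainer's message or from the Tomcat project): a small lint for the checks suggested in this thread, namely syntax-checking server.xml, confirming that the AJP Connector is active and sits directly under Service, and catching two Connectors on one port. The sample files are constructed from the fragments posted in the thread with angle brackets and quotes restored; the function name, the protocol heuristic and the note about the Connector's address attribute are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed samples: fragments posted in this thread, with the angle brackets
# and quotes that the list archive stripped put back, inside a minimal Server.
TWO_ON_8009 = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="Java HTTP" redirectPort="80" />
    <Connector executor="tomcatThreadPool" port="8009" protocol="HTTP/1.1"
               redirectPort="443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""
UNCLOSED_TAG = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
  </Service>
</Server>
"""
AJP_COMMENTED = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

KNOWN_PROTOCOLS = {"HTTP/1.1", "AJP/1.3"}
# Assumption of this example: any other value must look like a Java class name.
CLASS_NAME = re.compile(r"^[A-Za-z_][\w$]*(\.[A-Za-z_][\w$]*)+$")
COMMENTED_AJP = re.compile(r"<!--(?:(?!-->).)*<Connector[^>]*AJP/1\.3", re.S)


def lint_server_xml(text):
    """Return a list of (severity, message) findings for a server.xml string."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        line, col = exc.position
        return [("error", f"not well-formed XML near line {line}, column {col}")]
    findings = []
    parent = {child: p for p in root.iter() for child in p}
    active = []  # Connectors that are direct children of a Service
    for conn in root.iter("Connector"):
        owner = parent.get(conn)
        if owner is not None and owner.tag == "Service":
            active.append(conn)
        else:
            where = owner.tag if owner is not None else "document root"
            findings.append(("error", f"Connector port={conn.get('port')} is in "
                             f"{where}, not directly under Service"))
    for port, count in Counter(c.get("port") for c in active).items():
        if count > 1:
            findings.append(("error", f"{count} Connectors share port {port}"))
    for conn in active:
        proto = conn.get("protocol", "HTTP/1.1")
        if proto not in KNOWN_PROTOCOLS and not CLASS_NAME.match(proto):
            findings.append(("error", f"Connector port={conn.get('port')}: protocol "
                             f"'{proto}' is not HTTP/1.1, AJP/1.3 or a class name"))
    ajp = [c for c in active if c.get("protocol") == "AJP/1.3"]
    if not ajp:
        extra = " (one is commented out)" if COMMENTED_AJP.search(text) else ""
        findings.append(("error", "no active AJP/1.3 Connector" + extra))
    for conn in ajp:
        # The IIS-to-Tomcat hop is a non-SSL TCP channel; without an address
        # attribute the Connector listens on every interface of the host.
        if conn.get("address") is None:
            findings.append(("note", f"AJP Connector on port {conn.get('port')} has "
                             "no address attribute and listens on all interfaces"))
    return findings


if __name__ == "__main__":
    for name in ("TWO_ON_8009", "UNCLOSED_TAG", "AJP_COMMENTED"):
        print(name)
        for severity, message in lint_server_xml(globals()[name]):
            print(f"  [{severity}] {message}")
```

When the redirector runs on the same machine as Tomcat and connects to 127.0.0.1:8009, as in the logs above, setting address="127.0.0.1" on the AJP Connector clears the note.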




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-04 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Jung,
I'm still getting the errors.

Connector port=8080 protocol=Java HTTP   What protocol should I use
here (do not want to expose)
   connectionTimeout=2 
   redirectPort=80 / 


Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true
-Does this look right?
   maxThreads=150 scheme=https secure=true
   clientAuth=false sslProtocol=TLSv1
   keystoreFile=C:\Program Files (x86)\Apache Software
Foundation\Tomcat 6.0\conf\cert.pfx 
   keystorePass=password
   keystoreType=pkcs12 /


Connector port=8009 protocol=AJP/1.3 redirectPort=8443 /
-Is this where my actual authentication is taking place?

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Wednesday, August 04, 2010 1:38 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:


 I am trying to get Tomcat and IIS configured on my secure web server
 (SSL) so that I can access my deployed web application via https and 
 NOT over http. Connection to non-SSL works, but I cannot have that 
 connection due to security.

 I want to run Tomcat through IIS, and I have configured it using the 
 isapi_redirect.dll (thanks to Electronjockey). However, when I try and 
 hit my https://site/geoportal my credentials 
 do not carry me through to the web application, instead I receive 
 Internet Explorer Cannot Display Webpage. Can someone help me out on 
 how to configure my server.xml and interpreting my log files please? 
 I have even tried to export my server certificate, and call it using 
 the keystore:, still not working. I'm a Tomcat green horn, any help 
 would be awesome.

 Isapi_redirect.log file: Looks like some sort of authentication is 
 being passed, then the ajp13 is not found?

 [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c
 (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70 
 addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT 
 user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll

 [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c
 (3120): Service request headers=5 attributes=9 chunked=no 
 content-length=0 available=0

 [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116):
 did not find a worker ajp13
 [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c
 (2162): could not get a worker for name ajp13 [Wed Aug 04 11:51:15.979 
 2010] [10712:8360] [error] jk_isapi_plugin.c
 (2210): could not get a worker for name ajp13

Hard to tell without knowing the version of the isapi redirector, not having
your configuration. This looks like:

- it is trying to use a worker named ajp13 to connect to Tomcat. Likely you
have configured the redirector to use this worker within your
uriworkermap.properties file

- the redirector doesn't know how to use this worker. Either you are missing
the workers.properties configuration file or there is no definition for a
worker named ajp13 in the file.

A good starting point for a workers.properties file is the example file
contained in the source distribution of version 1.2.30. Please do also use
this version of the redirector.

Note: from the point of view of Tomcat it doesn't really matter whether you
are talking http or https in the browser. This protocol is only used between
the browser and IIS. Between IIS and Tomcat when using the isapi redirector
the protocol is always AJP13 (it is just coincidence, that this is the same
name as the name of the worker in your logs). The protocol is similar to
HTTP but binary and it transports the information whether the browser used
http or https, so Tomcat is aware of this. This protocol does not use the
http or https connectors in server.xml, only the AJP13 connector.

 Here is the meat of my server.xml (pretty sure it's wrong):

 <!-- A Connector represents an endpoint by which requests are 
 received and responses are returned. Documentation at :
 Java HTTP Connector: /docs/config/http.html (blocking & non-blocking) 
 Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector: 
 /docs/apr.html Define a non-SSL HTTP/1.1 Connector on port 8080
 -->
 <Connector port="8080" protocol="HTTP/1.1"
 connectionTimeout="2"
 redirectPort="80" />
 <!-- A Connector using the shared thread pool-->

 <Connector executor="tomcatThreadPool"
 port="8009" protocol="HTTP/1.1"
 connectionTimeout="2"
 redirectPort="443" />

 <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses 
 the JSSE configuration, when using APR, the connector should be using 
 the OpenSSL style configuration described in the APR documentation -->

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
 maxThreads="150" scheme="https" secure="true"
 clientAuth="false" sslProtocol="TLSv1"
 keystoreFile=C:\Program Files (x86)\Apache Software Foundation\Tomcat 
 6.0\conf

Re: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-04 Thread Rainer Jung

On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:

Jung,
I'm still getting the errors.


Why shouldn't you?
Did you actually read my post?
Which parts didn't you understand?


Connector port=8080 protocol=Java HTTP   What protocol should I use
here (do not want to expose)
connectionTimeout=2
redirectPort=80 /


This connector is *not* involved when using

Browser -> IIS/Redirector -> Tomcat


 Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true
-Does this look right?
maxThreads=150 scheme=https secure=true
clientAuth=false sslProtocol=TLSv1
   keystoreFile=C:\Program Files (x86)\Apache Software
Foundation\Tomcat 6.0\conf\cert.pfx
keystorePass=password
   keystoreType=pkcs12 /


This one neither.


Connector port=8009 protocol=AJP/1.3 redirectPort=8443 /
-Is this where my actual authentication is taking place?
This connector should be used depending on your redirector config which 
we haven't seen yet.


The error message you provided doesn't have to do with authentication. 
Authentication problems might show up after you solved your worker 
configuration problem. Until now your IIS doesn't even talk to Tomcat.


Regards,

Rainer




RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-04 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
I did read your post and I changed the Port Number.
  
Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / 
This connector should be used depending on your redirector config which we
haven't seen yet

Here is my workers.properties:

worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009 

Here is my uriworkermap.properties:

/geoportal|/*=worker1

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Wednesday, August 04, 2010 3:40 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
 Jung,
 I'm still getting the errors.

Why shouldn't you?
Did you actually read my post?
Which parts didn't you understand?

 Connector port=8080 protocol=Java HTTP   What protocol should I use
 here (do not want to expose)
 connectionTimeout=2
 redirectPort=80 /

This connector is *not* involved when using

Browser -> IIS/Redirector -> Tomcat

  Connector port=8443 protocol=HTTP/1.1 SSLEnabled=true
 -Does this look right?
 maxThreads=150 scheme=https secure=true
 clientAuth=false sslProtocol=TLSv1
  keystoreFile=C:\Program Files (x86)\Apache Software 
 Foundation\Tomcat 6.0\conf\cert.pfx
 keystorePass=password
  keystoreType=pkcs12 /

This one neither.

 Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / 
 -Is this where my actual authentication is taking place?
This connector should be used depending on your redirector config which we
haven't seen yet.

The error message you provided doesn't have to do with authentication. 
Authentication problems might show up after you solved your worker
configuration problem. Until now your IIS doesn't even talk to Tomcat.

Regards,

Rainer



Re: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-04 Thread Rainer Jung

On 04.08.2010 21:50, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:

I did read your post and I changed the Port Number.

Connector port=8009 protocol=AJP/1.3 redirectPort=8443 /
This connector should be used depending on your redirector config which we
haven't seen yet

Here is my workers.properties:

worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009

Here is my uriworkermap.properties:

/geoportal|/*=worker1


This didn't work, since the log snippet said it tried to use a worker 
named ajp13, not worker1.


Regards,

Rainer


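The mismatch Rainer points out (the log asks for a worker named ajp13 while the posted files only define worker1) can be checked mechanically. The following is an added example, not code from the thread or from the Tomcat Connectors project; the function names are hypothetical, and the inputs are the workers.properties, uriworkermap.properties and log entries posted in the thread.

```python
import re

# Inputs copied from the thread; each log entry is rejoined onto one line.
WORKERS_PROPERTIES = """\
worker.list=worker1
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
"""
URIWORKERMAP_PROPERTIES = "/geoportal|/*=worker1\n"
ISAPI_REDIRECT_LOG = """\
[Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116): did not find a worker ajp13
[Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c (2210): could not get a worker for name ajp13
"""

# Worker names the redirector asked for at runtime and could not resolve.
LOG_RE = re.compile(
    r"(?:did not find a worker|could not get a worker for name) '?([\w.-]+)'?")


def properties(text):
    """Yield (key, value) pairs, skipping blank lines and # comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()


def listed_workers(workers_text):
    """Workers named in worker.list, the only ones a URI can be mapped to."""
    names = set()
    for key, value in properties(workers_text):
        if key == "worker.list":
            names.update(n.strip() for n in value.split(",") if n.strip())
    return names


def mapped_workers(map_text):
    """Return {uri_pattern: worker}; '/a|/*' expands to '/a' and '/a/*'."""
    rules = {}
    for pattern, worker in properties(map_text):
        pattern = pattern.lstrip("!-")  # exclusion / disabled rule prefixes
        base, bar, suffix = pattern.partition("|")
        rules[base] = worker
        if bar:
            rules[base + suffix] = worker
    return rules


def audit(workers_text, map_text, log_text):
    """Return sorted (source, worker, problem) tuples for every mismatch."""
    listed = listed_workers(workers_text)
    rules = mapped_workers(map_text)
    findings = set()
    for pattern, worker in rules.items():
        if worker not in listed:
            findings.add((f"map {pattern}", worker, "not in worker.list"))
    for worker in LOG_RE.findall(log_text):
        if worker not in listed:
            findings.add(("log", worker, "not in worker.list"))
        if worker not in rules.values():
            findings.add(("log", worker, "not named by any map rule"))
    return sorted(findings)


if __name__ == "__main__":
    for source, worker, problem in audit(
            WORKERS_PROPERTIES, URIWORKERMAP_PROPERTIES, ISAPI_REDIRECT_LOG):
        print(f"{source}: worker {worker} {problem}")
```

On the thread's inputs the two files agree with each other, and both findings come from the log: the redirector asked for ajp13, which neither file names.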

RE: Tomcat 6.0.18/ IIS 6.0 /SSL

2010-08-04 Thread Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
Rainer,
Do you have a suggestion? Do I need to change my worker.properties? Sorry,
I'm new to Tomcat, I appreciate your help. 

-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de] 
Sent: Wednesday, August 04, 2010 4:09 PM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

On 04.08.2010 21:50, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
 I did read your post and I changed the Port Number.

 Connector port=8009 protocol=AJP/1.3 redirectPort=8443 / This 
 connector should be used depending on your redirector config which we 
 haven't seen yet

 Here is my workers.properties:

 worker.list=worker1
 worker.worker1.type=ajp13
 worker.worker1.host=127.0.0.1
 worker.worker1.port=8009

 Here is my uriworkermap.properties:

 /geoportal|/*=worker1

This didn't work, since the log snippet said it tried to use a worker named
ajp13, not worker1.

Regards,

Rainer
