Re: Unable to start tomcat

2020-02-25 Thread dkumar
Dear Jason,

Thank you for the link. As per the link below, I have started our Windows Server 
and the problem has been resolved. We are able to start our Tomcat. 
But my worry is that I am unable to find out the root cause of the problem, and how to 
handle it in future. 
Do we have any way to monitor buffer space or queue size, or do we have any 
other way to free buffer space or queue size without starting the Windows 
server?
---
Have you tried Google?
https://stackoverflow.com/questions/4415175/an-operation-on-a-socket-could-not-be-performed-because-the-system-lacked-suffi


On Wed, Feb 26, 2020 at 2:47 PM  wrote:
>
> Dear Jason,
>
> Thanks for your reply. I am unable to understand the hint below. Will you
> please help me out? What action should I take to start my Tomcat, and how
> can I see my buffer space or queue size?
>
> --
> This looks informative and should give u hint and where you should
> begin troubleshooting.
>
> org.apache.tomcat.jni.Error: 730055: An operation on a socket could not
> be performed because the system lacked sufficient buffer space or because
> a queue was full.
>
> On Wed, Feb 26, 2020 at 2:30 PM  wrote:
> >
> > Dear Team
> >
> > I have updated JRE from jre1.8.0_25 to jre1.8.0_211 on my Windows Server
> > 2012, and my Tomcat version is apache-tomcat-8.0.41.
> > It was running fine for the last 6 hours, but now I am getting an error while
> > starting the Tomcat
> >
> > 26-Feb-2020 11:22:23.600 SEVERE [main] org.apache.tomcat.util.net.AprEndpoint.allocatePoller Poller creation failed
> >  org.apache.tomcat.jni.Error: 730055: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
> > at org.apache.tomcat.jni.Poll.create(Native Method)
> > at org.apache.tomcat.util.net.AprEndpoint.allocatePoller(AprEndpoint.java:881)
> > at org.apache.tomcat.util.net.AprEndpoint$Poller.init(AprEndpoint.java:1431)
> > at org.apache.tomcat.util.net.AprEndpoint.startInternal(AprEndpoint.java:707)
> > at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:828)
> > at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:491)
> > at org.apache.catalina.connector.Connector.startInternal(Connector.java:986)
> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> > at org.apache.catalina.core.StandardService.startInternal(StandardService.java:459)
> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> > at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:789)
> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> > at org.apache.catalina.startup.Catalina.start(Catalina.java:629)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:483)
> > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:351)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:485)
> >
> > Please suggest .
> >
> > Thanks & Regards
> > Deepak Kumar
> > CCIL - IT
> > 022-61546230
> > CIN of CCIL- U65990MH2001PLC131804




"Disclaimer and confidentiality clause -
 This message and any attachments relating to official business of CCIL OR ANY 
OF IT'S SUBSIDIARIES is proprietary to CCIL and intended for the original 
addressee only.
The message may contain information that is confidential and subject to legal 
privilege. 
Any views expressed in this message are those of the individual sender. 
If you have received this message in error, please notify the original sender 
immediately and destroy the message and copies thereof and any attachments 
contained in it .
 If you are not the intended recipient of this message, you are hereby notified 
that you must not disseminate, copy, use, distribute, or take any action in 
connection therewith. 
 CCIL cannot ensure that the integrity of this communication has been 
maintained nor that it is free of errors, viruses, interception and/or 
interference. 
CCIL is not liable whatsoever for loss or damage resulting from the opening of 
this message and/or attachments and/or the use of the information contained in 
this message and/or attachments."


Re: Unable to start tomcat

2020-02-25 Thread Jason Wee
Have you tried Google?
https://stackoverflow.com/questions/4415175/an-operation-on-a-socket-could-not-be-performed-because-the-system-lacked-suffi

On Wed, Feb 26, 2020 at 2:47 PM  wrote:
>
> Dear Jason,
>
> Thanks for your reply. I am unable to understand the hint below. Will you
> please help me out? What action should I take to start my Tomcat, and how
> can I see my buffer space or queue size?
>
> --
> This looks informative and should give u hint and where you should
> begin troubleshooting.
>
> org.apache.tomcat.jni.Error: 730055: An operation on a socket could not
> be performed because the system lacked sufficient buffer space or because
> a queue was full.
>
> On Wed, Feb 26, 2020 at 2:30 PM  wrote:
> >
> > Dear Team
> >
> > I have updated JRE from jre1.8.0_25 to jre1.8.0_211 on my Windows Server
> > 2012, and my Tomcat version is apache-tomcat-8.0.41.
> > It was running fine for the last 6 hours, but now I am getting an error while
> > starting the Tomcat
> >
> > 26-Feb-2020 11:22:23.600 SEVERE [main] org.apache.tomcat.util.net.AprEndpoint.allocatePoller Poller creation failed
> >  org.apache.tomcat.jni.Error: 730055: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
> > at org.apache.tomcat.jni.Poll.create(Native Method)
> > at org.apache.tomcat.util.net.AprEndpoint.allocatePoller(AprEndpoint.java:881)
> > at org.apache.tomcat.util.net.AprEndpoint$Poller.init(AprEndpoint.java:1431)
> > at org.apache.tomcat.util.net.AprEndpoint.startInternal(AprEndpoint.java:707)
> > at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:828)
> > at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:491)
> > at org.apache.catalina.connector.Connector.startInternal(Connector.java:986)
> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> > at org.apache.catalina.core.StandardService.startInternal(StandardService.java:459)
> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> > at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:789)
> > at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> > at org.apache.catalina.startup.Catalina.start(Catalina.java:629)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:483)
> > at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:351)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:485)
> >
> > Please suggest .
> >
> > Thanks & Regards
> > Deepak Kumar
> > CCIL - IT
> > 022-61546230
> > CIN of CCIL- U65990MH2001PLC131804
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Unable to start tomcat

2020-02-25 Thread dkumar
Dear Jason,

Thanks for your reply. I am unable to understand the hint below. Will you 
please help me out? What action should I take to start my Tomcat, and how 
can I see my buffer space or queue size?

--
This looks informative and should give u hint and where you should
begin troubleshooting.

org.apache.tomcat.jni.Error: 730055: An operation on a socket could not
be performed because the system lacked sufficient buffer space or because
a queue was full.

On Wed, Feb 26, 2020 at 2:30 PM  wrote:
>
> Dear Team
>
> I have updated JRE from jre1.8.0_25 to jre1.8.0_211 on my Windows Server
> 2012, and my Tomcat version is apache-tomcat-8.0.41.
> It was running fine for the last 6 hours, but now I am getting an error while
> starting the Tomcat
>
> 26-Feb-2020 11:22:23.600 SEVERE [main] org.apache.tomcat.util.net.AprEndpoint.allocatePoller Poller creation failed
>  org.apache.tomcat.jni.Error: 730055: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
> at org.apache.tomcat.jni.Poll.create(Native Method)
> at org.apache.tomcat.util.net.AprEndpoint.allocatePoller(AprEndpoint.java:881)
> at org.apache.tomcat.util.net.AprEndpoint$Poller.init(AprEndpoint.java:1431)
> at org.apache.tomcat.util.net.AprEndpoint.startInternal(AprEndpoint.java:707)
> at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:828)
> at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:491)
> at org.apache.catalina.connector.Connector.startInternal(Connector.java:986)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> at org.apache.catalina.core.StandardService.startInternal(StandardService.java:459)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:789)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:629)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:483)
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:351)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:485)
>
> Please suggest .
>
> Thanks & Regards
> Deepak Kumar
> CCIL - IT
> 022-61546230
> CIN of CCIL- U65990MH2001PLC131804

Re: Unable to start tomcat

2020-02-25 Thread Jason Wee
This looks informative and should give u hint and where you should
begin troubleshooting.

org.apache.tomcat.jni.Error: 730055: An operation on a socket could not
be performed because the system lacked sufficient buffer space or because
a queue was full.

On Wed, Feb 26, 2020 at 2:30 PM  wrote:
>
> Dear Team
>
> I have updated JRE from jre1.8.0_25 to jre1.8.0_211 on my Windows Server
> 2012, and my Tomcat version is apache-tomcat-8.0.41.
> It was running fine for the last 6 hours, but now I am getting an error while
> starting the Tomcat
>
> 26-Feb-2020 11:22:23.600 SEVERE [main] org.apache.tomcat.util.net.AprEndpoint.allocatePoller Poller creation failed
>  org.apache.tomcat.jni.Error: 730055: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
> at org.apache.tomcat.jni.Poll.create(Native Method)
> at org.apache.tomcat.util.net.AprEndpoint.allocatePoller(AprEndpoint.java:881)
> at org.apache.tomcat.util.net.AprEndpoint$Poller.init(AprEndpoint.java:1431)
> at org.apache.tomcat.util.net.AprEndpoint.startInternal(AprEndpoint.java:707)
> at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:828)
> at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:491)
> at org.apache.catalina.connector.Connector.startInternal(Connector.java:986)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> at org.apache.catalina.core.StandardService.startInternal(StandardService.java:459)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:789)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:629)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:483)
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:351)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:485)
>
> Please suggest .
>
> Thanks & Regards
> Deepak Kumar
> CCIL - IT
> 022-61546230
> CIN of CCIL- U65990MH2001PLC131804



Unable to start tomcat

2020-02-25 Thread dkumar
Dear Team

I have updated JRE from jre1.8.0_25 to jre1.8.0_211 on my Windows Server 
2012, and my Tomcat version is apache-tomcat-8.0.41.
It was running fine for the last 6 hours, but now I am getting an error while 
starting the Tomcat

26-Feb-2020 11:22:23.600 SEVERE [main] org.apache.tomcat.util.net.AprEndpoint.allocatePoller Poller creation failed
 org.apache.tomcat.jni.Error: 730055: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
at org.apache.tomcat.jni.Poll.create(Native Method)
at org.apache.tomcat.util.net.AprEndpoint.allocatePoller(AprEndpoint.java:881)
at org.apache.tomcat.util.net.AprEndpoint$Poller.init(AprEndpoint.java:1431)
at org.apache.tomcat.util.net.AprEndpoint.startInternal(AprEndpoint.java:707)
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:828)
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:491)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:986)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:459)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:789)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
at org.apache.catalina.startup.Catalina.start(Catalina.java:629)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:351)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:485)

Please suggest .

Thanks & Regards
Deepak Kumar
CCIL - IT
022-61546230
CIN of CCIL- U65990MH2001PLC131804


javax.servlet.ServletContainerInitializer defined in jar not loading on Tomcat 7.0.100

2020-02-25 Thread SS jong
We have a webapp that has been running fine on Tomcat 7.0.99, but failed to 
load properly on Tomcat 7.0.100. Upon investigation, it looks like the 
javax.servlet.ServletContainerInitializer that we defined in a jar is not being 
loaded. To make sure, we created a blank new webapp with a blank 
implementation of ServletContainerInitializer:

    import java.util.Set;

    import javax.servlet.ServletContainerInitializer;
    import javax.servlet.ServletContext;
    import javax.servlet.ServletException;

    public class TestSCI implements ServletContainerInitializer {

        @Override
        public void onStartup(Set<Class<?>> arg0, ServletContext arg1)
                throws ServletException {
            // Prints a line so the console shows whether onStartup was called
            System.out.println("");
        }
    }

We add this class and also the 
“META-INF/services/javax.servlet.ServletContainerInitializer” entry to a jar 
and place this jar in the WEB-INF/lib folder. With this simple setup, a test shows 
that the ServletContainerInitializer is being loaded on Tomcat 7.0.99, but is 
not being loaded on Tomcat 7.0.100. Is this change intentional on Tomcat 
7.0.100 or is this a bug?

Looking at org.apache.catalina.startup.WebappServiceLoader from the source code of 
Tomcat 7.0.100, it seems that the leading slash added on line 111 may have 
caused the issue, but I am not entirely sure.

On Tomcat 7.0.100, the ServletContainerInitializer will load if it is placed as a 
plain text file entry in WEB-INF/classes, but the same 
ServletContainerInitializer will NOT load when the 
“META-INF/services/javax.servlet.ServletContainerInitializer” entry is placed 
in a jar file. Tomcat 7.0.99 will load the ServletContainerInitializer 
regardless of where the 
“META-INF/services/javax.servlet.ServletContainerInitializer” entry is placed.

Has anyone encountered this issue on Tomcat 7.0.100, and is this behavior change 
intentional?



Thanks.



Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Hi Chris,


> Does this mean that incoming connections require SSL or also outgoing
> (e.g. proxy) connections? I'm super ignorant of IIS configuration.

Incoming connections require SSL or will be upgraded to SSL. So if you
type in http, it will change to https.

Right now because I do not have SSL set as required, I can type in http and
it stays http. At that point, it starts working  - I no longer get the 403
from Tomcat.

> My recommendation would be to take this opportunity to switch to HTTPS
> and dump AJP.

OK, I am willing to try - so to do that, would this be the procedure?
1. Set up certificates in Tomcat (big black box for me, but I'll try to
figure it out)
2. Change the worker.worker1.type to HTTPS
3. Change the worker.worker1.port to 8443
Anything else?

Ellen






On Tue, Feb 25, 2020 at 5:47 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Ellen,
>
> Oops pressed SEND before I was done...
>
> On 2/25/20 16:47, Ellen Meiselman wrote:
> > So it turned out that the logs were mostly set at FINE already, so
> > Johann’s suggestion was already done.
> >
> > But I think I now know where the problem lies.
> > Secure IIS request > to > non-secure AJP.
> >
> > I don’t think this was a problem on the other servers before but
> > the security has probably been tightened, and it just doesn’t
> > produce an error - it just won’t allow it.
> >
> > I have had IIS set to require SSL
>
> Does this mean that incoming connections require SSL or also outgoing
> (e.g. proxy) connections? I'm super ignorant of IIS configuration.
>
> > but I turned it off to test and it actually worked all the way
> > through to the simple.html file. so it’s some sort of policy about
> > downgrading - which seems quite rational in retrospect. For
> > example, this HTTP address does work.
> >
> > http://my.servers.domain.com/exposedApplication/simple.html
> >
> > I never tried it because I knew I had set SSL to required.
> > Sometimes you make assumptions that block progress.
> >
> > This HTTPS address does not work - I get the 403 from tomcat.
> > https://my.servers.domain.com/exposedApplication/simple.html
> >
> > So  - if this makes sense to any of you, please tell me roughly
> > what I need to do to make the AJP requests as secure as the port 80
> > requests.
>
> Um...
>
> > I know keystores and .pem files are involved, but please give me
> > the big picture - what port does AJP need to run on, and where do
> > I go to find out how to tell it to use a “real" cert.
>
> Traditionally, AJP is run over port 8009 but you can always choose any
> port you wish as long as both sides of the connection (IIS, Tomcat)
> agree on which port to use.
>
> AJP is a non-secure protocol, full stop. You can tunnel it through
> other things but, as some have mentioned, since you are using
> localhost it's not super important to use encryption.
>
> If you DO need encryption, you have two choices:
>
> 1. tunnel AJP over e.g. TLS using a tool like stunnel, which is
> actually available for Windows. It's a little more "at home" in *NIX
> environments, but I've heard it works just as well on Windows. If you
> do this, you WILL need to deal with keys and certs.
>
> 2. Drop AJP and use HTTPS. I don't believe there aren't any features
> you can't get working through HTTP that AJP provides. I think this
> also means you no longer need a special IIS redirector plug-in
> anymore, so it's 100% vanilla IIS at that point. If you do this, you
> WILL need to deal with keys and certs.
>
> But are you sure you need encryption?
>
> If you are using localhost, it's worthless IMHO. If you are traversing
> a network -- even a "trusted" one -- it's a hard requirement also IMHO.
>
> My recommendation would be to take this opportunity to switch to HTTPS
> and dump AJP.
>
> > Also I’ll have to figure out how to shut off port 8080 or require
> > SSL on tomcat once I get everything going. Actually I’d like to
> > limit Tomcat to responding to requests from the server itself.
> > Nothing should be talking to Tomcat but the isapi connector.
>
> Bind to address="127.0.0.1" and only on ports that IIS is using for
> proxying. If that means AJP over 8009, then use that. If that means
> HTTPS over port 8443, then use that. Just comment-out the connector
> you DON'T need.
>
> You'll never really know what protocol the client is using to talk to
> the (reverse) proxy, so you have to make some assumptions. If you have
> configured IIS to only proxy requests over a secure channel from the
> client (which I highly recommend!) then you can assume that all
> connections, regardless of protocol or port are indeed secure where it
> counts: between the client and the reverse proxy.
>
> If you only want "secure" connections from the client, then you will
> want to set both secure="true", scheme="https", and proxyPort="443" on
> your <Connector>. This makes Tomcat generate https:// URLs with the
> right port number, etc. for redirects, 

Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Christopher Schultz

Ellen,

Oops pressed SEND before I was done...

On 2/25/20 16:47, Ellen Meiselman wrote:
> So it turned out that the logs were mostly set at FINE already, so
> Johann’s suggestion was already done.
>
> But I think I now know where the problem lies.
> Secure IIS request > to > non-secure AJP.
>
> I don’t think this was a problem on the other servers before but
> the security has probably been tightened, and it just doesn’t
> produce an error - it just won’t allow it.
>
> I have had IIS set to require SSL

Does this mean that incoming connections require SSL or also outgoing
(e.g. proxy) connections? I'm super ignorant of IIS configuration.

> but I turned it off to test and it actually worked all the way
> through to the simple.html file. so it’s some sort of policy about
> downgrading - which seems quite rational in retrospect. For
> example, this HTTP address does work.
>
> http://my.servers.domain.com/exposedApplication/simple.html
>
> I never tried it because I knew I had set SSL to required.
> Sometimes you make assumptions that block progress.
>
> This HTTPS address does not work - I get the 403 from tomcat.
> https://my.servers.domain.com/exposedApplication/simple.html
>
> So  - if this makes sense to any of you, please tell me roughly
> what I need to do to make the AJP requests as secure as the port 80
> requests.

Um...

> I know keystores and .pem files are involved, but please give me
> the big picture - what port does AJP need to run on, and where do
> I go to find out how to tell it to use a “real" cert.

Traditionally, AJP is run over port 8009 but you can always choose any
port you wish as long as both sides of the connection (IIS, Tomcat)
agree on which port to use.

AJP is a non-secure protocol, full stop. You can tunnel it through
other things but, as some have mentioned, since you are using
localhost it's not super important to use encryption.

If you DO need encryption, you have two choices:

1. tunnel AJP over e.g. TLS using a tool like stunnel, which is
actually available for Windows. It's a little more "at home" in *NIX
environments, but I've heard it works just as well on Windows. If you
do this, you WILL need to deal with keys and certs.

2. Drop AJP and use HTTPS. I don't believe there aren't any features
you can't get working through HTTP that AJP provides. I think this
also means you no longer need a special IIS redirector plug-in
anymore, so it's 100% vanilla IIS at that point. If you do this, you
WILL need to deal with keys and certs.

But are you sure you need encryption?

If you are using localhost, it's worthless IMHO. If you are traversing
a network -- even a "trusted" one -- it's a hard requirement also IMHO.

My recommendation would be to take this opportunity to switch to HTTPS
and dump AJP.

> Also I’ll have to figure out how to shut off port 8080 or require
> SSL on tomcat once I get everything going. Actually I’d like to
> limit Tomcat to responding to requests from the server itself.
> Nothing should be talking to Tomcat but the isapi connector.

Bind to address="127.0.0.1" and only on ports that IIS is using for
proxying. If that means AJP over 8009, then use that. If that means
HTTPS over port 8443, then use that. Just comment-out the connector
you DON'T need.

You'll never really know what protocol the client is using to talk to
the (reverse) proxy, so you have to make some assumptions. If you have
configured IIS to only proxy requests over a secure channel from the
client (which I highly recommend!) then you can assume that all
connections, regardless of protocol or port are indeed secure where it
counts: between the client and the reverse proxy.

If you only want "secure" connections from the client, then you will
want to set both secure="true", scheme="https", and proxyPort="443" on
your <Connector>. This makes Tomcat generate https:// URLs with the
right port number, etc. for redirects, and also won't cause a redirect
storm if the application specifies that it wants to use only "secure"
connections (which I also highly recommend).

- -chris
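The advice in the message above (bind to 127.0.0.1, comment out the connector you don't need, set secure, scheme and proxyPort) can be checked mechanically against a server.xml. The script below is an added example, not code from the thread or from the Tomcat project; the three server.xml fragments are constructed, and the finding names and the policy that a connector without an explicit address counts as "not loopback" are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not taken from the thread).
# BEFORE: default HTTP connector still enabled, AJP bound to loopback.
SAMPLE_BEFORE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             secretRequired="false" redirectPort="8443" />
</Service></Server>"""

# AFTER: unused connector commented out, proxy attributes set.
SAMPLE_AFTER = """<Server><Service name="Catalina">
  <!-- <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" /> -->
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             secretRequired="false"
             secure="true" scheme="https" proxyPort="443" />
</Service></Server>"""

# EXPOSED: AJP on every interface with the secret check disabled.
SAMPLE_EXPOSED = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="0.0.0.0" port="8009"
             secretRequired="false" />
</Service></Server>"""


def is_loopback(address):
    """True only for an explicit loopback bind (127.0.0.0/8, ::1, localhost)."""
    if address is None:
        # Assumption of this audit: no explicit address means "not loopback".
        return False
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address.lower() == "localhost"


def audit(server_xml, client_https=True, proxy_port="443"):
    """Return a list of (port, finding) tuples for every active <Connector>.

    client_https=True means the operator asserts that the reverse proxy only
    accepts HTTPS from clients, so each connector should carry secure="true",
    scheme="https" and proxyPort=<proxy_port>.
    """
    findings = []
    # ElementTree drops XML comments, so commented-out connectors are skipped.
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")
        is_ajp = "ajp" in protocol.lower()

        if not is_loopback(conn.get("address")):
            findings.append((port, "not-loopback"))
            if is_ajp:
                # AJP has no encryption of its own; off-host it needs a tunnel.
                findings.append((port, "ajp-cleartext-off-host"))
                if conn.get("secretRequired", "true").lower() == "false":
                    findings.append((port, "ajp-no-secret"))

        if client_https:
            wanted = {"secure": "true", "scheme": "https",
                      "proxyPort": proxy_port}
            for name, value in wanted.items():
                if conn.get(name, "").lower() != value:
                    findings.append((port, "missing-" + name))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("before", SAMPLE_BEFORE),
                            ("after", SAMPLE_AFTER),
                            ("exposed", SAMPLE_EXPOSED)):
        result = audit(xml_text)
        print(label, "->", result if result else "no findings")
```

A secretRequired="false" AJP connector is reported only when it is also reachable off-host, which matches the loopback-only setup discussed in the thread.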

Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Christopher Schultz

Ellen,

On 2/25/20 16:47, Ellen Meiselman wrote:
> So it turned out that the logs were mostly set at FINE already, so
>  Johann’s suggestion was already done.
>
> But I think I now know where the problem lies. Secure IIS request >
>  to > non-secure AJP.
>
> I don’t think this was a problem on the other servers before but
> the security has probably been tightened, and it just doesn’t
> produce an error - it just won’t allow it.
>
> I have had IIS set to require SSL

Does this mean that incoming connections require SSL or also outgoing
(e.g. proxy) connections? I'm super ignorant of IIS configuration.

> but I turned it off to test and it actually worked all the way
> through to the simple.html file. so it’s some sort of policy about
> downgrading - which seems quite rational in retrospect. For
> example, this HTTP address does work.
>
> http://my.servers.domain.com/exposedApplication/simple.html
>
> I never tried it because I knew I had set SSL to required.
> Sometimes you make assumptions that block progress.
>
> This HTTPS address does not work - I get the 403 from tomcat.
> https://my.servers.domain.com/exposedApplication/simple.html
>
> So  - if this makes sense to any of you, please tell me roughly
> what I need to do to make the AJP requests as secure as the port
> 80 requests.

Um...

> I know keystores and .pem files are involved, but please give me
> the big picture - what port does AJP need to run on, and where do I
> go to find out how to tell it to use a “real" cert.
Traditionally, AJP is run over port 8009 but you can always choose any
port you wish as long as both sides of the connection (IIS, Tomcat)
agree on which port to use.

AJP is a non-secure protocol, full stop. You can tunnel it through
other things but, as some have mentioned, since you are using
localhost it's not super important to use encryption.

>
> Also I’ll have to figure out how to shut off port 8080 or require
> SSL on tomcat once I get everything going. Actually I’d like to
> limit Tomcat to responding to requests from the server itself.
> Nothing should be talking to Tomcat but the isapi connector.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread jonmcalexander
Good News!

You can shut-off port 8080 by commenting out the HTTP Connector in the 
server.xml. Did you have the require SSL on the IIS Side? AJP doesn't use SSL, 
so it should work either way going thru IIS.


Jon McAlexander



Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
So it turned out that the logs were mostly set at FINE already, so Johann’s 
suggestion was already done.

But I think I now know where the problem lies. Secure IIS request >  to >
non-secure AJP.

I don’t think this was a problem on the other servers before but the security 
has probably been tightened, and it just doesn’t produce an error - it just 
won’t allow it.   

I have had IIS set to require SSL, but I turned it off to test and it actually 
worked all the way through to the simple.html file. so it’s some sort of policy 
about downgrading - which seems quite rational in retrospect.  

 For example, this HTTP address does work.

http://my.servers.domain.com/exposedApplication/simple.html 

 I never tried it because I knew I had set SSL to required. Sometimes you make 
assumptions that block progress.

This HTTPS address does not work - I get the 403 from tomcat.
https://my.servers.domain.com/exposedApplication/simple.html 


So  - if this makes sense to any of you, please tell me roughly what I need to 
do to make the AJP requests as secure as the port 80 requests. I know keystores 
and .pem files are involved, but please give me the big picture - what port 
does AJP need to run on, and where do I go to find out how to tell it to use a 
“real" cert. 

Also I’ll have to figure out how to shut off port 8080 or require SSL on tomcat 
once I get everything going. Actually I’d like to limit Tomcat to responding to 
requests from the server itself. Nothing should be talking to Tomcat but the 
isapi connector. 

Thanks, 

Ellen



I 
> On Feb 25, 2020, at 4:07 PM, js84  wrote:
> 
> Hello!
> 
> What for are you using secret property when running tomcat locally using 
> loopback interface? 
> 
> I suggest to increase loglevel to „debug“ temporary. (Don’t forget to reset 
> it because performance will slow down dramatically if isapi_redirect logfile 
> grows on a Windows machine.)
> 
> Best regards,
> Johann  
> 
> From: Christopher Schultz
> Sent: Tuesday, 25 February 2020 21:42
> To: users@tomcat.apache.org
> Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat
> 
> Ellen,
> 
> On 2/25/20 13:10, Ellen Meiselman wrote:
>> No, just that I don't know how to set this particular connector up
>> another way. I based this on the instructions on the
>> isapi_connector site
>> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
>> and on the 2 older servers we have which are working.> I'm sort of
>> thinking of suggesting that we get rid of IIS entirely and switch
>> to Tomcat. Then we can run the necessary Java application and also
>> serve all the HTML items we need to using the same web server.
> Tomcat is a perfectly good "plain old" web server. Some security
> people get all freaked-out when you suggest that Tomcat be exposed
> "directly" but IMHO it can't be any worse than IIS.
> 
> But also IMHO there are always reasons to use a reverse proxy:
> flexibility and availability. When you are restarting Tomcat for
> whatever reason, what will clients see if they try to access your
> application? CONNECTION REFUSED? :( With the proxy in the way, that is
> much less likely. Also, if you want to serve Java web applications,
> python web applications, .NET whatevers, you'll be able to do that
> much more flexibly with a reverse-proxy in the mix.
> 
> - -chris
> 
>> On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>> 
>> Ellen,
>> 
>> On 2/25/20 12:55, Ellen Meiselman wrote:
> Sorry - no, the quotes were not there except for a 5 minute
> test of a hopeless theory that they might be needed. Right
> now there is no secret at all in the workers.properties, and
>> in the
> ajp connector, i have secretRequired ="false".
> Workers.properties: worker.worker1.type=ajp13
> worker.worker1.host=127.0.0.1 worker.worker1.port=8009
> 
> Server.xml:  address="127.0.0.1" port="8009" secretRequired="false"
> redirectPort="8443" />
>> 
>> Hmm. I think we've all been operating under the assumption that
>> the "secret" (by whatever name) was the source of the problem. It
>> appears that was incorrect.
>> 
>> Have a look at Jon's question about file permissions.
>> 
>> Was this a configuration that had been working until recently, or
>> is this a new configuration that you haven't (yet) been able to get
>> working ?
>> 
>> Any reason not to use HTTP(S) for your protocol instead of AJP?
>> 
>> -chris
>> 
> On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> Ellen,
> 
> On 2/25/20 12:06, Ellen Meiselman wrote:
 Yes, everything is on the same server.
 
 workers.properties: # Set properties for worker1
 (ajp13) worker.worker1.type=ajp13

RE: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread jonmcalexander
What is in your URIWorkermap.properties file?


Jon McAlexander



Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Hi Johann, 

I’ve been trying both ways - with and without secret. Happy to have it set up 
any way it works that won’t arouse the ire of our security team. 

I’ll increase the log levels and see what else I can find.

Thanks, 

Ellen


> On Feb 25, 2020, at 4:07 PM, js84  wrote:
> 
> Hello!
> 
> What for are you using secret property when running tomcat locally using 
> loopback interface? 
> 
> I suggest to increase loglevel to „debug“ temporary. (Don’t forget to reset 
> it because performance will slow down dramatically if isapi_redirect logfile 
> grows on a Windows machine.)
> 
> Best regards,
> Johann  
> 
> From: Christopher Schultz
> Sent: Tuesday, 25 February 2020 21:42
> To: users@tomcat.apache.org
> Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat
> 
> Ellen,
> 
> On 2/25/20 13:10, Ellen Meiselman wrote:
>> No, just that I don't know how to set this particular connector up
>> another way. I based this on the instructions on the
>> isapi_connector site
>> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
>> and on the 2 older servers we have which are working.> I'm sort of
>> thinking of suggesting that we get rid of IIS entirely and switch
>> to Tomcat. Then we can run the necessary Java application and also
>> serve all the HTML items we need to using the same web server.
> Tomcat is a perfectly good "plain old" web server. Some security
> people get all freaked-out when you suggest that Tomcat be exposed
> "directly" but IMHO it can't be any worse than IIS.
> 
> But also IMHO there are always reasons to use a reverse proxy:
> flexibility and availability. When you are restarting Tomcat for
> whatever reason, what will clients see if they try to access your
> application? CONNECTION REFUSED? :( With the proxy in the way, that is
> much less likely. Also, if you want to serve Java web applications,
> python web applications, .NET whatevers, you'll be able to do that
> much more flexibly with a reverse-proxy in the mix.
> 
> - -chris
> 
>> On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>> 
>> Ellen,
>> 
>> On 2/25/20 12:55, Ellen Meiselman wrote:
> Sorry - no, the quotes were not there except for a 5 minute
> test of a hopeless theory that they might be needed. Right
> now there is no secret at all in the workers.properties, and
>> in the
> ajp connector, i have secretRequired ="false".
> Workers.properties: worker.worker1.type=ajp13
> worker.worker1.host=127.0.0.1 worker.worker1.port=8009
> 
> Server.xml:  address="127.0.0.1" port="8009" secretRequired="false"
> redirectPort="8443" />
>> 
>> Hmm. I think we've all been operating under the assumption that
>> the "secret" (by whatever name) was the source of the problem. It
>> appears that was incorrect.
>> 
>> Have a look at Jon's question about file permissions.
>> 
>> Was this a configuration that had been working until recently, or
>> is this a new configuration that you haven't (yet) been able to get
>> working ?
>> 
>> Any reason not to use HTTP(S) for your protocol instead of AJP?
>> 
>> -chris
>> 
> On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> Ellen,
> 
> On 2/25/20 12:06, Ellen Meiselman wrote:
 Yes, everything is on the same server.
 
 workers.properties: # Set properties for worker1
 (ajp13) worker.worker1.type=ajp13
 worker.worker1.host=127.0.0.1 worker.worker1.port=8009
 worker.worker1.secret="mySecret".
> 
> Just so there is no confusion: your "mySecret" should have
> neither quotes nor the trailing period.
> 
> Are those literally in your IIS config file?
> 
> -chris
> 
 On Tue, Feb 25, 2020 at 11:27 AM
  wrote:
 
> -Original Message- From: Ellen Meiselman
>  Sent: Tuesday, February 25, 2020
> 10:01 AM To: Tomcat Users List
>  Subject: Re: At wits end:
> Difficulties with IIS ISAPI connector and Tomcat
> 
>> Hi,
> 
>> I've been testing, and so far, there is no change
>> in the behavior. I am
> still getting the same tomcat->based 403 error.
> 
>> Based on what you said above...
>> 
>> secretRequired="true" (which is the default, so it
>> can be removed) secret="xxx"
> 
> 
>> ...I removed secretRequired="true" and left secret.
>> So the connector
> definition now looks like this:
>> > port="8009" secret="mySecret" redirectPort="8443"
>> />
> 
> 
> 
> I'm assuming that your web-front-end is on the same
> server as your Tomcat instance, based on you having
> the address set to 127.0.0.1, correct? What do you
> hav

AW: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread js84
Hello!

What are you using the secret property for when running Tomcat locally using
the loopback interface?

I suggest increasing the log level to "debug" temporarily. (Don’t forget to
reset it, because performance will slow down dramatically if the
isapi_redirect log file grows on a Windows machine.)

Best regards,
Johann  

From: Christopher Schultz
Sent: Tuesday, 25 February 2020 21:42
To: users@tomcat.apache.org
Subject: Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

Ellen,

On 2/25/20 13:10, Ellen Meiselman wrote:
> No, just that I don't know how to set this particular connector up
> another way. I based this on the instructions on the
> isapi_connector site
> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
> and on the 2 older servers we have which are working.> I'm sort of
> thinking of suggesting that we get rid of IIS entirely and switch
> to Tomcat. Then we can run the necessary Java application and also
> serve all the HTML items we need to using the same web server.
Tomcat is a perfectly good "plain old" web server. Some security
people get all freaked-out when you suggest that Tomcat be exposed
"directly" but IMHO it can't be any worse than IIS.

But also IMHO there are always reasons to use a reverse proxy:
flexibility and availability. When you are restarting Tomcat for
whatever reason, what will clients see if they try to access your
application? CONNECTION REFUSED? :( With the proxy in the way, that is
much less likely. Also, if you want to serve Java web applications,
python web applications, .NET whatevers, you'll be able to do that
much more flexibly with a reverse-proxy in the mix.

- -chris

> On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Ellen,
>
> On 2/25/20 12:55, Ellen Meiselman wrote:
 Sorry - no, the quotes were not there except for a 5 minute
 test of a hopeless theory that they might be needed. Right
 now there is no secret at all in the workers.properties, and
> in the
 ajp connector, i have secretRequired ="false".
 Workers.properties: worker.worker1.type=ajp13
 worker.worker1.host=127.0.0.1 worker.worker1.port=8009

 Server.xml: >>> address="127.0.0.1" port="8009" secretRequired="false"
 redirectPort="8443" />
>
> Hmm. I think we've all been operating under the assumption that
> the "secret" (by whatever name) was the source of the problem. It
> appears that was incorrect.
>
> Have a look at Jon's question about file permissions.
>
> Was this a configuration that had been working until recently, or
> is this a new configuration that you haven't (yet) been able to get
> working ?
>
> Any reason not to use HTTP(S) for your protocol instead of AJP?
>
> -chris
>
 On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
 ch...@christopherschultz.net> wrote:

 Ellen,

 On 2/25/20 12:06, Ellen Meiselman wrote:
>>> Yes, everything is on the same server.
>>>
>>> workers.properties: # Set properties for worker1
>>> (ajp13) worker.worker1.type=ajp13
>>> worker.worker1.host=127.0.0.1 worker.worker1.port=8009
>>> worker.worker1.secret="mySecret".

 Just so there is no confusion: your "mySecret" should have
 neither quotes nor the trailing period.

 Are those literally in your IIS config file?

 -chris

>>> On Tue, Feb 25, 2020 at 11:27 AM
>>>  wrote:
>>>
 -Original Message- From: Ellen Meiselman
  Sent: Tuesday, February 25, 2020
 10:01 AM To: Tomcat Users List
  Subject: Re: At wits end:
 Difficulties with IIS ISAPI connector and Tomcat

> Hi,

> I've been testing, and so far, there is no change
> in the behavior. I am
 still getting the same tomcat->based 403 error.

> Based on what you said above...
>
> secretRequired="true" (which is the default, so it
> can be removed) secret="xxx"


> ...I removed secretRequired="true" and left secret.
> So the connector
 definition now looks like this:
>  port="8009" secret="mySecret" redirectPort="8443"
> />

 

 I'm assuming that your web-front-end is on the same
 server as your Tomcat instance, based on you having
 the address set to 127.0.0.1, correct? What do you
 have in your workers.properties file?


Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Hi Chris, 

Thank you very much for the suggestion and all the help. 
 
Ellen

> On Feb 25, 2020, at 3:42 PM, Christopher Schultz 
>  wrote:
> 
> Ellen,
> 
> On 2/25/20 13:10, Ellen Meiselman wrote:
>> No, just that I don't know how to set this particular connector up
>> another way. I based this on the instructions on the
>> isapi_connector site
>> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
>> and on the 2 older servers we have which are working.> I'm sort of
>> thinking of suggesting that we get rid of IIS entirely and switch
>> to Tomcat. Then we can run the necessary Java application and also
>> serve all the HTML items we need to using the same web server.
> Tomcat is a perfectly good "plain old" web server. Some security
> people get all freaked-out when you suggest that Tomcat be exposed
> "directly" but IMHO it can't be any worse than IIS.
> 
> But also IMHO there are always reasons to use a reverse proxy:
> flexibility and availability. When you are restarting Tomcat for
> whatever reason, what will clients see if they try to access your
> application? CONNECTION REFUSED? :( With the proxy in the way, that is
> much less likely. Also, if you want to serve Java web applications,
> python web applications, .NET whatevers, you'll be able to do that
> much more flexibly with a reverse-proxy in the mix.
> 
> -chris
> 
>> On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>> 
>> Ellen,
>> 
>> On 2/25/20 12:55, Ellen Meiselman wrote:
> Sorry - no, the quotes were not there except for a 5 minute
> test of a hopeless theory that they might be needed. Right
> now there is no secret at all in the workers.properties, and
>> in the
> ajp connector, i have secretRequired ="false".
> Workers.properties: worker.worker1.type=ajp13
> worker.worker1.host=127.0.0.1 worker.worker1.port=8009
> 
> Server.xml:  address="127.0.0.1" port="8009" secretRequired="false"
> redirectPort="8443" />
>> 
>> Hmm. I think we've all been operating under the assumption that
>> the "secret" (by whatever name) was the source of the problem. It
>> appears that was incorrect.
>> 
>> Have a look at Jon's question about file permissions.
>> 
>> Was this a configuration that had been working until recently, or
>> is this a new configuration that you haven't (yet) been able to get
>> working ?
>> 
>> Any reason not to use HTTP(S) for your protocol instead of AJP?
>> 
>> -chris
>> 
> On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> Ellen,
> 
> On 2/25/20 12:06, Ellen Meiselman wrote:
 Yes, everything is on the same server.
 
 workers.properties: # Set properties for worker1
 (ajp13) worker.worker1.type=ajp13
 worker.worker1.host=127.0.0.1 worker.worker1.port=8009
 worker.worker1.secret="mySecret".
> 
> Just so there is no confusion: your "mySecret" should have
> neither quotes nor the trailing period.
> 
> Are those literally in your IIS config file?
> 
> -chris
> 
 On Tue, Feb 25, 2020 at 11:27 AM
  wrote:
 
> -Original Message- From: Ellen Meiselman
>  Sent: Tuesday, February 25, 2020
> 10:01 AM To: Tomcat Users List
>  Subject: Re: At wits end:
> Difficulties with IIS ISAPI connector and Tomcat
> 
>> Hi,
> 
>> I've been testing, and so far, there is no change
>> in the behavior. I am
> still getting the same tomcat->based 403 error.
> 
>> Based on what you said above...
>> 
>> secretRequired="true" (which is the default, so it
>> can be removed) secret="xxx"
> 
> 
>> ...I removed secretRequired="true" and left secret.
>> So the connector
> definition now looks like this:
>> > port="8009" secret="mySecret" redirectPort="8443"
>> />
> 
> 
> 
> I'm assuming that your web-front-end is on the same
> server as your Tomcat instance, based on you having
> the address set to 127.0.0.1, correct? What do you
> have in your workers.properties file?
> 
 

Re: [OT] At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Christopher Schultz
Ellen,

On 2/25/20 13:10, Ellen Meiselman wrote:
> No, just that I don't know how to set this particular connector up
> another way. I based this on the instructions on the
> isapi_connector site
> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
> and on the 2 older servers we have which are working.
>
> I'm sort of
> thinking of suggesting that we get rid of IIS entirely and switch
> to Tomcat. Then we can run the necessary Java application and also
> serve all the HTML items we need to using the same web server.
Tomcat is a perfectly good "plain old" web server. Some security
people get all freaked-out when you suggest that Tomcat be exposed
"directly" but IMHO it can't be any worse than IIS.

But also IMHO there are always reasons to use a reverse proxy:
flexibility and availability. When you are restarting Tomcat for
whatever reason, what will clients see if they try to access your
application? CONNECTION REFUSED? :( With the proxy in the way, that is
much less likely. Also, if you want to serve Java web applications,
python web applications, .NET whatevers, you'll be able to do that
much more flexibly with a reverse-proxy in the mix.

-chris

> On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Ellen,
>
> On 2/25/20 12:55, Ellen Meiselman wrote:
 Sorry - no, the quotes were not there except for a 5 minute
 test of a hopeless theory that they might be needed. Right
 now there is no secret at all in the workers.properties, and
> in the
 ajp connector, i have secretRequired ="false".
 Workers.properties: worker.worker1.type=ajp13
 worker.worker1.host=127.0.0.1 worker.worker1.port=8009

 Server.xml: >>> address="127.0.0.1" port="8009" secretRequired="false"
 redirectPort="8443" />
>
> Hmm. I think we've all been operating under the assumption that
> the "secret" (by whatever name) was the source of the problem. It
> appears that was incorrect.
>
> Have a look at Jon's question about file permissions.
>
> Was this a configuration that had been working until recently, or
> is this a new configuration that you haven't (yet) been able to get
> working ?
>
> Any reason not to use HTTP(S) for your protocol instead of AJP?
>
> -chris
>
 On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
 ch...@christopherschultz.net> wrote:

 Ellen,

 On 2/25/20 12:06, Ellen Meiselman wrote:
>>> Yes, everything is on the same server.
>>>
>>> workers.properties: # Set properties for worker1
>>> (ajp13) worker.worker1.type=ajp13
>>> worker.worker1.host=127.0.0.1 worker.worker1.port=8009
>>> worker.worker1.secret="mySecret".

 Just so there is no confusion: your "mySecret" should have
 neither quotes nor the trailing period.

 Are those literally in your IIS config file?

 -chris

>>> On Tue, Feb 25, 2020 at 11:27 AM
>>>  wrote:
>>>
 -Original Message- From: Ellen Meiselman
  Sent: Tuesday, February 25, 2020
 10:01 AM To: Tomcat Users List
  Subject: Re: At wits end:
 Difficulties with IIS ISAPI connector and Tomcat

> Hi,

> I've been testing, and so far, there is no change
> in the behavior. I am
 still getting the same tomcat->based 403 error.

> Based on what you said above...
>
> secretRequired="true" (which is the default, so it
> can be removed) secret="xxx"


> ...I removed secretRequired="true" and left secret.
> So the connector
 definition now looks like this:
>  port="8009" secret="mySecret" redirectPort="8443"
> />

 

 I'm assuming that your web-front-end is on the same
 server as your Tomcat instance, based on you having
 the address set to 127.0.0.1, correct? What do you
 have in your workers.properties file?


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Hi,  
 
Requests directly to Tomcat on port 8080 to pages within the connector-exposed
web application work fine.
For example, both of these work:
localhost:8080/exposedApplication/simple.html (viewed on the server’s browser)
my.servers.domain.com:8080/exposedApplication/simple.html (viewed anywhere else)

Requests that go through IIS and the connector to the connector-exposed
application result in a 403 error.
For example, this does not work:
https://my.servers.domain.com/exposedApplication/simple.html



This Windows 2019 setup has the following versions of tomcat, windows, etc:

Tomcat version 8.5.51
Isapi_redirect.dll version 1.2.46.0
IIS 10/Windows server 2019

I also have two older, similar Windows Server environments that work perfectly. 
They both use these versions:

Tomcat version 8.5.3 (64 bit) as a service
Isapi_redirect.dll version 1.2.40.0 64 bit
IIS 8/Windows server 2012R2


Thanks, 

Ellen

> On Feb 25, 2020, at 2:29 PM,  
>  wrote:
> 
> -Original Message-
>> From: Ellen Meiselman  
>> Sent: Tuesday, February 25, 2020 12:27 PM
>> To: Tomcat Users List 
>> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
> 
>> Hi Jon,
> 
>> The best information I have about the error is from the localhost log:
> 
>> 10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html  HTTP/1.1" 403 618
>> 10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html HTTP/1.1" 403 618
>> 10.00.00.00 - - [25/Feb/2020:10:46:24 -0500] "GET //exposedApplication/simple.html HTTP/1.1" 403 618
> 
>> On Tue, Feb 25, 2020 at 1:19 PM 
>> wrote:
> 
> 
> What do you get if you go to the Tomcat Instance directly, via the HTTP/HTTPS 
> Port, bypassing IIS?
> 


RE: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread jonmcalexander
-Original Message-
> From: Ellen Meiselman  
> Sent: Tuesday, February 25, 2020 12:27 PM
> To: Tomcat Users List 
> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

> Hi Jon,

> The best information I have about the error is from the localhost log:

> 10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html  HTTP/1.1" 403 618
> 10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html HTTP/1.1" 403 618
> 10.00.00.00 - - [25/Feb/2020:10:46:24 -0500] "GET //exposedApplication/simple.html HTTP/1.1" 403 618

> On Tue, Feb 25, 2020 at 1:19 PM 
> wrote:


What do you get if you go to the Tomcat Instance directly, via the HTTP/HTTPS 
Port, bypassing IIS?


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Hi Jon,

The best information I have about the error is from the localhost log:

10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html  HTTP/1.1" 403 618
10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html HTTP/1.1" 403 618
10.00.00.00 - - [25/Feb/2020:10:46:24 -0500] "GET //exposedApplication/simple.html HTTP/1.1" 403 618

On Tue, Feb 25, 2020 at 1:19 PM 
wrote:

> -Original Message-
> From: Ellen Meiselman 
> Sent: Tuesday, February 25, 2020 12:04 PM
> To: Tomcat Users List 
> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>
> The directory containing the dll is at $TomcatHome/isapi/
>
> I opened that wide up for testing after more secure configurations did not
> work. Don't worry - this will absolutely NOT be used for production:
> IUSR, I_USRS, and USERS all have full control.
> DefaultAppPool has everything but full control - Modify, execute, write.
>
> However, the isapi_redirect.dll's logs show that it is not getting tomcat
> errors the way it used to, so I do think it is connecting but then being
> banned by Tomcat itself.
> For example the logs used to have messages that tomcat wasn't listening on
> 8009  until I figured out that the AJP connector is now commented out by
> default in server.xml. After fixing that and a few other things, the logs
> suddenly started spitting back the complete html of the 403 error pages -
> in other words I do think it is now connecting.
>
>
>
>
> On Tue, Feb 25, 2020 at 12:54 PM 
> wrote:
>
> > What permissions are on the file containing the DLL, and Worker files?
> >
> >
> > -Original Message-
> > From: Ellen Meiselman 
> > Sent: Tuesday, February 25, 2020 11:51 AM
> > To: Tomcat Users List 
> > Subject: Re: At wits end: Difficulties with IIS ISAPI connector and
> > Tomcat
> >
> > Thank you - when I remove the secret line, save and restart Tomcat, it
> > results in the same 403 error.
> >
> > On Tue, Feb 25, 2020 at 12:34 PM André Warnier (tomcat/perl) <
> > a...@ice-sa.com>
> > wrote:
> >
> > > The workers.properties below look good to me at first sight.
> > >
> > > Just to eliminate something, could you try the following changes :
> > >
> > > 1) workers.properties :
> > > remove the line
> > >  > worker.worker1.secret="mySecret".
> > >
> > > 2) AJP Connector in tomcat :
> > >
> > >  > >  address="127.0.0.1"
> > >  port="8009"
> > >  secretRequired="false"
> > >  redirectPort="8443" />
> > >
> > > then restart tomcat and IIS.
> > > What's happening then ?
> > >
> > > Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and
> > > earlier.
> > > Before, by default, the "secret" was disabled. Since 8.5.51, by
> > > default, the secret is enabled, and you have to disable it
> > > explicitly if you don't want it (as I did above).
> > >
> > > With the settings above, we are just trying to get back to a
> > > configuration without secret, to check if that works in your case.
> > > As indicated in the documentation
> > > (http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Implementations)
> > > you can
> > > do that in your case, because the communication between IIS and
> > > Tomcat is fairly secure, since it happens all within the same host.
> > >
> > >
> > > On 25.02.2020 18:06, Ellen Meiselman wrote:
> > > > Yes, everything is on the same server.
> > > >
> > > > workers.properties:
> > > > # Set properties for worker1 (ajp13)
> > > > worker.worker1.type=ajp13
> > > > worker.worker1.host=127.0.0.1
> > > > worker.worker1.port=8009
> > > > worker.worker1.secret="mySecret".
> > > >
> > > > On Tue, Feb 25, 2020 at 11:27 AM
> > > > 
> > > > wrote:
> > > >
> > > >> -Original Message-
> > > >> From: Ellen Meiselman 
> > > >> Sent: Tuesday, February 25, 2020 10:01 AM
> > > >> To: Tomcat Users List 
> > > >> Subject: Re: At wits end: Difficulties with IIS ISAPI connector
> > > >> and
> > > Tomcat
> > > >>
> > > >>> Hi,
> > > >>
> > > >>> I've been testing, and so far, there is n

RE: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread jonmcalexander
-Original Message-
From: Ellen Meiselman  
Sent: Tuesday, February 25, 2020 12:04 PM
To: Tomcat Users List 
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

The directory containing the dll is at $TomcatHome/isapi/

I opened that wide up for testing after more secure configurations did not 
work. Don't worry - this will absolutely NOT be used for production:
IUSR, I_USRS, and USERS all have full control.
DefaultAppPool has everything but full control - Modify, execute, write.

However, the isapi_redirect.dll's logs show that it is not getting tomcat 
errors the way it used to, so I do think it is connecting but then being banned 
by Tomcat itself.
For example the logs used to have messages that tomcat wasn't listening on
8009  until I figured out that the AJP connector is now commented out by 
default in server.xml. After fixing that and a few other things, the logs 
suddenly started spitting back the complete html of the 403 error pages - in 
other words I do think it is now connecting.




On Tue, Feb 25, 2020 at 12:54 PM 
wrote:

> What permissions are on the file containing the DLL, and Worker files?
>
>
> -Original Message-
> From: Ellen Meiselman 
> Sent: Tuesday, February 25, 2020 11:51 AM
> To: Tomcat Users List 
> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and 
> Tomcat
>
> Thank you - when I remove the secret line, save and restart Tomcat, it 
> results in the same 403 error.
>
> On Tue, Feb 25, 2020 at 12:34 PM André Warnier (tomcat/perl) < 
> a...@ice-sa.com>
> wrote:
>
> > The workers.properties below look good to me at first sight.
> >
> > Just to eliminate something, could you try the following changes :
> >
> > 1) workers.properties :
> > remove the line
> >  > worker.worker1.secret="mySecret".
> >
> > 2) AJP Connector in tomcat :
> >
> >  >  address="127.0.0.1"
> >  port="8009"
> >  secretRequired="false"
> >  redirectPort="8443" />
> >
> > then restart tomcat and IIS.
> > What's happening then ?
> >
> > Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and 
> > earlier.
> > Before, by default, the "secret" was disabled. Since 8.5.51, by 
> > default, the secret is enabled, and you have to disable it 
> > explicitly if you don't want it (as I did above).
> >
> > With the settings above, we are just trying to get back to a 
> > configuration without secret, to check if that works in your case.
> > As indicated in the documentation
> > (http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Implementations)
> > you can
> > do that in your case, because the communication between IIS and 
> > Tomcat is fairly secure, since it happens all within the same host.
> >
> >
> > On 25.02.2020 18:06, Ellen Meiselman wrote:
> > > Yes, everything is on the same server.
> > >
> > > workers.properties:
> > > # Set properties for worker1 (ajp13)
> > > worker.worker1.type=ajp13
> > > worker.worker1.host=127.0.0.1
> > > worker.worker1.port=8009
> > > worker.worker1.secret="mySecret".
> > >
> > > On Tue, Feb 25, 2020 at 11:27 AM
> > > 
> > > wrote:
> > >
> > >> -Original Message-
> > >> From: Ellen Meiselman 
> > >> Sent: Tuesday, February 25, 2020 10:01 AM
> > >> To: Tomcat Users List 
> > >> Subject: Re: At wits end: Difficulties with IIS ISAPI connector 
> > >> and
> > Tomcat
> > >>
> > >>> Hi,
> > >>
> > >>> I've been testing, and so far, there is no change in the behavior.
> > >>> I am
> > >> still getting the same tomcat->based 403 error.
> > >>
> > >>> Based on what you said above...
> > >>>
> > >>> secretRequired="true" (which is the default, so it can be 
> > >>> removed) secret="xxx"
> > >>
> > >>
> > >>> ...I removed secretRequired="true" and left secret. So the 
> > >>> connector
> > >> definition now looks like this:
> > >>>  > >>>address="127.0.0.1"
> > >>>port="8009"
> > >>>secret="mySecret"
> > >>>redirectPort="8443" />
> > >>
> > >> 
> > >>
> > >> I'm assuming that your web-front-end is on the same server as 
> > >> yo

Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
No, just that I don't know how to set this particular connector up another
way. I based this on the instructions on the isapi_connector site
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
and on the 2 older servers we have which are working.

I'm sort of thinking of suggesting that we get rid of IIS entirely and
switch to Tomcat. Then we can run the necessary Java application and also
serve all the HTML items we need to using the same web server.


On Tue, Feb 25, 2020 at 1:01 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Ellen,
>
> On 2/25/20 12:55, Ellen Meiselman wrote:
> > Sorry - no, the quotes were not there except for a 5 minute test of
> > a hopeless theory that they might be needed. Right now there is no
> > secret at all in the workers.properties, and
> in the
> > ajp connector, i have secretRequired ="false". Workers.properties:
> > worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1
> > worker.worker1.port=8009
> >
> > Server.xml:  > port="8009" secretRequired="false" redirectPort="8443" />
>
> Hmm. I think we've all been operating under the assumption that the
> "secret" (by whatever name) was the source of the problem. It appears
> that was incorrect.
>
> Have a look at Jon's question about file permissions.
>
> Was this a configuration that had been working until recently, or is
> this a new configuration that you haven't (yet) been able to get working
> ?
>
> Any reason not to use HTTP(S) for your protocol instead of AJP?
>
> -chris
>
> > On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Ellen,
> >
> > On 2/25/20 12:06, Ellen Meiselman wrote:
>  Yes, everything is on the same server.
> 
>  workers.properties: # Set properties for worker1 (ajp13)
>  worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1
>  worker.worker1.port=8009 worker.worker1.secret="mySecret".
> >
> > Just so there is no confusion: your "mySecret" should have neither
> > quotes nor the trailing period.
> >
> > Are those literally in your IIS config file?
> >
> > -chris
> >
>  On Tue, Feb 25, 2020 at 11:27 AM
>   wrote:
> 
> > -Original Message- From: Ellen Meiselman
> >  Sent: Tuesday, February 25, 2020 10:01
> > AM To: Tomcat Users List  Subject:
> > Re: At wits end: Difficulties with IIS ISAPI connector and
> > Tomcat
> >
> >> Hi,
> >
> >> I've been testing, and so far, there is no change in the
> >> behavior. I am
> > still getting the same tomcat->based 403 error.
> >
> >> Based on what you said above...
> >>
> >> secretRequired="true" (which is the default, so it can
> >> be removed) secret="xxx"
> >
> >
> >> ...I removed secretRequired="true" and left secret. So
> >> the connector
> > definition now looks like this:
> >>  >> port="8009" secret="mySecret" redirectPort="8443" />
> >
> > 
> >
> > I'm assuming that your web-front-end is on the same server
> > as your Tomcat instance, based on you having the address
> > set to 127.0.0.1, correct? What do you have in your
> > workers.properties file?
> >
> 


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
The directory containing the dll is at $TomcatHome/isapi/

I opened that wide up for testing after more secure configurations did not
work. Don't worry - this will absolutely NOT be used for production:
IUSR, I_USRS, and USERS all have full control.
DefaultAppPool has everything but full control - Modify, execute, write.

However, the isapi_redirect.dll's logs show that it is not getting tomcat
errors the way it used to, so I do think it is connecting but then being
banned by Tomcat itself.
For example the logs used to have messages that tomcat wasn't listening on
8009  until I figured out that the AJP connector is now commented out by
default in server.xml. After fixing that and a few other things, the logs
suddenly started spitting back the complete html of the 403 error pages -
in other words I do think it is now connecting.




On Tue, Feb 25, 2020 at 12:54 PM 
wrote:

> What permissions are on the file containing the DLL, and Worker files?
>
>
> -Original Message-
> From: Ellen Meiselman 
> Sent: Tuesday, February 25, 2020 11:51 AM
> To: Tomcat Users List 
> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>
> Thank you - when I remove the secret line, save and restart Tomcat, it
> results in the same 403 error.
>
> On Tue, Feb 25, 2020 at 12:34 PM André Warnier (tomcat/perl) <
> a...@ice-sa.com>
> wrote:
>
> > The workers.properties below look good to me at first sight.
> >
> > Just to eliminate something, could you try the following changes :
> >
> > 1) workers.properties :
> > remove the line
> >  > worker.worker1.secret="mySecret".
> >
> > 2) AJP Connector in tomcat :
> >
> >  >  address="127.0.0.1"
> >  port="8009"
> >  secretRequired="false"
> >  redirectPort="8443" />
> >
> > then restart tomcat and IIS.
> > What's happening then ?
> >
> > Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and
> > earlier.
> > Before, by default, the "secret" was disabled. Since 8.5.51, by
> > default, the secret is enabled, and you have to disable it explicitly
> > if you don't want it (as I did above).
> >
> > With the settings above, we are just trying to get back to a
> > configuration without secret, to check if that works in your case.
> > As indicated in the documentation
> > (http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Implementations)
> > you can
> > do that in your case, because the communication between IIS and Tomcat
> > is fairly secure, since it happens all within the same host.
> >
> >
> > On 25.02.2020 18:06, Ellen Meiselman wrote:
> > > Yes, everything is on the same server.
> > >
> > > workers.properties:
> > > # Set properties for worker1 (ajp13)
> > > worker.worker1.type=ajp13
> > > worker.worker1.host=127.0.0.1
> > > worker.worker1.port=8009
> > > worker.worker1.secret="mySecret".
> > >
> > > On Tue, Feb 25, 2020 at 11:27 AM
> > > 
> > > wrote:
> > >
> > >> -Original Message-
> > >> From: Ellen Meiselman 
> > >> Sent: Tuesday, February 25, 2020 10:01 AM
> > >> To: Tomcat Users List 
> > >> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and
> > Tomcat
> > >>
> > >>> Hi,
> > >>
> > >>> I've been testing, and so far, there is no change in the behavior.
> > >>> I am
> > >> still getting the same tomcat->based 403 error.
> > >>
> > >>> Based on what you said above...
> > >>>
> > >>> secretRequired="true" (which is the default, so it can be removed)
> > >>> secret="xxx"
> > >>
> > >>
> > >>> ...I removed secretRequired="true" and left secret. So the
> > >>> connector
> > >> definition now looks like this:
> > >>>  > >>>address="127.0.0.1"
> > >>>port="8009"
> > >>>secret="mySecret"
> > >>>redirectPort="8443" />
> > >>
> > >> 
> > >>
> > >> I'm assuming that your web-front-end is on the same server as your
> > Tomcat
> > >> instance, based on you having the address set to 127.0.0.1, correct?
> > What
> > >> do you have in your workers.properties file?
> > >>
> > >
> >
> >
> > --

Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Christopher Schultz
Ellen,

On 2/25/20 12:55, Ellen Meiselman wrote:
> Sorry - no, the quotes were not there except for a 5 minute test of
> a hopeless theory that they might be needed. Right now there is no
> secret at all in the workers.properties, and in the
> ajp connector, I have secretRequired ="false". Workers.properties:
> worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1
> worker.worker1.port=8009
>
> Server.xml:  port="8009" secretRequired="false" redirectPort="8443" />

Hmm. I think we've all been operating under the assumption that the
"secret" (by whatever name) was the source of the problem. It appears
that was incorrect.

Have a look at Jon's question about file permissions.

Was this a configuration that had been working until recently, or is
this a new configuration that you haven't (yet) been able to get working
?

Any reason not to use HTTP(S) for your protocol instead of AJP?

-chris

> On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Ellen,
>
> On 2/25/20 12:06, Ellen Meiselman wrote:
 Yes, everything is on the same server.

 workers.properties: # Set properties for worker1 (ajp13)
 worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1
 worker.worker1.port=8009 worker.worker1.secret="mySecret".
>
> Just so there is no confusion: your "mySecret" should have neither
> quotes nor the trailing period.
>
> Are those literally in your IIS config file?
>
> -chris
>
 On Tue, Feb 25, 2020 at 11:27 AM
  wrote:

> -Original Message- From: Ellen Meiselman
>  Sent: Tuesday, February 25, 2020 10:01
> AM To: Tomcat Users List  Subject:
> Re: At wits end: Difficulties with IIS ISAPI connector and
> Tomcat
>
>> Hi,
>
>> I've been testing, and so far, there is no change in the
>> behavior. I am
> still getting the same tomcat-based 403 error.
>
>> Based on what you said above...
>>
>> secretRequired="true" (which is the default, so it can
>> be removed) secret="xxx"
>
>
>> ...I removed secretRequired="true" and left secret. So
>> the connector
> definition now looks like this:
>> > port="8009" secret="mySecret" redirectPort="8443" />
>
> 
>
> I'm assuming that your web-front-end is on the same server
> as your Tomcat instance, based on you having the address
> set to 127.0.0.1, correct? What do you have in your
> workers.properties file?
>


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Sorry - no, the quotes were not there except for a 5 minute test of a
hopeless theory that they might be needed.
Right now there is no secret at all in the workers.properties, and in the
ajp connector, I have secretRequired ="false".
Workers.properties:
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009

Server.xml:


On Tue, Feb 25, 2020 at 12:35 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Ellen,
>
> On 2/25/20 12:06, Ellen Meiselman wrote:
> > Yes, everything is on the same server.
> >
> > workers.properties: # Set properties for worker1 (ajp13)
> > worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1
> > worker.worker1.port=8009 worker.worker1.secret="mySecret".
>
> Just so there is no confusion: your "mySecret" should have neither
> quotes nor the trailing period.
>
> Are those literally in your IIS config file?
>
> -chris
>
> > On Tue, Feb 25, 2020 at 11:27 AM
> >  wrote:
> >
> >> -Original Message- From: Ellen Meiselman
> >>  Sent: Tuesday, February 25, 2020 10:01 AM To:
> >> Tomcat Users List  Subject: Re: At wits
> >> end: Difficulties with IIS ISAPI connector and Tomcat
> >>
> >>> Hi,
> >>
> >>> I've been testing, and so far, there is no change in the
> >>> behavior. I am
> >> still getting the same tomcat-based 403 error.
> >>
> >>> Based on what you said above...
> >>>
> >>> secretRequired="true" (which is the default, so it can be
> >>> removed) secret="xxx"
> >>
> >>
> >>> ...I removed secretRequired="true" and left secret. So the
> >>> connector
> >> definition now looks like this:
> >>>  >>> secret="mySecret" redirectPort="8443" />
> >>
> >> 
> >>
> >> I'm assuming that your web-front-end is on the same server as
> >> your Tomcat instance, based on you having the address set to
> >> 127.0.0.1, correct? What do you have in your workers.properties
> >> file?
> >>
> >


RE: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread jonmcalexander
What permissions are on the file containing the DLL, and Worker files?


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions



-Original Message-
From: Ellen Meiselman  
Sent: Tuesday, February 25, 2020 11:51 AM
To: Tomcat Users List 
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

Thank you - when I remove the secret line, save and restart Tomcat, it results 
in the same 403 error.

On Tue, Feb 25, 2020 at 12:34 PM André Warnier (tomcat/perl) 
wrote:

> The workers.properties below look good to me at first sight.
>
> Just to eliminate something, could you try the following changes :
>
> 1) workers.properties :
> remove the line
>  > worker.worker1.secret="mySecret".
>
> 2) AJP Connector in tomcat :
>
>   address="127.0.0.1"
>  port="8009"
>  secretRequired="false"
>  redirectPort="8443" />
>
> then restart tomcat and IIS.
> What's happening then ?
>
> Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and 
> earlier.
> Before, by default, the "secret" was disabled. Since 8.5.51, by 
> default, the secret is enabled, and you have to disable it explicitly 
> if you don't want it (as I did above).
>
> With the settings above, we are just trying to get back to a 
> configuration without secret, to check if that works in your case.
> As indicated in the documentation
> (
> http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Imple
> mentations)
> you can
> do that in your case, because the communication between IIS and Tomcat 
> is fairly secure, since it happens all within the same host.
>
>
> On 25.02.2020 18:06, Ellen Meiselman wrote:
> > Yes, everything is on the same server.
> >
> > workers.properties:
> > # Set properties for worker1 (ajp13)
> > worker.worker1.type=ajp13
> > worker.worker1.host=127.0.0.1
> > worker.worker1.port=8009
> > worker.worker1.secret="mySecret".
> >
> > On Tue, Feb 25, 2020 at 11:27 AM 
> > 
> > wrote:
> >
> >> -Original Message-
> >> From: Ellen Meiselman 
> >> Sent: Tuesday, February 25, 2020 10:01 AM
> >> To: Tomcat Users List 
> >> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and
> Tomcat
> >>
> >>> Hi,
> >>
> >>> I've been testing, and so far, there is no change in the behavior. 
> >>> I am
> >> still getting the same tomcat-based 403 error.
> >>
> >>> Based on what you said above...
> >>>
> >>> secretRequired="true" (which is the default, so it can be removed) 
> >>> secret="xxx"
> >>
> >>
> >>> ...I removed secretRequired="true" and left secret. So the 
> >>> connector
> >> definition now looks like this:
> >>>  >>>address="127.0.0.1"
> >>>port="8009"
> >>>secret="mySecret"
> >>>redirectPort="8443" />
> >>
> >> 
> >>
> >> I'm assuming that your web-front-end is on the same server as your
> Tomcat
> >> instance, based on you having the address set to 127.0.0.1, correct?
> What
> >> do you have in your workers.properties file?
> >>
> >
>
>


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Thank you - when I remove the secret line, save and restart Tomcat, it
results in the same 403 error.

On Tue, Feb 25, 2020 at 12:34 PM André Warnier (tomcat/perl) 
wrote:

> The workers.properties below look good to me at first sight.
>
> Just to eliminate something, could you try the following changes :
>
> 1) workers.properties :
> remove the line
>  > worker.worker1.secret="mySecret".
>
> 2) AJP Connector in tomcat :
>
>   address="127.0.0.1"
>  port="8009"
>  secretRequired="false"
>  redirectPort="8443" />
>
> then restart tomcat and IIS.
> What's happening then ?
>
> Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and
> earlier.
> Before, by default, the "secret" was disabled. Since 8.5.51, by default,
> the secret is
> enabled, and you have to disable it explicitly if you don't want it (as I
> did above).
>
> With the settings above, we are just trying to get back to a configuration
> without secret,
> to check if that works in your case.
> As indicated in the documentation
> (
> http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Implementations)
> you can
> do that in your case, because the communication between IIS and Tomcat is
> fairly secure,
> since it happens all within the same host.
>
>
> On 25.02.2020 18:06, Ellen Meiselman wrote:
> > Yes, everything is on the same server.
> >
> > workers.properties:
> > # Set properties for worker1 (ajp13)
> > worker.worker1.type=ajp13
> > worker.worker1.host=127.0.0.1
> > worker.worker1.port=8009
> > worker.worker1.secret="mySecret".
> >
> > On Tue, Feb 25, 2020 at 11:27 AM 
> > wrote:
> >
> >> -Original Message-
> >> From: Ellen Meiselman 
> >> Sent: Tuesday, February 25, 2020 10:01 AM
> >> To: Tomcat Users List 
> >> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and
> Tomcat
> >>
> >>> Hi,
> >>
> >>> I've been testing, and so far, there is no change in the behavior. I am
> >> still getting the same tomcat-based 403 error.
> >>
> >>> Based on what you said above...
> >>>
> >>> secretRequired="true" (which is the default, so it can be removed)
> >>> secret="xxx"
> >>
> >>
> >>> ...I removed secretRequired="true" and left secret. So the connector
> >> definition now looks like this:
> >>>  >>>address="127.0.0.1"
> >>>port="8009"
> >>>secret="mySecret"
> >>>redirectPort="8443" />
> >>
> >> 
> >>
> >> I'm assuming that your web-front-end is on the same server as your
> Tomcat
> >> instance, based on you having the address set to 127.0.0.1, correct?
> What
> >> do you have in your workers.properties file?
> >>
> >
>
>


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
I *think* that this would be covered by the workers.properties used by the
isapi_redirect.dll, correct?

On Tue, Feb 25, 2020 at 11:42 AM André Warnier (tomcat/perl) 
wrote:

> On 25.02.2020 17:26, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > -Original Message-
> > From: Ellen Meiselman 
> > Sent: Tuesday, February 25, 2020 10:01 AM
> > To: Tomcat Users List 
> > Subject: Re: At wits end: Difficulties with IIS ISAPI connector and
> Tomcat
> >
> >> Hi,
> >
> >> I've been testing, and so far, there is no change in the behavior. I am
> still getting the same tomcat-based 403 error.
> >
> >> Based on what you said above...
> >>
> >> secretRequired="true" (which is the default, so it can be removed)
> >> secret="xxx"
> >
> >
> >> ...I removed secretRequired="true" and left secret. So the connector
> definition now looks like this:
> >>  >>address="127.0.0.1"
> >>port="8009"
> >>secret="mySecret"
> >>redirectPort="8443" />
> >
> > 
> >
> > I'm assuming that your web-front-end is on the same server as your
> Tomcat instance, based on you having the address set to 127.0.0.1, correct?
> What do you have in your workers.properties file?
>
> addendum : .. on the IIS side of things.
> There should be the same "secret" there.
>
>


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Christopher Schultz

Ellen,

On 2/25/20 12:06, Ellen Meiselman wrote:
> Yes, everything is on the same server.
>
> workers.properties: # Set properties for worker1 (ajp13)
> worker.worker1.type=ajp13 worker.worker1.host=127.0.0.1
> worker.worker1.port=8009 worker.worker1.secret="mySecret".

Just so there is no confusion: your "mySecret" should have neither
quotes nor the trailing period.

Are those literally in your IIS config file?

-chris

> On Tue, Feb 25, 2020 at 11:27 AM
>  wrote:
>
>> -Original Message- From: Ellen Meiselman
>>  Sent: Tuesday, February 25, 2020 10:01 AM To:
>> Tomcat Users List  Subject: Re: At wits
>> end: Difficulties with IIS ISAPI connector and Tomcat
>>
>>> Hi,
>>
>>> I've been testing, and so far, there is no change in the
>>> behavior. I am
>> still getting the same tomcat-based 403 error.
>>
>>> Based on what you said above...
>>>
>>> secretRequired="true" (which is the default, so it can be
>>> removed) secret="xxx"
>>
>>
>>> ...I removed secretRequired="true" and left secret. So the
>>> connector
>> definition now looks like this:
>>> >> secret="mySecret" redirectPort="8443" />
>>
>> 
>>
>> I'm assuming that your web-front-end is on the same server as
>> your Tomcat instance, based on you having the address set to
>> 127.0.0.1, correct? What do you have in your workers.properties
>> file?
>>
>



Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread tomcat/perl

The workers.properties below look good to me at first sight.

Just to eliminate something, could you try the following changes :

1) workers.properties :
remove the line
> worker.worker1.secret="mySecret".

2) AJP Connector in tomcat :



then restart tomcat and IIS.
What's happening then ?

Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and earlier.
Before, by default, the "secret" was disabled. Since 8.5.51, by default, the secret is 
enabled, and you have to disable it explicitly if you don't want it (as I did above).


With the settings above, we are just trying to get back to a configuration without secret, 
to check if that works in your case.
As indicated in the documentation 
(http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Implementations) you can 
do that in your case, because the communication between IIS and Tomcat is fairly secure, 
since it happens all within the same host.



On 25.02.2020 18:06, Ellen Meiselman wrote:

Yes, everything is on the same server.

workers.properties:
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret="mySecret".

On Tue, Feb 25, 2020 at 11:27 AM 
wrote:


-Original Message-
From: Ellen Meiselman 
Sent: Tuesday, February 25, 2020 10:01 AM
To: Tomcat Users List 
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat


Hi,



I've been testing, and so far, there is no change in the behavior. I am

still getting the same tomcat-based 403 error.


Based on what you said above...

secretRequired="true" (which is the default, so it can be removed)
secret="xxx"




...I removed secretRequired="true" and left secret. So the connector

definition now looks like this:






I'm assuming that your web-front-end is on the same server as your Tomcat
instance, based on you having the address set to 127.0.0.1, correct? What
do you have in your workers.properties file?






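The checks discussed in the two replies above (the same secret on both sides, no quotes or trailing period in workers.properties, and `secretRequired="false"` only for a same-host connector) can be automated. This is an added example, not part of the original thread or of Tomcat or mod_jk: the sample inputs are constructed, and the `<Server>`/`<Service>` wrapper, the finding codes and the port fallback are assumptions of the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the settings quoted in this thread.
# The <Server>/<Service> wrapper is an assumption so the fragment parses.
SAMPLE_WORKERS = """\
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret="mySecret".
"""

SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
               secret="mySecret" redirectPort="8443" />
  </Service>
</Server>
"""


def parse_workers(text):
    """Return {worker_name: {property: value}} from workers.properties text."""
    workers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.strip().split(".")
        if len(parts) == 3 and parts[0] == "worker":
            workers.setdefault(parts[1], {})[parts[2]] = value.strip()
    return workers


def ajp_connectors(server_xml):
    """Return the attribute dicts of every AJP <Connector> in server.xml."""
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector")
            if "ajp" in c.attrib.get("protocol", "").lower()]


def is_loopback(address):
    """True only when the address is explicitly a loopback address."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address == "localhost"


def check(workers_text, server_xml):
    """Return [(code, detail)] findings; an empty list means both sides agree.

    Secret values are never echoed in the findings.
    """
    findings = []
    by_port = {c.get("port"): c for c in ajp_connectors(server_xml)}
    for name, props in parse_workers(workers_text).items():
        if props.get("type") != "ajp13":
            continue
        port = props.get("port", "8009")  # fallback port is an assumption
        conn = by_port.get(port)
        if conn is None:
            findings.append(("NO_CONNECTOR",
                             f"{name}: no AJP connector on port {port}"))
            continue
        w_secret = props.get("secret", "")
        c_secret = conn.get("secret", "")
        required = conn.get("secretRequired", "true").strip().lower() != "false"
        # Quotes or a trailing period become part of the secret that is sent.
        if w_secret and (w_secret[0] in "\"'" or w_secret[-1] in "\"'."):
            findings.append(("SUSPECT_CHARS",
                             f"{name}: secret has quotes or a trailing period"))
        if w_secret != c_secret:
            findings.append(("MISMATCH",
                             f"{name}: secret differs from connector on port {port}"))
        # Required by default since 8.5.51 (per the thread), so it must be set.
        if required and not c_secret:
            findings.append(("SECRET_MISSING",
                             f"port {port}: secretRequired is true but no secret is set"))
        # Running without a secret is only argued for on a same-host setup.
        if not c_secret and not required and not is_loopback(conn.get("address", "")):
            findings.append(("OPEN_NO_SECRET",
                             f"port {port}: secret disabled and address is not loopback"))
    return findings


if __name__ == "__main__":
    for code, detail in check(SAMPLE_WORKERS, SAMPLE_SERVER_XML):
        print(code, detail)
```

An empty result only says the two files are consistent with each other; it does not rule out other causes of a 403, such as the file permissions raised elsewhere in the thread.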



Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Yes, everything is on the same server.

workers.properties:
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret="mySecret".

On Tue, Feb 25, 2020 at 11:27 AM 
wrote:

> -Original Message-
> From: Ellen Meiselman 
> Sent: Tuesday, February 25, 2020 10:01 AM
> To: Tomcat Users List 
> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>
> >Hi,
>
> >I've been testing, and so far, there is no change in the behavior. I am
> still getting the same tomcat-based 403 error.
>
> >Based on what you said above...
> >
> > secretRequired="true" (which is the default, so it can be removed)
> > secret="xxx"
>
>
> >...I removed secretRequired="true" and left secret. So the connector
> definition now looks like this:
> > >   address="127.0.0.1"
> >   port="8009"
> >   secret="mySecret"
> >   redirectPort="8443" />
>
> 
>
> I'm assuming that your web-front-end is on the same server as your Tomcat
> instance, based on you having the address set to 127.0.0.1, correct? What
> do you have in your workers.properties file?
>


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread tomcat/perl

On 25.02.2020 17:26, jonmcalexan...@wellsfargo.com.INVALID wrote:

-Original Message-
From: Ellen Meiselman 
Sent: Tuesday, February 25, 2020 10:01 AM
To: Tomcat Users List 
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat


Hi,



I've been testing, and so far, there is no change in the behavior. I am still 
getting the same tomcat-based 403 error.



Based on what you said above...

secretRequired="true" (which is the default, so it can be removed)
secret="xxx"




...I removed secretRequired="true" and left secret. So the connector definition 
now looks like this:





I'm assuming that your web-front-end is on the same server as your Tomcat 
instance, based on you having the address set to 127.0.0.1, correct? What do 
you have in your workers.properties file?


addendum : .. on the IIS side of things.
There should be the same "secret" there.





RE: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread jonmcalexander
-Original Message-
From: Ellen Meiselman  
Sent: Tuesday, February 25, 2020 10:01 AM
To: Tomcat Users List 
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

>Hi,

>I've been testing, and so far, there is no change in the behavior. I am still 
>getting the same tomcat-based 403 error.

>Based on what you said above...
>
> secretRequired="true" (which is the default, so it can be removed) 
> secret="xxx"


>...I removed secretRequired="true" and left secret. So the connector 
>definition now looks like this:
>   address="127.0.0.1"
>   port="8009"
>   secret="mySecret"
>   redirectPort="8443" />



I'm assuming that your web-front-end is on the same server as your Tomcat 
instance, based on you having the address set to 127.0.0.1, correct? What do 
you have in your workers.properties file?


Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Ellen Meiselman
Hi,

I've been testing, and so far, there is no change in the behavior. I am
still getting the same tomcat-based 403 error.

Based on what you said above...
>
> secretRequired="true" (which is the default, so it can be removed)
> secret="xxx"


...I removed secretRequired="true" and left secret. So the connector
definition now looks like this:



I've also carefully checked the workers.properties and server.xml to be
sure that "mySecret" is exactly the same in both places, and that the
correct worker is mapped to that directory. The only difference is that
there are no quotes around the secret password in workers.properties.

I also tried adding secretRequired="false" - wouldn't that eliminate the
secret as an issue? But I still get the 403 error.

The only really odd thing - at least I think it is odd - is that the error
shows up in what I think is the wrong log. I set up logs for both hosts -
one is called localhost_access_log.2020-02-25.txt which is used for hits to
localhost, at least as I understand it. The
other, 127_0_01_access_log.2020-02-25.txt,  should be used for the AJP
connector, but is empty. Here's a sample.

10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html  HTTP/1.1" 403 618
10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html HTTP/1.1" 403 618
10.00.00.00 - - [25/Feb/2020:10:46:24 -0500] "GET //exposedApplication/simple.html HTTP/1.1" 403 618

One person requested a trace, but I'm not sure how to do that.

Thank you,

Ellen

On Mon, Feb 24, 2020 at 4:04 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Chris,
>
> On 2/24/20 15:53, Chris Cheshire wrote:
> > On Mon, Feb 24, 2020 at 3:19 PM Ellen Meiselman 
> > wrote:
> >>
> >> Hi,
> >>
> >> I’m having a lot of trouble configuring the isapi_redirect
> >> connector between IIS and Tomcat. I am running out of ideas so
> >> it’s time to ask for help from the experts. I think the problems
> >> remaining are in the tomcat configuration area, not the IIS area
> >> anymore.
> >>
> >> What’s wrong: The ISAPI module appears to be working and
> >> correctly sending AJP requests to Tomcat on port 8009, at which
> >> point Tomcat refuses those requests with a 403 error. The
> >> isapi_redirect.log shows the complete content of the tomcat
> >> response, and no longer shows any errors - in other words, it
> >> thinks it is working.
> >>
> >> Text of the 403 error:
> >>
> >> HTTP Status 403 – Forbidden Type Status Report Description The
> >> server understood the request but refuses to authorize it. Apache
> >> Tomcat/8.5.51
> >>
> >>
> >> What does work: Requests directly to Tomcat on port 8080 to pages
> >> within the connector-exposed web application work fine. For
> >> example, both of these work:
> >> localhost:8080/exposedApplication/simple.html. (viewed on the
> >> server’s browser)
> >> my.servers.domain.com:8080/exposedApplication/simple.html (viewed
> >> anywhere else)
> >>
> >>
> >> What does not work: Requests that go through IIS and the
> >> connector to the connector-exposed application result in a 403
> >> error. For example, this does not work:
> >> https:my.servers.domain.com/exposedApplication/simple.html
> >>
> >>
> >> This Windows 2019 setup has the following versions of tomcat,
> >> windows, etc:
> >>
> >> Tomcat version 8.5.51 Isapi_redirect.dll version 1.2.46.0 IIS
> >> 10/Windows server 2019
> >>
> >> I also have two older, similar Windows Server environments that
> >> work perfectly. They both use these versions:
> >>
> >> Tomcat version 8.5.3 (64 bit) as a service Isapi_redirect.dll
> >> version 1.2.40.0 64 bit IIS 8/Windows server 2012R2
> >>
> >>
> >> The component versions between the working and non-working
> >> environments are slightly different, and I think that might be
> >> the source of the problem - there are probably new configuration
> >> requirements that I need to be aware of. I started with the
> >> settings used in the working environments and found that some
> >> things needed to be changed to get the connector to work at all.
> >> For example I had to specify an iPv4 address for the connector
> >> where I didn’t need to before.
> >>
> >> My theories at the moment: 1. Maybe
> >> allowedRequestAttributesPattern is a problem? I saw a note about
> >> the allowedRequestAttributesPattern attribute for the AJP
> >> connector possibly causing a 403 error, but I don’t understand
> >> how to use it or if it is needed. 2. It’s possible that something
> >> in the Tomcat permissions settings are wrong, but I really don’t
> >> know where to look.
> >>
> >>
> >> Relevant configuration settings in server.xml, workers.properties
> >> and uriworkermap.properties:
> >>
> >> server.xml
> >>
> >>   >> protocol="AJP/1.3”  address=“127.0.0.1" port="8009"
> >> requiredSecret="true"  secret=“" redirectPort="8443" />
> >>
> >>  >> autoDeploy="true">  >> className="org.apache.catalina.valves.Access

Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

2020-02-25 Thread Christopher Schultz

Ellen,

On 2/24/20 17:33, Ellen Meiselman wrote:
> Wow, I think I’ve gotten more help in 10 minutes from this users
> group than in 2 weeks from anywhere else I’ve tried.

Welcome to the community :)

There are tons of real people here who want others to succeed. So
please stick around.

Thanks,
-chris

>> On Feb 24, 2020, at 3:42 PM, Mark Thomas 
>> wrote:
>>
>> On 24/02/2020 20:19, Ellen Meiselman wrote:
>>> Hi,
>>>
>>> I’m having a lot of trouble configuring the isapi_redirect
>>> connector between IIS and Tomcat. I am running out of ideas so
>>> it’s time to ask for help from the experts. I think the
>>> problems remaining are in the tomcat configuration area, not
>>> the IIS area anymore.
>>>
>>> What’s wrong: The ISAPI module appears to be working and
>>> correctly sending AJP requests to Tomcat on port 8009, at which
>>> point Tomcat refuses those requests with a 403 error. The
>>> isapi_redirect.log shows the complete content of the tomcat
>>> response, and no longer shows any errors - in other words, it
>>> thinks it is working.
>>
>> I'd agree. If you see a response back from Tomcat then IIS is
>> working.
>>
>> You should also see an entry in the access log.
>>
>>> Text of the 403 error:
>>>
>>> HTTP Status 403 – Forbidden Type Status Report Description The
>>> server understood the request but refuses to authorize it.
>>> Apache Tomcat/8.5.51
>>
>> OK. That also indicates that IIS is passing the request to
>> Tomcat correctly processing the response.
>>
>> 
>>
>>> This Windows 2019 setup has the following versions of tomcat,
>>> windows, etc:
>>>
>>> Tomcat version 8.5.51 Isapi_redirect.dll version 1.2.46.0 IIS
>>> 10/Windows server 2019
>>
>> Thank you. It really helps when people provide that information.
>> It saves a lot of time.
>>
>> 
>>
>>> My theories at the moment: 1. Maybe
>>> allowedRequestAttributesPattern is a problem? I saw a note
>>> about the allowedRequestAttributesPattern attribute for the AJP
>>> connector possibly causing a 403 error, but I don’t understand
>>> how to use it or if it is needed. 2. It’s possible that
>>> something in the Tomcat permissions settings are wrong, but I
>>> really don’t know where to look.
>>
>> You shouldn't need to set allowedRequestAttributesPattern.
>>
>> I think it might be Tomcat configuration. And again, very
>> helpfully, we have ...
>>
>>> Relevant configuration settings in server.xml,
>>> workers.properties and uriworkermap.properties:
>>>
>>> server.xml
>>>
>>>  >> protocol="AJP/1.3”  address=“127.0.0.1" port="8009"
>>> requiredSecret="true"  secret=“" redirectPort="8443" />
>>>
>>>
>>> >> autoDeploy="true"> >> className="org.apache.catalina.valves.AccessLogValve"
>>> directory="logs" prefix="localhost_access_log" suffix=".txt"
>>> pattern="%h %l %u %t "%r" %s %b" /> 
>>>
>>> >> autoDeploy="true"> >> className="org.apache.catalina.valves.AccessLogValve"
>>> directory="logs" prefix="127_0_01_access_log" suffix=".txt"
>>> pattern="%h %l %u %t "%r" %s %b" /> 
>>>
>>>
>>> workers.properties
>>>
>>> # Set properties for worker1 (ajp13) worker.worker1.type=ajp13
>>> worker.worker1.host=127.0.0.1 worker.worker1.port=8009
>>> worker.worker1.secret=
>>>
>>>
>>> uriworkermap.properties /exposedApplication/*=worker1
>>>
>>>
>>> Any suggestions or new directions will be welcome.
>>
>> My best guess would be that the value for secret is not the same
>> between workers.properties and Tomcat.
>>
>> I have a 2019 server test environment. I'll try and replicate
>> what you have with a clean 8.5.51 install and the examples
>> application and see what happens.
>>
>> Mark
>>