tomcat-users mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Tomcat 6.0.18/ IIS 6.0 /SSL
Date Thu, 05 Aug 2010 08:12:45 GMT
See below

On 04.08.2010 22:17, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Rainer,
> Do you have a suggestion? Do I need to change my worker.properties? Sorry,
> I'm new to Tomcat, I appreciate your help.
>
> -----Original Message-----
> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
> Sent: Wednesday, August 04, 2010 4:09 PM
> To: Tomcat Users List
> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>
> On 04.08.2010 21:50, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
>> I did read your post and I changed the Port Number.
>>
>> "<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />  This
>> connector should be used depending on your redirector config which we
>> haven't seen yet
>>
>> Here is my workers.properties:
>>
>> worker.list=worker1
>> worker.worker1.type=ajp13
>> worker.worker1.host=127.0.0.1
>> worker.worker1.port=8009
>>
>> Here is my uriworkermap.properties:
>>
>> /geoportal|/*=worker1
>
> This didn't work, since the log snippet said it tried to use a worker named
> "ajp13", not "worker1".

"This" = uriworkermap.properties.

So what did you do to let IIS find your uriworkermap.properties?
Can we be sure that works? Does your redirector debug log file indicate

- that it finds and reads the right uriworkermap.properties file
- that it finds the right map in there and thus tries to use a worker 
named "worker1"
- is your request URL actually starting with "/geoportal/" or equal to 
"geoportal"? What is the URL you are testing with?

Regards,

Rainer

>> -----Original Message-----
>> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
>> Sent: Wednesday, August 04, 2010 3:40 PM
>> To: Tomcat Users List
>> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>>
>> On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
>>> Jung,
>>> I'm still getting the errors.
>>
>> Why shouldn't you?
>> Did you actually read my post?
>> Which parts didn't you understand?
>>
>>> <Connector port="8080" protocol="Java HTTP"   ----What protocol should I use
>>> here (do not want to expose)
>>>                   connectionTimeout="20000"
>>>                   redirectPort="80" />
>>
>> This connector is *not* involved when using
>>
>> Browser ->   IIS/Redirector ->   Tomcat
>>
>>>        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>> -------------Does this look right?
>>>                   maxThreads="150" scheme="https" secure="true"
>>>                   clientAuth="false" sslProtocol="TLSv1"
>>>                   keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf\cert.pfx"
>>>                   keystorePass="password"
>>>                   keystoreType="pkcs12" />
>>
>> This one neither.
>>
>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>> -----------------Is this where my actual authentication is taking place?
>> This connector should be used depending on your redirector config
>> which we haven't seen yet.
>>
>> The error message you provided doesn't have to do with authentication.
>> Authentication problems might show up after you solved your worker
>> configuration problem. Until now your IIS doesn't even talk to Tomcat.
>>
>> Regards,
>>
>> Rainer
>>
>>>
>>> -----Original Message-----
>>> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
>>> Sent: Wednesday, August 04, 2010 1:38 PM
>>> To: Tomcat Users List
>>> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>>>
>>> On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
>>>>
>>>>
>>>> I am trying to get Tomcat and IIS configured on my secure web server
>>>> (SSL) so that I can access my deployed web application via https and
>>>> NOT over http. Connection to non-SSL works, but I cannot have that
>>>> connection due to security.
>>>>
>>>> I want to run Tomcat through IIS, and I have configured it using the
>>>> isapi_redirect.dll (thanks to Electronjockey). However, when I try
>>>> and hit my https://site/geoportal<https://site/geoportal>    my
>>>> credentials do not carry me through to the web application, instead
>>>> I receive "Internet Explorer Cannot Display Webpage". Can someone
>>>> help me out on how to configure my server.xml and interpretting my
>>>> log files
>> please?
>>>> I have even tried to export my server certificate, and call it using
>>>> the keystore:"", still not working. I'm a Tomcat green horn, any
>>>> help would be awesome.
>>>>
>>>> Isapi_redirect.log file: Looks like some sort of authentication is
>>>> being passed, then the ajp13 is not found?
>>>>
>>>> [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70 addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll
>>>>
>>>> [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c (3120): Service request headers=5 attributes=9 chunked=no content-length=0 available=0
>>>>
>>>> [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116): did not find a worker ajp13
>>>> [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c (2162): could not get a worker for name ajp13
>>>> [Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c (2210): could not get a worker for name ajp13
>>>
>>> Hard to tell without knowing the version of the isapi redirector, not
>>> having your configuration. This looks like:
>>>
>>> - it is trying to use a worker named ajp13 to connect to Tomcat. Likely
>>> you have configured the redirector to use this worker within your
>>> uriworkermap.properties file
>>>
>>> - the redirector doesn't know how to use this worker. Either you are
>>> missing the workers.properties configuration file or there is no
>>> definition for a worker named ajp13 in the file.
>>>
>>> A good starting point for a workers.properties file is the example
>>> file contained in the source distribution of version 1.2.30. Please
>>> do also use this version of the redirector.
>>>
>>> Note: from the point of view of Tomcat it doesn't really matter
>>> whether you are talking http or https in the browser. This protocol
>>> is only used between the browser and IIS. Between IIS and Tomcat when
>>> using the isapi redirector the protocol is always AJP13 (it is just
>>> coincidence, that this is the same name as the name of the worker in
>>> your logs). The protocol is similar to HTTP but binary and it
>>> transports the information whether the browser used http or https, so
>>> Tomcat is aware of this. This protocol does not use the http or https
>>> connectors in server.xml, only the AJP13 connector.
>>>
>>>> Here is the meat of my server.xml (pretty sure it's wrong):
>>>>
>>>> <!-- A "Connector" represents an endpoint by which requests are
>>>> received and responses are returned. Documentation at :
>>>> Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
>>>> Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector:
>>>> /docs/apr.html Define a non-SSL HTTP/1.1 Connector on port 8080
>>>> -->
>>>> <Connector port="8080" protocol="HTTP/1.1"
>>>> connectionTimeout="20000"
>>>> redirectPort="80" />
>>>> <!-- A "Connector" using the shared thread pool-->
>>>>
>>>> <Connector executor="tomcatThreadPool"
>>>> port="8009" protocol="HTTP/1.1"
>>>> connectionTimeout="20000"
>>>> redirectPort="443" />
>>>>
>>>> <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector
>>>> uses the JSSE configuration, when using APR, the connector should be
>>>> using the OpenSSL style configuration described in the APR
>>>> documentation
>>>> -->
>>>>
>>>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>>> maxThreads="150" scheme="https" secure="true"
>>>> clientAuth="false" sslProtocol="TLSv1"
>>>> keystoreFile="C:\Program Files (x86)\Apache Software
>>>> Foundation\Tomcat 6.0\conf\cert.pfx"
>>>> keystorePass="mypassword"
>>>> keystoreType="pkcs12" />
>>>>
>>>> <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>>
>>> Two connectors, both on port 8009, will not work. Use the latter one.
>>>
>>> Regards,
>>>
>>> Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
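
A consistency check for the three files discussed in this thread, as an added example that is not part of the original messages or of the Tomcat Connectors project: it verifies that every worker named in uriworkermap.properties is listed in workers.properties, that the worker's port has an AJP connector in server.xml, that no port is claimed by two connectors, and that the test URL matches a map rule. The sample strings are constructed from the snippets quoted above; the function names, the `/geoportal|/*=ajp13` map used in the demo call, and the fnmatch-style wildcard matching are assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed samples modelled on the files quoted in the thread.
WORKERS = (
    "worker.list=worker1\nworker.worker1.type=ajp13\n"
    "worker.worker1.host=127.0.0.1\nworker.worker1.port=8009\n")
SERVER_XML = """<Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="80" />
  <Connector port="8009" protocol="HTTP/1.1" redirectPort="443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service>"""

def parse_props(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    lines = [l.strip() for l in text.splitlines()]
    pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def expand_rules(urimap_text):
    """Expand '/ctx|/*=w' into the two rules '/ctx' and '/ctx/*'."""
    rules = []
    for pattern, worker in parse_props(urimap_text).items():
        base, bar, suffix = pattern.partition("|")
        rules.append((base, worker))
        if bar:
            rules.append((base + suffix, worker))
    return rules

def check(workers_text, urimap_text, server_xml, test_url):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    workers = parse_props(workers_text)
    rules = expand_rules(urimap_text)
    listed = {w.strip() for w in workers.get("worker.list", "").split(",")}
    conns = [(c.get("port"), c.get("protocol", "HTTP/1.1"))
             for c in ET.fromstring(server_xml).iter("Connector")]
    ports = [p for p, _ in conns]
    for port in sorted({p for p in ports if ports.count(p) > 1}):
        problems.append(f"port {port}: more than one Connector")
    ajp_ports = {p for p, proto in conns if proto.startswith("AJP")}
    for pattern, worker in rules:
        if worker not in listed:
            problems.append(f"{pattern}: worker {worker} not in worker.list")
        elif workers.get(f"worker.{worker}.port", "8009") not in ajp_ports:
            problems.append(f"{pattern}: worker {worker} has no AJP connector")
    if not any(fnmatch.fnmatchcase(test_url, p) for p, _ in rules):
        problems.append(f"{test_url}: no map rule matches")
    return problems
```

Calling `check(WORKERS, "/geoportal|/*=ajp13", SERVER_XML, "/geoportal/")` reports the duplicate port 8009 and the unknown worker; with the map pointing at `worker1` and only the AJP connector on 8009 it returns an empty list.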

