tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00" <jason.t.hansel....@navy.mil>
Subject RE: Tomcat 6.0.18/ IIS 6.0 /SSL
Date Thu, 05 Aug 2010 13:15:17 GMT
Rainer,
Thanks again for being patient with me. I've seen some different behavior
this morning. When I am trying to access my page, I get "Service Temporary
Unavailable", which is better than what I was receiving.

[Thu Aug 05 09:12:49.655 2010] [10216:8452] [debug] jk_uri_worker_map.c
(1036): Attempting to map URI '/geoweb1b.eims.local/geoportal' from 2 maps
[Thu Aug 05 09:12:49.686 2010] [10216:8452] [debug] jk_uri_worker_map.c
(850): Attempting to map context URI '/geoportal/*=worker1' source
'uriworkermap'
[Thu Aug 05 09:12:49.702 2010] [10216:8452] [debug] jk_uri_worker_map.c
(850): Attempting to map context URI '/geoportal=worker1' source
'uriworkermap'
[Thu Aug 05 09:12:49.733 2010] [10216:8452] [debug] jk_uri_worker_map.c
(850): Attempting to map context URI '/geoportal/*=worker1' source
'uriworkermap'
[Thu Aug 05 09:12:49.749 2010] [10216:8452] [debug] jk_uri_worker_map.c
(850): Attempting to map context URI '/geoportal=worker1' source
'uriworkermap'
[Thu Aug 05 09:12:49.764 2010] [10216:8452] [debug] jk_uri_worker_map.c
(873): Found an exact match '/geoportal=worker1'
[Thu Aug 05 09:12:49.780 2010] [10216:8452] [debug] jk_isapi_plugin.c
(1916): check if [/geoportal] points to the web-inf directory
[Thu Aug 05 09:12:49.795 2010] [10216:8452] [debug] jk_isapi_plugin.c
(1932): [/geoportal] is a servlet url - should redirect to worker1
[Thu Aug 05 09:12:49.811 2010] [10216:8452] [debug] jk_isapi_plugin.c
(1972): fowarding escaped URI [/geoportal]
[Thu Aug 05 09:12:49.827 2010] [10216:8452] [debug] jk_worker.c (339):
Maintaining worker worker1
[Thu Aug 05 09:12:49.842 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2792): Reading extension header HTTP_TOMCATWORKER6A6B0000: worker1
[Thu Aug 05 09:12:49.858 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2793): Reading extension header HTTP_TOMCATWORKERIDX6A6B0000: 1
[Thu Aug 05 09:12:49.889 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2794): Reading extension header HTTP_TOMCATURI6A6B0000: /geoportal
[Thu Aug 05 09:12:49.905 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2795): Reading extension header HTTP_TOMCATQUERY6A6B0000: (null)
[Thu Aug 05 09:12:49.920 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2850): Applying service extensions
[Thu Aug 05 09:12:49.936 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2930): Client Certificate encoding:1 sz:1022 flags:1
[Thu Aug 05 09:12:49.952 2010] [10216:8452] [debug] jk_isapi_plugin.c
(3108): Service protocol=HTTP/1.1 method=GET host=150.xxx.xx.xx
addr=150.xxx.xx.xx name=myserver.server.local port=443 auth=SSL/PCT
user=EIMS\john.doe uri=/geoportal
[Thu Aug 05 09:12:49.967 2010] [10216:8452] [debug] jk_isapi_plugin.c
(3120): Service request headers=8 attributes=9 chunked=no content-length=0
available=0
[Thu Aug 05 09:12:49.983 2010] [10216:8452] [debug] jk_worker.c (116): found
a worker worker1
[Thu Aug 05 09:12:49.999 2010] [10216:8452] [debug] jk_isapi_plugin.c
(2162): got a worker for name worker1
[Thu Aug 05 09:12:50.030 2010] [10216:8452] [debug] jk_ajp_common.c (3093):
acquired connection pool slot=0 after 0 retries
[Thu Aug 05 09:12:50.045 2010] [10216:8452] [debug] jk_ajp_common.c (605):
ajp marshaling done
[Thu Aug 05 09:12:50.061 2010] [10216:8452] [debug] jk_ajp_common.c (2376):
processing worker1 with 2 retries
[Thu Aug 05 09:12:50.077 2010] [10216:8452] [debug] jk_ajp_common.c (1579):
(worker1) all endpoints are disconnected.
[Thu Aug 05 09:12:50.092 2010] [10216:8452] [debug] jk_connect.c (480):
socket TCP_NODELAY set to On
[Thu Aug 05 09:12:50.108 2010] [10216:8452] [debug] jk_connect.c (604):
trying to connect socket 712 to 127.0.0.1:8009
[Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_connect.c (622):
connect to 127.0.0.1:8009 failed (errno=61)
[Thu Aug 05 09:12:51.061 2010] [10216:8452] [info] jk_ajp_common.c (959):
Failed opening socket to (127.0.0.1:8009) (errno=61)
[Thu Aug 05 09:12:51.092 2010] [10216:8452] [error] jk_ajp_common.c (1585):
(worker1) connecting to backend failed. Tomcat is probably not started or is
listening on the wrong port (errno=61)
[Thu Aug 05 09:12:51.108 2010] [10216:8452] [info] jk_ajp_common.c (2540):
(worker1) sending request to tomcat failed (recoverable), because of error
during request sending (attempt=1)
[Thu Aug 05 09:12:51.124 2010] [10216:8452] [debug] jk_ajp_common.c (2397):
retry 1, sleeping for 100 ms before retrying
[Thu Aug 05 09:12:51.249 2010] [10216:8452] [debug] jk_ajp_common.c (1579):
(worker1) all endpoints are disconnected.
[Thu Aug 05 09:12:51.249 2010] [10216:8452] [debug] jk_connect.c (480):
socket TCP_NODELAY set to On
[Thu Aug 05 09:12:51.280 2010] [10216:8452] [debug] jk_connect.c (604):
trying to connect socket 712 to 127.0.0.1:8009
[Thu Aug 05 09:12:52.264 2010] [10216:8452] [info] jk_connect.c (622):
connect to 127.0.0.1:8009 failed (errno=61)
[Thu Aug 05 09:12:52.280 2010] [10216:8452] [info] jk_ajp_common.c (959):
Failed opening socket to (127.0.0.1:8009) (errno=61)
[Thu Aug 05 09:12:52.295 2010] [10216:8452] [error] jk_ajp_common.c (1585):
(worker1) connecting to backend failed. Tomcat is probably not started or is
listening on the wrong port (errno=61)
[Thu Aug 05 09:12:52.311 2010] [10216:8452] [info] jk_ajp_common.c (2540):
(worker1) sending request to tomcat failed (recoverable), because of error
during request sending (attempt=2)
[Thu Aug 05 09:12:52.327 2010] [10216:8452] [error] jk_ajp_common.c (2559):
(worker1) connecting to tomcat failed.
[Thu Aug 05 09:12:52.342 2010] [10216:8452] [error] jk_isapi_plugin.c
(2195): service() failed with http error 503
[Thu Aug 05 09:12:52.374 2010] [10216:8452] [debug] jk_ajp_common.c (757):
(worker1) resetting endpoint with sd = 4294967295 (socket shutdown)
[Thu Aug 05 09:12:52.389 2010] [10216:8452] [debug] jk_ajp_common.c (3010):
recycling connection pool slot=0 for worker worker1 

-----Original Message-----
From: Rainer Jung [mailto:rainer.jung@kippdata.de] 
Sent: Thursday, August 05, 2010 4:13 AM
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL

See below

On 04.08.2010 22:17, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> Rainer,
> Do you have a suggestion? Do I need to change my worker.properties? 
> Sorry, I'm new to Tomcat, I appreciate your help.
>
> -----Original Message-----
> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
> Sent: Wednesday, August 04, 2010 4:09 PM
> To: Tomcat Users List
> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>
> On 04.08.2010 21:50, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
wrote:
>> I did read your post and I changed the Port Number.
>>
>> "<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />  
>> This connector should be used depending on your redirector config 
>> which we haven't seen yet
>>
>> Here is my workers.properties:
>>
>> worker.list=worker1
>> worker.worker1.type=ajp13
>> worker.worker1.host=127.0.0.1
>> worker.worker1.port=8009
>>
>> Here is my uriworkermap.properties:
>>
>> /geoportal|/*=worker1
>
> This didn't work, since the log snippet said it tried to use a worker 
> named "ajp13", not "worker1".

"This" = uriworkermap.properties.

So what did you do to let IIS find your uriworkermap.properties?
Can we be sure that works? Does your redirector debug log file indicate

- that it finds and reads the right uriworkermap.properties file
- that it finds the right map in there and thus tries to use a worker named
"worker1"
- is your request URL actually starting with "/geoportal/" or equal to
"geoportal"? What is the URL you are testing with?

Regards,

Rainer

>> -----Original Message-----
>> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
>> Sent: Wednesday, August 04, 2010 3:40 PM
>> To: Tomcat Users List
>> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>>
>> On 04.08.2010 20:58, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
> wrote:
>>> Jung,
>>> I'm still getting the errors.
>>
>> Why shouldn't you?
>> Did you actually read my post?
>> Which parts didn't you understand?
>>
>>> <Connector port="8080" protocol="Java HTTP"   ----What protocol should I
>> use
>>> here (do not want to expose)
>>>                   connectionTimeout="20000"
>>>                   redirectPort="80" />
>>
>> This connector is *not* involved when using
>>
>> Browser ->   IIS/Redirector ->   Tomcat
>>
>>>        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>> -------------Does this look right?
>>>                   maxThreads="150" scheme="https" secure="true"
>>>                   clientAuth="false" sslProtocol="TLSv1"
>>>       		   keystoreFile="C:\Program Files (x86)\Apache
> Software
>>> Foundation\Tomcat 6.0\conf\cert.pfx"
>>>                   keystorePass="password"
>>> 		   keystoreType="pkcs12" />
>>
>> This one neither.
>>
>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> 
>>> -----------------Is this where my actual authentication is taking place?
>> This connector should be used depending on your redirector config 
>> which we haven't seen yet.
>>
>> The error message you provided doesn't have to do with authentication.
>> Authentication problems might show up after you solved your worker 
>> configuration problem. Until now your IIS doesn't even talk to Tomcat.
>>
>> Regards,
>>
>> Rainer
>>
>>>
>>> -----Original Message-----
>>> From: Rainer Jung [mailto:rainer.jung@kippdata.de]
>>> Sent: Wednesday, August 04, 2010 1:38 PM
>>> To: Tomcat Users List
>>> Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
>>>
>>> On 04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 
>>> 55E00
>> wrote:
>>>>
>>>>
>>>> I am trying to get Tomcat and IIS configured on my secure web 
>>>> server
>>>> (SSL) so that I can access my deployed web application via https 
>>>> and NOT over http. Connection to non-SSL works, but I cannot have 
>>>> that connection due to security.
>>>>
>>>> I want to run Tomcat through IIS, and I have configured it using 
>>>> the isapi_redirect.dll (thanks to Electronjockey). However, when I try
>>>> and hit my https://site/geoportal<https://site/geoportal>    my
>>>> credentials do not carry me through to the web application, instead 
>>>> I receive "Internet Explorer Cannot Display Webpage". Can someone 
>>>> help me out on how to configure my server.xml and interpretting my 
>>>> log files
>> please?
>>>> I have even tried to export my server certificate, and call it 
>>>> using the keystore:"", still not working. I'm a Tomcat green horn, 
>>>> any help would be awesome.
>>>>
>>>> Isapi_redirect.log file: Looks like some sort of authentication is 
>>>> being passed, then the ajp13 is not found?
>>>>
>>>> [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] 
>>>> jk_isapi_plugin.c
>>>> (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70 
>>>> addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT 
>>>> user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll
>>>>
>>>> [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] 
>>>> jk_isapi_plugin.c
>>>> (3120): Service request headers=5 attributes=9 chunked=no 
>>>> content-length=0 available=0
>>>>
>>>> [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116):
>>>> did not find a worker ajp13
>>>> [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] 
>>>> jk_isapi_plugin.c
>>>> (2162): could not get a worker for name ajp13 [Wed Aug 04
>>>> 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
>>>> (2210): could not get a worker for name ajp13
>>>
>>> Hard to tell without knowing the version of the isapi redirector, 
>>> not having your configuration. This looks like:
>>>
>>> - it is trying to use a worker named ajp13 to connect to Tomcat. 
>>> Lile y you have configured the redirector to use this worker within 
>>> your uriworkermap.properties file
>>>
>>> - the redirector doesn't know how to use this worker. Either you are 
>>> missing the workers.properties configuration file or there is no 
>>> definition for a worker named ajp13 in the file.
>>>
>>> A good starting point for a workers.properties file is the example 
>>> file contained in the source distribution of version 1.2.30. Please 
>>> do also use this version of the redirector.
>>>
>>> Note: from the point of view of Tomcat it doesn't really matter 
>>> whether you are talking http or https in the browser. This protocol 
>>> is only used between the browser and IIS. Between IIS and Tomcat 
>>> when using the isapi redirector the protocol is always AJP13 (it is 
>>> just coincidence, that this is the same name as the name of the 
>>> worker in your logs). The protocol is similar to HTTP but binary and 
>>> it transports the information whether the browser used http or 
>>> https, so Tomcat is aware of this. This protocol does not use the 
>>> http or https
>> connectors in server.xml, only the AJP13 connector.
>>>
>>>> Here is the meat of my server.xml (pretty sure it's wrong):
>>>>
>>>> <!-- A "Connector" represents an endpoint by which requests are 
>>>> received and responses are returned. Documentation at :
>>>> Java HTTP Connector: /docs/config/http.html (blocking&    non-blocking)
>>>> Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector:
>>>> /docs/apr.html Define a non-SSL HTTP/1.1 Connector on port 8080
>>>> -->
>>>> <Connector port="8080" protocol="HTTP/1.1"
>>>> connectionTimeout="20000"
>>>> redirectPort="80" />
>>>> <!-- A "Connector" using the shared thread pool-->
>>>>
>>>> <Connector executor="tomcatThreadPool"
>>>> port="8009" protocol="HTTP/1.1"
>>>> connectionTimeout="20000"
>>>> redirectPort="443" />
>>>>
>>>> <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector 
>>>> uses the JSSE configuration, when using APR, the connector should 
>>>> be using the OpenSSL style configuration described in the APR 
>>>> documentation
>>>> -->
>>>>
>>>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>>> maxThreads="150" scheme="https" secure="true"
>>>> clientAuth="false" sslProtocol="TLSv1"
>>>> keystoreFile="C:\Program Files (x86)\Apache Software 
>>>> Foundation\Tomcat 6.0\conf\cert.pfx"
>>>> keystorePass="mypassword"
>>>> keystoreType="pkcs12" />
>>>>
>>>> <!-- Define an AJP 1.3 Connector on port 8009 -->    <Connector
>>>> port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>>
>>> Two connectors, both on port 8009, will not work. Use the latter one.
>>>
>>> Regards,
>>>
>>> Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message