From: Rainer Jung
To: Tomcat Users List
Subject: Re: Tomcat 6.0.18/ IIS 6.0 /SSL
Date: Wed, 04 Aug 2010 19:37:52 +0200
Message-ID: <4C59A570.50507@kippdata.de>

On
04.08.2010 18:07, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> I am trying to get Tomcat and IIS configured on my secure web server
> (SSL) so that I can access my deployed web application via https and NOT
> over http. Connection to non-SSL works, but I cannot have that
> connection due to security.
>
> I want to run Tomcat through IIS, and I have configured it using the
> isapi_redirect.dll (thanks to Electronjockey). However, when I try and
> hit my https://site/geoportal my credentials do
> not carry me through to the web application, instead I receive "Internet
> Explorer Cannot Display Webpage". Can someone help me out on how to
> configure my server.xml and interpreting my log files please? I have
> even tried to export my server certificate, and call it using the
> keystore:"", still not working. I'm a Tomcat green horn, any help would
> be awesome.
>
> Isapi_redirect.log file: Looks like some sort of authentication is being
> passed, then the ajp13 is not found?
>
> [Wed Aug 04 11:51:15.901 2010] [10712:8360] [debug] jk_isapi_plugin.c
> (3108): Service protocol=HTTP/1.1 method=GET host=150.125.174.70
> addr=150.125.174.70 name=mywebsite port=443 auth=SSL/PCT
> user=EIMS\john.doe uri=/jakarta/isapi_redirect.dll
>
> [Wed Aug 04 11:51:15.916 2010] [10712:8360] [debug] jk_isapi_plugin.c
> (3120): Service request headers=5 attributes=9 chunked=no
> content-length=0 available=0
>
> [Wed Aug 04 11:51:15.932 2010] [10712:8360] [debug] jk_worker.c (116):
> did not find a worker ajp13
> [Wed Aug 04 11:51:15.948 2010] [10712:8360] [debug] jk_isapi_plugin.c
> (2162): could not get a worker for name ajp13
> [Wed Aug 04 11:51:15.979 2010] [10712:8360] [error] jk_isapi_plugin.c
> (2210): could not get a worker for name ajp13

Hard to tell without knowing the version of the isapi redirector, not
having your configuration. This looks like:

- it is trying to use a worker named ajp13 to connect to Tomcat. Likely
  you have configured the redirector to use this worker within your
  uriworkermap.properties file

- the redirector doesn't know how to use this worker. Either you are
  missing the workers.properties configuration file or there is no
  definition for a worker named ajp13 in the file.

A good starting point for a workers.properties file is the example file
contained in the source distribution of version 1.2.30. Please do also
use this version of the redirector.

Note: from the point of view of Tomcat it doesn't really matter whether
you are talking http or https in the browser. This protocol is only used
between the browser and IIS. Between IIS and Tomcat when using the isapi
redirector the protocol is always AJP13 (it is just coincidence, that
this is the same name as the name of the worker in your logs). The
protocol is similar to HTTP but binary and it transports the information
whether the browser used http or https, so Tomcat is aware of this. This
protocol does not use the http or https connectors in server.xml, only
the AJP13 connector.

> Here is the meat of my server.xml (pretty sure it's wrong):
>
> connectionTimeout="20000"
> redirectPort="80" />
>
> port="8009" protocol="HTTP/1.1"
> connectionTimeout="20000"
> redirectPort="443" />
>
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLSv1"
> keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat
> 6.0\conf\cert.pfx"
> keystorePass="mypassword"
> keystoreType="pkcs12" />

Two connectors, both on port 8009, will not work. Use the latter one.

Regards,

Rainer
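
Added example (not part of the original message and not code from the Tomcat project): a Python check for the points raised in the reply above, namely a URI mapping that names a worker missing from worker.list, two connectors on the same port, and a worker port with no AJP connector behind it. The function names and all file contents are constructed for illustration and are not the poster's configuration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_redirector(workers_text, urimap_text, server_xml):
    """Cross-check the redirector files against Tomcat's connectors."""
    findings = []
    workers = parse_properties(workers_text)
    listed = {w.strip() for w in workers.get("worker.list", "").split(",")}
    # Tomcat treats a Connector without a protocol attribute as HTTP/1.1.
    ports = [(c.get("port"), c.get("protocol", "HTTP/1.1"))
             for c in ET.fromstring(server_xml).iter("Connector")]
    for port, count in Counter(p for p, _ in ports).items():
        if count > 1:
            findings.append(f"server.xml: {count} connectors on port {port}")
    ajp_ports = {p for p, proto in ports if "AJP" in proto.upper()}
    for uri, name in parse_properties(urimap_text).items():
        if name not in listed:
            findings.append(f"{uri}: worker {name} is not in worker.list")
        # mod_jk defaults an ajp13 worker's port to 8009 when unset.
        elif workers.get(f"worker.{name}.port", "8009") not in ajp_ports:
            findings.append(f"{uri}: worker {name} has no AJP connector")
    return findings

# Constructed sample files (not the poster's configuration).
URIMAP = "/geoportal/*=ajp13\n"
WORKERS_BAD = "# no worker.list entry for ajp13\nworker.list=worker1\n"
WORKERS_OK = ("worker.list=ajp13\nworker.ajp13.type=ajp13\n"
              "worker.ajp13.host=localhost\nworker.ajp13.port=8009\n")
SERVER_BAD = ('<Server><Service name="Catalina">'
              '<Connector port="8009" protocol="HTTP/1.1"/>'
              '<Connector port="8009" protocol="AJP/1.3"/>'
              '</Service></Server>')
SERVER_OK = ('<Server><Service name="Catalina">'
             '<Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>'
             '</Service></Server>')

if __name__ == "__main__":
    for line in check_redirector(WORKERS_BAD, URIMAP, SERVER_BAD):
        print(line)
```
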