Solved

Integrate Tomcat 5 with Apache 2 using Jk2

Posted on 2004-05-02
Last Modified: 2012-06-21
I'm attempting to integrate Tomcat 5 (5.0.19) with Apache 2 (2.0.49) using JK2 and it's been pretty tough going, but I've had enough success to want to finish it off.

My apache server is 192.168.2.23.  It's running a standard Redhat 9 installation with apache, tomcat, etc installed subsequently.  It's on a lan with two other Windows PCs.

What works:
http://192.168.2.23/ - apache greeting page
http://192.168.2.23/server-status - apache server status
http://192.168.2.23/jkstatus - jk status page
http://192.168.2.23:8080 - tomcat greeting page
http://192.168.2.23:8080/manager/status - tomcat status
http://192.168.2.23:8080/jsp-examples - jsp examples page

What doesn't work (that I'd really like to because this is the sort of thing that I'm doing all this for!):
http://192.168.2.23/jsp-examples

This last URL gives the page:
------------------
The servlet container is temporary unavailable or being upgraded
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, malcolmr@bigpond.net.au and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
--------------------------------------------------------------------------------
Apache/2.0.49 (Unix) mod_ssl/2.0.49 OpenSSL/0.9.7a mod_jk2/2.0.4-dev Server at 192.168.2.23 Port 80
------------------

This produces the following message in the apache error log:
------------------
[Sun May 02 18:35:11 2004] [error] channelUn.connect() connect failed 13 Permission denied
[Sun May 02 18:35:11 2004] [error] ajp13.connect() failed ajp13:/usr/local/tomcat5/work/jk2.socket
[Sun May 02 18:35:11 2004] [error] ajp13.service() failed to connect endpoint errno=13 Permission denied
[Sun May 02 18:35:11 2004] [error] ajp13.service() Error  forwarding ajp13:/usr/local/tomcat5/work/jk2.socket 1 1
[Sun May 02 18:35:11 2004] [notice] channelUn.close(): close unix socket -1
[Sun May 02 18:35:11 2004] [notice] ajp13.done() close endpoint ajp13:/usr/local/tomcat5/work/jk2.socket error_state 1
[Sun May 02 18:35:11 2004] [error] lb.service() worker failed 120000 for ajp13:/usr/local/tomcat5/work/jk2.socket
[Sun May 02 18:35:11 2004] [notice] lb.getWorker() All workers in error state, use the one with oldest error
[Sun May 02 18:35:11 2004] [error] channelUn.connect() connect failed 13 Permission denied
[Sun May 02 18:35:11 2004] [error] ajp13.connect() failed ajp13:/usr/local/tomcat5/work/jk2.socket
[Sun May 02 18:35:11 2004] [error] ajp13.service() failed to connect endpoint errno=13 Permission denied
[Sun May 02 18:35:11 2004] [error] ajp13.service() Error  forwarding ajp13:/usr/local/tomcat5/work/jk2.socket 1 1
[Sun May 02 18:35:11 2004] [notice] channelUn.close(): close unix socket -1
[Sun May 02 18:35:11 2004] [notice] ajp13.done() close endpoint ajp13:/usr/local/tomcat5/work/jk2.socket error_state 1
[Sun May 02 18:35:11 2004] [error] lb.service() worker failed 120000 for ajp13:/usr/local/tomcat5/work/jk2.socket
[Sun May 02 18:35:11 2004] [notice] lb.getWorker() All workers in error state, use the one with oldest error
[Sun May 02 18:35:11 2004] [notice] lb.getWorker() We tried all possible workers 2
[Sun May 02 18:35:11 2004] [error] lb_worker.service() all workers in error or disabled state
[Sun May 02 18:35:11 2004] [error] mod_jk.handler() Error connecting to tomcat 120000
------------------

Suggestions?
Question by:malcolm6425
Expert Comment

by:Mercantilum
ID: 10982895
I'm not very familiar with tomcat, but permission denied on a network socket can be:

- either the access to the path  /usr/local/tomcat5/work/ is not allowed (write) for the apache / tomcat user
- or same problem with jk2.socket
- or the socket is already connected
- or (from man pages) << The  user  tried  to  connect  to a broadcast address without having the socket broadcast flag  enabled *OR* the connection request failed because of a local firewall rule.>>

If it can be of help.

Author Comment

by:malcolm6425
ID: 10984769
Thanks Mercantilum - that's definitely the right track.

I did a chmod 666 on jk2.socket and, voila, up came my jsp-examples page!
- fantastic!

One remaining niggle is that, when I reboot the PC, the permissions on jk2.socket are being reset to the original:
srw-rw----    1 tomcat   tomcat          0 May  4 18:38 jk2.socket

Based on your previous info, I now understand (?) that Apache is trying to write to the socket and is lacking the appropriate privileges.  The original instructions which I followed included the following command (which I executed faithfully):
usermod -G apache,tomcat apache
I believe that this assigns the apache user to the tomcat group which should give it write privileges on jk2.socket.  As we've seen, that's not enough, so I'm wondering how to give the apache user sufficient privileges to jk2.socket without having to hack the permissions each time I reboot the PC (and am concerned that there may be security implications of giving open access to jk2.socket).

I notice that there aren't actually any running processes owned by apache - all the http stuff seems to be running as nobody or root:
root      1752     1  0 18:37 ?        00:00:00 /usr/apache2/bin/httpd
root      1761     1  0 18:37 ?        00:00:00 jsvc.exec -user tomcat -home...
tomcat    1762  1761  1 18:37 ?        00:00:31 [jsvc]
nobody    1778  1752  0 18:37 ?        00:00:00 [httpd]
nobody    1779  1752  0 18:37 ?        00:00:00 [httpd]
nobody    1780  1752  0 18:37 ?        00:00:00 [httpd]
nobody    1781  1752  0 18:37 ?        00:00:00 [httpd]
nobody    1782  1752  0 18:37 ?        00:00:00 [httpd]

I tried:
usermod -G apache,tomcat nobody
thinking that I could add nobody to the tomcat group thereby giving it write privileges to jk2.socket.  That didn't seem to work either.

Any more thoughts?
Cheers
Malcolm

Accepted Solution

by:
Mercantilum earned 500 total points
ID: 10984867
I think the problem of the rights going back to 660 (instead of 666) is because apache/tomcat recreates the socket, and thus it gets the default access rights.
The default access for a directory is set with "umask"; umask xyz will do a binary AND with NOT xyz;
e.g.  umask 002 for a file created by default with 666 would set  666 & ~006 = 666 & 771 = 660
But I wouldn't change umask for the apache / tomcat users, as it may have other implications.

The cleaner way, to my mind, is to set the right user / group for apache, as seems to be the case for tomcat (as tomcat:tomcat, for user:group).
The main httpd process belongs to root, but its "children", for safety's sake, are owned by (in your case) nobody.
"nobody" is the default user for apache when it starts and nothing else is mentioned in the config.

What I would do is
- open httpd.conf
- look for User or Group directives (could be inside a VirtualHost if you have  one)
- keep nobody for User (no change) but would set
Group tomcat

So that apache will share the tomcat group rights.
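
The two fixes in this thread differ in who can reach the socket. As an added example (not part of the original posts), this script works out which permission class lets a process connect to a Unix socket and whether the mode opens it to every local user. The function names are hypothetical, `check_socket` assumes GNU `stat`, and root, ACLs and directory search permissions on the path are not modelled.

```sh
#!/bin/sh
# Added example, not from the thread. connect() on a Unix domain socket needs
# the write bit of the FIRST matching class: owner, then group, then other.

# sock_access MODE SOCK_OWNER SOCK_GROUP PROC_USER "PROC_GROUPS"
# Prints the class that grants access (owner|group|other) or "denied".
sock_access() {
    mode=$1; owner=$2; group=$3; user=$4; groups=$5
    if [ "$user" = "$owner" ]; then
        class=owner; bits=$(( (0$mode >> 6) & 7 ))
    else
        class=other; bits=$(( 0$mode & 7 ))
        for g in $groups; do
            if [ "$g" = "$group" ]; then
                class=group; bits=$(( (0$mode >> 3) & 7 ))
                break
            fi
        done
    fi
    if [ $(( bits & 2 )) -ne 0 ]; then echo "$class"; else echo "denied"; fi
}

# world_writable MODE: succeeds if any local user may connect.
world_writable() {
    [ $(( 0$1 & 2 )) -ne 0 ]
}

# check_socket PATH USER [CONF_GROUP]: same check against a live socket.
# CONF_GROUP is the httpd.conf Group value, since the workers' group comes
# from that directive and not only from the group database.
check_socket() {
    path=$1; user=$2; conf_group=${3:-}
    st=$(stat -c '%a %U %G' "$path") || return 2
    m=${st%% *}; rest=${st#* }
    sock_access "$m" "${rest% *}" "${rest#* }" "$user" "$(id -Gn "$user") $conf_group"
}

# Constructed inputs taken from the listing in the thread (srw-rw---- tomcat tomcat).
echo "660, httpd as nobody:nobody -> $(sock_access 660 tomcat tomcat nobody "nobody")"
echo "660, httpd as nobody:tomcat -> $(sock_access 660 tomcat tomcat nobody "tomcat")"
echo "666, httpd as nobody:nobody -> $(sock_access 666 tomcat tomcat nobody "nobody")"
world_writable 666 && echo "666 exposes the AJP socket to every local account"
```

An answer of `group` with mode 660 corresponds to the `Group tomcat` setup, while `other` corresponds to the `chmod 666` workaround.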

Author Comment

by:malcolm6425
ID: 10984919
Spot on
- thanks Mercantilum
- magic job!