Integrate Tomcat 5 with Apache 2 using Jk2

I'm attempting to integrate Tomcat 5 (5.0.19) with Apache 2 (2.0.49) using JK2 and it's been pretty tough going, but I've had enough success to want to finish it off.

My apache server is 192.168.2.23.  It's running a standard Redhat 9 installation with apache, tomcat, etc installed subsequently.  It's on a lan with two other Windows PCs.

What works:
http://192.168.2.23/ - apache greeting page
http://192.168.2.23/server-status - apache server status
http://192.168.2.23/jkstatus - jk status page
http://192.168.2.23:8080 - tomcat greeting page
http://192.168.2.23:8080/manager/status - tomcat status
http://192.168.2.23:8080/jsp-examples - jsp examples page

What doesn't work (that I'd really like to because this is the sort of thing that I'm doing all this for!):
http://192.168.2.23/jsp-examples

This last URL gives the page:
------------------
The servlet container is temporary unavailable or being upgraded
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, malcolmr@bigpond.net.au and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
--------------------------------------------------------------------------------
Apache/2.0.49 (Unix) mod_ssl/2.0.49 OpenSSL/0.9.7a mod_jk2/2.0.4-dev Server at 192.168.2.23 Port 80
------------------

This produces the following message in the apache error log:
------------------
[Sun May 02 18:35:11 2004] [error] channelUn.connect() connect failed 13 Permission denied
[Sun May 02 18:35:11 2004] [error] ajp13.connect() failed ajp13:/usr/local/tomcat5/work/jk2.socket
[Sun May 02 18:35:11 2004] [error] ajp13.service() failed to connect endpoint errno=13 Permission denied
[Sun May 02 18:35:11 2004] [error] ajp13.service() Error  forwarding ajp13:/usr/local/tomcat5/work/jk2.socket 1 1
[Sun May 02 18:35:11 2004] [notice] channelUn.close(): close unix socket -1
[Sun May 02 18:35:11 2004] [notice] ajp13.done() close endpoint ajp13:/usr/local/tomcat5/work/jk2.socket error_state 1
[Sun May 02 18:35:11 2004] [error] lb.service() worker failed 120000 for ajp13:/usr/local/tomcat5/work/jk2.socket
[Sun May 02 18:35:11 2004] [notice] lb.getWorker() All workers in error state, use the one with oldest error
[Sun May 02 18:35:11 2004] [error] channelUn.connect() connect failed 13 Permission denied
[Sun May 02 18:35:11 2004] [error] ajp13.connect() failed ajp13:/usr/local/tomcat5/work/jk2.socket
[Sun May 02 18:35:11 2004] [error] ajp13.service() failed to connect endpoint errno=13 Permission denied
[Sun May 02 18:35:11 2004] [error] ajp13.service() Error  forwarding ajp13:/usr/local/tomcat5/work/jk2.socket 1 1
[Sun May 02 18:35:11 2004] [notice] channelUn.close(): close unix socket -1
[Sun May 02 18:35:11 2004] [notice] ajp13.done() close endpoint ajp13:/usr/local/tomcat5/work/jk2.socket error_state 1
[Sun May 02 18:35:11 2004] [error] lb.service() worker failed 120000 for ajp13:/usr/local/tomcat5/work/jk2.socket
[Sun May 02 18:35:11 2004] [notice] lb.getWorker() All workers in error state, use the one with oldest error
[Sun May 02 18:35:11 2004] [notice] lb.getWorker() We tried all possible workers 2
[Sun May 02 18:35:11 2004] [error] lb_worker.service() all workers in error or disabled state
[Sun May 02 18:35:11 2004] [error] mod_jk.handler() Error connecting to tomcat 120000
------------------

Suggestions?
malcolm6425 Asked:

Mercantilum Commented:
I think the problem of the rights going back to 660 (instead of 666) is because apache/tomcat recreates the socket, and thus it gets the default accesses.
The default accesses for a new file are set with "umask": umask xyz will do a binary AND with NOT xyz;
e.g. umask 002 for a file created by default with 666 would set 666 & ~006 = 666 & 771 = 660.
But I wouldn't change umask for the apache / tomcat users, as it may have other implications.

The cleaner way, to my mind, is to set the right user / group for apache, as seems to be the case for tomcat (tomcat:tomcat, for user:group).
The main httpd process belongs to root, but its "children", for safety's sake, are owned by (in your case) nobody.
"nobody" is the default user for apache when it starts and nothing else is mentioned in the config.

What I would do is:
- open httpd.conf
- look for User or Group directives (could be inside a VirtualHost if you have one)
- keep nobody for User (no change) but set
Group tomcat

So that apache will share the tomcat group rights.
0
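To make the reasoning above concrete, here is an added example (not from the thread, not part of JK2 or Apache) that checks whether a given httpd child user can connect to the jk2 unix socket, and what mode a recreated socket ends up with under a given umask. The permission strings, user names and group lists are constructed from the values quoted in the thread; connecting to a unix-domain socket requires write permission on the socket inode.

```shell
#!/bin/sh
# Added example: reason about access to the jk2 AJP13 unix socket.
# A client (the httpd child, "nobody" in the thread) needs the "w" bit on the
# socket inode that applies to it: owner bit, group bit (if in the group), else other.

# Mode a freshly created file/socket gets: default & ~umask (both octal).
# Example: mode_after_umask 666 002 -> 664 ; mode_after_umask 666 006 -> 660
mode_after_umask() {
    dflt=$1; mask=$2
    printf '%03o\n' $(( 0$dflt & ~0$mask & 0777 ))
}

# can_connect PERMS OWNER GROUP USER "GROUP LIST" -> prints yes or no.
# PERMS is the 10-char ls -l field, e.g. srw-rw---- ; write bits sit at
# positions 3 (owner), 6 (group) and 9 (other).
can_connect() {
    perms=$1; owner=$2; group=$3; user=$4; ugroups=$5
    if [ "$user" = "$owner" ]; then
        bit=$(printf '%s' "$perms" | cut -c3)
    elif printf ' %s ' "$ugroups" | grep -q " $group "; then
        bit=$(printf '%s' "$perms" | cut -c6)
    else
        bit=$(printf '%s' "$perms" | cut -c9)
    fi
    if [ "$bit" = "w" ]; then echo yes; else echo no; fi
}

# Constructed walk-through of the thread's situation:
# socket recreated by tomcat as srw-rw---- tomcat:tomcat, httpd children run as nobody.
echo "nobody, not in group tomcat:  $(can_connect srw-rw---- tomcat tomcat nobody 'nobody')"
echo "nobody, Group tomcat in httpd: $(can_connect srw-rw---- tomcat tomcat nobody 'nobody tomcat')"
echo "world-writable socket (chmod 666): $(can_connect srw-rw-rw- tomcat tomcat nobody 'nobody')"
echo "mode after umask 002 on default 666: $(mode_after_umask 666 002)"
```

The first two lines of output show why `usermod` on the apache account changed nothing (the children run as nobody), while making the httpd group tomcat grants the group "w" bit without opening the socket to every local user.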
 
Mercantilum Commented:
I'm not very familiar with tomcat, but permission denied on a network socket can be

- either the access to the path  /usr/local/tomcat5/work/ is not allowed (write) for the apache / tomcat user
- or same problem with jk2.socket
- or the socket is already connected
- or (from man pages) << The  user  tried  to  connect  to a broadcast address without having the socket broadcast flag  enabled *OR* the connection request failed because of a local firewall rule.>>

If it can be of help.
0
 
malcolm6425 (Author) Commented:
Thanks Mercantilum - that's definitely the right track.

I did a chmod 666 on jk2.socket and, voila, up came my jsp-examples page!
- fantastic!

One remaining niggle is that, when I reboot the PC, the permissions on jk2.socket are being reset to the original:
srw-rw----    1 tomcat   tomcat          0 May  4 18:38 jk2.socket

Based on your previous info, I now understand (?) that Apache is trying to write to the socket and is lacking the appropriate privileges.  The original instructions which I followed included the following command (which I executed faithfully):
usermod -G apache,tomcat apache
I believe that this assigns the apache user to the tomcat group which should give it write privileges on jk2.socket.  As we've seen, that's not enough, so I'm wondering how to give the apache user sufficient privileges to jk2.socket without having to hack the permissions each time I reboot the PC (and am concerned that there may be security implications of giving open access to jk2.socket).

I notice that there aren't actually any running processes owned by apache - all the http stuff seems to be running as nobody or root:
root      1752     1  0 18:37 ?        00:00:00 /usr/apache2/bin/httpd
root      1761     1  0 18:37 ?        00:00:00 jsvc.exec -user tomcat -home...
tomcat    1762  1761  1 18:37 ?        00:00:31 [jsvc]
nobody    1778  1752  0 18:37 ?        00:00:00 [httpd]
nobody    1779  1752  0 18:37 ?        00:00:00 [httpd]
nobody    1780  1752  0 18:37 ?        00:00:00 [httpd]
nobody    1781  1752  0 18:37 ?        00:00:00 [httpd]
nobody    1782  1752  0 18:37 ?        00:00:00 [httpd]

I tried:
usermod -G apache,tomcat nobody
thinking that I could add nobody to the tomcat group thereby giving it write privileges to jk2.socket.  That didn't seem to work either.

Any more thoughts?
Cheers
Malcolm
0
 
malcolm6425 (Author) Commented:
Spot on
- thanks Mercantilum
- magic job!
0