Solved

Integrate Tomcat 5 with Apache 2 using Jk2

Posted on 2004-05-02
Last Modified: 2012-06-21
I'm attempting to integrate Tomcat 5 (5.0.19) with Apache 2 (2.0.49) using JK2 and it's been pretty tough going but I've had enough success to want to finish it off.

My apache server is 192.168.2.23.  It's running a standard Redhat 9 installation with apache, tomcat, etc. installed subsequently.  It's on a LAN with two other Windows PCs.

What works:
http://192.168.2.23/ - apache greeting page
http://192.168.2.23/server-status - apache server status
http://192.168.2.23/jkstatus - jk status page
http://192.168.2.23:8080 - tomcat greeting page
http://192.168.2.23:8080/manager/status - tomcat status
http://192.168.2.23:8080/jsp-examples - jsp examples page

What doesn't work (that I'd really like to because this is the sort of thing that I'm doing all this for!):
http://192.168.2.23/jsp-examples

This last URL gives the page:
------------------
The servlet container is temporary unavailable or being upgraded
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, malcolmr@bigpond.net.au and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
--------------------------------------------------------------------------------
Apache/2.0.49 (Unix) mod_ssl/2.0.49 OpenSSL/0.9.7a mod_jk2/2.0.4-dev Server at 192.168.2.23 Port 80
------------------

This produces the following message in the apache error log:
------------------
[Sun May 02 18:35:11 2004] [error] channelUn.connect() connect failed 13 Permission denied
[Sun May 02 18:35:11 2004] [error] ajp13.connect() failed ajp13:/usr/local/tomcat5/work/jk2.socket
[Sun May 02 18:35:11 2004] [error] ajp13.service() failed to connect endpoint errno=13 Permission denied
[Sun May 02 18:35:11 2004] [error] ajp13.service() Error  forwarding ajp13:/usr/local/tomcat5/work/jk2.socket 1 1
[Sun May 02 18:35:11 2004] [notice] channelUn.close(): close unix socket -1
[Sun May 02 18:35:11 2004] [notice] ajp13.done() close endpoint ajp13:/usr/local/tomcat5/work/jk2.socket error_state 1
[Sun May 02 18:35:11 2004] [error] lb.service() worker failed 120000 for ajp13:/usr/local/tomcat5/work/jk2.socket
[Sun May 02 18:35:11 2004] [notice] lb.getWorker() All workers in error state, use the one with oldest error
[Sun May 02 18:35:11 2004] [error] channelUn.connect() connect failed 13 Permission denied
[Sun May 02 18:35:11 2004] [error] ajp13.connect() failed ajp13:/usr/local/tomcat5/work/jk2.socket
[Sun May 02 18:35:11 2004] [error] ajp13.service() failed to connect endpoint errno=13 Permission denied
[Sun May 02 18:35:11 2004] [error] ajp13.service() Error  forwarding ajp13:/usr/local/tomcat5/work/jk2.socket 1 1
[Sun May 02 18:35:11 2004] [notice] channelUn.close(): close unix socket -1
[Sun May 02 18:35:11 2004] [notice] ajp13.done() close endpoint ajp13:/usr/local/tomcat5/work/jk2.socket error_state 1
[Sun May 02 18:35:11 2004] [error] lb.service() worker failed 120000 for ajp13:/usr/local/tomcat5/work/jk2.socket
[Sun May 02 18:35:11 2004] [notice] lb.getWorker() All workers in error state, use the one with oldest error
[Sun May 02 18:35:11 2004] [notice] lb.getWorker() We tried all possible workers 2
[Sun May 02 18:35:11 2004] [error] lb_worker.service() all workers in error or disabled state
[Sun May 02 18:35:11 2004] [error] mod_jk.handler() Error connecting to tomcat 120000
------------------

Suggestions?
0
Question by:malcolm6425
4 Comments
 
LVL 10

Expert Comment

by:Mercantilum
ID: 10982895
I'm not very familiar with tomcat, but permission denied on a network socket can be

- either the access to the path  /usr/local/tomcat5/work/ is not allowed (write) for the apache / tomcat user
- or same problem with jk2.socket
- or the socket is already connected
- or (from man pages) << The  user  tried  to  connect  to a broadcast address without having the socket broadcast flag  enabled *OR* the connection request failed because of a local firewall rule.>>

If it can be of help.
0
 

Author Comment

by:malcolm6425
ID: 10984769
Thanks Mercantilum - that's definitely the right track.

I did a chmod 666 on jk2.socket and, voila, up came my jsp-examples page!
- fantastic!

One remaining niggle is that, when I reboot the PC, the permissions on jk2.socket are being reset to the original:
srw-rw----    1 tomcat   tomcat          0 May  4 18:38 jk2.socket

Based on your previous info, I now understand (?) that Apache is trying to write to the socket and is lacking the appropriate privileges.  The original instructions which I followed included the following command (which I executed faithfully):
usermod -G apache,tomcat apache
I believe that this assigns the apache user to the tomcat group which should give it write privileges on jk2.socket.  As we've seen, that's not enough, so I'm wondering how to give the apache user sufficient privileges to jk2.socket without having to hack the permissions each time I reboot the PC (and am concerned that there may be security implications of giving open access to jk2.socket).

I notice that there aren't actually any running processes owned by apache - all the http stuff seems to be running as nobody or root:
root      1752     1  0 18:37 ?        00:00:00 /usr/apache2/bin/httpd
root      1761     1  0 18:37 ?        00:00:00 jsvc.exec -user tomcat -home...
tomcat    1762  1761  1 18:37 ?        00:00:31 [jsvc]
nobody    1778  1752  0 18:37 ?        00:00:00 [httpd]
nobody    1779  1752  0 18:37 ?        00:00:00 [httpd]
nobody    1780  1752  0 18:37 ?        00:00:00 [httpd]
nobody    1781  1752  0 18:37 ?        00:00:00 [httpd]
nobody    1782  1752  0 18:37 ?        00:00:00 [httpd]

I tried:
usermod -G apache,tomcat nobody
thinking that I could add nobody to the tomcat group thereby giving it write privileges to jk2.socket.  That didn't seem to work either.

Any more thoughts?
Cheers
Malcolm
0
 
LVL 10

Accepted Solution

by:
Mercantilum earned 500 total points
ID: 10984867
I think the problem of the rights going back to 660 (instead of 666) is because apache/tomcat recreates the socket, and thus it gets the default access rights.
The default access for a directory is set with "umask"; umask xyz will do a binary AND with NOT xyz;
e.g.  umask 002 for a file created by default with 666 would set  666 & ~006 = 666 & 771 = 660
But I wouldn't change umask for the apache / tomcat users, as it may have other implications.

The cleaner way, to my mind, is to set the right user / group for apache, as seems to be the case for tomcat (as tomcat:tomcat, for user:group).
The main httpd process belongs to root, but its "children", for safety's sake, are owned by (in your case) nobody.
"nobody"  is the default user for apache when it starts and nothing else is mentioned in the config.

What I would do is
- open httpd.conf
- look for User or Group directives (could be inside a VirtualHost if you have  one)
- keep nobody for User (no change) but would set
Group tomcat

So that apache will share the tomcat group rights.
0
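An added example, not part of the thread and not mod_jk2 or Tomcat code: a Python check that contrasts the three states discussed above, namely the srw-rw---- socket with a worker outside the owning group, the same socket once the worker shares that group, and the chmod 666 workaround. The function names and uid/gid values are constructed for illustration, a throwaway socket stands in for jk2.socket, and only the socket file's own mode bits are inspected (not its parent directories).

```python
import os
import socket
import stat
import tempfile

def can_connect(st, uid, gids):
    """Non-root connect() needs write on the socket; one class applies: owner, else group, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_socket(path, uid, gids):
    """Return findings for one worker identity (uid plus its group ids)."""
    st = os.stat(path)
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not-a-socket")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")  # any local account can reach the AJP channel
    if not can_connect(st, uid, gids):
        findings.append("worker-denied")   # surfaces as errno 13 in the error log
    return findings

def demo():
    """Constructed scenario: a throwaway socket stands in for jk2.socket."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "jk2.socket")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        try:
            st = os.stat(path)
            worker = st.st_uid + 1                      # constructed non-owner uid
            outside, inside = {st.st_gid + 1}, {st.st_gid}
            os.chmod(path, 0o660)                       # srw-rw---- as in the listing
            results["660 outside group"] = audit_socket(path, worker, outside)
            results["660 in group"] = audit_socket(path, worker, inside)
            os.chmod(path, 0o666)                       # the chmod 666 workaround
            results["666 outside group"] = audit_socket(path, worker, outside)
        finally:
            srv.close()
    return results

if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'ok'}")
```

Only the middle case comes back clean: group membership lets the worker connect without opening the socket to every local account.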
 

Author Comment

by:malcolm6425
ID: 10984919
Spot on
- thanks Mercantilum
- magic job!
0
