Hi guys I hit this while re-installing 8207.27 and thought I...

[Toby Mills]

Hi guys

I hit this while re-installing 8207.27 and thought Id pass it along.

After install on Windows - letting the installer install the Tomcat Jakarta redirector, I tried launching my browser to /ibi_apps/ and I got this:

The service is unavailable.

This is an HTTP 503.

In my case, I had thought Id look in the C:Program FilesApache Software FoundationJakarta Isapi Redirectorlog to see what was in the log file.

The basic install where Tomcat runs as Network Service will tend to have this problem because the C: drive is protected. Youve got a couple of options here to allow the Network service to write to that folder. I decided to just move my jakarta parts from the C: drive to the D: drive by using Regedit.

In the registry, these settings are down here:

ComputerHKEY_LOCAL_MACHINESOFTWAREApache Software FoundationJakarta Isapi Redirector1.0

 

image.png1038196 15.4 KB

 

At my customers site, were not really supposed to use the C: drive for anything but OS data anyway, so this works out well to just move the jakarta files over to the D: drive. Also - this allows Tomcat, running under Network Service, to write to the log file.

In there I see this error:

 

[error] ajp_send_request::jk_ajp_common.c (1725): (ajp13w) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=61)

 

This turns out to be a very accurate message. My Tomcats server.xml had port 8009 commented out by default:

(correcting this screenshot to show secretRequired and allowedRequestAtrributesPattern)

 

Removing the <-- and ending -->> so this connector is uncommented resolves the problem.

Ive got a second machine where I pre-installed Tomcat BEFORE the install of 8207. I havent uncommented the 8009 port or moved the jakarta files to D: yet.

I presume this same idea will work there.

Hope this helps somebody (or me again) someday.

[Toby Mills]

A quick extra note. Ive corrected the post above to show the full ajp block as written by the factory ibi install of tomcat. The difference is that I added the secretRequired=false allowedRequestAttributesPattern=".*"

The original picture I put up was of a plain jane Tomcat install with its default ajp connector. The extra info about secretRequired and allowedRequestAttributesPattern make the tomcat default AJP connector work properly. By Default, the AJP connector is commented out whether you use IBIs installer or not. But the helpful difference is the extra info that gets you past the so called Ghostcat vulnerability.

Let me put the whole ibi AJP block here for posterity:

<!-- Define an AJP 1.3 Connector on port 8009 -->

<Connector protocol="AJP/1.3"

address="localhost"

port="8009"

redirectPort="8443"

secretRequired="false"

allowedRequestAttributesPattern=".*"

maxPostSize="-1" />

 

Hope thats not too confusing. I was trying to put on a newer version of tomcat before installing WebFOCUS in hopes of avoiding upgrading later. Thus the 2 different server.xmls Ive seen lately.