3.2.1Install Java 1.6 JDK
The Java JDK will be for instance installed on the server in the directory “D:\localapp\jdk1.6.0_30”. This is done via the installation file “jdk-6u30-windows-i586/x64.exe”.
Download the appropriate version (x86/x64) and at the time of writing (April 2012), 1.6.0_30 was the latest version downloadable from http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html .
This installation also comes with a bundled JRE1.6. If you want, you can install it in the default location (C:\Program Files\Java\jre) or somewhere else. We rather install it on D:\localapp\jre.
Change the Windows Environment variable ‘JAVA_HOME’ to point to the new JDK via “Start/Configuration Settings/System/Advanced/Environment Variables/New System Variable”
3.2.2Install Apache Tomcat 7
To install Tomcat the provided file “apache-tomcat-7.0.25-windows-XYZ.zip” must be for instance extracted to the directory “D:\localapp\tomcat7”. The extracted directory is the full program directory.
Some prefer the easier way and will use the 32-bit/64-bit Windows Service Installer.
Tomcat binaries can be downloaded from: http://tomcat.apache.org/download-70.cgi
This setup is based on the downloadable 32-bit ZIP archive. Choose the appropriate version according to your OS architecture.
-
Installation Windows Service
Next step is to create a Windows Service for Tomcat. This can be done via the “service.bat”-command, delivered in the bin-directory.
Run the “service.bat install”- command in the bin-directory and the windows service “Tomcat7” will be installed. If you want another service name, edit first service.bat.
Note:
Due to other versions of Tomcat which are installed on the server, it is possible that the “service.bat”-command doesn’t run properly. If this is the case, the Tomcat variable “CATALINA_HOME” has to be emptied before running the commando. This can be done via the following command
set CATALINA_HOME=
This will only change this variable in our command prompt session.
-
Changing startup parameters and JVM settings.
Create the file “setenv.bat” in the Tomcat bin-directory with the following content:
set CATALINA_OPTS=-XX:MaxPermSize=256m -Xms512M -Xmx512M -Dsun.net.client.defaultReadTimeout=600000
set CATALINA_HOME=D:\localapp\Tomcat7
REM default setting is 60 seconds, for customer A: 10 minutes
REM CATALINA_OPTS="$CATALINA_OPTS -Dsun.net.client.defaultReadTimeout=60000 -Dsun.net.client.defaultConnectTimeout=60000"
These parameters will be set when the Tomcat service starts. Instead of using the variable ‘JAVA_OPTS’, we’re manipulating the variable ‘CATALINA_HOME’, which ensures that the change of these variables will only affect this Tomcat service and no other JAVA-applications running on the server.
3.3Demo setup IIS -> Tomcat -> HPSM web application
3.3.1Install IIS
In the following paragraphs, screen shots are based on Windows 2003 and IIS6.
Note: when using IIS7 and 7.5 think about:
Review the settings we’ve documented and check the settings described in http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html and especially check if this paragraph make sense:
“In a 64 Bit environment - at least for IIS 7 - the used IIS Application Pool should have "Enable 32-bit Applications" set to "False". Otherwise the redirector will not be called and returns an http code 404. If you think, the 32bit version of isapi_redirect.dll would do the job instead, you will get an http code 500, because the library is not loadable into a 64 Bit IIS. ”
By default, IIS enables kernel-mode authentication, which may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity. As a best practice, do not disable this setting if Kerberos authentication is used in your environment and the application pool is configured to use a custom identity.
3.3.2Jakarta ISAPI plugin
The Jakarta ISAPI plugin will be used to connect IIS with Tomcat.
With the Jakarta plugin towards Tomcat, the Apache Java Protocol (AJP) is used. For more info, please see text below.
Configure the Tomcat Web container to support the AJP protocol
The Apache AJP protocol is packet-oriented and enables the Web server to communicate with the JSP/servlet container over TCP connections. Again, AJP is used here by IIS HTTP Server to communicate with Tomcat.
To cut down on the expensive process of socket creation, the Web server attempts to maintain persistent TCP connections to the servlet container, and attempts to reuse a connection for multiple request/response cycles. Once the Web server has opened a connection to the servlet container and assigned a connection to a particular request, it will not be used for any other requests until the request handling cycle has terminated. This makes the code at either end of the connection simpler -- although it does cause more connections to be open at once.
Once a connection is assigned to handle a particular request, the basic request information (HTTP headers, and so on) is sent over the TCP connection as a packet. At this point, the servlet container is presumably ready to start processing the request and sends the formatted packet of reply messages back to the Web server.
Source: http://www.ibm.com/developerworks/websphere/library/techarticles/0703_krishnasamy/0703_krishnasamy.html
3.3.3Create directory structure for JAKARTA_ISAPI
The Jakarta ISAPI plugin will be used to connect Tomcat with IIS1.
-
Consult Isapi documentation on http://tomcat.apache.org/connectors-doc/reference/iis.html
-
Download appropriate binaries from http://tomcat.apache.org/download-connectors.cgi
-
Modify content isapi_redirect-1.2.XY.properties and the file should have the same name as the DLL file (without extension of course).
-
Rename DLL and properties file to isapi_redirect.dll and isapi_redirect.properties
Create the following directory three subdirectories:
for the configuration files of the Jakarta ISAPI Plugin:
This structure will be for instance created in the directory “D:\localapp\Apache\”on the webserver.
The following files need to be placed in de bin-directory:
-
isapi_redirect.properties
-
isapi_redirect.dll (32 bit or 64 bit, depending on your server OS)
The following files need to be put in the conf-directory:
-
uriworkermap.properties
-
workers.properties
3.3.4Content of isapi_redirect files
In this file the redirect settings used by Jakarta ISAPI can be configured.
# Configuration file for the Jakarta ISAPI Redirector plug-in for IIS
# more information on http://tomcat.apache.org/connectors-doc/reference/iis.html
# this properties file is intended to replace Windows registry settings
# The path to the ISAPI Redirector Extension, relative to the website
# This must be in a virtual directory with execute privileges
#extension_uri=/jakarta/isapi_redirect.dll
## version 1.2.32
extension_uri=/jakarta/isapi_redirect.dll
# Full path to the log file for the ISAPI Redirector
#log_file=$(ISAPI_PATH)\log\$(ISAPI_NAME).log
log_file=D:\localapp\Apache\JAKARTA_ISAPI\log\isapi_redirect.log
# Log level (debug, info, warn, error or trace)
log_level=info
# Full path to the workers.properties file
worker_file=D:\localapp\Apache\JAKARTA_ISAPI\conf\workers.properties
# Full path to the uriworkermap.properties file
worker_mount_file=D:\localapp\Apache\JAKARTA_ISAPI\conf\uriworkermap.properties
# Improve security
#reject_unsafe=1
# custom error page when back end is not there anymore
#error_page=
3.3.5Configure workers.properties
In this file the load balancing method of Jakarta ISAPI is configured. Two workers are defined: sm9lb for Service Manager and jkstatus for the jkmanager application. For the sm9lb-worker the redirect port settings are defined.
The example below has defined 3 workers for possible load balancing. For this setup we only use one of them (tomcat1).
More information can be found on http://tomcat.apache.org/connectors-doc/reference/workers.html
# workers.properties.minimal -
#
# This file provides minimal jk configuration properties needed to
# connect to Tomcat.
#
ps=\
# The workers that jk should create and work with
#
# Define workers using ajp13
# ------------------------
# First tomcat server
# ------------------------
worker.tomcat1.port=8019
worker.tomcat1.host=16.111.0.12
worker.tomcat1.type=ajp13
worker.tomcat1.lbfactor=1
# ------------------------
# Second tomcat server
# ------------------------
#worker.tomcat2.port=8010
#worker.tomcat2.host=17.111.12.16
#worker.tomcat2.type=ajp13
#worker.tomcat2.lbfactor=1
# ------------------------
# Third tomcat server
# ------------------------
#worker.tomcat3.port=8011
#worker.tomcat3.host=16.101.12.164
#worker.tomcat3.type=ajp13
#worker.tomcat3.lbfactor=1
################ Define the LB worker
# The advanced router LB worker
##########################################
worker.list=sm9lb
worker.sm9lb.type=lb
#worker.sm9lb.balance_workers=tomcat1,tomcat2,tomcat3
# only worker tomcat1 will be used
worker.sm9lb.balance_workers=tomcat1
worker.sm9lb.socket_keepalive=1
worker.sm9lb.method=S
worker.sm9lb.connection_pool_timeout=40
#worker.sm9lb.max_packet_size= 65536
# Add the status worker to the worker list
worker.list=jkstatus
# Define a 'jkstatus' worker using status
worker.jkstatus.type=status
Note: tomcat1, tomcat2 and tomcat3 are the jvmRoutes defined in Tomcat’s server.xml.
When using one single Tomcat instance, it’s not needed to modify Tomcat’s server.xml.
See screen shot below:
3.3.6Configure uriworkermap.properties
In this properties file the HPSM web application with example context root smbsc is configured to work with the already configured worker sm9lb. The jkmanager-tag is redirected to the worker jkstatus.
# uriworkermap.properties - IIS
#
# This file provides sample mappings for example wlb
# worker defined in workermap.properties.minimal
# The general syntax for this file is:
# [URL]=[Worker name]
#/admin/*=wlb
#/manager/*=wlb
# Optionally filter out all .jpeg files inside that context
# For no mapping the url has to start with exclamation (!)
!/servlets-examples/*.jpeg=wlb
#
# Mount jkstatus to /jkmanager
# For production servers you will need to secure the access to the /jkmanager url via IIS
#
#/jkmanager=jkstatus
/jkmanager|/*=jkstatus
# HPSM 9.30 web application
/smbsc|/*=sm9lb
3.3.7Configuring the Tomcat ISAPI Connector in IIS
3.3.7.1Web Services Extensions for Jakarta
Note: In case port 80 on IIS cannot be use, continue on 3.3.7.5 You cannot use port 80 ? below.
Open IIS Manager, and expand the Internet Information Services tree, from the (local computer), to the Default Web Site,
Verify that the Default Web Site has been stopped,
From the Internet Information Services tree, select the Web Services Extensions node
Right click on the “Web Service Extensions” and select “Add a new Web service extension …” item:
Enter the following line into the ‘Extension name’ field in the opened window: Jakarta Isapi Redirector.
Via the Add button, select the isapi_redirect.dll and after clicking OK, select the checkbox ‘Set extension status to Allowed’.
3.3.7.2Step 2: configure isapi_redirect.dll
Right-click on the Default Web Site node in the IIS Manager tree, and select Properties from the drop-down menu.
From the Default Web Site Properties window, select the ISAPI Filters tab, and click on the Add button,
On the Add/Edit Filter Properties window set the following parameters :
Filter name: Jakarta Isapi Redirector,
Executable: for instance C:\Apache\JAKARTA_ISAPI\bin\isapi_redirect.dll
3.3.7.3New -> Virtual Directory for Jakarta
-
On the Default Web Site Properties window click OK to save the settings,
-
right click on the Default Web Site node in the IIS Manager tree, and
-
select New -> Virtual Directory... from the drop-down menu.
-
This launches the Virtual Directory Creation Wizard.
-
From the Virtual Directory Creation Wizard, Web Site Content Directory, set for instance the path to: C:\Apache\JAKARTA_ISAPI\bin\
-
From the Virtual Directory Creation Wizard, Virtual Directory Access Permissions, enable the following checkboxes:
-
Read,
-
Execute (such as ISAPI applications or CGI),
-
Write,
-
and accept the warning from IIS Manager,
-
In the Internet Information Services tree, below the Default Web Site node, a new folder has been added called Jakarta,
3.3.7.4Check running ISAPI filter
-
Start the Default Web Site
-
verify that the Jakarta Isapi Redirector filter on the ISAPI Filters tab from the Default Web Site Properties window is running,
-
and that the Priority is set to High,
Note - If you check on its status, you may notice that the ISAPI filter hasn’t been successfully loaded at this stage, even if you have re-started IIS. This is expected behavior and is documented in the IIS6 Operations Guide,
“In an effort to optimize resources in IIS 6.0, an ISAPI filter is not loaded until a request is made to a Web site that requires the ISAPI filter. Until this request is made, IIS Manager does not display the status of the ISAPI filter.”
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/93f23233-2a47-4104-b0b4-a7ec0d3116f3.mspx
However, once IIS has served a successful request to it you will see the status of the ISAPI filter change to ‘Loaded’.
3.3.7.5You cannot use port 80 ?
Note: If the previous steps were executed, you can ignore this paragraph.
As there is another web site running on port 80 in the customers environment, we will define a new web site that listens on port 81.
Please create a new node under Web Sites with the following properties:
Step 1: Web Services Extensions for Jakarta
Open the IIS Manager, and expand the Internet Information Services tree, from the (local computer), down to Web Sites.
From the Internet Information Services tree, select the Web Services Extensions node
Right click on the “Web Service Extensions” and select “Add a new Web service extension …” item:
Enter the following line into the ‘Extension name’ field in the opened window:
Jakarta Isapi Redirector.
Via the Add button, select the isapi_redirect.dll and after clicking OK, select the checkbox ‘Set extension status to Allowed’.
Finally, you’ll get back to this screen:
Step 2: configure isapi_redirect.dll
Right-click on the newly created node in the IIS Manager tree, and select Properties from the drop-down menu.
From the Site Properties window, select the ISAPI Filters tab, and click on the Add button:
On the Add/Edit Filter Properties window set the following parameters :
Filter name: Jakarta Isapi Redirector,
Executable: D:\localapps\Apcache\JAKARTA_ISAPI\bin\isapi_redirect.dll
Step 3: New -> Virtual Directory for Jakarta
On the Node Properties window click on the OK to save the settings,
right-click on the node in the IIS Manager tree,
and select New -> Virtual Directory... from the drop-down menu.
This launches the Virtual Directory Creation Wizard,
From the Virtual Directory Creation Wizard, Virtual Directory Alias, set the Alias to: Jakarta.
From the Virtual Directory Creation Wizard, Web Site Content Directory set the path to: “D:\localapps\Apache\JAKARTA_ISAPI\bin\”
From the Virtual Directory Creation Wizard, Virtual Directory Access Permissions, enable the following checkboxes:
-
Read,
-
Execute (such as ISAPI applications or CGI),
-
Write,
And accept the warning from the IIS Manager.
In the Internet Information Services tree, below the Site node, a new folder has been added called: Jakarta.
Check running ISAPI filter
Start the Default Web Site, and verify that the Jakarta Isapi Redirector filter on the ISAPI Filters tab from the Default Web Site Properties window is up and running, and that the Priority is set to: High.
Note - If you check on its status, you may notice that the ISAPI filter hasn’t been successfully loaded at this stage, even if you have re-started IIS. This is expected behavior and is documented in the IIS6 Operations Guide,
“In an effort to optimize resources in IIS 6.0, an ISAPI filter is not loaded until a request is made to a Web site that requires the ISAPI filter. Until this request is made, IIS Manager does not display the status of the ISAPI filter.”
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/93f23233-2a47-4104-b0b4-a7ec0d3116f3.mspx
However, once IIS has served a successful request to it you will see the status of the ISAPI filter change to ‘Loaded’.
3.3.8Enable Integrated Windows Authentication (IWA) on IIS
Go to the properties of the Default Web Site and go to the Directory Security tab, click the Edit button from Authentication and Access control.
Enable “Integrated Windows Authentication” and disable all the rest:
By enabling the checkbox “Integrated Windows Authentication”, we will force Kerberos above NTLM authentication.
3.3.9How-to secure jkmanager
Create a new virtual directory “jkmanager” and let it point to the ISAPI log file directory.
Allow only 127.0.0.1 and local access:
Beside 127.0.0.1, add also the local IP addresses of the web server (ex. 10.136.17.185):
This is the result when you access jkmanager from the local machine. Only this URL will work: http://localhost:81/jkmanager
3.3.10Configuring Internet Explorer
Start the Internet Explorer browser on the machine
-
on the menu bar click on Tools, and select Internet Options,
-
Select the Security tab,
-
select the Local Intranet content zone,
-
and click on the Sites... button,
-
add the following address to the list of trusted web sites : http://
-
make sure that the "Require server verification (https:) for all site in this zone" option is not selected,
-
on the Security tab page, select the Local Intranet content zone, and click on the Custom Level... button,
-
at the bottom, on the User Authentication, Logon section, select the following option :
-
automatic logon with current username and password
The following screen shots are based on IE8.
Go to Tools- Internet Options.
Click on the button Sites
Add your IIS server FQDN (before, uncheck Require server verification if https is not enabled).
Click close
Click button Custom level
Go to the User Authentication part and change the default "Automatic logon in Intranet Zone" to "Automatic logon with current user name and password"
Click OK and go to the Advanced Tab in Internet Options
Check if Integrated Windows Authentication is enabled (Kerberos authN. instead of NTLM)
3.3.11Request Entity Too Large
In case you get a Request Entity Too Large error in your browser, you should consider these additional steps.
Figure : Request Entity Too Large error
Very often the HTTP header encodes the users group membership in the authorization header. By default Tomcat has an 8k maximum header, whilst users belonging to many groups can have an authorization token that can swell to larger than this size. This explains why you see some people can login and others can't.
To solve this issue, you just change the maxHttpHeaderSize to something larger than the default 8k and you should be set.
In order to change the ISAPI Redirector, look for max_packet_size on http://tomcat.apache.org/connectors-doc/reference/workers.html and don't forget to read the comment about also changing the Tomcat configuration.
On the Tomcat level, we need to change the packetSize.
This attribute sets the maximum AJP packet size in Bytes. The maximum value is 65536. It should be the same as the max_packet_size directive configured for mod_jk. Normally it is not necessary to change the maximum packet size. Problems with the default value have been reported when sending certificates or certificate chains. The default value is 8192.
A useful example can be found on http://builddeploy.blogspot.com/2009/04/resolving-http-error-413-request-entity.html
Example Tomcat AJP port change:
enableLookups="false" redirectPort="8443" debug="0" tomcatAuthentication=”false” packetSize=20000
protocol="AJP/1.3" />”
The values of packetSize and max_packet_size must be equal !
Share with your friends: |