
I am trying to install Tomcat 9.0.35 using JDK 11 on a Windows 2012 R2 VM. This will be an upgrade from Tomcat 9.0.11 and JDK 10. I am having issues with ISAPI Redirect. I see the following errors in the ISAPI logs:

```
[2912:2028] [info] jk_open_socket::jk_connect.c (815): connect to 10.49.53.55:7009 failed (errno=61)
[2912:2028] [info] ajp_connect_to_endpoint::jk_ajp_common.c (1064): (tom9) Failed opening socket to (10.49.53.55:7009) (errno=61)
[2912:2028] [error] ajp_send_request::jk_ajp_common.c (1724): (tom9) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=61)
[2912:2028] [info] ajp_service::jk_ajp_common.c (2774): (tom9) sending request to tomcat failed (recoverable), because of error during request sending (attempt=2)
[2912:2028] [error] ajp_service::jk_ajp_common.c (2795): (tom9) connecting to tomcat failed (rc=-3, errors=3, client_errors=0).
[2912:2028] [error] HttpExtensionProc::jk_isapi_plugin.c (2123): service() failed with http error 503
```

My AJP connector in Server.XML looks like this:

```
<Connector port="7009" redirectPort="8443" protocol="AJP/1.3" secretRequired="false" address="::1"/>
```

Does anyone know what changed in the latest version of Tomcat and/or JDK?

bjoster
ops_guy
  • It won't work without AJP connector. – Gerard H. Pille May 26 '20 at 20:35
  • Get rid of that ISAPI and use HttpPlatformHandler instead, https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/enabling-pretty-permalinks-in-wordpress#creating-a-rewrite-rule – Lex Li May 27 '20 at 02:44
  • netstat on VM running tomcat 9.0.11 shows host listening on port 7009. netstat on this VM shows nothing listening on port 7009. – ops_guy May 27 '20 at 16:49
  • Tried updating Server.xml as per [link](https://blog.vulcan.io/fix-available-for-new-apache-tomcat-vulnerability-ghostcat-cve-2020-1938) and updating the worker 'worker.tom9.secret' parameter. I am still getting the same error. – ops_guy May 27 '20 at 17:35
  • In my case the Tomcat AJP Connector was listening on `address="::1"` in `server.xml`, so I was only able to connect if the worker `.host=::1`. Maybe you need to allow the listening address to be more broad, like `address=::` (match all addresses)? – Mister_Tom Feb 23 '21 at 23:12

1 Answer

You now have to add additional parameters to the connector settings in Server.xml, `<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="tomcat" />`, and update the worker.properties `worker.tom9.secret=tomcat` parameter.

You can use whatever secret key you want to use instead of tomcat.

https://blog.vulcan.io/fix-available-for-new-apache-tomcat-vulnerability-ghostcat-cve-2020-1938

ops_guy
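The connector/worker mismatch discussed in this thread can be checked mechanically. The following is an added example, not code from the original posts or from Tomcat or mod_jk: it compares each AJP `<Connector>` in a server.xml with one mod_jk worker and reports port, bind-address and secret mismatches. The sample inputs are constructed from the values quoted in the question; the function names and finding codes are hypothetical.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the question: connector on ::1, worker on the VM IP.
SERVER_XML = ('<Server><Service><Connector port="7009" redirectPort="8443" '
              'protocol="AJP/1.3" secretRequired="false" address="::1"/>'
              '</Service></Server>')
WORKERS = "worker.list=tom9\nworker.tom9.type=ajp13\nworker.tom9.host=10.49.53.55\nworker.tom9.port=7009\n"

def norm(host):
    """Return (normalised host, is_loopback); hostnames are not resolved."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower(), host.lower() == "localhost"
    return str(ip), ip.is_loopback

def parse_worker(text, name):
    """Collect worker.<name>.<key>=<value> lines, starting from mod_jk's defaults."""
    prefix, props = f"worker.{name}.", {"host": "localhost", "port": "8009"}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith(prefix):
            props[key.strip()[len(prefix):]] = value.strip()
    return props

def check_ajp(server_xml, workers_text, name):
    """Return finding codes for each AJP connector versus one mod_jk worker."""
    w = parse_worker(workers_text, name)
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in c.get("protocol", "").lower():
            continue
        addr = c.get("address", "localhost")  # 9.0.31+ binds loopback when unset
        secret = c.get("secret") or c.get("requiredSecret")  # deprecated alias
        required = c.get("secretRequired", "true").lower() != "false"
        if c.get("port") != w["port"]:
            findings.append("port-mismatch")
        if addr not in ("::", "0.0.0.0") and norm(addr)[0] != norm(w["host"])[0]:
            findings.append("bind-mismatch")  # worker sees connection refused
        if required and not secret:
            findings.append("secret-missing")  # connector refuses to start
        if secret and secret != w.get("secret"):
            findings.append("secret-mismatch")
        if not required and not secret and not norm(addr)[1]:
            findings.append("unauthenticated-exposed")  # open AJP port (Ghostcat)
    return findings

if __name__ == "__main__":
    print(check_ajp(SERVER_XML, WORKERS, "tom9"))
```

For the question's configuration this reports `bind-mismatch`: the connector listens only on `::1` while the worker targets `10.49.53.55`, which matches the connection failures in the ISAPI log.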