Oh oh. So it looks like you have been thrown to the wolves, eh?
The positive side of it, is that if you solve it, you'll be the star.
Time for some ascii-art I think.
Except for firewalls, you have the following schema :
Browser-1 <--->          <--->              - webapp
Browser-2 <---> IIS + IR <---> AJP + Tomcat - webapp
...       <--->          <--->              - webapp
Browser-n <--->          <--->              - webapp
The dotted lines represent TCP/IP connections.
IIS + IR : IIS plus the Isapi_Redirector module
AJP + Tomcat : The Tomcat <Connector protocol="AJP"> module, plus Tomcat itself, and then
the applications (webapps) running in Tomcat.
A request starts at the browser, goes to IIS over a connection to port 80 (if simple
HTTP), or port 443 (if HTTPS).
IIS sees that this request is really for Tomcat, so it passes it to its Isapi_redirector
module.
The Isapi_redirector module creates another connection to Tomcat's AJP "Connector", this
time over port 8009, where presumably this AJP connector is listening.
When the AJP connector receives the request, it creates a "thread" in Tomcat to handle
this request.
A thread is like a sub-process of tomcat; it is created to process one request, and will
disappear when this request is processed and it has sent the response.
To create the response, the thread "runs" one of the webapps.
Now to clear some side-issues :
- the protocol/format used between the browsers and IIS may be HTTP or HTTPS
(SSL),
- but the protocol/format between the "IR" module on the IIS side, and the "AJP" module on
the Tomcat side, is neither. It is using a special protocol/format named AJP. (So the
notion of SSL is not relevant here; the decryption already happens at the IIS level, and
over the AJP connection the data flows essentially "in clear".)
For this whole scheme to work, there are a few pre-requisites :
- the browsers must be able to establish a TCP/IP connection to the IIS server. I guess
that part works.
- the IIS server (and its IR module), must be able to establish a TCP connection to the
AJP module of Tomcat, which is usually configured to "listen" on port # 8009.
- the number of requests sent at the same time by the sum of all the browsers, needs to
be more or less matched to the number of connections that the IR module and the AJP module
can establish between themselves (otherwise some browser requests would never reach Tomcat)
- the number of simultaneous threads that the AJP connector can start inside of Tomcat,
must also be more or less matched to the number of browser requests. Otherwise, requests
would pile up and have to wait, for a thread to become available to take care of them.
In the long term, that is not sustainable.
So the first thing here, would be to make sure that the Tomcat AJP connector is really
listening on port 8009. The wish for that is indicated, inside your server.xml, by a tag
like :
<Connector port="8009" protocol="AJP/1.3" ... />
Do you have such a tag ?
The second step would be to verify that it is really listening there.
For that, you could use the "netstat" command in a command window on the
server, as follows :
netstat -aon -p tcp
and look for a line that looks like this :
TCP 0.0.0.0:8009 0.0.0.0:0 LISTEN 2704
(the important part being that ":8009" part)
Do you see that ?
amythyst wrote:
Thanks for the reply.
With that script, how exactly would I execute that script?
Pardon my ignorance, but I am a database developer that has been thrown into
networking because our network admin is at a loss to what the problem is and
doesn't seem keen on fixing it.
According to him, all the ports that we are using are open on the
firewall... 8080, 8081, 443, 8443 and 8009. Tomcat is set to listen on port
8009 and I have configured the server.xml file to accept requests from 8009.
When you ask how many threads I have configured you're talking about worker
threads right? I only have the one.
Michael Ludwig-6 wrote:
amythyst wrote on 27.12.2010 at 06:52 (-0800):
> Hi, yes we have a connector configured for port 8009.

Configured, okay; but it is not replying to your redirector's requests.
You can test AJP connectivity using this Perl script:
http://www.perlmonks.org/?node_id=766945

> Question about the firewall... IIS is set up for port 8081 and 443
> for our default website. The application is running on 8080 and
> 8443. And as I said, tomcat is listening on 8009 to route traffic to
> the application. In the firewall, I believe the network guy has set
> up port 8081 to allow traffic inside. Does he also need to do
> something for 8009 or 8080 and 8443?

He needs to allow Tomcat to listen on 8009, and IIS to connect to
tomcat-server:8009. The other two ports your Tomcat is configured to
listen on should be irrelevant as far as the ISAPI redirector is
concerned; it does AJP, not HTTP or HTTPS.

> We are running the app with SSL, so it would be the secure ports I
> should be focusing on right?

Not for the AJP connection between IIS and Tomcat.

> Below are my worker files for the connector:
> # uriworkermap.properties - IIS
> /jira/*=worker1

Okay.

> # workers.properties.minimal -
> worker.list=worker1
> worker.worker1.type=ajp13
> worker.worker1.host=localhost
> worker.worker1.port=8009

Also okay. If you don't configure the connection_pool_size, the
default applies, which is 250 for IIS.
http://tomcat.apache.org/connectors-doc/reference/workers.html
How many threads have you configured for your AJP connector?
--
Michael Ludwig
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
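
The AJP connectivity check discussed in this thread, as an added Python example (not part of the original messages and not the Perl script linked in them): it sends one AJP13 CPing to the connector and reports whether a CPong came back, the connection was refused, or nothing answered. The default host and port follow the workers.properties quoted in the thread; the function names are made up for this example.

```python
import socket
import struct

# AJP13 framing: web server -> container packets start with 0x12 0x34,
# container -> web server packets start with "AB"; both are followed by a
# 2-byte big-endian payload length.
CPING = struct.pack(">2sHB", b"\x12\x34", 1, 0x0A)   # payload: CPing (10)
CPONG = struct.pack(">2sHB", b"AB", 1, 0x09)         # payload: CPong (9)


def classify_reply(data):
    """Interpret the bytes read back after sending a CPing."""
    if data == CPONG:
        return "cpong"            # an AJP connector answered
    if not data:
        return "closed"           # peer accepted, then closed without replying
    return "not-ajp"              # something else owns the port (e.g. HTTP)


def probe_ajp(host="localhost", port=8009, timeout=3.0):
    """Send one CPing and report what happened at the TCP and AJP level."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(CPING)
            data = b""
            while len(data) < len(CPONG):
                chunk = s.recv(len(CPONG) - len(data))
                if not chunk:
                    break
                data += chunk
            return classify_reply(data)
    except ConnectionRefusedError:
        return "refused"          # nothing is listening on host:port
    except socket.timeout:
        return "timeout"          # packets dropped, or the listener never answered
    except OSError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    # Host and port as in the workers.properties quoted in the thread.
    print(probe_ajp("localhost", 8009))
```

Run it on the IIS machine, since that is where the redirector opens its connection from: "refused" means nothing is bound to the port, while "timeout" usually means something between the two is dropping the packets.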