KB484096: Setting up the AJP port on Tomcat and Apache Servers


Dan Esparza

Quality Architect, Senior • MicroStrategy


On February 27, 2020, the National Vulnerability Database disclosed that a critical security flaw had existed in Apache Tomcat for the past 13 years. In response to this vulnerability, the AJP port is now disabled by default. For customers who require the AJP port, this article provides the steps to set it up on Tomcat and Apache HTTP Server in a way that avoids the vulnerability.

With the changes Tomcat introduced in version 9.0.31, the AJP port is disabled by default. For more information on why this port is disabled, see KB484091: Addressing the Apache Tomcat JServ Protocol (AJP) Security Vulnerability.
Although the port is now disabled by default, some Strategy customers who have implemented a Single Sign-On solution with a trusted provider, such as SiteMinder or PingFederate, may be using the AJP port to communicate with the target application server, such as Tomcat. For these customers, Strategy recommends the procedure below to re-establish the connection over the AJP protocol.
Although this is not the only workaround, this approach has been verified to work with Strategy products. It is not guaranteed to apply to other tools deployed in the same application server.
The instructions below are provided for Tomcat 9.0.30 and future versions.

Prerequisites


Before you begin, ensure you have the following:

  • Apache HTTP Server 2.x (2.4.42 or higher is recommended)
  • A firewall rule that opens the defined AJP port only to trusted sources (the Apache HTTP Server)
  • JK module for Apache Server

Changes Required on the Tomcat Application Server

Modifications to the server.xml File

On Tomcat 9.0.30 and earlier, this is how the connector for AJP typically appears:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

On Tomcat 9.0.31, the AJP connector ships commented out, bound to the loopback address, and appears as follows:

    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
    -->

To enable the AJP connector and run it on port 8009 (the default), perform the following steps:

  1. Open the /Apache Software Foundation/Tomcat 9.0_Tomcat9_30/conf/server.xml file with a text editor.
  2. Remove the comment markers around the connector.
  3. Change the address attribute so the connector listens on more than the loopback address. Note that address="::" listens on all interfaces, so the firewall rule from the prerequisites must restrict the port to the HTTP Server.
  4. Set the secretRequired attribute to true.
  5. Define a secret to be exchanged with the HTTP Server:

    <Connector protocol="AJP/1.3"
               address="::"
               secretRequired="true"
               secret="mysecret"
               allowedRequestAttributesPattern="AJP_LOCAL_ADDR"
               port="8009"
               redirectPort="8443" />
    <!-- allowedRequestAttributesPattern is optional -->

  6. Restart Tomcat.

Modifications to the Apache HTTP Server

After confirming the AJP port is up and running, make the following changes to the Apache HTTP Server configuration (httpd.conf and workers.properties).

  1. Open the /Apache Software Foundation/Apache2.x/conf/httpd.conf (or /Apache Software Foundation/Apache2.x/conf/extra/httpd-ssl.conf) file with a text editor. If the JkMount has already been defined in prior versions, you can skip the next step.
  2. Define the following mounts to direct requests to the proper worker:

    JkMount /Strategy tomcat30worker
    JkMount /Strategy/* tomcat30worker

  3. Save and close.
  4. Open /Apache Software Foundation/Apache2.x/conf/workers.properties and add a worker definition that carries your secret. The worker name must also be listed in worker.list for mod_jk to use it. For example:

    worker.tomcat30worker.port=8009
    worker.tomcat30worker.host=my_tomcat_server_machine_or_ip
    worker.tomcat30worker.type=ajp13
    worker.tomcat30worker.secret=mysecret

  5. Save and close the files.
  6. Restart the Apache Server.

Troubleshooting

Apache HTTP Server

Problem: Error returned 403 - Forbidden
File to be modified: workers.properties
Entry: worker.xxx.secret=<must match the secret in Tomcat's server.xml>

Tomcat

Problem: Error returned 403 - Forbidden
File to be modified: server.xml
Entry: secretRequired="true" <!-- if set to false, the problem will arise -->

Tomcat

Problem: Error returned 503 - Server error
File to be modified: server.xml
Entry: address="::" <!-- if set to "::1" or "127.0.0.1" or not defined, the connector only responds to localhost requests -->
IPv4 alternative: address="0.0.0.0"
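As an added example (not part of the original article and not a Strategy or Apache tool), the following script cross-checks the server.xml connector from the Tomcat steps against the workers.properties entries from the Apache steps and reports each mismatch with the symptom the troubleshooting table lists for it. The file contents are constructed samples; the host name and secret are placeholders.

```python
# Added example, not from the KB article: cross-check the Tomcat AJP connector against
# Apache's workers.properties and report each mismatch with its troubleshooting symptom.
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the article's snippets (secret and host are placeholders).
SERVER_XML = """<Server><Service><Connector protocol="AJP/1.3" address="::1"
  secretRequired="true" secret="mysecret" port="8009" redirectPort="8443"/></Service></Server>"""
WORKERS_PROPERTIES = """worker.tomcat30worker.port=8009
worker.tomcat30worker.host=my_tomcat_server_machine_or_ip
worker.tomcat30worker.type=ajp13
worker.tomcat30worker.secret=mysecret
"""
LOOPBACK = {"::1", "127.0.0.1", "localhost"}


def ajp_connectors(server_xml):
    """Active AJP connectors only; a commented-out connector is never parsed."""
    root = ET.fromstring(server_xml)
    return [c.attrib for c in root.iter("Connector")
            if c.get("protocol", "").startswith("AJP")]


def ajp_workers(props):
    """Parse worker.<name>.<key>=<value> lines and keep workers of type ajp13."""
    workers = {}
    for m in re.finditer(r"^\s*worker\.([^.\s]+)\.(\w+)\s*=\s*(.*?)\s*$", props, re.M):
        workers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return {n: w for n, w in workers.items() if w.get("type") == "ajp13"}


def audit(server_xml, props):
    """Return findings as strings; an empty list means both sides agree."""
    findings, connectors = [], ajp_connectors(server_xml)
    if not connectors:
        findings.append("no active AJP connector (still commented out): 503")
    for c in connectors:
        if c.get("address", "::1") in LOOPBACK:  # Tomcat 9.0.31 binds loopback by default
            findings.append("address is loopback-only; Apache on another host gets 503")
        if c.get("secretRequired", "true").lower() != "true":
            findings.append("secretRequired is not true: 403")
        for name, w in ajp_workers(props).items():
            if w.get("port") != c.get("port", "8009"):
                findings.append(f"worker {name} port {w.get('port')} != connector port: 503")
            if w.get("secret") != c.get("secret"):
                findings.append(f"worker {name} secret does not match server.xml: 403")
    return findings
```

Run it against the real files by reading them into the two strings; the sample as written reports only the loopback-address finding, and changing address to "::" makes it report nothing.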

Untested Solution

For the mod_proxy_ajp module (an alternative to the JK module), perform the following steps.
Note: You need Apache HTTP Server version 2.4.42 or higher.
In /Apache Software Foundation/Apache2.x/conf/httpd.conf or /Apache Software Foundation/Apache2.x/conf/extra/httpd-ssl.conf, add the following:

    ProxyPass /Strategy/ ajp://my_application_server_machine:8009/Strategy/ secret="mysecret"
    ProxyPassReverse /Strategy/ https://my_application_server_machine:8443/Strategy/


Details

Knowledge Article
Published: March 4, 2020
Last Updated: March 19, 2020